Using your config from before, I would change this section:
I'd bind the interface to 192.168.X.X (not all interfaces) and then any time you wanted to manage/maintain the controller, you would need to be on the local network that would allow you to access 192.168.X.X.
You could ALSO choose to limit it to 120.0.0.1 and force anyone wanting to manage/maintain the controller to be on the same machine.
Recently I covered using a router colocated with the controller to allow for exactly this, and thus you can only access/manage/maintain the controller if you're ON the openziti overlay itself, here: "Making ZAC and management API accessible only through service".
You have to bootstrap it with ziti itself, but once you do you could then configure OpenZiti as shown above and in that post and exclusively manage ziti -- using ziti...
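
An added example, not part of the original post and not OpenZiti project code: a small Python check that reads the `web` section of a controller config and reports any listener serving a management API whose `interface` is bound to all interfaces, a public address, or a hostname. The sample config, listener names, addresses, ports, and the set of bindings treated as management are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample shaped like a controller "web" section (placeholder values).
SAMPLE_CONFIG = """\
web:
  - name: public-client
    bindPoints:
      - interface: 0.0.0.0:8441
    apis:
      - binding: edge-client
  - name: private-management
    bindPoints:
      - interface: 192.168.10.5:8443
    apis:
      - binding: edge-management
  - name: exposed-management
    bindPoints:
      - interface: "[::]:1280"
    apis:
      - binding: edge-management
"""
# Assumption: these API bindings are the ones to keep off untrusted networks.
MGMT_APIS = {"edge-management", "fabric", "zac"}

def classify(interface):  # "host:port" bind string -> address category
    host = interface.rsplit(":", 1)[0].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # cannot tell without resolving; review by hand
    if ip.is_unspecified:
        return "all-interfaces"
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "public"

def audit(config_text, mgmt_apis=MGMT_APIS):  # -> [(listener, interface, kind)]
    findings = []
    # Each web listener starts at a "- name:" list item.
    for block in re.split(r"(?m)^[ \t]*-[ \t]+name:[ \t]*", config_text)[1:]:
        name = block.splitlines()[0].strip()
        apis = set(re.findall(r"(?m)^[ \t]*-[ \t]+binding:[ \t]*(\S+)", block))
        if not apis & mgmt_apis:
            continue  # client-only listeners are allowed to be reachable
        for iface in re.findall(r'interface:[ \t]*"?([^"\s]+)', block):
            kind = classify(iface)
            if kind not in ("loopback", "private"):
                findings.append((name, iface, kind))
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags only the `exposed-management` listener; the client-only listener on `0.0.0.0` and the management listener on the private address pass.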