First, I want to say thanks for this project and all the amazing resources found here.
I spent the last couple of days reading docs, watching videos, and trying to lab my solution without success.
My current setup relies on a VPN server inside the office. Users connect to that VPN server using a VPN client and then can reach internal and external resources that can only be accessed from inside the office.
I want to implement OpenZiti to replace this and have a more granular control of what each device and user can access.
Here is a diagram of how the solution should look (in blue you can see the data flow)
Questions:
If I think of it as VPN, the client will get an IP, and send traffic to the Ziti router or Ziti Tunneler running in the office, then this device will route traffic to the internet where the firewall will NAT that traffic.
On the Firewall, I have a route pointing to the Ziti Tunneler for the subnet of the Ziti Client.
Unfortunately running OpenZiti in the Webserver is not an option.
Thanks!
Howdy @Foles_90, welcome to the community. We're thankful for the kind words about the project and I'm sorry you didn't have any luck so far, but let's see if we can help.
Your diagram is exactly correct and makes perfect sense to me. Technically the traffic will flow like this:
- client to public edge router (top left)
- public edge router to "private tunneler" (edge router or ziti-edge-tunnel, Ziti Desktop Edge for Windows, etc.)
- "private tunneler" to web server, which uses the outbound IP from "Office" in its web ACL, thus allowing the traffic.
If I think of it as VPN, the client will get an IP, and send traffic to the Ziti router or Ziti Tunneler running in the office, then this device will route traffic to the internet where the firewall will NAT that traffic.
On the Firewall, I have a route pointing to the Ziti Tunneler for the subnet of the Ziti Client.
This is "close enough". Your client doesn't get an IP really, more the client knows how to intercept an IP you assign or better yet a DNS entry you assign. When you're on "the client" and you navigate to something like "my.totally.private.server", the OpenZiti tunneler knows how to capture this request and put it onto the OpenZiti overlay. The overlay then routes the traffic to the "final destination" (in your example, that tunneler in "the office") where in your example it would be offloaded from the overlay network and sent towards the actual server.
How can we help?
So yes, this is absolutely possible. Now that you know it's doable, what sort of issue are you having? Where did you get stuck? How can we help out?
Thanks for the quick reply!
The webserver URL can be resolved by a public DNS, so no need to use a specific DNS entry.
My idea was to intercept traffic going to that URL.
Here is where I have my main question. What is the source IP that the packet will have once it leaves the tunneler in "the office"?
Will the tunneler in the office do NAT? If not I need some sort of route back, but to what IP?
With OpenZiti, you can totally do that. That is actually useful because the certificate delivered from that server is probably able to be validated by clients. That will allow https to work properly.
The traffic originates from "the office". So it's the exit IP of "the office" network. That's how the web ACL will allow that traffic to the target server.
This will all "just work". The OpenZiti client deployed in "the office" will handle this, you won't need a route back to any IP.
Excellent!
So if I understood correctly, the client with whatever IP it has (does not matter to Ziti) will send traffic to the Ziti tunneler in the office. The tunneler will decapsulate that packet, inspect it and when it leaves to the webserver it will do NAT and use its own IP (10.0.0.2) as the source IP. Then the Firewall will do NAT again using the outside address 8.8.8.1
You got it. Locally on that tunneler client, with OpenZiti running, it will intercept the request for "your.private.server" and it'll get assigned to a 100.x.x.x IP (for example, 100.64.0.3). That IP is then captured by the OpenZiti client. So your browser ends up sending traffic from 73.5.5.5 to 100.64.0.3 (via the DNS lookup to "your.private.server").
That's when the OpenZiti client maps the packets landing at "100.64.0.3" to "your.private.server" and wraps the packets in OpenZiti routing protocol and puts those OpenZiti packets onto the overlay.
The overlay knows that the offload point for "your.private.server" is "the office" and routes the traffic to "the office". Once there the tunneler in "the office" knows that it's traffic for "your.private.server" and it knows that it needs to make a TCP connection to the configured offload target (the actual remote server). That traffic then exits "the office" from 8.8.8.1, allowing the traffic to land at the private server and make it through the IP-based ACL.
Since the tunneler initiated the outbound connection, there's no NAT to worry about (the underlay handles all that as it would normally).
Hope that all makes sense! 
Simply amazing! Thank you very much.
I am testing now everything in my lab and will come back later either with a success story or with more questions 
Could not make it work 
This is what I am doing:
Create 2 identities:
ziti edge create identity user androidphone -o androidphone.jwt -a client
ziti edge create identity device linux -o linux.jwt -a server
Create the configs (the host.v1 config is what the office tunneler dials; the intercept.v1 config is what the client intercepts; both are named with the same "webservice." prefix the service refers to below):
ziti edge create config webservice.host host.v1 '{"protocol":"tcp","address":"55.167.228.139","port":9000}'
ziti edge create config webservice.intercept intercept.v1 '{"protocols":["tcp"],"addresses":["55.167.228.139"],"portRanges":[{"low":9000,"high":9000}]}'
Create the service:
ziti edge create service webservice.service --configs "webservice.host,webservice.intercept"
Create the service policies:
ziti edge create service-policy webservice.bind Bind --service-roles '@webservice.service' --identity-roles '#server'
ziti edge create service-policy webservice.dial Dial --service-roles '@webservice.service' --identity-roles '#client'
Then from my phone I try to go to 55.167.228.139:9000 but it is not working
EDIT:
I was using chrome as my browser (Android device), changed to firefox and it worked!
Any ideas why chrome may be failing?
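The following is an added example, not code from this thread or from the OpenZiti project. It packages the command sequence above (and the intercept/host flow the earlier reply describes, where the client intercepts the target address and the office tunneler dials it) into a small script: the host.v1 and intercept.v1 configs, the service and the Bind/Dial policies are all derived from one name prefix, and a check confirms that every config the service references was actually created, which catches the kind of slip where configs are created under one prefix and the service refers to another. Assumptions: the IP, port, identity names and role attributes are the ones posted in the thread and can be overridden through environment variables; the script prints the `ziti` commands rather than running them; edge-router policies that let both identities and the service use a router are assumed to exist already (the quickstart creates default ones).

```shell
#!/bin/sh
# Added example (not from the thread or the OpenZiti project): generate a
# consistent "office egress" service definition for the ziti CLI and sanity
# check it before applying. Prints the commands; it does not run them.
set -eu

# Assumed values, taken from the thread; override via environment variables.
NAME_PREFIX="${NAME_PREFIX:-webservice}"
TARGET_ADDR="${TARGET_ADDR:-55.167.228.139}"
TARGET_PORT="${TARGET_PORT:-9000}"

# host.v1: the office tunneler opens a plain TCP connection to this
# address:port, so the web server sees the office's public egress IP.
host_v1_json() {
  printf '{"protocol":"tcp","address":"%s","port":%d}' "$1" "$2"
}

# intercept.v1: the client tunneler captures traffic to this address:port
# on the device and puts it on the overlay.
intercept_v1_json() {
  printf '{"protocols":["tcp"],"addresses":["%s"],"portRanges":[{"low":%d,"high":%d}]}' "$1" "$2" "$2"
}

# The --configs value the service must reference, built from the same
# prefix the config commands use so the names cannot drift apart.
service_config_list() {
  printf '%s.host,%s.intercept' "$1" "$1"
}

# Check: every config named in a --configs list (arg 1) must be among the
# config names that were created (remaining args). Returns 1 on a mismatch.
configs_exist() {
  wanted="$1"; shift
  for w in $(printf '%s' "$wanted" | tr ',' ' '); do
    found=0
    for c in "$@"; do
      [ "$c" = "$w" ] && found=1
    done
    if [ "$found" -ne 1 ]; then
      echo "config '$w' is referenced by the service but was never created" >&2
      return 1
    fi
  done
  return 0
}

# Emit the full command sequence for prefix $1, target address $2, port $3.
ziti_commands() {
  p="$1"; addr="$2"; port="$3"
  cat <<EOF
ziti edge create identity user androidphone -o androidphone.jwt -a client
ziti edge create identity device linux -o linux.jwt -a server
ziti edge create config ${p}.host host.v1 '$(host_v1_json "$addr" "$port")'
ziti edge create config ${p}.intercept intercept.v1 '$(intercept_v1_json "$addr" "$port")'
ziti edge create service ${p}.service --configs "$(service_config_list "$p")"
ziti edge create service-policy ${p}.bind Bind --service-roles "@${p}.service" --identity-roles '#server'
ziti edge create service-policy ${p}.dial Dial --service-roles "@${p}.service" --identity-roles '#client'
EOF
}

# Dry run: verify the names line up, then print the commands to apply.
configs_exist "$(service_config_list "$NAME_PREFIX")" \
  "${NAME_PREFIX}.host" "${NAME_PREFIX}.intercept"
ziti_commands "$NAME_PREFIX" "$TARGET_ADDR" "$TARGET_PORT"
```

Pipe the output into a shell (or copy it) once it looks right; the same `configs_exist` check can be pointed at the real names from `ziti edge list configs` if a service refuses to create because a referenced config is missing.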
First of all - nice job! All your commands were spot on and you got it working.
As for chrome/firefox, if I had to guess, I'd guess the polling interval for the client to discover new services was slower than you. I think it's set to a one minute poll before the services are available to try to reduce bandwidth and battery use. Maybe when you moved to firefox, the one minute elapsed? If you try it again, does chrome still not work properly?
I use brave which is chrome-based and I've not seen that particular problem. If chrome still gives you problems, I'll try to ping another dev and see if they have any ideas. It might just work now though?