Openziti as VPN

I hope you all are doing well.

I have a question regarding a VPN server which we are considering replacing with OpenZiti for testing purposes.

If I want to replace the OpenVPN client with the Ziti tunneler, then what requirements or configurations are needed on the OpenZiti server itself?

A testpage.ziti URL is accessed in the LAN via the tunneler, and I also want this testpage.ziti to be accessible from the public side (WAN).

I think what I need is this:

  • A DNS record on a cloud server, linked with the 88.xx.xx.22 public IP
  • Adding a firewall rule (DST NAT) to forward traffic from the public side to the local OpenZiti server (locally hosted)
  • If I need to add a firewall rule, then which of the ports 8440, 8441, 8442 do I need to forward to the local server, or do I need to add all of them?

Do I need other configuration, like creating a new edge router for such traffic?

The Network Controller must be addressable for the clients to reach it to attach and make dial attempts. It can be a FQDN or a bare IP. Other than that, all the firewall rules need to be outbound only. The tunnelers and Edge Routers will connect to the controller outbound, and maintain the connections that need to be persistent. If you want the traffic to be localized in the LAN but still over OpenZiti, you will need an Edge Router inside the LAN. The control traffic will still flow to the controller, but the data plane would remain between the initiating tunneler, the local Edge Router, and the terminating tunneler (or the Edge Router; it could service that traffic itself, but then the port would have to be open on the Edge Router).

All of that said, what are you really testing? OpenZiti, or some application you want to be reachable? Zrok may be an option for you, which is built on OpenZiti, but is less work to operate.

If you can explain what you want to achieve, it would be easier to help.


Thank you for your very quick reply.

I'm testing a web page which is hosted in the LAN (locally) and is only accessible via VPN. So I want to achieve this using Ziti Desktop instead of a VPN client.

testpage.ziti is accessible in the LAN. So I need some help on how to access it publicly, using the tunneler of course.

Zero Trust Host Access | OpenZiti looks to be pretty close to what you're trying to do.

Thank you for your reply.

Zero Trust Host Access | OpenZiti looks to be pretty close to what you're trying to do.

This has been done in the LAN. I'm just asking how an edge client sitting on another network (let's say at home) is able to access a server (like testpage.ziti) located in the office.

Gotcha. I think this is where @gormami was going: you need the controller and at least one edge router accessible over the Internet (from both your home, running Ziti Desktop Edge, and from the network hosting the server). This article gives an overview of how to host a controller and edge router in Oracle public cloud's free tier, which you may find helpful.

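The two replies above describe the pieces (a reachable controller, an Edge Router, a hosting tunneler in the office and a dialing tunneler at home) but not the service definition that ties them together. Here is an added example, not from this thread or the OpenZiti project, of the ziti CLI calls that publish an office web server as testpage.ziti; it assumes the CLI is already logged in to the controller, that the office host identity carries the role #office-hosts, the home identity #remote-clients, the office Edge Router #office-ers, and that 10.10.0.5:80 is a sample LAN address.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenZiti project).
# ZITI defaults to the real CLI; set ZITI=echo to print the plan instead of
# applying it. Role names (#office-hosts, #remote-clients, #office-ers) and
# the LAN address/port passed in are assumptions for this example.
ZITI="${ZITI:-ziti}"

# publish_service NAME DNS_NAME LAN_ADDR LAN_PORT
#   NAME     service name in the controller, e.g. testpage
#   DNS_NAME name the client tunneler should intercept, e.g. testpage.ziti
#   LAN_ADDR real address of the web server inside the office LAN
#   LAN_PORT real port of the web server
publish_service() {
  name="$1"; dns_name="$2"; lan_addr="$3"; lan_port="$4"

  # Client side: the tunneler at home intercepts DNS_NAME:LAN_PORT and
  # sends it into the fabric instead of out to the Internet.
  $ZITI edge create config "${name}-intercept" intercept.v1 \
    "{\"protocols\":[\"tcp\"],\"addresses\":[\"${dns_name}\"],\"portRanges\":[{\"low\":${lan_port},\"high\":${lan_port}}]}"

  # Server side: the office tunneler terminates the connection and opens
  # a plain TCP connection to the real LAN address on exit.
  $ZITI edge create config "${name}-host" host.v1 \
    "{\"protocol\":\"tcp\",\"address\":\"${lan_addr}\",\"port\":${lan_port}}"

  $ZITI edge create service "$name" --configs "${name}-intercept,${name}-host"

  # Least privilege: remote clients may only Dial, office hosts may only Bind.
  $ZITI edge create service-policy "${name}-dial" Dial \
    --service-roles "@${name}" --identity-roles '#remote-clients'
  $ZITI edge create service-policy "${name}-bind" Bind \
    --service-roles "@${name}" --identity-roles '#office-hosts'

  # Both identities may use the office Edge Router, and the service is
  # pinned to it so the data plane stays inside the LAN (only the control
  # plane goes to the controller, as described in the reply above).
  $ZITI edge create edge-router-policy "${name}-erp" \
    --edge-router-roles '#office-ers' --identity-roles '#remote-clients,#office-hosts'
  $ZITI edge create service-edge-router-policy "${name}-serp" \
    --service-roles "@${name}" --edge-router-roles '#office-ers'
}

# Example call (sample LAN address): publish_service testpage testpage.ziti 10.10.0.5 80
```

No inbound firewall rule is needed for the office server or the home client: both tunnelers and the Edge Router only dial out to the controller and to the Edge Router.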

Thank you so much.
Will try it