I’ve set up OpenZiti locally and it’s working well for most users. However, we’ve noticed that clients on a specific ISP here in Botswana are unable to connect to the overlay network.
Has anyone else run into ISP-related blocking issues like this? Are there recommended steps to work around this—such as changing ports or tweaking how Ziti attempts to traverse the network?
Hi @katlegomoilwa welcome to the community and to OpenZiti!
This isn't something I've encountered myself but some countries are more restrictive than others for sure. A very, very common pattern is to use different ports like @timnis is hinting at.
One VERY common problem is local anti-virus software thinking that strange ports are data exfiltration/attack attempts. We've seen anti-virus software terminate connections on machines in the past. It's also a problem if they have OTHER VPN software installed, as those can conflict with OpenZiti.
You could try deploying the controller to port 443 and the router to port 80 since those ports generally are allowed.
It's also quite possible that those clients are on an IPv6 only network and maybe there's some misconfiguration where it'll work great on IPv4 but IPv6 fails for "whatever" reason. (probably DNS but it'd be hard to figure out)
Unfortunately in a case like this the only thing you can do is ask that user to look at their logs from their tunneler (or ask them to send you the logs and you look at them). The logs are generally quite useful to figure out 'why' something is going wrong.
The only other option after that is a packet capture to understand if the traffic is actually getting blocked or sniped by network gear etc.
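A small diagnostic for the checks described above, as an added example that is not from the OpenZiti project or anyone in this thread: it attempts a TCP handshake to each controller/router endpoint over IPv4 and IPv6 separately, distinguishes a silent timeout (what a filtering ISP or middlebox looks like) from an RST (path clear, nothing listening), and flags the "works on IPv4, fails on IPv6" case. The hostnames and ports in the example run are constructed placeholders.

```python
import socket
from dataclasses import dataclass

@dataclass
class ProbeResult:
    host: str
    port: int
    family: str   # "IPv4" or "IPv6"
    status: str   # open | refused | timeout | unreachable | no-address
    detail: str = ""

def probe(host: str, port: int, family: str, timeout: float = 3.0) -> ProbeResult:
    """Attempt one TCP handshake to host:port over the given address family."""
    af = socket.AF_INET if family == "IPv4" else socket.AF_INET6
    try:
        sockaddr = socket.getaddrinfo(host, port, af, socket.SOCK_STREAM)[0][4]
    except socket.gaierror as e:          # no A (or AAAA) record, or DNS itself failed
        return ProbeResult(host, port, family, "no-address", str(e))
    s = socket.socket(af, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(sockaddr)
        return ProbeResult(host, port, family, "open")
    except socket.timeout:                # SYN swallowed silently: typical of filtering on the path
        return ProbeResult(host, port, family, "timeout", "no SYN-ACK or RST within %.1fs" % timeout)
    except ConnectionRefusedError:        # RST came back: path is clear, nothing listens on that port
        return ProbeResult(host, port, family, "refused")
    except OSError as e:                  # e.g. "network unreachable" when the host has no IPv6 route
        return ProbeResult(host, port, family, "unreachable", str(e))
    finally:
        s.close()

def probe_endpoints(endpoints, timeout: float = 3.0) -> list:
    """Probe every (host, port) pair over both IPv4 and IPv6."""
    return [probe(h, p, fam, timeout) for h, p in endpoints for fam in ("IPv4", "IPv6")]

def diagnose(results) -> list:
    """Turn raw probe results into the findings a support thread would ask for."""
    findings, per_endpoint = [], {}
    for r in results:
        per_endpoint.setdefault((r.host, r.port), {})[r.family] = r.status
    for (h, p), fam in per_endpoint.items():
        v4, v6 = fam.get("IPv4"), fam.get("IPv6")
        if v4 == "open" and v6 in ("timeout", "unreachable"):
            findings.append(f"{h}:{p} works over IPv4 but IPv6 is {v6}; check the client's IPv6 path and DNS")
        for name, st in (("IPv4", v4), ("IPv6", v6)):
            if st == "timeout":
                findings.append(f"{h}:{p} over {name}: silent drop, likely filtered; try 443/80 or confirm with a packet capture")
    return findings

if __name__ == "__main__":
    # Constructed placeholder endpoints; replace with your controller and edge router addresses.
    for line in diagnose(probe_endpoints([("ctrl.example.com", 1280), ("router.example.com", 3022)])):
        print(line)
```

Run it from the affected client, not from the server side, since the point is to see what that ISP's path does to the SYN.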
As a solution you can find a small VPS near the user's location and set up a secondary (slave) controller node and a router.
In some countries ISPs do not allow external TCP connections from home.
Before going there, I would start by trying it just to see if it'd work. But yes, if it works you would use newAddress and migrate users over. They wouldn't need to re-enroll if you allow the newAddress functionality to work.