OpenZiti Controller on Hetzner Cloud

Hi all, I hope you're all enjoying your weekend time productively ! First of, I am completely new with OpenZiti but I have been reading the documentation on and off for some time now when my work projects and studies(Related to IT for work) aren't first on the list. I've only started back in IT again after years of being in the EE industry so bare with me!

I first got baptized with for the Zero Trust mesh networking and firewall punching with Twingate when I had to access internal hosts through Starlink to a phone system and Security cameras. Since then I have been hooked on the technology and would like to implement it as a foundation leading to all my IT related practices where possible but self hosted and more hands on for learning than the likes of other solutions.

To be honest it's taking me quite some time to get used to all the new terminology and playing with the self hosted setup tutorials, reading the forums, your YouTube channel.

At the moment, I have setup a controller on Hetzner with the quickstart host anywhere quickstart (expressInstall) with ZAC and I have been playing around with it with all the features. While confusing to get it all pictured in my head as I find it the easiest way to understand, so thanks for the diagrams you have on your documentation! While they help, or maybe I am just too green, I still find them hard to understand at times.

I do understand the concept of connecting from Host to Host and only allowing services to people that have the group / access policies / roles attached to them for like internal web services.

Where I am stuck at the moment is actually, just using my Hetzner instance for browsing the web like a VPN while myself and the family are away soon. So we would connect from our devices (Users) to the Hetzner Controller and we can just browse the web tunneled through OpenZiti network if we are on public WiFi etc in our Hotel, Carrier Network etc while Abroad.

Is there a certain setting, or Tunneler that I would have to create on the Hetnzer host that we could assign it to all the Users as a service to allow access to the internet as in like a VPN so to speak?

Any help would be great! Either way, thank you for opening up such a awesome piece of software to me and the abilites, from Zrok, embedding your own applications etc. What great project/s to share and continue to support and develop.

Oh, and I just want to say thanks to "Clint" for his answers to some of the peoples questions here and on Reddit. He's some Information Oracle! No small answers, just full on finely laid out paragraph answers in which I bookmark to come back to.

I forgot to actually say what my layout is like.

OpenZiti Windows / Linux Client on laptop ==> Ziti Controller on Hetzner ===> Private Internet access...

Same layout with Phones and tablets running Android ==> Ziti Controller on Hetzner ===> Private Internet access...

Where at the moment, I can get all of the clients to talk to each other over various networks (Mobile, Lan, etc) I just cant seem to find the switch to enable Outbound to the Internet for general Access as in a VPN style configuration.

1 Like

Hi @CorpseGrinder, welcome to the community and to OpenZiti!

OpenZiti isn't exactly designed for browsing the Internet, VPN-style like that and it's something I've actually never attempted myself. Generally, OpenZiti is more about the opposite where each and every discreet service is authorized, following the principle of least privilege.

Things can get extra complicated with http. Http has features that make it more difficult to implement least privilege (sourcing scripts and resources from other domains, redirects, etc).

OpenZiti does have the concept of a wildcard intercept. It might be able to accomplish what you're trying to do? It can also intercept CIDR ranges such as but again, it's not something I've actually done myself to date.

I do think you can accomplish what you're trying to do, I've just never done it myself. Perhaps another community member has?

1 Like

Hi @TheLumberjack , thanks for getting back to me so quickly.

I know I am asking for something outside the scope of OpenZiti and to be honest, it's not the intended scope of what I want to accomplish and continue on with with OpenZiti Either! It would have been just "handy" to have to be able to do that type of service instead of spinning up another cloud server for VPN just in case the Hotel blocks ports etc. I would rather just browse through a encrypted tunnel that can punch through a firewall etc.

Anyway, thanks @TheLumberjack for your feedback, I really do appreciate it!

As @TheLumberjack mentioned that service should accomplish to divert all traffic to ziti tunnel. We also exclude fabric routes from that so the fabric tunnels don’t get sucked into the tunnel like vpn would. I did not test this service myself. But before we had this type of service, I configured all public prefixes to cover all internet to steer traffic into the ziti tunnel, which essentially equaled to
Additionally related to what Clint mentioned as well, if I wanted to watch a specific tv streaming service like sling tv I created a service with wildcard to capture traffic destined to sling ie * The trick is to find all urls this streaming service is trying to reach.

1 Like

Hi actually you will want to set up 2 cidrs and The reason is that if you use the ziti route typically does not have a better metric than the existing route. By splitting the entire internet range in 2 we are then using a longer prefix match which will always be preferred.