Hello, I want to test out OpenZiti for my simple homelab which I am using for my bachelor's thesis. The thesis goals are to test out various free solutions for implementing zero trust architecture at home. These solutions should also support external IdP authentication and authorization. I am kinda lost at how to deploy and use OpenZiti for my case and honestly don't even know where to start.
My current underlay network
My home network is very simple. I have a MikroTik hAP ac² as my router and also a VLAN-aware switch of sorts. On the MikroTik I have set up 4 VLANs (Homelab, Parents (unsafe), Personal (more safe), IoT (nothing here yet but maybe in the future)). I also have a simple firewall set up on the MikroTik that only allows connection to the internet, and I have opened port 53 for the other VLANs into the Homelab VLAN for DNS.
Homelab setup
In the homelab VLAN I have a Raspberry Pi 4 with Pi-hole and nginx proxy manager on it. I use Pi-hole for DNS blocking but also for local DNS. I also have a PC running Proxmox here. On the Proxmox I have a Docker host VM where I currently run only Immich and Paperless, but I plan to also run the *Arr stack here with Jellyfin. I also have one VM for Authentik where I have configured OAuth login for Immich and Paperless (I plan to have SSO for all my applications). I also set up a reverse proxy for all of these services so I can reach them with domain names and with an SSL certificate.
My plan with OpenZiti
I want to use OpenZiti for accessing services from the other VLANs with various policies and control over them. It would all be hosted locally as I don't need remote access for now, and I also don't trust myself with safely hosting something like this on a publicly accessible server. I have the option to use my school's cloud for it, so it is an option if it can't be done only locally. I also want to use Authentik as the external IdP. My question is if something like this is even possible and, if yes, where should I start and where can I find guides / where in the documentation is it. My first plan was to deploy the OpenZiti controller in the same VM as Authentik (so they always start together), but I don't know what the purpose of tunnelers, routers etc. is. For example, should I add a Ziti tunnel to every Docker stack on the Docker VM as a sidecar, or is it enough to host it on the VM itself?
I know that most of these questions can probably be answered with the documentation, but I am a dumb student and I am getting completely lost in it. I understand the basic terminology but I have no idea where to start with actually deploying it and using it. Hope I mentioned everything needed, and thanks for the answers in advance.
Hi @barta50, welcome to the community and to OpenZiti! Yes this is totally possible and SHOULD HOPEFULLY be pretty easy overall... 
First, start off by installing an OpenZiti overlay on some FQDN that all four of your VLANs will be able to access (thus emulating publishing the controller/router on the open internet).
Once you've done that - work WITHOUT Authentik. Get things working, understand how to make an identity, how to enroll it, how to authorize it to dial or host a service using a tunneler, and set up a simple example, say, ssh'ing from one client in vlan1 to some server in vlan2.
After you have that understood, layer on configuring and using external authentication using an "external jwt signer". Authentik | NetFoundry Documentation
Once you have done all that, you should be well underway. That help? There are a LOT of videos on our YouTube channel along with a lot of relevant blog posts on the blog (and MANY similar questions here on Discourse) that would help as well.
Thank you for your answer. I guess that is how I have to learn, the best way: trying and breaking stuff. Just one question: can I set things up in a way that will let me keep the functionality of nginx proxy manager (SSL certificates for all the web UIs I have)?
I would strongly urge you to keep it as simple as possible out of the gate. Don't use nginx at all if you can, is my recommendation. "Why", you ask... To answer your actual question: managing certs, which you bring up, will likely end up causing consternation until you understand what OpenZiti is doing and why... CAN you do that - yes, but you must not terminate TLS. So if you want to use nginx as a simple proxy, that can work, but you're introducing areas that can cause problems if you don't set it up properly, and it adds confusion and configuration challenges. It will work, but again, you'll need to understand OpenZiti enough to configure it properly without breaking the mutual-TLS setup that OpenZiti provides. The same goes for running your own PKI: yes, you CAN do it, but it adds complexity. etc etc etc.
You can set up an OpenZiti overlay with a single "throwaway" command if you want, which would be a great starting point imo:
Download the ziti CLI and run:
ziti edge quickstart --ctrl-address my.local.fqdn --router-address my.local.fqdn
(of course replace my.local.fqdn with whatever you want)
This will get you a fully functional OpenZiti overlay network that is 100% throwaway. Stop the ziti CLI and the overlay vanishes.... After that you can run:
ziti edge quickstart --ctrl-address my.local.fqdn --router-address my.local.fqdn --home /some/persistent/location
Same command, but now you can stop/start the overlay and it's persistent.
Those two commands will get you up and running very quickly. After that I'd look at using a quickstart deployment or the more durable deployment example that is intended to be long-lived.
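The following script is an added example, not code from the thread or from the OpenZiti project. It takes the persistent quickstart command above and wires up the "ssh from a client in vlan1 to a server in vlan2" exercise suggested earlier: two identities, a service with its host and intercept configs, and Bind/Dial policies. Assumed values: the FQDN homelab.lan, the quickstart's default admin/admin login on port 1280, the vlan2 SSH host at 10.0.2.10, and the intercept hostname ssh.vlan2.ziti.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the OpenZiti project). Builds the
# vlan1 -> vlan2 ssh exercise on top of the persistent quickstart.
# Assumed: FQDN homelab.lan, quickstart default login admin/admin on :1280,
# SSH server 10.0.2.10 in vlan2, intercept name ssh.vlan2.ziti.
set -eu

ZITI_FQDN="${ZITI_FQDN:-homelab.lan}"
ZITI_HOME="${ZITI_HOME:-$HOME/.ziti/quickstart}"
SSH_SERVER_IP="${SSH_SERVER_IP:-10.0.2.10}"   # assumed vlan2 address

# Builders for the two config types a tunneled TCP service needs.
host_config()      { printf '{"protocol":"tcp","address":"%s","port":%s}' "$1" "$2"; }
intercept_config() { printf '{"protocols":["tcp"],"addresses":["%s"],"portRanges":[{"low":%s,"high":%s}]}' "$1" "$2" "$2"; }

setup_ssh_service() {
  # 1. persistent overlay in the background (same command as the reply above)
  ziti edge quickstart --ctrl-address "$ZITI_FQDN" --router-address "$ZITI_FQDN" \
       --home "$ZITI_HOME" &
  sleep 15   # crude wait for the controller to come up
  ziti edge login "$ZITI_FQDN:1280" -u admin -p admin -y

  # 2. one identity per tunneler, tagged by role attribute
  ziti edge create identity ssh-client -a ssh-clients -o ssh-client.jwt
  ziti edge create identity ssh-host   -a ssh-hosts   -o ssh-host.jwt

  # 3. service = host config (where the vlan2 tunneler forwards) + intercept config
  ziti edge create config ssh-host.v1 host.v1 "$(host_config "$SSH_SERVER_IP" 22)"
  ziti edge create config ssh-int.v1 intercept.v1 "$(intercept_config ssh.vlan2.ziti 22)"
  ziti edge create service ssh-vlan2 --configs ssh-host.v1,ssh-int.v1 -a ssh-services

  # 4. policies: who may Bind (host) and who may Dial the service
  ziti edge create service-policy ssh-bind Bind --identity-roles '#ssh-hosts'   --service-roles '#ssh-services'
  ziti edge create service-policy ssh-dial Dial --identity-roles '#ssh-clients' --service-roles '#ssh-services'
  # router policies; ignore the error if the quickstart already created equivalents
  ziti edge create edge-router-policy all-ers --edge-router-roles '#all' --identity-roles '#all' || true
  ziti edge create service-edge-router-policy all-serps --edge-router-roles '#all' --service-roles '#all' || true

  # 5. enroll the JWTs into identity files; copy each to its VLAN host and run
  #    `ziti tunnel` there (vlan1 client dials ssh.vlan2.ziti, vlan2 host binds)
  ziti edge enroll --jwt ssh-host.jwt   --out ssh-host.json
  ziti edge enroll --jwt ssh-client.jwt --out ssh-client.json
}

# Only touch the overlay when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then setup_ssh_service; fi
```

Run it as `bash setup-ssh.sh apply` on the machine that hosts the overlay; the identity JSON files it produces are the only things the tunnelers in vlan1 and vlan2 need.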