OpenZiti SSH Troubleshooting Report (ssh-to-vps)

Hi all,

I’ve been stuck on this for a while and I really need help figuring out where the issue is.

My setup:

  • VPS: Ubuntu 22.04, running OpenZiti v1.6.7 (controller + edge router).

  • MacBook: Ziti Desktop Edge (identity enrolled, connected).

  • Service: ssh-to-vps

    • host.v1 → 127.0.0.1:22

    • intercept.v1 → ["ssh.ziti", "100.64.0.2"] on port 22

What works:

  • I can SSH into the VPS through Ziti if I target the intercept IP directly:
    ssh -i ~/.ssh/id_ed25519_ziti root@100.64.0.2
  • That connects fine (through overlay).

  • Controller shows ssh-to-vps active, edge router online.

  • VPS side confirms port 22 is open (localhost), hosting looks correct.

What fails:

  • ssh root@ssh.ziti just hangs.

  • dig ssh.ziti → NXDOMAIN.

  • dig @100.64.0.2 ssh.ziti → timeout.

  • nslookup ssh.ziti 100.64.0.2 → timeout.

  • macOS scutil --dns shows a resolver block for ssh.ziti with nameserver 100.64.0.2, but it’s flagged “Not Reachable.”

Things I already tried:

  • Restarted Ziti Desktop Edge.

  • Toggled Intercept DNS by Matching Domains off → on.

  • Flushed macOS DNS (dscacheutil + mDNSResponder).

  • Re-added 100.64.0.2 to the intercept config so at least the raw IP works.

Where I think the issue is:

  • macOS DNS resolver for ssh.ziti seems to be binding to the wrong utun interface (I also run another VPN).

  • Because of this, ssh.ziti never resolves, so no “Dial” session is created.

  • Ziti overlay itself is fine (since 100.64.0.2 works), but DNS intercept is broken.

What I need help with:

  1. How to make Ziti Desktop Edge on macOS bind DNS intercept to the correct utun interface?

  2. Should I keep only ssh.ziti in the intercept addresses (and drop 100.64.0.2)?

  3. Is there a way to check Ziti Desktop Edge DNS logs on macOS?

  4. Any workaround so that ssh root@ssh.ziti resolves and works properly (instead of using raw IP)?

My goal:

I want to log in cleanly with: ssh root@ssh.ziti

using my SSH key, and then shut down public port 22 on the VPS completely.

I feel like I’m very close, but the DNS intercept on macOS is the blocker. Any ideas or guidance would really help.

Thanks in advance and appreciate your support.
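A small parser for the scutil --dns output described in the post, added here as an example (not code from the thread or from OpenZiti): it splits the output into resolver blocks, reports those scoped to a given hostname that macOS marks "Not Reachable", and checks whether a resolver's nameserver sits inside a tunnel range that another VPN might also be using. The scutil transcript is constructed; nothing is queried live.

```python
import ipaddress
import re
from dataclasses import dataclass, field
# Constructed, abridged `scutil --dns` transcript mirroring the post's symptom (ssh.ziti resolver at 100.64.0.2, Not Reachable).
SAMPLE_SCUTIL = """\
resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 14 (en0)
  reach    : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2
  domain   : ssh.ziti
  nameserver[0] : 100.64.0.2
  if_index : 20 (utun5)
  reach    : 0x00000000 (Not Reachable)
"""

@dataclass
class Resolver:
    domains: list = field(default_factory=list)
    nameservers: list = field(default_factory=list)
    interface: str = ""
    reachable: bool = True

def parse_scutil_dns(text):
    """One Resolver per 'resolver #N' block; header lines before the first block are discarded."""
    resolvers, cur = [], Resolver()  # the initial placeholder absorbs any header lines
    for line in text.splitlines():
        if re.match(r"resolver #\d+", line):
            cur = Resolver()
            resolvers.append(cur)
        elif m := re.match(r"\s*domain\s*:\s*(\S+)", line):  # 'search domain[0]' lines do not match
            cur.domains.append(m.group(1))
        elif m := re.match(r"\s*nameserver\[\d+\]\s*:\s*(\S+)", line):
            cur.nameservers.append(m.group(1))
        elif m := re.match(r"\s*if_index\s*:\s*\d+\s*\((\w+)\)", line):
            cur.interface = m.group(1)
        elif re.match(r"\s*reach\s*:", line):
            cur.reachable = "Not Reachable" not in line
    return resolvers

def unreachable_resolvers_for(text, hostname):
    """Resolvers scoped to `hostname` (exact or parent domain) that macOS flags Not Reachable."""
    return [r for r in parse_scutil_dns(text) if not r.reachable
            and any(hostname == d or hostname.endswith("." + d) for d in r.domains)]

def nameserver_in_range(resolver, cidr):
    """True when a nameserver falls inside `cidr` (e.g. a tunnel range shared with another VPN)."""
    net = ipaddress.ip_network(cidr)
    return any(ipaddress.ip_address(ns) in net for ns in resolver.nameservers)
```

On a real machine, feed it `subprocess.run(["scutil", "--dns"], capture_output=True, text=True).stdout` instead of the sample.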

Hi @relias - Welcome to the community.

Does it work if the other VPN is disabled?

If a conflict is the problem, you can reconfigure Ziti to use a different address range. See "Mac client Turn ziti on failed - #4 by smilindave26" for instructions.

Ugh - I just re-read the linked post, and it shows the right screen, but for a different reason. You can change the IP range shown on that screen from 100.64.0.1 to something else and see if this avoids the conflict (assuming that’s the issue…)

Hi Dave,
Your advice about changing the DNS range and re-enrolling the identity actually did the trick. I was stuck on this for days, and your tip saved me a ton of frustration. Really appreciate your help!