Hey all,
I'm beginning my openziti journey, slowly. I'm fairly well versed in IT, having worked as an SMB IT consultant for decades. However, in the SMB space I'm dealing largely in the Windows world, so my Linux/Docker skills are "adequate" but not great. The following is my environment and what I'm trying to achieve with OpenZiti. I figured it would be worth bringing up at the beginning in case I'm going down a bad path.
My current environment isn't too crazy, however I'd like to expand on things securely.
On my home network I have a mix of devices, primarily Windows computers, mobile devices (both Android and iOS), and some home automation gear. I utilize a Synology NAS for local file storage as well as a backup target for key computers, phone photo backups and so forth. I have a second Synology NAS at my parents' house that acts as an offsite backup for my NAS. My parents use that NAS for similar purposes and it backs up to my NAS as its offsite backup.
Locally I also run our password manager for the family. It is run using vaultwarden in a docker container. It is accessible externally via a reverse proxy. I got tired of every online PW manager server getting some sort of hack so I wanted it locally.
For some security, such as the 2 Synology backups, I utilize a free account with Tailscale. I picked it because it was free and had a native Synology app, so it was quick and easy to set up. However, I've decided to give openziti a try for a number of reasons.
- fully self hostable
- external IdP support. I currently use Duo for securing a number of services, including the password manager.
- Better granular control.
- service oriented. While I'm not a developer, so I won't be writing code integrating OpenZiti, it seems that I can utilize more granular access, such as having tunnelers directly on Docker for those containers, etc. I found with Tailscale I would just have to set up LAN routing for all of the devices/services that cannot load the client directly.
So my initial plan to set things up is as follows.
- I've set up a controller on a cloud instance on an Oracle VPS. It is running and tested; however, this is as far as I've gotten so far.
- Set up a router at my house running as a Docker instance.
- Configure all of my family's devices with the appropriate tunneler app.
- Set up the Docker tunneler so I can access those services, such as vaultwarden, and get rid of the reverse proxy.
I'm sure I am missing a lot of other stuff, but hopefully that is a feasible solution to get started with.
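As an added illustration of the last step of the plan above (hosting vaultwarden through a Docker tunneler instead of a public reverse proxy), here is the service definition a Ziti admin would create on the controller. This is example code, not from the original post or the OpenZiti project; it assumes the `ziti` CLI is already logged in to the controller, that the hosting tunneler's identity carries the role attribute `vaultwarden-hosts`, that family devices carry the role attribute `family`, and that the container is reachable as `vaultwarden` on port 80 from the tunneler's Docker network. The service name, intercept hostname and role attributes are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): defines a Ziti service for a
# vaultwarden container that is reachable only over the fabric, with Bind
# rights limited to the hosting tunneler and Dial rights to family devices.
# Assumptions: `ziti edge login` has been run; identities/attributes named below exist.
set -eu

ZITI="${ZITI:-ziti}"                                  # CLI to invoke (override for dry runs)
SERVICE="${SERVICE:-vaultwarden}"                     # hypothetical service name
INTERCEPT_HOST="${INTERCEPT_HOST:-vault.home.ziti}"   # private name clients resolve; not a public DNS name
CONTAINER_ADDR="${CONTAINER_ADDR:-vaultwarden}"       # container name on the tunneler's docker network
CONTAINER_PORT="${CONTAINER_PORT:-80}"                # port the container listens on

# host.v1 config: where the hosting tunneler connects, on the local docker network only.
host_config() {
  printf '{"protocol":"tcp","address":"%s","port":%s}' "$CONTAINER_ADDR" "$CONTAINER_PORT"
}

# intercept.v1 config: the private name/port family devices dial through their tunneler.
intercept_config() {
  printf '{"protocols":["tcp"],"addresses":["%s"],"portRanges":[{"low":%s,"high":%s}]}' \
    "$INTERCEPT_HOST" "$CONTAINER_PORT" "$CONTAINER_PORT"
}

# Creates the two configs, the service, and the two policies.
# Bind (hosting) and Dial (client) are granted separately, so no family device can
# host the service and the hosting tunneler cannot dial it.
create_service() {
  "$ZITI" edge create config "${SERVICE}-host" host.v1 "$(host_config)"
  "$ZITI" edge create config "${SERVICE}-intercept" intercept.v1 "$(intercept_config)"
  "$ZITI" edge create service "$SERVICE" --configs "${SERVICE}-host,${SERVICE}-intercept"
  "$ZITI" edge create service-policy "${SERVICE}-bind" Bind \
    --service-roles "@${SERVICE}" --identity-roles '#vaultwarden-hosts'
  "$ZITI" edge create service-policy "${SERVICE}-dial" Dial \
    --service-roles "@${SERVICE}" --identity-roles '#family'
}

# Usage: sh ziti-vaultwarden.sh apply
case "${1-}" in
  apply) create_service ;;
esac
```

Once the policies exist, the hosting tunneler (the Docker tunneler in the plan) binds the service and forwards to the container over the local Docker network, so the container needs no published port and the public reverse proxy can be removed; family devices reach it by the intercept name through their own tunneler.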