"OpenZiti with OpenVPN" or "OpenZiti instead of OpenVPN"

Hello All,

I am a little bit confused about the OpenVPN versus OpenZiti approach.

Our as-is system looks like the attached diagram. We have lots of clients and devices; all of them connect to OpenVPN, and we have a server where we can enable some users to access some devices using the `ip route add` command, and so on. Now we want to add a zero trust approach to our system. How can we convert our system to OpenZiti? I mean, should we replace OpenVPN with OpenZiti? Or can we use OpenZiti with OpenVPN? I am confused, please enlighten me :slight_smile:
As far as I understand, zero trust means don't expose any port to the outside, so I think that we have to replace OpenVPN with OpenZiti. Am I right?

As a result, I am trying to understand: if we use OpenVPN and OpenZiti together, how does it work? Is it a good approach?

Hey Muhammed, while it could be possible to use them together, I would 100% not recommend it unless you have a specific need. As it sounds like you do not, OpenZiti would be completely replacing OpenVPN.

Your use case sounds like a very standard one for OpenZiti, and yes, it will allow you to close all inbound ports at source/destination. I likened this to making your apps 'invisible' when I wrote a blog comparing ZTN using Harry Potter analogies - Demystifying Zero Trust Networking

1 Like

Hi @muhammed, welcome to the community and to OpenZiti (and BrowZer and zrok)!

Step one is simply replacing exactly what you have with OpenZiti. OpenZiti will cover that exact use case perfectly. You replace the OpenVPN clients with Ziti Mobile/Desktop Edge, you set up an overlay network granting "everyone" access to "everything" (the way a VPN works), and nobody would really know any difference.

Yes you should. :slight_smile:

I don't see any benefit of OpenVPN + OpenZiti. Use one or the other.

Remember before, when I said "give everyone access to everything"? Well a critical difference with OpenZiti is you can start microsegmenting this type of access. The "developers" have access to the "developer things". The HR people have access to the HR things. The Sales people have access to the Sales things -- etc. You can do that with OpenZiti whereas you cannot do that with OpenVPN (well, I don't think it's easy anyway, given my limited understanding of OpenVPN).

Not exposing ports is something OpenVPN does (or can do) for you right now. OpenZiti is about controlling who can access what without having complex firewall rules based on IP addresses. So from a network segmentation point of view, OpenZiti can somewhat be thought of as replacing both the VPN and certain firewall activity. It's also providing you end to end encryption, SDKs for developers to use, a whole mesh network with redundancy and fastest-path delivery of packets, and "a lot more".

Hopefully that makes sense. Philip's blog post is a good one. There are lots of threads here on discourse to find and read that might help you too.

1 Like

Thank you for the answers. I watched your videos and read the articles. On the other hand, one more question: "Users can access the app over the ingress controller". It seems that we need to omit the ingress controller as well, am I right? Users can access the application over Ziti Desktop Edge with http://localhost:zzz/application, or should we keep the ingress controller within OpenZiti?

One last thing I really did not understand: how does it access the edge router without exposing ports? :slight_smile: Could you share some article with me that explains this?

This really ends up being a "nuance" type of question. There's no clear, obvious answer. In some ways, the "ingress controller" moves. You might consider the OpenZiti router an 'ingress controller' because without OpenZiti routers, there's no overlay network, and thus no traffic can flow. You also might use a "ZTNA" approach where that "ingress controller" ends up being a private router on the 'trusted' network that all your traffic exits from... A better approach than that is the ZTHA approach where all your servers have the OpenZiti tunneler on them and in that situation, there's no "ingress controller" but there's still those OpenZiti routers .... So it kind of depends on what you mean and how you go about it...

The good news is that OpenZiti supports all these models nicely, so regardless of how you decide, I'm certain OpenZiti would be great for your needs.

EDIT: I saw you are using kubernetes... If you deploy OpenZiti in kubernetes you'll still need ingress for the OpenZiti overlay

1 Like

Curious question too, which ingress controller are you using??

1 Like

Thank you for the detailed answer. I want to clarify my question:

So, as you know, this is a standard architecture:

We have a k3s cluster. Users and devices can register with our system via the UI. The frontend service is accessible via nginx-ingress-controller. Then the authentication service assigns an access_token after authentication. Assume that there are many users and devices. Then we create a cert for each device and user, and they can access OpenVPN via this certificate. Then one important thing is that we have firewall rules to limit users to accessing specific devices: some users can access specific subnets and devices.

So, questions:
1.) Can we replace all these firewall rules with the "identity and service approach"? Meaning, create identities and services for each individual access policy, so we don't need firewall rules anymore?
2.) Assume that OpenVPN should be scalable because many users should access the pod; that's why Kubernetes can be a good solution. Another solution is OpenVPN Access Server for scalability. But do we need scalability for OpenZiti? I mean, when we create a service for device A, how many users can access service A?

EDIT: I saw you are using kubernetes... If you deploy OpenZiti in kubernetes you'll still need ingress for the OpenZiti overlay

3.) I did not understand. We are talking about zero trust, so why do we expose the service to the public internet? I think we should not need ingress, because OpenZiti should act as the ingress, as you described in the first explanation. Why do we need ingress for Kubernetes? Users can access it like http://localhost:8080/frontend, like kubectl port-forward svc/xxx 8080:8080, because it exists in the same network, right?

Thank you for your support and patience :slight_smile:

Yes, exactly. OpenZiti replaces that firewall functionality.

You will always require at least one OpenZiti controller and at least one OpenZiti router exposed to the internet. How you go about doing that: LoadBalancer, NodePort, IngressController, that's up to you. The controller and routers are what make up the "virtual network" part of the OpenZiti overlay network and those MUST be exposed to the internet if you expect ubiquitous connectivity.

The controller and the router do not need to be deployed into the k8s cluster nor into the same k8s cluster. You could provision them on their own in AWS/Oracle/DigitalOcean/another k8s cluster somewhere... wherever you want but they must be addressable.

So if you choose to deploy the OpenZiti overlay in the same k8s cluster - by definition they will need some form of ingress. If you don't deploy them in the same k8s cluster, then you could remove all the ingress from that k8s cluster entirely by installing OpenZiti components (not the overlay itself) in that cluster.

Does that make sense? I hope that's more clear.

1 Like
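The "identity and service approach" asked about in question 1 and the "developers get developer things, HR gets HR things" segmentation described earlier both come down to OpenZiti's attribute-based service policies. The following is an added example (not OpenZiti's own code) that models how those policies are evaluated: identities and services carry role attributes, and a policy grants Dial on the services whose roles match. The `#attr`, `@name` and `#all` selector forms and the `AnyOf`/`AllOf` semantics mirror OpenZiti's documented policy model; the identities, services and policy names are constructed for the illustration, and the model checks only Dial policies (a hosting side also needs a Bind policy in a real network).

```python
"""Toy evaluator for OpenZiti-style service policies (added example, not OpenZiti code).

It contrasts a flat "VPN-like" policy (#all -> #all) with microsegmented policies,
which is the firewall-rule replacement discussed in the thread.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Identity:
    name: str
    attrs: FrozenSet[str] = frozenset()   # role attributes, e.g. {"developers"}


@dataclass(frozen=True)
class Service:
    name: str
    attrs: FrozenSet[str] = frozenset()   # role attributes, e.g. {"dev-things"}


@dataclass(frozen=True)
class ServicePolicy:
    name: str
    policy_type: str                       # "Dial" (may connect) or "Bind" (may host)
    identity_roles: FrozenSet[str]         # selectors: "#attr", "@name", "#all"
    service_roles: FrozenSet[str]
    semantic: str = "AnyOf"                # "AnyOf" or "AllOf"


def _role_matches(role: str, name: str, attrs: FrozenSet[str]) -> bool:
    """One selector against one entity: '#all' matches everything,
    '#attr' matches an attribute, '@name' matches a specific entity."""
    if role == "#all":
        return True
    if role.startswith("#"):
        return role[1:] in attrs
    if role.startswith("@"):
        return role[1:] == name
    raise ValueError(f"unknown role selector {role!r}")


def _selects(roles: FrozenSet[str], name: str, attrs: FrozenSet[str], semantic: str) -> bool:
    """AnyOf: at least one selector matches; AllOf: every selector matches."""
    if not roles:
        return False
    hits = [_role_matches(r, name, attrs) for r in roles]
    return all(hits) if semantic == "AllOf" else any(hits)


def can_dial(identity: Identity, service: Service, policies: List[ServicePolicy]) -> bool:
    """True if any Dial policy selects both the identity and the service."""
    return any(
        p.policy_type == "Dial"
        and _selects(p.identity_roles, identity.name, identity.attrs, p.semantic)
        and _selects(p.service_roles, service.name, service.attrs, p.semantic)
        for p in policies
    )


def access_matrix(identities: List[Identity], services: List[Service],
                  policies: List[ServicePolicy]) -> Dict[str, Set[str]]:
    """Which services each identity may dial: the replacement for per-IP firewall rules."""
    return {i.name: {s.name for s in services if can_dial(i, s, policies)} for i in identities}


# Constructed sample data (hypothetical names).
IDENTITIES = [
    Identity("alice", frozenset({"developers"})),
    Identity("bob", frozenset({"hr"})),
    Identity("carol", frozenset({"developers", "oncall"})),
]
SERVICES = [
    Service("dev-db", frozenset({"dev-things"})),
    Service("hr-payroll", frozenset({"hr-things"})),
    Service("prod-db", frozenset({"prod-things"})),
]

# Step one from the thread: everyone reaches everything, like a flat VPN.
FLAT_POLICIES = [ServicePolicy("vpn-like", "Dial", frozenset({"#all"}), frozenset({"#all"}))]

# Microsegmented: each group only dials its own services; prod needs BOTH attributes.
SEGMENTED_POLICIES = [
    ServicePolicy("devs", "Dial", frozenset({"#developers"}), frozenset({"#dev-things"})),
    ServicePolicy("hr", "Dial", frozenset({"#hr"}), frozenset({"#hr-things"})),
    ServicePolicy("prod-oncall", "Dial", frozenset({"#developers", "#oncall"}),
                  frozenset({"#prod-things"}), semantic="AllOf"),
]

if __name__ == "__main__":
    print("flat:     ", access_matrix(IDENTITIES, SERVICES, FLAT_POLICIES))
    print("segmented:", access_matrix(IDENTITIES, SERVICES, SEGMENTED_POLICIES))
```

Adding a new device or user is then a matter of giving the new identity or service the right attribute; no per-IP rule has to be written, and a policy with `AllOf` semantics expresses "must be a developer and on call" without a second layer of firewall logic.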

A couple of quick things I will add on to what TheLumberjack said:

1 Like

I got your point now, it makes sense to me.

I have another discussion topic :slight_smile: As far as I see, if the system requires more users and devices, Kubernetes is a good option for scalability and redundancy. So if you need a highly available system, Kubernetes is a good option for the OpenZiti architecture also, am I right? What's your advice for OpenZiti in Kubernetes?

Kubernetes is a fine choice, sure. Any platform that allows you to add and remove edge routers easily and works for you is a good option.

1 Like

On the other hand, we have one requirement. Assume that some of the legacy devices connect to OpenVPN and newer devices connect to OpenZiti; can we connect both of them? Is it possible? Because we have OpenVPN-compatible devices, and we need to create new devices that are OpenZiti-compatible, we want to connect OpenVPN devices and OpenZiti devices. I think it is impossible.

I'm not exactly sure what you mean here. It doesn't seem like it's necessary to use OpenZiti in conjunction with OpenVPN. If you could give me an example deployment scenario where you feel like you might want/need both, that would help me give you a better answer.

From my perspective, I would think you would just replace OpenVPN with OpenZiti so I'm just not understanding the situation....

That said, OpenZiti's tunnelers are configurable and I believe (I have not tested) they could be configured in a way that would not interfere substantially with OpenVPN, but it'll be more complex for sure.

1 Like


Assume that device1 (legacy) has OpenVPN connection capability; there is no choice for OpenZiti. But device2 has OpenZiti capability. We want to be backward compatible: user1 has OpenVPN, user2 has OpenZiti. Is it possible to send a packet from OpenZiti user2 to device1? Same network? On the other hand, how can we manage firewall rules? I mean, assume that we can manage traffic between users and devices with firewall rules at the kernel level, but OpenZiti manages routing in edge routers. How do we combine each of them? Another issue: could there be an IP conflict between OpenVPN and OpenZiti?

For anyone from the future, conversation continued in a new topic here Connection between ziti and openvpn

:slight_smile: