OpenZiti's IP addresses (range)

Hello, I have a (hopefully) quick and easy question that I couldn't find mentioned in the docs (or maybe I used the wrong search terms).

When using OpenZiti, what is the default range of IPs that devices can get? I was going to set up a Traefik reverse proxy and I wanted to limit access to services behind Traefik to users coming only from OpenZiti, for which I thought I could use an IP range limited to OpenZiti’s IPs only.

Thanks in advance!

Hi @jruiz94,

I feel like you might have a bit of confusion here. My first reaction is to understand what you’re trying to do better. Is Traefik going to be used on private IP space, or are you using it to expose ports to people who don’t have the OpenZiti tunneler installed? I’m interested in understanding what you’re using it for and how it comes into the equation.

As for “the default range of IPs”… If traffic leaves an OpenZiti overlay network via some application like one of our tunneling apps, the IP will be “whatever” IP that node has. The IPs assigned to OpenZiti services have absolutely no bearing on actual underlay traffic. Now, if Traefik is installed on a machine running and intercepting traffic, and you want to send traffic to a particular service FROM Traefik, the range is entirely up to you. You can manually set any IP on any service you like. This is why I don’t think I can give you a really good answer without understanding what it is you are trying to do a little bit more.

Would you be so kind as to make a crude diagram or explain the use case a bit more? I want to make sure I give you accurate information for your use case.

Thanks

Sure, I drafted this diagram to try to illustrate what I want to achieve (the white square is a publicly available machine)

Let’s assume for this example that I have this setup where I have one machine publicly on the internet on IP 1.2.3.4. Let’s also assume that I have a domain pointing to it, something like jruiz.com. I also have set up a wildcard subdomain *.jruiz.com pointing to it.

Let’s also assume that OpenZiti is all ready and set. Also, Traefik is set up as a reverse proxy for some other services. Ports 80 and 443 are open so Traefik can obtain and renew automatically wildcard certificates. This is done so I can use HTTPS instead of HTTP with some custom subdomains. For example, the SOMESERVICE that appears in the diagram is set to be accessible at someservice.jruiz.com, Traefik handles this.

The thing is that I want Traefik to block access to someservice.jruiz.com coming from the internet, and only allow traffic coming from OpenZiti.

AFAIK there’s a middleware that whitelists some IP ranges so you can set to only accept requests coming from certain IPs.

So my question is what should I put as an IP filter so some random user on the internet gets access denied to someservice.jruiz.com and some client using OpenZiti Desktop Edge gets full access to it.

I used to do this with Wireguard setting the IP range whitelist to something like 10.X.X.X/24, I was wondering how would this go with OpenZiti.

If I understand properly, you want Traefik to only accept traffic from the edge router (i.e. from OpenZiti); then I would think you’d want something like this?

If that is what you want, I would use 127.0.0.1 as the ziti offload/traefik onboard IP. I would set up Traefik to listen on 127.0.0.1 only (not 0.0.0.0 or some specific IP). That would mean it would ONLY be accessible from OpenZiti because you’d need to be on the local machine in order to connect to Traefik.

But if that is the case, why shuttle the traffic through Traefik at all? It must be providing something for you. I would probably just go right from the edge router to the service in that case?

I feel like I must be not understanding something though?
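The loopback-only design from the reply above, written out as Traefik configuration (this is an added example, not configuration posted in the thread or shipped by the OpenZiti or Traefik projects). It assumes Traefik v2.x with the file provider, the edge router or tunneler running on the same host as Traefik, and that the OpenZiti service for `someservice.jruiz.com` is hosted with a `host.v1` config of `{"protocol":"tcp","address":"127.0.0.1","port":443}`; the `cloudflare` DNS provider, the e-mail address and the backend port `8080` are placeholders. The `ipWhiteList` middleware from the original question is kept as a second layer, so that if the entrypoint is later changed to `0.0.0.0` the router still refuses non-loopback sources:

```yaml
# --- traefik.yml (static configuration) ---------------------------------
entryPoints:
  websecure:
    # Bind to loopback only: nothing on the underlay can reach this listener,
    # only the local ziti router/tunneler offloading to 127.0.0.1 can.
    address: "127.0.0.1:443"

certificatesResolvers:
  le:
    acme:
      email: "admin@jruiz.com"            # placeholder
      storage: "/etc/traefik/acme.json"
      # A wildcard certificate (*.jruiz.com) can only be issued via DNS-01,
      # so no public port 80/443 is needed on this host at all.
      dnsChallenge:
        provider: "cloudflare"            # ASSUMPTION: any lego-supported provider

providers:
  file:
    filename: "/etc/traefik/dynamic.yml"

---
# --- /etc/traefik/dynamic.yml (dynamic configuration) -------------------
http:
  routers:
    someservice:
      # The client's tunneler intercepts someservice.jruiz.com, so the SNI
      # and Host header Traefik sees are unchanged and this rule still matches.
      rule: "Host(`someservice.jruiz.com`)"
      entryPoints: ["websecure"]
      middlewares: ["ziti-only"]
      service: "someservice"
      tls:
        certResolver: "le"
        domains:
          - main: "jruiz.com"
            sans: ["*.jruiz.com"]

  middlewares:
    ziti-only:
      # Defence in depth: even if the bind address is widened later, only
      # connections arriving from loopback (i.e. via ziti) are accepted.
      # Traefik v3 renamed this middleware to ipAllowList.
      ipWhiteList:
        sourceRange: ["127.0.0.1/32"]

  services:
    someservice:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8080"  # placeholder backend port
```

Two things are worth checking after deploying this: `ss -ltn` on the host should show `127.0.0.1:443` and not `0.0.0.0:443` or `*:443`, and a request to `https://someservice.jruiz.com` from a machine without a ziti identity should fail to connect at the TCP level rather than receive a 403, which confirms the bind address (not only the middleware) is doing the work.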

Damn, you're right, I was too focused on what I did some years ago with Wireguard and the 10.x.x.x IP range that I didn't think of localhost (127.0.0.1), that makes sense yeah, probably that's all I need tbh.

Well, on my setup, the reason for using Traefik is to obtain SSL certificates so when clients ask for https://someservice.jruiz.com they won't get the security alert from a self-signed certificate, right? Is there a way to set up OpenZiti for this?

Ah! That makes perfect sense. And, no, that is not functionality that OpenZiti provides. Thank you for that explanation, it's interesting and useful to understand how/why people are doing what they are doing.

Again, if this were me, what I'd like to see is for the OpenZiti controller (and router) to implement the ACME v2 protocol so that it could satisfy the challenge responses from LetsEncrypt (or others). I actually filed an issue to track that here: Support ACME v2 · Issue #722 · openziti/ziti · GitHub

If everything is on the same local machine, and if OpenZiti was satisfying the ACME v2 challenge you'd be able to remove Traefik entirely (well, assuming this is "all" you're using it for). I would then utilize the cert obtained for OpenZiti on those other services as well. That way you wouldn't need a proxy (OpenZiti or Traefik in this case) terminating your TLS, it would go all the way into the application itself for a slightly more secure connection (as there's no PITM).

Not that you probably care, but you could do that with your controller if you want so that your ZAC and your OpenZiti controller API are presenting certificates from a known authority and not the self-signed ones. We have some docs on that https://docs.openziti.io/docs/guides/alt-server-certs/ and if you're interested in zrok (you have checked out zrok, right?) you could self-host your own zrok which MIGHT do for you exactly what Traefik is ... :slight_smile: So I think you should try that out!

Check out this discourse post for that video/commands/information Zrok Controller certificate error when using public CAs on openziti controller - #5 by TheLumberjack I think you might like it!

Cheers

Yeah, that’s all I’m using Traefik for right now. In fact, after some investigating, I might even replace it with Caddy because I’m seeing that it’s easier to configure. Right now my only interest with Traefik is to have some way to automatically provide SSL certificates to access my services with HTTPS.

Would it be nice to have this directly integrated with OpenZiti? Yes. Do I really need it right now or is it super important for my setup? Not really, I’ll just go with Caddy/Traefik or whatever for now, it’s ok :slight_smile: I will keep an eye on the GitHub issue you mentioned tho, thanks for bringing that up!

Didn’t know about zrok, looks pretty cool, but for now I’ll be sticking to raw OpenZiti until I have my setup fully complete haha.

Thanks for all the help!
Cheers
