Public IP/FQDN problem

Hi everyone,

I am a new OpenZiti user and I have a question regarding network accessibility.

I successfully deployed an OpenZiti network on an Ubuntu server. During the installation process, I used the local IP address of my Ubuntu machine for the configuration. However, I’ve encountered a problem:

When I try to connect using the Ziti Edge Desktop client from a different network (a different IP block/subnet), the connection fails. It seems the client can only connect if it is on the same local network as the controller.

This leads me to a fundamental question: If the system requires the client to be in the same IP range to connect, how can I achieve the "secure access from anywhere" goal that OpenZiti promises?

I suspect my issue is related to the Advertisement Address used during setup. How can I reconfigure my environment so that clients from external networks can reach the Controller and Edge Router? Do I need to use a Public IP/FQDN, or is there a specific way to handle NAT/Firewall settings for this use case?

Any guidance or best practices for making the Ziti fabric accessible across different networks would be greatly appreciated.

Thanks in advance!

Hi @cyberpolat, yes, this is exactly the issue I was talking about on that other thread. To be totally honest, I don't think it's worth it to try to learn how to update the configuration, because that decision at the beginning, during the deployment phase, is deeply integrated into the security model that OpenZiti implements. You can't "just change the advertised addresses" because you'll have to update the whole PKI, and honestly, given where you're at, I don't think it's worth it at all for you. I would recommend you start over; it'll be easier imo. What you did was fine for local dev only, but not for a 'deployment'.

As for best practices, yes, you should always use an FQDN that is globally accessible for your overlay if you can. It's often best to have some kind of VPS out there in the world where you run your controller and at least one router. That's the absolute minimum needed for a fully functioning OpenZiti overlay: public controller + public router. It's also usually far more than 'enough' for small businesses/deployments. A 2 CPU VPS could probably happily service 20-50 devices (maybe more, but I've never pushed it, so I'm being conservative).

hth
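The reply's point is that the addresses you advertise get baked into the PKI, so a private LAN IP chosen at install time cannot simply be swapped later. The following is an added example, not code from this thread or from the OpenZiti project: a small pre-deployment check that classifies each address you intend to advertise (controller and router) before any certificates are generated, flagging loopback, link-local and RFC 1918 addresses that only same-LAN clients could reach. The hostnames, ports and the `FAKE_DNS` resolver mapping are constructed for the demo; in real use pass `socket.gethostbyname` as the resolver.

```python
"""Pre-deployment sanity check for OpenZiti advertise addresses (added example).

Classifies each host:port you plan to advertise so a private or loopback
address is caught before the PKI is generated around it. Hostnames, ports
and the FAKE_DNS mapping below are constructed for the demo.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class AddressReport:
    role: str          # informational label, e.g. "controller" or "router"
    advertised: str    # the host:port string as it would appear in the config
    host: str
    port: int
    resolved_ip: str
    kind: str          # "global", "private", "loopback", "link-local" or "other"
    ok: bool           # True only if clients outside the LAN could plausibly reach it
    advice: str


def split_host_port(address: str) -> Tuple[str, int]:
    """Split 'host:port' or '[ipv6]:port' into (host, port)."""
    if address.startswith("["):
        host, _, rest = address[1:].partition("]")
        if not rest.startswith(":"):
            raise ValueError(f"missing port in {address!r}")
        return host, int(rest[1:])
    host, sep, port = address.rpartition(":")
    if not sep or not host:
        raise ValueError(f"expected host:port, got {address!r}")
    return host, int(port)


def classify_ip(ip_text: str) -> str:
    """Map an IP literal to a reachability class using the stdlib ipaddress rules."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:        # RFC 1918, IPv6 ULA, and other non-public ranges
        return "private"
    if ip.is_global:
        return "global"
    return "other"


ADVICE = {
    "global": "publicly routable; still requires the firewall/NAT to forward this port",
    "private": "private address: only hosts on the same LAN can connect; advertise a "
               "public FQDN (or the NAT's public address) instead",
    "loopback": "loopback address: only this machine can connect",
    "link-local": "link-local address: not routable beyond one network segment",
    "other": "reserved or unroutable address; do not advertise it",
}


def check_advertise_address(role: str, address: str,
                            resolver: Callable[[str], str] = socket.gethostbyname) -> AddressReport:
    """Resolve and classify one advertise address."""
    host, port = split_host_port(address)
    try:
        ipaddress.ip_address(host)      # host is already an IP literal
        resolved = host
    except ValueError:
        resolved = resolver(host)       # hostname: look it up
    kind = classify_ip(resolved)
    ok = kind == "global"
    advice = ADVICE[kind]
    if ok and resolved == host:
        # A bare public IP works, but an FQDN survives an IP change without a PKI rebuild.
        advice += "; prefer a stable FQDN so the PKI outlives an IP change"
    return AddressReport(role, address, host, port, resolved, kind, ok, advice)


def audit(addresses: List[Tuple[str, str]],
          resolver: Callable[[str], str] = socket.gethostbyname) -> List[AddressReport]:
    return [check_advertise_address(role, addr, resolver) for role, addr in addresses]


# Constructed DNS answers for the offline demo. Note: the RFC 5737 documentation
# ranges are deliberately classified as non-global by ipaddress, so the demo maps
# the constructed hostname to a real public address to exercise the "global" path.
FAKE_DNS: Dict[str, str] = {"ziti.example.com": "1.1.1.1"}


if __name__ == "__main__":
    demo = [
        ("controller", "192.168.1.20:1280"),       # what the original poster did
        ("controller", "127.0.0.1:1280"),
        ("router", "[fe80::1]:3022"),
        ("router", "ziti.example.com:3022"),       # what the reply recommends
    ]
    for r in audit(demo, resolver=lambda h: FAKE_DNS[h]):
        status = "OK  " if r.ok else "FAIL"
        print(f"{status} {r.role:<10} {r.advertised:<24} -> {r.resolved_ip:<12} {r.kind}: {r.advice}")
```

Run it before generating the PKI; any `FAIL` line means remote clients such as the desktop tunneler on another network would never reach that endpoint, which is exactly the symptom described in the question.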