Question opening port

Hi All,

I want to implement with OpenZiti that when I browse to any IP on a specific port, and that destination allows my WAN IP, it just goes there.

Like the following: as destination I want 0.0.0.0/0 and a port, for example 9080 (https).
We have access based on whitelisting at our customers but don't want to add every single customer's services. But I can't get it working right now.

I did manage to do this successfully with a /24 subnet but not a /0.
Any ideas?

Hi @toms24x7 ,

You may want to look at this thread: OpenZiti Controller on Hetzner Cloud - #4 by dariuszSki > Perhaps there is already 0.0.0.0/0 on your system and the one that is configured by Ziti does not have a higher weight. You will need to split 0.0.0.0/0 into 2 longer prefixes as described in the thread.

Thanks,
Dariusz

Hi Dariusz,

Thanks for your comment, I actually managed to get this working before you commented.
However, I don't want to configure it as a full tunnel. For example, with Twinbird you still have a split tunnel, whereas right now I get a full tunnel: when I go to ipinfo.io I will see my WAN change.

Is this possible?

@dariuszSki

Let me explain what my goal is and our situation:
We are an IT service provider and are currently looking to switch from working in a remote environment to working locally on the computers. Our datacenter "remote environment" has a WAN IP that is whitelisted at all our customers so we can access their devices or servers. However, as we have many customers, we do not want to make a service etc. for every customer's services. The 0.0.0.0/1 and 128.0.0.0/1 does avoid this issue; however, we do not want the full VPN tunnel that these changes make, as it will change the WAN IP from the local internet connection to the datacenter WAN IP.

My current setup is a Debian 12 VM with the router + tunnel + ZAC installed on it. I do not want to install any other VMs if not necessary. This Debian VM has the datacenter WAN IP and can access all our customer services because of that.

I was hoping OpenZiti could do this, as Twingate does support this, so everything stays local except requests to ports that are set up to go via the tunnel.

I hope this explains it better.

By default, OpenZiti services are configured as a load-balanced egress, i.e. the egress identity is chosen by shortest distance, i.e. least cost. But we also have an addressable terminator service, where one service can be hosted on multiple identities and the client identity can select which identity the next session will access the service on. Let me find the thread where the details of how to configure it are discussed. Perhaps that can satisfy your requirements.

Here is a Ziti TV episode that talks about this type of service. https://www.youtube.com/watch?v=ppVUw_fbyS4&t=1067s

@dariuszSki as far as I understand the video, this is not what I am looking for.

I just want a single port to be accessed in 0.0.0.0/1 and 128.0.0.0/1, but not forward all my traffic to OpenZiti, only the traffic for that specific port.

Testing my understanding, you want a single port (9080 for example) to be forwarded but you want it to be for any/every IP? I'd think you could do that but I've never tested it myself.

Earlier, you said you got it working - when you did that did you add a range for the intercepts of 0-65535? Put another way, how'd you get it working before? If you used a range of all ports, I'd think you could just reduce the intercept to be just 9080, did you try that and that didn't work?

Hmmm. I was just chatting with someone else about this and we might not forward traffic... I'll try it on a smaller set of IPs and see how it goes and let you know. :slight_smile:

@TheLumberjack

I did indeed only select a single port, 9080 for example, and then as hostnames in the host.v1 and intercept.v1 0.0.0.0/1 and 128.0.0.0/1, so it is basically a 0.0.0.0/0.

But after I did this my external IP changed to the edge router's external IP, which I do not want if possible, as this makes it a full VPN tunnel. However, any other ports are getting blocked, so that is working as expected.

On a smaller set of IPs like a /24 the external IP of the connecting client does not change, but we have a lot of customers with differing subnets, which would be a pain to have to do manually.

Yeah... That's what I was worried would happen... I don't think we support that sort of setup at this time but I can understand the desire. I will mention this to the larger team. If we can support it, me/someone will follow up.

I am however very new to OpenZiti, as I started 48 hrs ago with it, but after a lot of reading and scrolling and trying I did not manage to get it working as I wanted.

We are currently looking for our full tunnel replacement, which has to be free + self-hosted and have zero trust capabilities.
Twinbird has our solution working as we would like it, but that one is not self-hosted and not free :(

I do hope you guys can get a creative solution working, as OpenZiti does look very promising.

And out of curiosity, you MUST use IP addresses? I ask because one of the cooler (imo) features of OpenZiti is you can use DNS names and be very, very specific. So you could have a 'wildcard' intercept, something like:

  • customer1.my.domain:9080
  • customer2.my.domain:9080
  • etc

and those would not use IPs, but would use DNS entries and seems like it might be able to accomplish the same goal, perhaps more flexibly? It might not be something you can do but there's a lot of things like this you'll find you're able to do with OpenZiti that might be "just as good"?

Well look, for certain hardware like firewalls at our customers, 80% is DNS based in how we access them via our password system with URL detection; some of them are IP based. However, we also service physical servers and hypervisors, which are 80% IP based in our password system for autofill and the other 20% DNS based.

And so with many other services we have for our customers.

The DNS wildcard on single ports I have working, as we have external DNS A records for several customers, which work when you fill in the host.v1 and intercept.v1 with . and *

I just need something for the IPs to get that working.

Basically, you need policy based routing, e.g. only https packets to a specific next-hop. OpenZiti Edge Tunnelers use a tun interface to intercept packets; the OpenZiti Router-Tunneler uses iptables pre-routing marking to steer traffic into tproxy sockets. You mentioned you have a VM with router + tunnel in your DC; is that where you do your interception?

FYI, we have a second option of intercepting packets for these two tunnelers that bypasses the host routing and its limitations altogether for the Linux based deployments, and it is a bit more flexible on routing decisions, but I need a bit more detail on the packet flow at the interception point.

Yeah, it comes down to policy based routing. As far as I know that VM is our interceptor. I have only that one installed, and Windows access clients to the tunnel.

It sounds like your Windows OpenZiti clients intercept the traffic, and the VM in your DC is hosting the service. The Windows clients run the OpenZiti edge tunnel under the covers. Since ZET uses the tun interface, it is the route based interception. We have developed the eBPF based interception for Linux clients that I think could be tweaked to help here, but not for Windows yet.

Thanks for the advice, we are currently looking to add all publicly known Dutch subnets to databases.
However, I am trying to make a host.v1 with multiple IPv4 subnets but can't find the right syntax; I have the right one for the interceptor.

I just want a single line command to put into the SSH session. This is what I have used for a single address/subnet (the config subcommand was missing from the line as originally posted):
ziti edge create config testx.host host.v1 '{"protocol":"tcp","address":"x.x.x.x/24","port":9080}'

@TheLumberjack @dariuszSki

ziti edge create config your.intercept.v1 intercept.v1 '{"protocols":["tcp"],"addresses":["address.one", "address.two"], "portRanges":[{"low":1234, "high":2345},{"low":5678, "high":9123}]}'
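As an added example (not from either poster), a small POSIX shell script that generates the intercept.v1 and host.v1 JSON for the "one port, every IPv4 address" case discussed above and prints the matching ziti CLI lines. It relies on the host.v1 forwardAddress/allowedAddresses keys rather than a single address (host.v1 has only one address field, so a list of subnets needs forwarding); the acme.* names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the two configs for
# "one port, any IPv4 address". Assumes the host.v1 keys
# forwardAddress/allowedAddresses; acme.* names are placeholders.

PORT=9080

# Join the remaining arguments into a JSON string array body.
json_list() {
  out=""
  for a in "$@"; do
    out="${out:+$out,}\"$a\""
  done
  printf '%s' "$out"
}

# intercept.v1 JSON: the two /1 prefixes cover 0.0.0.0/0 without
# colliding with the client host's own default route (see above).
intercept_v1_json() {
  port="$1"; shift
  printf '{"protocols":["tcp"],"addresses":[%s],"portRanges":[{"low":%s,"high":%s}]}' \
    "$(json_list "$@")" "$port" "$port"
}

# host.v1 JSON: one hosting identity, many allowed destination subnets.
# forwardAddress makes the hoster dial the address the client intercepted,
# limited to the allowedAddresses list.
host_v1_json() {
  port="$1"; shift
  printf '{"protocol":"tcp","forwardAddress":true,"allowedAddresses":[%s],"port":%s}' \
    "$(json_list "$@")" "$port"
}

# Print the CLI lines to paste into an SSH session (not executed here).
print_commands() {
  printf "ziti edge create config acme.intercept.v1 intercept.v1 '%s'\n" \
    "$(intercept_v1_json "$PORT" 0.0.0.0/1 128.0.0.0/1)"
  printf "ziti edge create config acme.host.v1 host.v1 '%s'\n" \
    "$(host_v1_json "$PORT" 0.0.0.0/1 128.0.0.0/1)"
}

print_commands
```

Replacing the two /1 arguments to host_v1_json with a list of customer subnets keeps the allow-list narrow while still using a single service.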