Hello everyone,
I'm still pretty new to OpenZiti, but I have an idea of what my final setup should look like, although I'm not entirely sure from the documentation whether it will work as I envisioned. Finally, I still have a few questions, so sorry for the long thread.
I envision my final setup as follows:
- In the local network (at home) a private edge router runs under router.home.my.domain and listens on port 3022 (default port)
- Also in the local network, the controller runs under controller.home.my.domain and listens on port 1280 (default port)
- The ZAC admin interface is installed on the controller and can be accessed via zac.controller.home.my.domain (unfortunately I do not know the default port)
- Another router is operated as a public edge router on a VPS at router.my.domain.com and also listens on port 3022
- New clients (Android, Windows, Linux, ...) can only register in the local network, as the controller and the private router can only be reached from there
- As soon as the clients have received their configuration, they no longer need the connection to the controller and can also connect to the public edge router from the Internet
- The ZAC console is therefore only accessible from the local subnet via zac.controller.home.my.domain or via OpenZiti when the connection is active
Does the setup work like this, or are there any suggestions for improvement?
Now to my questions:
- Do the router and controller talk via ports 1280 and 3022 using TCP or HTTP?
- Via which port is the ZAC accessible by default?
- If the ports speak HTTP, is it possible to operate these ports and the Admin Console behind a reverse proxy so that valid certificates are issued?
- Is a graphical OpenZiti client also planned for Linux desktop systems (at best via Flatpak) as with Windows?
- I configure practically all my systems with Ansible and Terraform.
  - Is it possible to store config files in a path and have the controller “automatically” execute them, or remove configurations when files are deleted?
  - Alternatively, is a Terraform module planned for the configuration of the controller?
- Can I experiment with a private edge router at home first and add a public edge router later?
- Does the public edge router also have to be able to reach the private edge router via port 3022, or is it sufficient for the private edge router to reach the public edge router?
Thanks already for the help. I think the software is super powerful; I just haven't understood it yet.
\ZzenlD