Hi, i was going through docs and youtube movies but I cannot create a clear picture for VPN like access, has anyone replaced a traditional VPN with OpenZiti and gained better usability along with improved security?
It should be able to tunnel entire IP ranges and protocols like SSH and RDP towards e.g. Jump Hosts, not just application‑level access (dial/bind).
Can the destination server see the real client IP so we can map it to a VPN user, or will it only see the Edge Router IP for authentication purposes?
What about Kerberos authentication if Ziti becomes the authoritative DNS server?
Example: a workstation accessing a print server.
Is there an “always‑on” mode similar to a VPN (with split-tunnel with streaming services for example), so we can enforce our proxy web‑filtering policies on company laptops? In that case, how would our proxy be aware of the Ziti client IP and username, especially if we want to perform SSL inspection?
how to deal if we have internal reverse proxy that holds N fqdn-s to different internal web sites?
Hi @Idriel, welcome to the community and to OpenZiti!
You have a LOT of questions packed in here !
Yes you can do this. When you create an intercept you can specify a CIDR block if you like. You'd do this using an "intercept" .
OpenZiti does not care about protocols - only ports/port ranges. Not 'protocol'.
OpenZiti isn't a VPN so, I'll say "no" to this but the real answer is --pretty complicated... You can fwd the intercepted IP but because of how OpenZiti tunnelers work and accepting traffic at the tun, the IP would be 100.64.0.1 for everyone as it is. You'd have to go out of your way to update that IP for all the users. It's "doable" but I wouldn't try to do that until you are well-versed with OpenZiti and know you need it. In OpenZiti you would control access to services using OpenZiti itself so you may find this might not end up being necessary.
OpenZiti has generally been user-in-controll-focused and not central-administration-focused. This means the user is generally allowed to 'turn it on and turn it off'... By default, the Windows tunneler is started on startup. It requires admin escalation to install/change that value but once started the UI will allow a user to "stop and start" the tunnel - purposefully. We've had "centralized control" types of questions in the past but it's never been something that we've ended up decidign to add to OpenZiti yet.
I would generally think it wouldn't be. zfw might provide that but I'm not entirely sure if it would work for what you want/need.
If you are using OpenZiti you must do this outside of OpenZiti (either before or after). OpenZiti fundamentally breaks if you want to do any sort of DPI. It's just not possible to do at any point along the OpenZiti overlay.
I don't qiute understand the question without a lot more detail (probably requires too much detail) but my guess would be that OpenZiti can handle that fine. The other option is to use a companion project to OpenZiti called zrok that is a distributed reverse proxy and sharing solution.
I could speak from my perspective on using OpenZiti in our work environment. We use it in AWS where we have a Ziti Controller as a hub and Ziti Edge Routers in each VPC CIDR (i.e. dev, stage, corp, production). It is a pain to setup all connections in OpenZiti which are the Hosts and Intercepts; however, if you use a script it's a breeze to setup. And of course, it's understandable since it's OpenZiti is a ZTNA.
The biggest drawbacks that I have experienced are the following:
Ziti Controllers HA is still a PITA to setup and understand. It was just released so this is still new for the community.
Backups are not that easy either.
MFA is broken currently with MacOS Ziti Tunneler with version 2.0.0.
Even with all these issues, I still enjoy OpenZiti as an open source project which replaced all our VPNs and allowed us to give granular access to our services per group.
Thank you for your feedback, @MacFee. It's much appreciated to hear where we could improve and it's always great to have the community participating in the forums. I'm sure we will keep making progress in those areas. Cheers!
Thank you for the answers. I think I have a clearer picture now.
I am currently setting up a Docker environment for testing.
Basically, if I want to use it as a VPN or to publish a service, the final destination server will see the Edge Router's IP address. For services, I will need some kind of automation to handle the asset/service destinations and traffic flows.