Replacing Site-to-Site VPN with OpenZiti (ZAC) — Guidance Needed

Dear OpenZiti Team,

First of all, thank you for building such an amazing platform. We’ve been actively exploring OpenZiti and have successfully implemented various scenarios — everything is working great so far.

Currently, we are working on a setup where we aim to replace traditional site-to-site VPN (like IPsec) with OpenZiti.

Objective:
As per the above network diagram, we want Factory Office users and Site Office users to securely access internal resources like CRM and File Server, without making any changes to, or installing a tunneler on, the end-user machines.

Questions:

  1. Is this kind of VPN-like site-to-site connectivity achievable with OpenZiti?
  2. If yes, could you please guide us on how to achieve this using ZAC?
    We’ve attempted several configurations but haven’t had success so far.

Any guidance, best practices, or example configurations would be highly appreciated.

Overall it should be possible to do what you have planned. For example, "Use a Tunneler as a Local Gateway | OpenZiti" shows one way to do it.

Nevertheless, one of the tenets of Zero Trust is: "All communication is secured regardless of network location. [NIST SP 800-207, p. 6]"

Every existing network should be viewed as compromised. If you look at your company network you still have the "security is based on perimeters" point of view. And Zero Trust allows you to shift the point of view away from perimeters to identity-centered security.

If you deploy tunnelers (and identities) to all devices, you will be able to limit resource access to specific devices.

If you still want to have some perimeter "security" you can limit the services on the OpenZiti routers.

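The local-gateway pattern and the two policy variants the reply contrasts (one shared gateway identity versus per-device identities), as an added example that is not part of the thread or the OpenZiti documentation. It uses the `ziti edge create config|service|service-policy` CLI forms; the hostnames, addresses, ports and role attributes (`#dc-host`, `#factory-gateway`, `#factory-laptops`) are assumptions, and the identities carrying those attributes are assumed to be enrolled already. Nothing runs against a controller unless the script is invoked with `apply`; `ZITI=echo sh gateway.sh apply` prints the commands instead.

```shell
#!/bin/sh
# Added example (not from the OpenZiti docs or the thread): builds the
# intercept.v1 / host.v1 configs and the Bind/Dial policies for one service
# reached through a tunneler. Names, addresses and role attributes are assumed.
set -eu

ZITI="${ZITI:-ziti}"   # set ZITI=echo for a dry run

# intercept.v1: what the dialing tunneler (the branch gateway, or a device
# running its own tunneler) captures. $1 = DNS name clients use, $2 = port.
intercept_config() {
  printf '{"protocols":["tcp"],"addresses":["%s"],"portRanges":[{"low":%s,"high":%s}]}' \
    "$1" "$2" "$2"
}

# host.v1: where the datacenter tunneler forwards the flow. $1 = real address, $2 = port.
host_config() {
  printf '{"protocol":"tcp","address":"%s","port":%s}' "$1" "$2"
}

# One service end to end.
# $1 service name, $2 DNS name clients use, $3 real address, $4 port,
# $5 identity role allowed to dial (the policy decision discussed in the reply).
create_service() {
  name=$1 dns=$2 real=$3 port=$4 dial_role=$5
  "$ZITI" edge create config "${name}-intercept" intercept.v1 "$(intercept_config "$dns" "$port")"
  "$ZITI" edge create config "${name}-host" host.v1 "$(host_config "$real" "$port")"
  "$ZITI" edge create service "$name" --configs "${name}-intercept,${name}-host" --role-attributes "$name"
  # Only the datacenter tunneler may host (bind) the service.
  "$ZITI" edge create service-policy "${name}-bind" Bind --service-roles "#${name}" --identity-roles '#dc-host'
  # Who may dial it is the only difference between the two deployment styles.
  "$ZITI" edge create service-policy "${name}-dial" Dial --service-roles "#${name}" --identity-roles "$dial_role"
}

if [ "${1:-}" = "apply" ]; then
  # Perimeter style: every machine behind the factory gateway shares the gateway's
  # identity, so the policy cannot tell one branch workstation from another.
  create_service crm crm.corp.internal 10.10.0.5 443 '#factory-gateway'
  # Identity-centred style: a tunneler on each device, and only devices enrolled
  # with the attribute may dial; the gateway is not needed for this service.
  create_service files files.corp.internal 10.10.0.6 445 '#factory-laptops'
fi
```

Edge-router policies (`edge-router-policy`, `service-edge-router-policy`) are assumed to already permit these identities and services; on a fresh controller they must be created too. The `ziti edge create config` and policy commands are idempotent only in the sense that re-running them fails on the duplicate name, so delete the objects first when iterating in ZAC.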