I am running controller and router on a single host using GitHub - nenkoru/openziti_manual_pki: Bootstrap PKI for OpenZiti manually. I added different routers on different host. All routers got successfully connected to the controller. On one host, the router was able to connect to the edge-router but routers on other host were not able to connect to the edge-router. The other routers communicate to the edge-router via other routers. Suppose for a network we have test-edge-router as the edge-router, router_121 as first router & router_125 is the second router.
This is how the routers are linking. But I want the router_125 to be connected to the test-edge-router. What are the edits that need to be made to the config files? How many individual routers can be connected to the edge-routers?
Sounds like MAYBE you're looking for "link groups"? released with 0.30. Release v0.30.0 · openziti/ziti · GitHub. Have a look at that changelog and see if there's any other questions you have?
"the edge-router" doesn't help me understand because all three of these routers are edge-routers. Is "test-edge-router" public? like, do you want to make sure router_121 DIALS test-edge-router and you want router_125 to DIAL test-edge-router? THAT configuration is easy, because you'd just remove the link listeners from router_121 and router_125 (or remove the dialer from test-edge-router).
I can't quite answer you specifically here, there's just enough ambiguity that I can't get a good picture of what you're trying to do... One of those two answers should fit tho.
Yes, the test-edge-router is the public one. I want router_125 to dial test-edge-router. I tried removing the link listeners from router_121 & router_125 but still router_125 doesn't connect to test-edge-router.
The network i am getting is as follows:
In the network above, edge-router is on public IP whereas the router1 and router2 have private IPs.
What i am trying to create is having desktop edge-clients on some third-party network to take ssh access of systems available on the same network as the router.
Thanks for the diagrams. Very helpful. I'll assume "Router1" is "router_121" and "Router2" is "router_125"?
but still router_125 doesn't connect to test-edge-router
Are there any errors in the log? Also if router_125 connects to router_121, it's definitely got a link listener configured and you want to remove that imo.
What is the advertised address for "test_edge_router"? I am guessing that router_125 just can't access that ip/port? Maybe a cloud firewall is in the way?
The advertised address for test-edge-router is the same as the advertise address for controller on which we are able to access ZAC console.
Currently for the testing purpose, both router_121 & router_125 are in the same network.
It is giving tls handshake error when I try to connect the router_125 to the edge-router.
Generally speaking, this happens when the router enrollment is 'out of date' for the target controller, or there's some sort of TLS inspection going on, etc. Can you delete the router in the controller and recreate, then reenroll it? I would think this would resolve the problem.
If that doesn't resolve the problem, I'll need more specific steps that you've done so that I can either spot the issue, or try it myself.
Then I created jwt file for routers on the controller system.
Created the respective config files for routers on the other hosts.
Then enrolled it on the router hosts .
So if we consider 2 systems, on both the system the routers are getting connected to the controller but the second system is not getting connected to test-edge-router.
I see, I forgot you mentioned that before, my bad... I expect "somewhere along the way" the PKI was misconfigured but I won't be able to tell you exactly where. I'd ask you try to create a third router and see if it connects. If it doesn't connect, you'll have to troubleshoot why the connection is incorrect by using openssl s_client and the values/files in the routers config file. If a third router doesn't connect, then perhaps those instructions are incomplete in some way
I tried creating the third router as well. So in that scenario, router were not getting connected to edge-router. Instead it was forming links with the other routers connected to same controller.
So as you mentioned about having some issues in the pki configuration, what steps you could suggest to trouble shoot the error?
You know what my required network is, so what if I want to again start openziti from scratch, what should the steps be followed to setup such network using openziti?
I went back through the repo and did all the steps myself. I expect you have misconfigured the router's yaml files. You likely have not updated the DNS section.
$ ziti fabric list links
╭────────────────────────┬────────┬──────────────────┬─────────────┬─────────────┬─────────────┬───────────┬────────┬───────────╮
│ ID │ DIALER │ ACCEPTOR │ STATIC COST │ SRC LATENCY │ DST LATENCY │ STATE │ STATUS │ FULL COST │
├────────────────────────┼────────┼──────────────────┼─────────────┼─────────────┼─────────────┼───────────┼────────┼───────────┤
│ 1ilYwT2MjkBh4x3XWEHT3D │ r1 │ test-edge-router │ 1 │ 65000.0ms │ 65000.0ms │ Connected │ up │ 130001 │
│ 4GhzfCilebkmkBxgSJwpQD │ r2 │ test-edge-router │ 1 │ 65000.0ms │ 65000.0ms │ Connected │ up │ 130001 │
╰────────────────────────┴────────┴──────────────────┴─────────────┴─────────────┴─────────────┴───────────┴────────┴───────────╯
results: 1-2 of 2
I forked and pushed a few changes. Have a look at
Add a hosts file entry for "public-router.some.domain", "r1.some.domain", "r2.some.domain" and then run the routers in three different windows/locations:
