Seeking Guidance on OpenZiti Deployment for On-Prem Server Access

Hi there,

I’m a Machine Learning Engineer, and our team needs to access on-premise servers across multiple sites. Currently, we use NoMachine for remote access, with Twingate handling connectivity. However, we’re exploring OpenZiti as an open-source alternative.

While I’m relatively new to networking (with only basic knowledge), I’ve taken the following steps to set up OpenZiti:

  1. Reviewed Documentation: Followed the Docker deployment guide: OpenZiti Docker Docs
  2. Watched Tutorials: The official YouTube walkthrough by @qrkourier : OpenZiti Setup Video
  3. Read Blogs: Tested the Minecraft server example for insights: Secure Minecraft Server Blog

Current Setup:

  • OS: Ubuntu 20.04
  • Docker Containers:
    $ docker ps
    CONTAINER ID   IMAGE                   COMMAND                  STATUS                 PORTS                    NAMES
    056cbc2cdcec   openziti/ziti-router    "/entrypoint.bash ru…"   Up 5 hours (healthy)   0.0.0.0:3022->3022/tcp   oz-ziti-router-1
    2c7d35df7d36   openziti/ziti-controller "/entrypoint.bash ru…"   Up 5 hours (healthy)   0.0.0.0:1280->1280/tcp   oz-ziti-controller-1
    
  • Screenshot:

Issue:

Despite these steps, enrolling the controller using the .jwt file fails.

Questions:

  1. Are there critical details I might have missed in the setup?
  2. What troubleshooting steps would you recommend?

I’d greatly appreciate any feedback or guidance to resolve this. Thanks in advance!

Hi @aymja, welcome to the community and to OpenZiti!

Can you provide the exact steps you mean when you say "the jwt"? Do you mean an identity for a client? Which client is trying to enroll? Can you provide some sort of output so we know what you're doing better?

Also, keep in mind if you have too many troubles that you can get an OpenZiti overlay from NetFoundry and take any setup out of the equation. :slight_smile:

Can you provide any more details about what you did and how and where it went wrong? Cheers

Hi @TheLumberjack,

Thank you for your support! I’ve been working through the OpenZiti setup similar to the blog post I mentioned earlier. Here’s where I stand:

Current Setup:

  1. Deployed the controller and router on a server.
  2. Created two identities:
    • Identity 1 (Office Workstation)
    • Identity 2 (Remote Site Machine)
      (Each machine is on a separate network.)

Identity 1 Enrollment Output:

ziti-edge-tunnel enroll --jwt phone.client.jwt --identity phone.client.json
(3375946)[        0.000]    INFO ziti-sdk:utils.c:196 ziti_log_set_level() set log level: root=3/INFO
(3375946)[        0.000]    INFO ziti-sdk:utils.c:165 ziti_log_init() Ziti C SDK version 1.6.5 @gd72ea7c(HEAD) starting at (2025-06-24T09:36:13.294)
(3375946)[        0.000]    INFO ziti-sdk:ziti_enroll.c:112 ziti_enroll() Ziti C SDK version 1.6.5 @gd72ea7c(HEAD) starting enrollment at (2025-06-24T09:36:13.294)
(3375946)[        0.000]    INFO ziti-sdk:ziti_ctrl.c:637 ziti_ctrl_init() ctrl[https://{our_public_ip}.sslip.io:***] controller initialized

Identity 2 Enrollment Output:

ziti-edge-tunnel enroll --jwt nomachine.zotac.jwt --identity nomachine.zotac.json
(3294734)[        0.000]    INFO ziti-sdk:utils.c:196 ziti_log_set_level() set log level: root=3/INFO
(3294734)[        0.000]    INFO ziti-sdk:utils.c:165 ziti_log_init() Ziti C SDK version 1.6.5 @gd72ea7c(HEAD) starting at (2025-06-24T09:42:55.102)
(3294734)[        0.000]    INFO ziti-sdk:ziti_enroll.c:112 ziti_enroll() Ziti C SDK version 1.6.5 @gd72ea7c(HEAD) starting enrollment at (2025-06-24T09:42:55.103)
(3294734)[        0.000]    INFO ziti-sdk:ziti_ctrl.c:637 ziti_ctrl_init() ctrl[https://{our_public_ip}.sslip.io:***] controller initialized

Different Attempt trying ziti mobile edge:

  • Followed the Linux Tunneler (Debian Package) guide.
  • Tested Ziti Mobile Edge with NoMachine; the mobile client shows that it is connected and that there is one service. This is the config of the NoMachine connection:

Following my previous setup, I've encountered connectivity issues when trying to establish connections through NoMachine. Here's what I've observed:

Connection Attempts & Errors

  1. Office → Site Connection
     • Attempted to connect from my office workstation to the remote site machine via NoMachine
     • Error in NoMachine logs: Host not found
  2. Mobile → Site Connection
     • Tried connecting from my mobile device (using Ziti Mobile Edge) to the site machine
     • Error in NoMachine logs: Cannot access port

This makes me wonder if NoMachine uses one port for brokering the connection to another port. Can you confirm the "firewall requirements" for the server? Ziti can represent multiple hosts and multiple ports or port ranges in a Ziti service config, if needed.
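As an added illustration of the last point (this is example code, not from the thread or from the OpenZiti project), the script below builds the two config documents a multi-port service needs, host.v1 for the Bind side and intercept.v1 for the Dial side, and prints the `ziti edge create` calls that would wire them into a service with Bind and Dial policies. It assumes NoMachine's default TCP port 4000 plus its optional UDP range 4011-4999, an invented intercept hostname `nomachine.zotac.ziti`, that the hosting tunneler runs on the NoMachine server itself (so it forwards to 127.0.0.1), that the identity names match the .jwt basenames from the thread, and invented role attributes `nomachine-hosts` / `nomachine-clients`. It never contacts a controller; it only emits the JSON and the commands.

```shell
#!/usr/bin/env bash
# Added example (not code from the thread or the OpenZiti project): build the
# host.v1 and intercept.v1 config documents for a NoMachine service that spans
# several ports and a port range, then print the ziti CLI calls that would
# create the service and its policies. Nothing here contacts a controller.
set -eu

# Assumptions, labelled: NoMachine listens on TCP 4000 by default and may use
# UDP 4011-4999 for its optional UDP channel; "nomachine.zotac.ziti" is an
# invented intercept hostname; 127.0.0.1 assumes the hosting tunneler runs on
# the NoMachine server itself.
INTERCEPT_HOST="${INTERCEPT_HOST:-nomachine.zotac.ziti}"
TARGET_ADDR="${TARGET_ADDR:-127.0.0.1}"

# host.v1: what the Bind side (the tunneler on the site machine) forwards to.
# forwardPort/forwardProtocol pass through whatever the client intercepted,
# restricted to the allowed protocols and port ranges.
host_config() {
  printf '%s' '{"address":"'"$TARGET_ADDR"'",'
  printf '%s' '"forwardProtocol":true,"allowedProtocols":["tcp","udp"],'
  printf '%s\n' '"forwardPort":true,"allowedPortRanges":[{"low":4000,"high":4000},{"low":4011,"high":4999}]}'
}

# intercept.v1: what the Dial side (office workstation, mobile edge) captures.
# The same port ranges must be listed here, or the client never sends them.
intercept_config() {
  printf '%s' '{"protocols":["tcp","udp"],"addresses":["'"$INTERCEPT_HOST"'"],'
  printf '%s\n' '"portRanges":[{"low":4000,"high":4000},{"low":4011,"high":4999}]}'
}

# Returns 0 when both documents list the same port ranges; a mismatch between
# the two configs is a common reason a client reports it cannot reach a port.
ranges_match() {
  h=$(host_config | sed 's/.*"allowedPortRanges"://; s/}$//')
  i=$(intercept_config | sed 's/.*"portRanges"://; s/}$//')
  [ "$h" = "$i" ]
}

# Print the CLI steps (ziti edge create/update syntax of the OpenZiti CLI).
# Identity names match the .jwt basenames from the thread; the role attributes
# nomachine-hosts / nomachine-clients are invented names.
print_commands() {
  echo "ziti edge create config nomachine-host host.v1 '$(host_config)'"
  echo "ziti edge create config nomachine-intercept intercept.v1 '$(intercept_config)'"
  echo "ziti edge create service nomachine --configs nomachine-host,nomachine-intercept"
  echo "ziti edge create service-policy nomachine-bind Bind --service-roles '@nomachine' --identity-roles '#nomachine-hosts'"
  echo "ziti edge create service-policy nomachine-dial Dial --service-roles '@nomachine' --identity-roles '#nomachine-clients'"
  echo "ziti edge update identity nomachine.zotac --role-attributes nomachine-hosts"
  echo "ziti edge update identity phone.client --role-attributes nomachine-clients"
}

# Usage: sh nomachine-service.sh show
if [ "${1:-}" = "show" ]; then
  ranges_match && print_commands
fi
```

Running it with the `show` argument prints the commands after checking that both documents agree on the port ranges; the Bind policy must match the identity enrolled on the site machine and the Dial policy the identities enrolled on the workstation and phone, otherwise the service is listed but no connection succeeds.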