Setting up a simple Service

Hey, I've been playing around with OpenZiti as a replacement for Tailscale and seem to have gotten the basic network set up. As a first service, I'd like to set up access to my Unraid NAS shares. The controller and router are on a VPS. A Windows laptop and the NAS, running Unraid, have their respective tunnelers.

I've been referencing

which seems to be slightly out of date, as the "user" attribute is no longer used.

Up to this point I have:

  1. Two identities;

    • name: laptop
      attributes: @home.clients
    • name: unraid
      attributes: @home.servers
  2. A host.v1 config with;

    • protocol: TCP
    • address: localhost
    • port: 54000 (random)
  3. An intercept.v1 config with;

    • protocol: TCP
    • address: home.ziti
    • port: 54000
  4. A service config;

    • name: home
    • attributes: @home
    • referencing the host.v1 and intercept.v1
  5. Service Policies

      • name: home.bind
      • service roles: @home
      • identity roles: @home.servers
      • name: home.dial
      • service roles: @home
      • identity roles: @home.clients

Now, trying to access the server in Windows Explorer via "\\home.ziti" returns the typical "Windows cannot access" error you get when a host isn't available. Typically, I'd be accessing the server's shares via "\\123.123.123.123", which gets me to the root of the server's share structure.

I feel like I've misunderstood something fundamental here. Any ideas on where I messed up?

Thank you

I think you also need a service edge router policy to bind the service to the router(s).

Hi @discourse.maternal501, along the lines of frm's response, does your Windows ZDEW show you services? If it does, are there any helpful errors in the logs that might point to what frm is saying? Things like "no eligible router online", etc.?

On top of that, I see you are using TCP in your services, but is it possible that the app requires UDP? If so, you could 'forward' the port or make two services (one for UDP, one for TCP).

The logs are generally quite helpful. I always look at the logs from the onboard identity and from the offloading identity for hints. There is almost always a relevant error in there if traffic isn't flowing.

Hi,

I went ahead and added the two additional routing policies and referenced "Your First Service" doc and used its naming conventions to ensure I was doing everything correctly.

Updated configs:

  1. Two identities;

    • name: desktop
      attributes: @http-clients
    • name: unraid
      attributes: @http-servers
  2. host.v1 config;

    • protocol: TCP
    • address: localhost
    • port: 54000 (random)
  3. Intercept.v1 config;

    • protocol: TCP
    • address: http.ziti
    • port: 54000
  4. Service config;

    • name: http.svc
    • referencing the host.v1 and intercept.v1
  5. Service Policies;

      • name: http.policy.bind
      • service roles: http.svc
      • identity roles: @servers
      • name: http.policy.dial
      • service roles: http.svc
      • identity roles: @http-clients
  6. Edge Router Policy;

    • name: all-routers-all-identities
    • edge router roles: router1
    • service-roles: http.svc
  7. Service Edge Router Policy;

    • name: all-routers-all-services
    • edge router roles: router1
    • service roles: http.svc

At this point it seems like everything should be running correctly, but as of now neither host will connect, as shown in the ZAC with only the API Call green button lit up.

EDIT: I had a misconfigured edge router policy and didn't specify the router. I now have the two hosts showing as connected in the ZAC Identity pane, and the logs on each host show connected.

So, how does one access the shares on the Unraid machine now? If I were on the local LAN it would be "\\123.123.123.123". On a service like Tailscale it would use either the Tailscale host IP or DNS name.

EDIT 2: I found a video that showed the use of ZAC and simple configs and gave that a go. Still seem to be missing something. Typically one doesn't specify a port number when accessing another computer's shared file system in Windows Explorer, right?

Seems like I got the connection set up after reading some old posts. What was required was to port forward the entire port range in the host.v1 config, by the looks of it.
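The first post's config (host.v1 on a random port 54000, intercept.v1 on home.ziti:54000) and the fix just mentioned (forwarding the whole port range) differ in one thing that matters for Windows file sharing: Explorer always talks to TCP/445 and never lets you choose a port, so an intercept that only captures 54000 never sees the traffic. The following is an added example, not code from this thread or from the OpenZiti project: it builds the two config documents, checks whether a client dialing TCP/445 would actually be intercepted and forwarded, and prints the `ziti edge create` commands that would install them. The service name `home`, the hostname `home.ziti`, the attribute names and the `127.0.0.1` server address are assumptions, and the CLI flags are as I know them; confirm them against `ziti edge create --help` for your version.

```python
"""Sanity-check OpenZiti host.v1 / intercept.v1 configs for an SMB share.

Added example, not the project's code.  Names (home, home.ziti, #home.servers,
#home.clients) are assumptions; the role syntax is '@name' for one entity and
'#attr' for an attribute.
"""
import json
import shlex

SMB_PORT = 445          # Windows Explorer uses TCP/445 for \\host\share; no port can be given
ALL_PORTS = [(1, 65535)]


def host_fixed(address: str, port: int) -> dict:
    """host.v1 where the hosting tunneler always dials one fixed address:port."""
    return {"protocol": "tcp", "address": address, "port": port}


def host_forward_port(address: str, ranges) -> dict:
    """host.v1 with forwardPort: the port the client was intercepted on is reused on
    the server side, limited to allowedPortRanges.  The 'entire port range' fix from
    the thread is ranges=[(1, 65535)]."""
    return {
        "protocol": "tcp",
        "address": address,
        "forwardPort": True,
        "allowedPortRanges": [{"low": lo, "high": hi} for lo, hi in ranges],
    }


def intercept(hostname: str, ranges) -> dict:
    """intercept.v1: which destination name and ports the client tunneler captures."""
    return {
        "protocols": ["tcp"],
        "addresses": [hostname],
        "portRanges": [{"low": lo, "high": hi} for lo, hi in ranges],
    }


def _in_ranges(port: int, ranges) -> bool:
    return any(r["low"] <= port <= r["high"] for r in ranges)


def check_pair(host: dict, icpt: dict, port: int = SMB_PORT) -> list:
    """Reasons a client connection to <intercepted name>:port would not reach a
    server listening on that same port.  An empty list means the pair looks sane."""
    problems = []
    if not _in_ranges(port, icpt["portRanges"]):
        problems.append(f"intercept.v1 does not cover port {port}; the client tunneler never captures it")
    if host.get("forwardPort"):
        if not _in_ranges(port, host["allowedPortRanges"]):
            problems.append(f"host.v1 forwards the client port, but {port} is outside allowedPortRanges")
    elif host["port"] != port:
        problems.append(f"host.v1 dials fixed port {host['port']} on the server, but the service listens on {port}")
    return problems


def cli_commands(name: str, host: dict, icpt: dict) -> list:
    """`ziti edge create` lines for the service, its bind/dial policies and the two
    router policies the replies above say are needed (flags are assumed; check --help)."""
    hj = shlex.quote(json.dumps(host, separators=(",", ":")))
    ij = shlex.quote(json.dumps(icpt, separators=(",", ":")))
    return [
        f"ziti edge create config {name}.host.v1 host.v1 {hj}",
        f"ziti edge create config {name}.intercept.v1 intercept.v1 {ij}",
        f"ziti edge create service {name} --configs {name}.host.v1,{name}.intercept.v1 -a {name}",
        f"ziti edge create service-policy {name}.bind Bind --service-roles '@{name}' --identity-roles '#{name}.servers'",
        f"ziti edge create service-policy {name}.dial Dial --service-roles '@{name}' --identity-roles '#{name}.clients'",
        # Without these two, identities and services have no router they may use.
        "ziti edge create edge-router-policy all-routers-all-identities --edge-router-roles '#all' --identity-roles '#all'",
        "ziti edge create service-edge-router-policy all-routers-all-services --edge-router-roles '#all' --service-roles '#all'",
    ]


# Constructed configs: the thread's original random-port setup and two working shapes.
ORIGINAL = (host_fixed("localhost", 54000), intercept("home.ziti", [(54000, 54000)]))
SMB_ONLY = (host_fixed("127.0.0.1", SMB_PORT), intercept("home.ziti", [(SMB_PORT, SMB_PORT)]))
FORWARD_ALL = (host_forward_port("127.0.0.1", ALL_PORTS), intercept("home.ziti", ALL_PORTS))

if __name__ == "__main__":
    for label, (h, i) in [("original", ORIGINAL), ("smb-only", SMB_ONLY), ("forward-all", FORWARD_ALL)]:
        print(f"{label}: {check_pair(h, i) or 'OK'}")
    print("\n".join(cli_commands("home", *SMB_ONLY)))
```

Of the two working shapes, the SMB-only pair is the one to prefer: forwarding all 65535 ports to the NAS exposes every listener on it (the web UI, Docker ports, SSH) to anyone holding a dialing identity, while intercepting just 445 limits the service to the shares.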

I did some testing, and it seems like I don't have a direct P2P connection between the two devices, as made evident by throughput testing. The VPS I'm hosting the controller and edge router on only has a 50Mbps connection, and that is my max throughput. However, the two devices, "unraid" and "desktop", are on the same LAN. Is this something OpenZiti is able to accomplish, or does it always have to go through an edge router?


At this time, you always need to go through an edge router. If you're using OpenZiti in the same LAN it's often useful to deploy an edge router on that LAN to allow local connectivity via OpenZiti.

Gotcha, would that require opening ports externally, or can that specific router just be used for LAN traffic? If I'm adding more than one router to the network, will the controller decide the best route to take?

No. The proper way to accomplish this is to have a controller and router in the VPS. The router on the VPS is 'public' (a loose term indicating what sort of networking space it's in) and the router on your LAN is 'private'.

The public router has a link listener (and optionally a link dialer) along with an edge listener.
The private router has a link dialer (and most likely no link listener) along with an edge listener.

This allows you to have an edge router when you're out and about (the public router) and then have a private edge router when you're on the private LAN.

The controller decides the best route and the client will connect to the 'fastest three routers'. (the three it connects to successfully first)
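The public/private split described in the reply above, as an added example that is not from this thread or from the OpenZiti docs: the `link` and `listeners` sections of the two router configs. The controller only needs to be reached outbound by both routers, the public router's link and edge ports must be open on the VPS, and the private router opens nothing inbound from the internet because it dials out for its link and only answers LAN tunnelers on its edge listener. Hostnames and ports are placeholders, and the `identity`, `edge.csr` and other sections every router config also needs are left out.

```yaml
# Added example, not project code. Hostnames/ports are placeholders; the identity,
# edge.csr and other required sections are omitted to keep the link/edge parts visible.
# ---- public router on the VPS: accepts links from other routers and connections from roaming tunnelers
v: 3
ctrl:
  endpoint: tls:ctrl.example.com:6262        # outbound to the controller
link:
  listeners:
    - binding: transport
      bind: tls:0.0.0.0:10080                 # private routers dial this: open it on the VPS firewall
      advertise: tls:vps.example.com:10080
  dialers:
    - binding: transport
listeners:
  - binding: edge
    address: tls:0.0.0.0:3022                 # tunnelers connect here when away from home: open it too
    options:
      advertise: vps.example.com:3022
---
# ---- private router on the LAN: dials out to the public router, answers only LAN tunnelers
v: 3
ctrl:
  endpoint: tls:ctrl.example.com:6262        # outbound only
link:
  dialers:
    - binding: transport                      # no link listener, so no inbound port to forward
listeners:
  - binding: edge
    address: tls:0.0.0.0:3022
    options:
      advertise: lanrouter.home.lan:3022      # must resolve and route on the LAN; never exposed externally
```

After enrolling the LAN router, make sure the edge router policy and service edge router policy include it (the thread's policies named only `router1`, so a second router would not be offered to the identities); with both routers eligible, the laptop and NAS tunnelers on the LAN can pick the local router and traffic stops crossing the 50Mbps VPS link.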