Tproxy not supported on darwin

I am working through setting up a LAN Gateway, which involves the following

  1. remote Oracle Linux as the host
  2. local MacOS as the client

I have the ziti-router on the Oracle Linux machine up and running now.

I successfully enrolled the router identity on the local MacOS

However, when I started up the ziti-router, I received the following error message

"error":"failed to initialize tproxy interceptor: tproxy not supported on darwin"

Any tips?

Maybe… as an alternative… I need to set up a docker / virtual box instance… that uses Ubuntu etc… and use that instance to run the ziti-router

Is this how it is normally done? Or is there a way to make it work on MacOS?

Alternatively… now that I am thinking about it… is there a way to use the ziti-edge-tunnel?

Maybe I am taking the wrong approach

Hello!

I’m sorry this question has sat here unanswered for this long. I was just scrolling through the list and noticed it now. Hopefully you are all set at this point, but I’ll take a crack at responding just in case.

If you need to intercept connections on your Mac, then use Ziti Desktop Edge. You can technically run ziti-edge-tunnel on darwin/macOS, although there will be some limitations there (specifically with DNS).

Whichever client you use, you’ll also need a ziti-router running somewhere that your Mac can get to. You could run ziti-router right on your Mac (adjacent to the ZDE or ziti-edge-tunnel client), but you’ll need to disable the “tunnel” listener in the router’s .yml configuration file to avoid the TPROXY error that you encountered. You can do this by commenting out or removing the “tunnel” binding in the listeners tree:

listeners:
#  - binding: tunnel
#    options:
#      mode: host

Here’s some background info on TPROXY that you probably don’t need, but I’ll mention it to explain why we can’t use it on macOS.

TPROXY refers to a socket option and associated firewall rules that are only supported on Linux. We only use this technique in ziti-router (and the standalone ziti-tunnel tunneler). Basically, TPROXY is similar to DNAT, but with TPROXY the packet is not modified (and so the original destination of the packet is left intact). So TPROXY lets us “intercept” connections by sending packets with destination addresses from the ziti service configurations to a local port that the ziti-router is listening on. When a connection is made, ziti-router uses the destination address of the packet to determine which ziti service should be connected on the overlay.
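The edit the reply above describes (commenting out the “tunnel” binding in the router’s listeners tree so the tproxy interceptor is never started) can be scripted and checked before restarting the router. The following is an added example, not code from the thread or from OpenZiti; it assumes the usual YAML layout where each listener item begins with `- binding:` and its options are indented deeper than the dash, and the sample config it operates on is constructed.

```python
"""Comment out the `tunnel` listener in a ziti-router config and verify it is gone.

Added example, not OpenZiti code. Works line by line so the file's other
listeners and comments are left byte-for-byte untouched.
"""
import re

# Constructed sample router config, trimmed to the listeners tree.
SAMPLE_CONFIG = """\
listeners:
  - binding: edge
    address: tls:0.0.0.0:3022
  - binding: tunnel
    options:
      mode: host
  - binding: proxy
    address: tcp:0.0.0.0:3023
"""

# First line of a listener item: captures the dash indent and the binding name.
ITEM_RE = re.compile(r"^(\s*)-\s+binding:\s*(\S+)\s*$")


def comment_out_binding(config_text, binding="tunnel"):
    """Return (new_text, items_commented).

    Each list item whose first line is `- binding: <binding>` is commented out
    together with its continuation lines (anything indented deeper than the
    dash, or blank). Every other line is copied through unchanged.
    """
    out, commented, dash_indent = [], 0, None
    for line in config_text.splitlines():
        if dash_indent is not None:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= dash_indent:
                dash_indent = None  # reached the next item or the parent key
        m = ITEM_RE.match(line)
        if dash_indent is None and m and m.group(2) == binding:
            dash_indent = len(m.group(1))
            commented += 1
        out.append(("#" + line) if dash_indent is not None else line)
    return "\n".join(out) + "\n", commented


def has_active_binding(config_text, binding="tunnel"):
    """True if an uncommented `- binding: <binding>` line is still present."""
    return any(m and m.group(2) == binding
               for m in map(ITEM_RE.match, config_text.splitlines()))


if __name__ == "__main__":
    new_text, n = comment_out_binding(SAMPLE_CONFIG)
    print(f"commented out {n} tunnel listener(s); still active: "
          f"{has_active_binding(new_text)}")
    print(new_text)
```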