Trying to set up OpenZiti for remote homelab access and jellyfin

I'm trying to set up OpenZiti to allow me to access my home network remotely. I am behind a CGNAT and believe OpenZiti to be the solution.

I currently have followed the selfhost setup and installed OpenZiti controller and public edge router on my cloudfanatic server instance. I have proxmox installed on my homelab. I have installed a new instance on proxmox and created another edge router. I'm trying to set up the home edge router to handle the local network routing. I have a jellyfin instance on the homelab and have given the service the IP address and port of that instance.

When I visualize the local router I see it's connecting to the Public edge router but the service is not connecting. I'm sure this is probably something very simple I'm misunderstanding and would greatly appreciate any assistance anyone can provide.

Hi @smarttowers, welcome to the community and to OpenZiti!

I'll need a few more details to help you out. When you state 'the service is not connecting', the next things to look at are:

  • the local tunneler logs (ziti desktop edge for windows/mac, ziti-edge-tunnel, Ziti Mobile Edge etc)
  • the remote router logs (your 'private' router)

In those logs will be something that will lead us to understanding what the problem is. You also should verify the public router has accepted a connection and formed the mesh by running

ziti fabric list links

You should see a single link.

Let's start by making sure you can see a link, and look in both the initiating logs and the terminating router logs for helpful reasons as to 'why'. A very common reason, for example, is getting the "host.v1" config wrong and sending traffic to an unroutable IP/hostname or bad port etc.


So where will I find the logs for the remote router and the local tunneler? I'm using android trying to intercept the jellyfin app server.

It'll depend on how you're running things and what tunneler it is. If you're running using systemd, journalctl is what you'll want to look at. What tunneler are you using and how did you install the router?

I set up using systemd and for the tunneler I just defined the service in the openziti admin web page.

ziti-edge-tunnel:

journalctl -u ziti-edge-tunnel --since "4 hours ago"

router:

journalctl -u ziti-router --since "4 hours ago"

I assume 4 hours ago is enough time, if not you'll need to go back to whenever you need. Look in those logs for some sort of reason as to why the traffic isn't succeeding.

Maybe the best solution would be to start over and try to do it the correct way. I have no entries for ziti-edge-tunnel on the private router or the public router. So I'm sure I have not set it up right. I thought that setting up a service in the admin console would create a tunnel.

I wouldn't redo it just yet... It sounds like you've done everything ok so far. The best thing right now is to figure out why the tunnel isn't working. The visualizer isn't something I'm particularly well-versed in so I can't really help with that, but I can tell you that the intercepting logs will likely have a reason as to why the tunnel didn't succeed. The same for the offloading router.

We really do need to look at the logs from the intercepting and offloading side to understand what's going on.

So the intercepting side, is that going to be the android client? And I'm assuming the offloading side is going to be the private router on my local network.

If that's the client you're using right now then yes that's right. The android tunneler has a way to view the logs but it's kind of hard to look at them from the UI. The "feedback" option is an easy way to collect the logs and email them to yourself to review. But you can also look at them in the app if you want to try that. Main Menu -> Advanced -> Logs -> Application. But like I said, it's hard to look at them on a phone...

Yes the private router is the other set of logs we need to look at.

How do I reset the logs? It was a week ago when I set this up and the logs are very cluttered currently. Or how can I restart everything in a way that we can use the previous 4 hours?

I actually don't know how to do that with the android tunneler. I'm sure you can purge the logs from journalctl but I don't know how off the top of my head (I never need to).

If it was me, I'd just recreate the issue now, get the logs and look at the end of the logs.

09-29 18:12:09.795 26458 26483 I Tunnel : resp = {"Success":true,"Data":{ "ziti://jeXn9Er.r@zrok.danebie.com:8441": "\n=================\nZiti Context:\nID:\t0\nenabled[true] uptime[790s]\nConfig Source:\t(none)\nController:\thttps://zrok.danebie.com:8441\nConfig types:\n\tziti-tunneler-client.v1\n\tintercept.v1\n\tziti-tunneler-server.v1\n\thost.v1\nIdentity:\tcellphone[jeXn9Er.r]\n\n=================\nAPI Session:\nSession Info: \nauth_method[Legacy]\napi_session_state[3]\n\n=================\nServices:\njellyfin: id[4FW2dtZzQKZJ3GGPWZvsUa] perm(dial=false,bind=true)\n\tconfig[ziti-tunneler-server.v1]={ "hostname": "192.168.2.45", "port": 8096, "protocol": "tcp" }\n\tconfig[ziti-tunneler-client.v1]={ "hostname": "jellyfin.ziti", "port": 8096 }\n\tposture queries[1]:\t\tposture query set[dummy bind policy: no posture checks defined]\n\n==================\nSessions:\n\n==================\nChannels:\nch0 connected [latency=554]\n\n==================\nConnections:\nconn[0]: server service[jellyfin] terminators[1]\n\n==================\n\n" },"Code":0}

Looks like the android end may be working for intercepting
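
An added example, not part of the original thread and not OpenZiti's own tooling: a small parser for a tunneler status dump like the one posted above. It pulls out each service's perm(dial=...,bind=...) flags and attached configs so the identity's role for the service can be read directly (dial permission is what lets a tunneler intercept a service, bind permission is what lets it host one). The sample line is constructed to match the posted format, with placeholder identity, controller and service id; parse_services and describe are hypothetical helper names.

```python
import json
import re

# Constructed sample in the shape of the Android tunneler log line above.
# Identity, controller address and service id are placeholders.
SAMPLE = (
    r'09-29 18:12:09.795 26458 26483 I Tunnel : resp = {"Success":true,"Data":{ '
    r'"ziti://ID@ctrl.example.net:8441": "\n=================\nServices:\n'
    r'jellyfin: id[SVC-ID] perm(dial=false,bind=true)\n'
    r'\tconfig[ziti-tunneler-server.v1]={ "hostname": "192.168.2.45", "port": 8096, "protocol": "tcp" }\n'
    r'\tconfig[ziti-tunneler-client.v1]={ "hostname": "jellyfin.ziti", "port": 8096 }\n'
    r'\n==================\nSessions:\n\n==================\n" },"Code":0}'
)

SERVICE_RE = re.compile(r'^(?P<name>.+?): id\[(?P<id>[^\]]+)\] '
                        r'perm\(dial=(?P<dial>true|false),bind=(?P<bind>true|false)\)$')
CONFIG_RE = re.compile(r'^\s+config\[(?P<type>[^\]]+)\]=(?P<body>\{.*\})\s*$')

def parse_services(log_line):
    """Return {service: {"dial": bool, "bind": bool, "configs": {type: dict}}}."""
    # The dump is logged with literal \n, \t (and sometimes \") escapes and its
    # inner quotes may be unescaped, so expand it as text instead of json.loads.
    text = log_line.replace('\\n', '\n').replace('\\t', '\t').replace('\\"', '"')
    services, current = {}, None
    for line in text.splitlines():
        svc = SERVICE_RE.match(line)
        cfg = CONFIG_RE.match(line)
        if svc:
            current = {"dial": svc["dial"] == "true",
                       "bind": svc["bind"] == "true", "configs": {}}
            services[svc["name"]] = current
        elif cfg and current is not None:
            current["configs"][cfg["type"]] = json.loads(cfg["body"])
        elif line.startswith("="):      # section separator ends the Services list
            current = None
    return services

def describe(perms):
    """Roles this identity has for a service: dial -> intercept, bind -> host."""
    return [role for flag, role in (("dial", "intercept"), ("bind", "host")) if perms[flag]]

if __name__ == "__main__":
    for name, perms in parse_services(SAMPLE).items():
        print(name, describe(perms), perms["configs"])
```
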

Good to hear. What about the logs from the other side? We may end up needing to see the logs from both routers and the controller but we should start by looking at the logs on the private router to see if there's anything relevant in there