Using edge router with the tunneler enabled

I know this has been covered before… though I thought to revisit this…

To configure the edge router to operate as a tunneler, you use the “-t” flag when creating an edge router

ziti edge create edge-router ${routerName} -t -a “public” -o ${routerName}.jwt

This is what I used to make ZAC dark… what this allows you to do is to set the name of the edge router as the identity for the bind policy.

When you do this… the terminator is automatically created for you.

In this configuration, the tunneller is acting as a host

can the edge router also act as a proxy or tproxy?
if so, how do you configure this ?
in what scenarios would you use a proxy / tproxy?

Is there anything else that can be done, other than setting up a terminator, when the tunneller flag is configured.


Yes, and to paraphrase: a tunneller-enabled router will generate a system-managed identity with the same name. The identity appears in the list of identities, and the router appears in the list of routers, but the two entities are coupled to the same running instance of ziti-router. You may then “bind” as you mentioned any service to the router’s coupled tunneller identity. The router’s tunneller may operate in any mode that’s supported by ziti-tunnel: host, tproxy, proxy.

Fresh documentation is on the way for this in ziti-doc/ at 5e84723ae8278af43752def4e3d4210f7519adfe · openziti/ziti-doc · GitHub

1 Like