Is there a way to enable ECH for ziti network?
When a network is deployed behind OpenZiti it becomes invisible: not reachable by IP, not visible in port scans, not discoverable by DNS. I think these features surpass what applying ECH over the Ziti network offers. Correct me if I am wrong.
The goal is to protect the SNI (router’s name) in ClientHello messages using standardized solutions (ECH) so that connections reveal only that they are talking to an ECH‑enabled endpoint. Our ISP currently enforces a very restricted whitelist; could you advise which options you support (ECH or other approaches) to make the service reachable while preserving user privacy?
As far as I know, OpenZiti doesn't natively support ECH in its standard deployment.
OpenZiti's Current Privacy Approach

- TLS Encryption Throughout: OpenZiti encrypts all traffic end-to-end, but the initial ClientHello SNI is still visible (as with standard TLS).
- IP-based Connections: You can configure OpenZiti edge routers to be accessed by IP address rather than hostname, which eliminates SNI entirely from the connection establishment.
- Wildcard Certificates: Using wildcard certs on edge routers means all services share the same SNI value, obscuring which specific service is being accessed.

Options for Your Restricted ISP Environment

Option 1: IP-Only Access

```yaml
# Configure edge router without hostname
advertise:
- tls:203.0.113.10:443
```

This eliminates SNI but requires whitelisting IP addresses.

Option 2: Generic SNI with Wildcard Cert

- Use a generic domain like secure-gateway.example.com
- Deploy a wildcard certificate for *.example.com
- All services share the same SNI, revealing only the gateway endpoint

Option 3: ECH via Reverse Proxy

Since OpenZiti doesn't support ECH directly, you could:

- Place an ECH-capable reverse proxy (nginx with ECH patches, Cloudflare Tunnel) in front of your edge router
- The proxy handles ECH termination
- Forwards decrypted connections to OpenZiti

Option 4: Request ISP Whitelist Addition

- Whitelist your OpenZiti edge router's domain/IP
- Justify based on business needs
- This is the most straightforward if possible
We can support it. For a long time, the standard HTTP library didn't support server-side ECH, but clients did. It looks like Go 1.24, released this February, added it.
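As an added illustration of the Go 1.24 point (example code written for this page, not code from the OpenZiti project or from anyone in this thread): a TLS 1.3 handshake over an in-memory pipe in which the real name is hidden behind an ECH public name, with a tap on the client side so the ClientHello can be checked for cleartext leakage. It requires Go 1.24 or newer; `secret.example` and `public.example` are constructed names, and the self-signed certificate, config id 7 and the hand-built ECHConfig encoding are assumptions of the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/binary"
	"math/big"
	"net"
	"time"
)
// echConfig encodes one ECHConfig (version 0xfe0d): DHKEM(X25519, HKDF-SHA256) with HKDF-SHA256 and AES-128-GCM.
func echConfig(id uint8, pub []byte, publicName string) []byte {
	b := binary.BigEndian.AppendUint16([]byte{id, 0x00, 0x20}, uint16(len(pub))) // config_id, kem_id, public_key length
	b = append(append(b, pub...), 0, 4, 0, 1, 0, 1)                               // public_key, one suite: kdf 0x0001, aead 0x0001
	b = append(append(b, 64, byte(len(publicName))), publicName...)               // maximum_name_length, public_name
	b = append(b, 0, 0)                                                           // no extensions
	return append(binary.BigEndian.AppendUint16([]byte{0xfe, 0x0d}, uint16(len(b))), b...)
}
// tapConn records what the client writes, so the ClientHello can be examined as an on-path observer sees it.
type tapConn struct{ net.Conn; out bytes.Buffer }
func (t *tapConn) Write(p []byte) (int, error) { t.out.Write(p); return t.Conn.Write(p) }
// HandshakeWithECH runs a TLS 1.3 handshake (Go 1.24 server-side ECH) hiding innerName behind publicName; it reports whether ECH was accepted and whether innerName leaked in cleartext on the wire.
func HandshakeWithECH(innerName, publicName string) (accepted, innerLeaked bool, err error) {
	key, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return false, false, err }
	cfg := echConfig(7, key.PublicKey().Bytes(), publicName)
	list := append(binary.BigEndian.AppendUint16(nil, uint16(len(cfg))), cfg...) // ECHConfigList: length + configs
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // throwaway self-signed certificate for innerName (demo assumption)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{innerName}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	srv := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}},
		MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true, // no post-handshake writes on the in-memory pipe
		EncryptedClientHelloKeys: []tls.EncryptedClientHelloKey{{Config: cfg, PrivateKey: key.Bytes(), SendAsRetry: true}}}
	cli := &tls.Config{ServerName: innerName, MinVersion: tls.VersionTLS13, EncryptedClientHelloConfigList: list,
		InsecureSkipVerify: true} // demo only: the certificate above is self-signed
	a, b := net.Pipe()
	tap := &tapConn{Conn: b}
	errc := make(chan error, 1)
	go func() { errc <- tls.Server(a, srv).Handshake() }()
	conn := tls.Client(tap, cli)
	if err = conn.Handshake(); err == nil {
		err = <-errc // the server side must also have completed cleanly
	}
	a.Close() // also unblocks the server goroutine if the client failed first
	return conn.ConnectionState().ECHAccepted, bytes.Contains(tap.out.Bytes(), []byte(innerName)), err
}
```

On the wire only the public name is visible in the outer ClientHello; the inner name travels HPKE-encrypted, which is what an ECH-capable front end would give the router name in this thread's scenario.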