currently I am playing with OpenZiti thinking about replacing mit current (Tailscale) mesh setup.
Getting things up and running took some time but I finally managed to connections to my local subnet
192.168.100.0/24 from and outsite windows system working.
All internel clients are Ubuntu 22.04 with the tunneler installed and inside this network is also the edge router and the controler located.
Now my two questions:
Having a policy with an intercept.v1 allowing 192.168.100.0/24 and the same for the host.v1 policy leads to the fact that I can see SSH connections from the outside windows mashine are getting created from different internal hosts (which all are running the tunneler).
For Example: starting an SSH session from the windows machine to 192.168.100.5 several times, shows different origins (192.168.100.4, 192.168.100.7 and sometimes even 192.168.100.5) in the logs.
I would expect that it always tries to stay within the encrypted ziti network, but it seems that it doesn`t?
How could I restrict this to stay within the city network not using different tunnelers because all system are equipped with them?
All systems are named $host.ziti.
Building polcies with *.ziti for the intercept and localhost for the host.v1 does not work.
How do I have to build the policies so that I am able to use ssh to the fqdn which is resolved correctly?
Even setting 100.64.0.0/12 in the host.v1 does not work.
Any help would be great. It seems that I am a little lost.