Zitify Homelab Kubernetes Cluster

Hey, I’ve a Homelab Kubernetes cluster with a few old PCs, it’s been working great so far. But, now I’d like to add a few nodes hosted on a friend’s house, so I’ll have to open up some ports to the outside world and I’m not really confortable with this Idea haha

I’ve been watching Openziti for a few months but never really tried it outside of the quickstart guides.
I thought about using Ziti on all these nodes and use the overlay network instead of opening all the needed ports.

Has anyone done this before ?
How that would look ? I mean I’ll have private routers on every nodes of my cluster, and one edge router with an open port right?

Oh and btw I’m using K8S Rancher if that could help

Hi @Decerpis, welcome to OpenZiti and to the community!

nor should you be!

nice. nice… :slight_smile:

perfect use case. yep.

@qrkourier is off work this week and he’s got the most seat time with kubernetes in general but he’s got a lot of seat time with rancher. We also have a fair number of community members being quite successful with Kubernetes tpp.

As for what it would look like, I’d expect it to look something like this

We have a nice blog post from @gberl002 about how to setup a totally free VPS in Oracle too if you’re interested. Then you can keep all your ports closed everywhere! Setting Up Oracle Cloud To Host OpenZiti

You can layer an edge router into this mix once you get the most basic controller/router setup established. I think it’s easiest to start with something like this though.

That make sense?

1 Like

Damn I wasn’t expecting an answer that fast, thanks !

I’m not quite sure that’s my use case, I’m not looking to have multiple clusters communicating, even tho now that’s something I want to try just for fun lol

But I Guess I could apply the same principles to secure one cluster using :

  • Tunneler in each node
  • Have the controller with its Edge router on the internet (on oci for instance)

Is that right ?

Yeah it’s not 100% clear on the diagram, but basically I tried to show “home computers” accessing some workload deployed IN kubernetes. Most notably your home computer in “network 1” accessing your friend’s cluster on “network 2” and vice-versa. Not necessarily connecting two clusters together.

Maybe this is more accurate then? Showing network 2 and 3 (your friends/family) accessing your cluster on your network (and someone on a phone using just ‘the internet’ too)

And yes, you run a tunneler on each “home computer” or cell phone (Ziti Desktop Edge/Ziti Mobile Edge) and then have a VPS with OpenZiti out on the internet so that mTLS connections can be established. You got it! :slight_smile:

1 Like

Alright, great diagram ! One last question, I Saw somewhere few weeks ago maybe that Ziti Can optimize traffic routing (smart routing capabilities) when we have multiple routers.

Knowing that, is it a good idea to have private routers (dialing only) on each of my nodes instead of just tunnelers ?

I would first start out getting the diagram as shown working for you, and getting familiar with OpenZiti enough where you feel comfortable using it. Once you are comfortable and confident with the setup working, then you can try adding in other routers to the mix. In this diagram, with this situation, I don’t think there’s going to be a big benefit to you adding more than one router. If you add for or five of these things in various locations (like NYC, Miami, Dallas, Chicago, LA, Seattle)… Then the mesh can start to really take over and do some fancier routing for you. But for what you’re looking to do, I really doubt it’ll matter terribly. But it might?!? Maybe you’ll try it out and report back? :slight_smile:

I use exactly this diagram for my own home access and I haven’t added multiple routers yet. My performance needs don’t warrant it. If yours do, well then maybe you’ll want to put a few more public routers out on there.

Hope that helps, let us know how you get on and if you have more questions!

1 Like

Here’s a couple other good threads to read through if you’re interested. Particularly the fella using satellite internet. For them, having a private router makes LOTS of sense…

1 Like

I’m general, I don’t think so, not really. The term “private” is entirely relative/subjective. What it’s trying to convey is that it’s a router which only dials other routers. it doesn’t advertise link listeners. A link listener is a configuration item in the router that tells the router to listen on the underlay on a specified port for other routers to connect to the router on.

The term “edge router” just indicates the router is “edge enabled”. It’s configured to allow edge (client/sdk) connections, regardless of if the router has a link dialer or link listener. (Links are associated with the fabric/mesh, not the clients/sdk/edge)

“Fabric” routers would be routers that are not configured to accept edge connections. They are there to service the overlay/mesh, for redundancy, and for better path selection getting packets from place to place as fast as possible. Fabric routers could be configured with a link listener and dialer, just a listener, or just a dialer. Note that edge routers ARE fabric routers.

That help?


@Decerpis I hereby nominate you for the first ever Ziti Distributed K8s Cluster Control Plane backpack achievement patch because I’m pretty sure you’re the first one to do it! :tada:

I’ve thought about doing this for my homelab too. How did you split up the cluster control plane vs worker node roles? I think you’re using Rancher to manage the “local” cluster after installing it with Helm.

Did you get your remote nodes working by installing ziti CLI and running ziti router with a “router tunneler” configuration, or did you install ziti-edge-tunnel on all the nodes? It can be confusing because they both have the word “tunneler.”