Zrok + Ziti Mobile Edge

Hi!

Is there a way to use zrok with ziti mobile edge? If zrok is running on top of ziti, I should technically be able to do it using ziti APIs directly. I tried to look for similar topics on discourse, and the closest I got is this article: Can zrok be used to expose local mqtt broker to internet? - #26 by michael.quigley

In one of the comments I found this:

ziti edge create identity "android1" \
  --role-attributes "mqtt-clients" \
  --jwt-output-file "android1.jwt"

ziti edge update service "my-mqtt-zrok-share" \
  --role-attributes "mqtt-services"

ziti edge create service-policy "mqtt-dial-policy" Dial \
  --service-roles '#mqtt-services' \
  --identity-roles '#mqtt-clients'

I added an identity to my phone, and I can see the network in Ziti Mobile Edge. Then I ran a zrok share (private, which is what I would like to achieve) and updated the service attributes directly where my controller and edge router run, using the ziti API (I run a self-hosted zrok instance). Finally, I ran the last command to set up a service policy. After this I am able to see the service in Ziti Mobile Edge.

However, I was not able to access it. I tried to use the regular way, as when I use zrok for public shares (<generated_token>.my.network.com), although with zrok a private share would spin up a local port, so this doesn’t feel right; but since I set up a service policy, I figured maybe it would. I thought maybe Ziti Mobile Edge would intercept it, as it appears to be running as a VPN service on the phone.

I want to set up a reserved share, make it private and then, using the commands above, expose it to my phone (or any other identities I issue).

Would it be feasible to try to make it work in this combo (zrok + ziti + Ziti Mobile Edge), or should I just set it up directly, without using zrok (the API is really nice though)? Another option would be to put zrok on my phone and run it via Termux (I saw in one of the topics that somebody put an ARM version onto the phone). That was my first thought of how I could use it directly, but I’d prefer using Mobile Edge if possible.

Thank you in advance.

P.S. I love zrok and open ziti :slight_smile: Only scratching the surface, but it’s really fun. Thank you for creating a wonderful project!

Hey there…

You should be able to access a zrok share from a ziti desktop or mobile edge just fine. zrok is just a wrapper over regular ziti stuff.

It’s just a matter of making sure the identity that you’ve created has the appropriate edge router policy, and the appropriate service policy (specifically you’ll need a “dial” policy for that share’s service).

In zrok a “share” is just a set of conventions around a ziti “service”. The name of the service is the zrok share token.

I am not 100% sure about what’s involved in adding the config necessary to tell the mobile/desktop edge what to do with the service once the permissions are there.

Maybe one of the other ziti folks can chime in and we can figure this out together?

In addition to the policy setup Q mentions, you’ll likely need to create an intercept.v1 config and update the ziti service for the share with the created config.

…and once you’ve done that, you should be able to access your zrok share through a desktop/mobile edge.

Let us know what questions you have, what you run into, and we’ll see what we can figure out.

Thank you for your reply!

I tried to update edge router policy and service policy, together with intercept config. Once it worked and I was able to access the share via ziti mobile edge. I tried to repeat the process and was not able to make it work again.

Steps that I took:

create phone identity:
ziti edge create identity "phoneIdentity" \
  --role-attributes "ziti-clients" \
  --jwt-output-file "android.jwt"

create intercept config:
ziti edge create config http.intercept.v1 intercept.v1 '{"protocols":["tcp"],"addresses":["myservice.zrok.domain.com"], "portRanges":[{"low":80, "high":80}]}'

create host config:
ziti edge create config http.host.v1 host.v1 '{"protocol":"tcp", "address":"localhost", "port":3000}'

apply configs:
ziti edge update service myservice --configs http.intercept.v1,http.host.v1

create service policy (tried to create new and update those generated by zrok):

ziti edge create service-policy dial-policy Dial --service-roles "@myservice" --identity-roles '@phoneIdentity'

ziti edge create service-policy dial-policy Bind --service-roles "@myservice" --identity-roles '@phoneIdentity'

edge router policy:

ziti edge create edge-router-policy "phone" --edge-router-roles '#all' --identity-roles '@phoneIdentity'

service-edge-router-policy also has the service visible to all routers (this was created by zrok)

I checked the logs for ziti mobile edge and I see this:
ziti-sdk:ziti_ctrl.c:503 ctrl_body_cb(): ctrl[https://zrok.domain.com:8440] completed GET[/services/52igUYtnZifGN13kKMWunT/edge-routers] in 0.141 s
10-11 02:51:18.777 23582 23612 D ziti-sdk:bind.c:273 list_routers_cb(): server2.1 router1/tls://zrok.domain.com:8442
10-11 02:51:18.777 23582 23612 D ziti-sdk:bind.c:136 process_bindings(): server2.1 checking router[router1]
10-11 02:51:18.777 23582 23612 D ziti-sdk:bind.c:537 start_binding(): server2.1 requesting BIND on ch[router1]
10-11 02:51:18.787 23582 23612 D ziti-sdk:bind.c:514 bind_reply_cb(): server2.1 failed to bind on router[router1]: OK
10-11 02:51:18.788 23582 23612 D ziti-sdk:bind.c:198 schedule_rebind(): server2.1 scheduling re-bind(attempt=51) in 22.719s

It fails to bind and just tries again and again.
failed to bind on router[router1]: OK

Is it possible to just run a ziti tunneler directly, not using zrok (it should come with zrok, right)? I know the original question was about the use of zrok, but I think that all it does (in this configuration with Mobile Edge) is identity setup and running a server-side tunneler for the local service. If I could run the server-side tunneler beside zrok, I’d just use that directly (sorry, I would not have needed to create this topic in the first place). I tried to install a tunneler, but it interferes with the zrok installation (keyring file override), so I didn’t proceed.

Thank you
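As an added check for the policy and intercept setup discussed in the replies and in the steps above (example code, not part of this thread and not zrok or OpenZiti code), this Python builds the intercept.v1 and host.v1 documents in the shape of the create-config commands and resolves which identities the service policies grant Dial and Bind, flagging a client identity that holds a Bind grant (the bind.c log lines above show the phone requesting BIND). The policy and identity records are constructed, `zrok-backend` is a hypothetical identity name, and matching any one role per policy (AnyOf) is a simplifying assumption.

```python
# Constructed records mirroring the thread (nothing here is read from a controller).
SERVICE = {"name": "myservice", "attrs": set()}
IDENTITIES = [{"name": "phoneIdentity", "attrs": {"ziti-clients"}},
              {"name": "zrok-backend", "attrs": {"zrok-backends"}}]  # hypothetical backend identity
POLICIES = [  # the two service policies from the steps above
    {"type": "Dial", "serviceRoles": ["@myservice"], "identityRoles": ["@phoneIdentity"]},
    {"type": "Bind", "serviceRoles": ["@myservice"], "identityRoles": ["@phoneIdentity"]},
]

def intercept_v1(addresses, low, high, protocols=("tcp",)):
    """intercept.v1 document in the shape used by the create-config command above."""
    if not 1 <= low <= high <= 65535:
        raise ValueError("bad port range")
    return {"protocols": list(protocols), "addresses": list(addresses),
            "portRanges": [{"low": low, "high": high}]}

def host_v1(address, port, protocol="tcp"):
    """host.v1 document for the local backend the zrok share fronts."""
    return {"protocol": protocol, "address": address, "port": port}

def role_matches(role, name, attrs):
    """'@name' names one entity, '#attr' matches a role attribute, '#all' matches all."""
    if role == "#all":
        return True
    return role[1:] == name if role.startswith("@") else role[1:] in attrs

def permitted(policies, ptype, service, identities):
    """Identity names granted `ptype` (Dial or Bind) on `service`.
    Assumption: a policy applies when any one of its roles matches (AnyOf)."""
    out = set()
    for p in policies:
        if p["type"] != ptype or not any(
                role_matches(r, service["name"], service["attrs"]) for r in p["serviceRoles"]):
            continue
        out.update(i["name"] for i in identities
                   if any(role_matches(r, i["name"], i["attrs"]) for r in p["identityRoles"]))
    return out

def lint(policies, service, identities, clients):
    """Findings for client identities: a Bind grant tells the tunneler to host the
    service itself (see the bind.c log lines above); a missing Dial grant blocks access."""
    dial = permitted(policies, "Dial", service, identities)
    bind = permitted(policies, "Bind", service, identities)
    findings = []
    for c in clients:
        if c in bind:
            findings.append(f"{c}: Bind on {service['name']} (a client should only Dial)")
        if c not in dial:
            findings.append(f"{c}: no Dial on {service['name']}")
    return findings
```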