How to Use Ziti Tunneler on a Linux Server


ziti-tunnelis an expert-level alternative to using the preferred method of running Ziti software on Linux servers: the NetFoundry VM. ziti-tunnel for Linux servers may be enrolled as a NetFoundry Endpoint. A CLI (headless) executable, it provides several modes of intercepting client traffic or publishing servers or both. You may run ziti-tunnel with or without built-in DNS for hostname and domain name interception.



ziti-tunnel may intercept client traffic or forward server traffic or both. You may run ziti-tunnelinteractively or as a daemon by installing one of the process management scripts from OpenZiti.  You may also run ziti-tunnel in a Docker container with "host" networking mode. Elevated privileges are only necessary for transparent intecepting proxy mode (tproxy).


Intercepting Proxy 

If you wish to use ziti-tunnel tproxy to intercept client traffic then you will need to decide if you will also be intercepting hostname or domain names and then discover how to configure your Linux server OS to use the built-in nameserver (default: udp://

If you will not intercept names then disable the built-in nameserver with the--resolver noneparameter and skip the step to configure Linux server OS's DNS or run ziti-tunnel proxy (an opaque proxy mode) instead of tproxy. proxy mode will bind a specified service or services to the specified TCP port(s) on the loopback interface and does not rely on IPtables nor DNS


Service Hosting

Hosting a NetFoundry Service with ziti-tunnelallows you to publish any IP server that is reachable by ziti-tunnelto your NetFoundry Network. This requires no additional configuration of ziti-tunnel itself, does not require elevated privileges, and does not provide built-in DNS. That is, ziti-tunnel will begin hosting at startup any NetFoundry Services that are assigned in your NetFoundry network. To host a Service with this install of ziti-tunnel:

  1. make a note of the Endpoint name used by the ziti-tunnel enrollment that will host the Service
  2. ensure the server you wish to publish as a Service is reachable by ziti-tunnel
  3. create a Service in your NetFoundry Network and select this enrollment of ziti-tunnel by Endpoint name
  4. restart ziti-tunnel if running in proxy mode or execute host-only mode like
    $ ./ziti-tunnel host --identity myTunneler.json


  1. Create an Endpoint in your NetFoundry Network and save the JWT file for the enrollment step
    general article about Endpoints
  2. Download the Ziti release tarball and extract the ziti-tunnelexecutable
  3. ziti-tunnel is portable and so can be run in-place. You will need to ensure the downloaded file has the execute permission bit set.
    $ chmod +x ./ziti-tunnel
  4. Enrollziti-tunnel. The permanent identity JSON file will be created in the same directory as the enrollment token.
    $ ./ziti-tunnel enroll --jwt myTunneler.jwt
  5. Configure Linux DNS
    1. Set primary to theziti-tunnelbuilt-in nameserver (default: udp://
    2. Set a secondary nameserver to handle queries for global names that do not match your Services
  6. The NET_ADMIN Linux capability is the minimum requirment for transparent proxy mode.
  7. Run the transparent intercepting proxy (tproxy) and built-in nameserver
    $ sudo ./ziti-tunnel tproxy --identity myTunneler.json
  8. Outgoing data that matches a Service by domain name or IP address is securely directed over the overlay fabric instead of the normal IP underlay, i.e. the internet.




Was this article helpful?
0 out of 0 found this helpful



Article is closed for comments.