ziti-tunnel is an expert-level alternative to using the preferred method of running Ziti software on Linux servers: the NetFoundry VM.

ziti-tunnel for Linux servers may be enrolled as a NetFoundry Endpoint. It is a CLI (headless) executable that provides several modes for intercepting client traffic, publishing servers, or both, and it can run with or without the built-in DNS for hostname and domain name interception. You may run ziti-tunnel interactively, or as a daemon by installing one of the process management scripts from OpenZiti, or in a Docker container with "host" networking mode. Elevated privileges are only necessary for transparent intercepting proxy mode (tproxy).
If you wish to use ziti-tunnel tproxy to intercept client traffic, you will need to decide whether you will also intercept hostnames or domain names, and then work out how to configure your Linux server OS to use the built-in nameserver (default: udp://127.0.0.1:53). If you will not intercept names, disable the built-in nameserver with the --resolver none parameter and skip the step that configures the Linux server OS's DNS, or run ziti-tunnel proxy (an opaque proxy mode) instead of tproxy. The proxy mode binds a specified Service or Services to the specified TCP port(s) on the loopback interface and relies on neither iptables nor DNS.
Hosting a NetFoundry Service with ziti-tunnel allows you to publish any IP server that is reachable by ziti-tunnel to your NetFoundry Network. This requires no additional configuration of ziti-tunnel itself, does not require elevated privileges, and does not provide built-in DNS. That is, ziti-tunnel will begin hosting at startup any NetFoundry Services that are assigned to it in your NetFoundry Network. To host a Service with this install of ziti-tunnel:
- make a note of the Endpoint name used by the ziti-tunnel enrollment that will host the Service
- ensure the server you wish to publish as a Service is reachable by ziti-tunnel
- create a Service in your NetFoundry Network and select this enrollment of ziti-tunnel by Endpoint name
- restart ziti-tunnel if it is running in proxy mode, or execute host-only mode like
$ ./ziti-tunnel host --identity myTunneler.json
- Create an Endpoint in your NetFoundry Network and save the JWT file for the enrollment step (see the general article about Endpoints)
- Download the Ziti release tarball and extract ziti-tunnel. ziti-tunnel is portable and so can be run in place. You will need to ensure the downloaded file has the execute permission bit set.
$ chmod +x ./ziti-tunnel
- Enroll with ziti-tunnel. The permanent identity JSON file will be created in the same directory as the enrollment token.
$ ./ziti-tunnel enroll --jwt myTunneler.jwt
- Configure Linux DNS
  - Set the primary nameserver to the ziti-tunnel built-in nameserver (default: udp://127.0.0.1:53).
  - Set a secondary nameserver to handle queries for global names that do not match your Services.
- The NET_ADMIN Linux capability is the minimum requirement for transparent proxy mode.
- Run the transparent intercepting proxy (tproxy) and built-in nameserver
$ sudo ./ziti-tunnel tproxy --identity myTunneler.json
Outgoing data that matches a Service by domain name or IP address is securely directed over the overlay fabric instead of the normal IP underlay, i.e. the internet.
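The install steps above leave three things to get right before tproxy mode will work: the extracted binary must be executable, the process needs at least the NET_ADMIN capability, and the OS resolver must list the built-in nameserver first with a secondary behind it. The pre-flight script below is an added example, not code from the NetFoundry article or the OpenZiti project; it assumes the binary is ./ziti-tunnel, the identity file is myTunneler.json, and the built-in resolver is the article's default of 127.0.0.1 unless you pass different values. The capability check reads the CapEff hex mask from /proc/self/status, where CAP_NET_ADMIN is bit 12.

```shell
#!/bin/sh
# Added example (not from the NetFoundry article or the OpenZiti project):
# pre-flight checks for a ziti-tunnel tproxy install.
# Assumed defaults: ./ziti-tunnel, myTunneler.json, resolver 127.0.0.1.

# Step 2 of the install: the extracted binary must carry the execute bit.
binary_is_executable() {
  [ -x "$1" ]
}

# The enroll step writes the permanent identity next to the JWT; confirm it exists.
identity_present() {
  [ -f "$1" ]
}

# CapEff in /proc/<pid>/status is a hex bitmask; CAP_NET_ADMIN is bit 12.
# Returns 0 when the mask includes NET_ADMIN, the minimum for tproxy mode.
capeff_has_net_admin() {
  mask=$(printf '%d' "0x$1") || return 1
  [ $(( (mask >> 12) & 1 )) -eq 1 ]
}

# Effective capability mask of the current process (Linux only).
current_capeff() {
  awk '/^CapEff:/ {print $2}' /proc/self/status
}

# Linux DNS step: the first nameserver in a resolv.conf-style file must be the
# ziti-tunnel built-in resolver, and at least one secondary must follow it so
# global names that match no Service still resolve.
resolv_conf_ok() {
  file=$1
  primary=${2:-127.0.0.1}
  first=$(awk '$1=="nameserver" {print $2; exit}' "$file")
  count=$(awk '$1=="nameserver" {n++} END {print n+0}' "$file")
  [ "$first" = "$primary" ] && [ "$count" -ge 2 ]
}

# Runs every check and reports which install step still needs attention.
preflight() {
  bin=${1:-./ziti-tunnel}
  identity=${2:-myTunneler.json}
  resolv=${3:-/etc/resolv.conf}
  rc=0
  binary_is_executable "$bin" || { echo "missing execute bit: chmod +x $bin"; rc=1; }
  identity_present "$identity" || { echo "identity not found: run ziti-tunnel enroll"; rc=1; }
  capeff_has_net_admin "$(current_capeff)" || { echo "no NET_ADMIN: tproxy mode needs it"; rc=1; }
  resolv_conf_ok "$resolv" || { echo "resolver order wrong: built-in nameserver must be first, with a secondary"; rc=1; }
  return "$rc"
}
```

Run it as `preflight ./ziti-tunnel myTunneler.json` from the directory holding the binary and identity; a non-zero exit lists the steps to revisit. Checking CapEff rather than for root keeps the least-privilege intent of the article's NET_ADMIN note: a service unit or container that grants only that capability passes, while an unprivileged shell does not.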