Overview
The Edge Tunneler CLI allows regular apps on your computer, such as a web browser, to access your NetFoundry Network through a proxy. The Edge Tunneler can also host a Service for the Network, e.g. a server running on the computer itself or one reachable in that device's private network(s).
Use Edge Tunneler CLI as a Dialing Endpoint
Your choice: proxy or hosting or both
ziti-tunnel is an interactive command-line interface (CLI) and works best on Linux as a transparent proxy (tproxy). You may also run ziti-tunnel as a system daemon by installing one of the process management scripts from OpenZiti. Alternatively, Edge Tunneler CLI has an opaque proxy mode that will bind a specified set of services to the loopback (localhost) interface. proxy is the only mode of operation on MacOS and Windows.
Download and Install
- Create an Endpoint in your NetFoundry Network (general article about Endpoints)
- Download ziti-tunnel (v7 downloads)
ziti-tunnel is built for portability and so can be run wherever it is downloaded or copied.
Enroll and Run
Linux
- Enroll ziti-tunnel. The permanent identity JSON file will be created in the same directory as the enrollment token.
$ ./ziti-tunnel enroll --jwt myTunneler.jwt
- Configure Linux DNS
  - Set primary to the ziti-tunnel built-in nameserver (default: udp://127.0.0.1:53).
  - Set a secondary nameserver to handle queries for global names that do not match your Services.
- The NET_ADMIN Linux capability is required for transparent proxy mode.
- The run command will select the best mode, typically transparent proxy (tproxy).
$ sudo ./ziti-tunnel run --identity myTunneler.json
- Outgoing data that matches a Service by domain name or IP address is securely directed over the overlay fabric instead of the normal IP underlay, i.e. the internet.
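A preflight check for the Linux steps above, added here as an example and not taken from NetFoundry or OpenZiti: it verifies that the first nameserver in a resolv.conf-format file is 127.0.0.1 with a secondary behind it, and that the effective capability set in a /proc/<pid>/status-format file includes NET_ADMIN. The function names and the "check" argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight checks for ziti-tunnel transparent proxy mode.
# Function names and the "check" argument are assumptions of this example.

# nameservers FILE: print the nameserver addresses of FILE in order.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# check_resolv FILE (resolv.conf format). Returns:
#   0  primary is 127.0.0.1 and a secondary exists
#   1  primary is not the ziti-tunnel built-in nameserver default
#   2  no secondary for names that do not match a Service
check_resolv() {
    primary=$(nameservers "$1" | sed -n 1p)
    secondary=$(nameservers "$1" | sed -n 2p)
    if [ "$primary" != "127.0.0.1" ]; then
        echo "primary nameserver is '${primary:-none}', expected 127.0.0.1" >&2
        return 1
    fi
    if [ -z "$secondary" ]; then
        echo "no secondary nameserver configured" >&2
        return 2
    fi
    return 0
}

# has_net_admin FILE (/proc/<pid>/status format).
# CAP_NET_ADMIN is capability number 12, i.e. bit 0x1000 of CapEff.
has_net_admin() {
    capeff=$(awk '$1 == "CapEff:" { print $2 }' "$1")
    [ -n "$capeff" ] || return 2
    [ $(( 0x$capeff & 0x1000 )) -ne 0 ]
}

# Run against the live system only when asked: sudo sh preflight.sh check
# (under sudo, so the capabilities match those "sudo ./ziti-tunnel run" gets).
if [ "${1:-}" = "check" ]; then
    check_resolv /etc/resolv.conf && echo "DNS order ok"
    has_net_admin /proc/self/status && echo "NET_ADMIN present" ||
        echo "NET_ADMIN missing: tproxy mode will not work" >&2
fi
```

If ziti-tunnel was started with a nameserver address other than the default, compare against that address instead of 127.0.0.1.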
MacOS
- Enroll ziti-tunnel. The permanent identity JSON file will be created in the same directory as the enrollment token.
$ ./ziti-tunnel enroll --jwt myTunneler.jwt
- Specify a list of services to bind on the loopback interface like "{service name}":{local port}
$ ./ziti-tunnel proxy --identity myTunneler.json "my secret service":8888 "my favorite service":9999
- Outgoing data for a proxied service must be sent to that service's bound local port. It is then securely directed over the overlay fabric instead of the normal IP underlay, i.e. the internet.
Windows
- Enroll ziti-tunnel. The permanent identity JSON file will be created in the same directory as the enrollment token.
C:\> .\ziti-tunnel.exe enroll --jwt myTunneler.jwt
- Specify a list of services to bind on the loopback interface like "{service name}":{local port}
C:\> .\ziti-tunnel.exe proxy --identity myTunneler.json "my secret service":8888 "my favorite service":9999
- Outgoing data for a proxied service must be sent to that service's bound local port. It is then securely directed over the overlay fabric instead of the normal IP underlay, i.e. the internet.
Use Edge Tunneler CLI as a Hosting Endpoint
Hosting a service requires no configuration of Edge Tunneler CLI itself and the steps are the same for Linux, MacOS, and Windows. Edge Tunneler CLI will simply host any services it is allowed to host in your NetFoundry network. To host a service with this install of Edge Tunneler CLI:
- make a note of the Endpoint name used by the Edge Tunneler CLI install that will host the Service
- ensure the server is reachable by the device where Edge Tunneler CLI is installed
- create a Service in your NetFoundry Network and select this install of Edge Tunneler CLI's Endpoint name
- restart Edge Tunneler CLI if running in proxy mode, or wait for other modes to begin hosting newly available Services