This article describes how to use ziti-tunnel from the OpenZiti project as an endpoint for your NetFoundry network. You can run ziti-tunnel in a Docker container on Linux to get the same capabilities as running ziti-tunnel natively on Linux. This is especially useful for a Linux workstation because a Desktop Edge standalone app is not yet available for Linux.

Endpoint Enrollment

You will need the enrollment token (JWT) from NetFoundry for the endpoint you created for the Docker Tunneler. Provide the JWT file and the endpoint is enrolled the first time you run the container. Enrollment generates a permanent identity file (JSON) in the same directory as your Docker Compose file. The identity file contains the endpoint's private key and certificate, so treat it like any other private key: restrict its file permissions and do not copy it to other hosts or check it into version control. The JWT is single-use; once the identity file exists it is no longer needed.

Docker Compose Up

Next, download the Compose file from GitHub to the computer that is running Docker. Docker Compose uses the up command to run the container. With your enrollment token file in the same directory, named to match the value of NF_REG_NAME, run the following command.

Linux Transparent Proxy

NF_REG_NAME=my-ziti-identity-file docker-compose up ziti-tproxy

With the transparent proxy running, the Linux host that runs Docker will have intercept rules for the authorized Services added to its iptables chains when the container starts and removed when it exits. Because the rules are written to the host's own iptables, the container has to run with host-level network privileges (the host network namespace and the NET_ADMIN capability), so only run it on a host you control. You may exit by typing ctrl+c. To run the container in the background, add the --detach parameter.

NF_REG_NAME=my-ziti-identity-file docker-compose up --detach ziti-tproxy


macOS & Windows

Most users should install the Desktop Edge app to gain access to their NetFoundry network on macOS and Windows. It is possible to run the Linux container on other operating systems inside a VM, but transparent proxy mode only works on Linux, where the iptables command is available.

Proxy VM

Modify the ziti-proxy section of the Compose file you downloaded above. Set the service names and ports to suit your needs, then run this command.

NF_REG_NAME=my-ziti-identity-file docker-compose up ziti-proxy




1 comment

  • When I run this then I get a "no key mechanism specified", unsure where to configure this. On the dashboard or do I need another file that has the key config?

