You can run Tunneler in a Docker container. This article describes how to useziti-tunnelfrom the OpenZiti project as a proxy Endpoint for your NetFoundry network. 

Why should I run Tunneler in a container?

Running Tunneler in a container yields the same capabilities as running Tunneler natively on the host. The advantages are in the portability and the ability to reproduce every aspect of the installation on any computer. For example, this approach allows you to systematically upgrade or downgrade Tunneler and to encode the environment and parameters for Tunneler in a Docker Compose file and so to run a predictable configuration on any computer.

Your choice: transparent or opaque proxy

 ziti-tunnel is an interactive command-line interface (CLI) and works best on Linux as a transparent proxy (tproxy). Alternatively, Tunneler has an opaque proxy mode that will bind a specified set of services to the loopback (localhost) interface.proxy is the only mode of operation on MacOS and Windows.

Endpoint Enrollment

You will need the enrollment token (JWT) from NetFoundry for the Endpoint you have created for Docker Tunneler. By providing the JWT file, your Endpoint will be enrolled the first time you run the container. This will generate a permanent identity file (JSON) in the same directory as your Docker Compose file.

Create a Docker Compose File

Create a file named docker-compose.yml. This is the default filename expected by the docker-composecommand which you may install with the Python Package Index (PyPi) like this: pip install --upgrade docker-compose. Customize the boldface values to suit.

version: "3.3"
image: netfoundry/ziti-tunnel:latest
- .:/netfoundry
network_mode: host
- NF_REG_NAME=my-ziti-identity-file
# uncomment the next line to skip DNS interception
# command: run --resolver none
image: netfoundry/ziti-tunnel:latest
- .:/netfoundry
- NF_REG_NAME=my-ziti-identity-file
- "8888:8888"
- "9999:9999"
command: proxy "my example service":8888 "my other example service":9999

Docker Compose Up

Docker Compose uses theup command to run the container described by the docker-compose.yml file you created. Now, with your enrollment token file in the same directory with a name that matches the value of NF_REG_NAME, run one of the following commands.

Linux Transparent Proxy

❯ docker-compose up ziti-tunnel

With the transparent proxy running the Linux host that is running Docker will have intercept rules for the authorized Services added to IPtables chains when the container starts and removed when it exits.

MacOS & Windows Proxy

❯ docker-compose up ziti-proxy

With the proxy running the MacOS or Windows host that is running Docker will have mapped ports from the loopback interface to the bound Service ports on the container. You must send NetFoundry network traffic to the appropriate port for each bound Service.

Was this article helpful?
0 out of 0 found this helpful


1 comment

  • When I run this then I get a "no key mechanism specified", unsure where to configure this. On the dashboard or do I need another file that has the key config?


Please sign in to leave a comment.