This article describes how to use ziti-tunnel from the OpenZiti project as an endpoint for your NetFoundry network. You can run ziti-tunnel in a Docker container on Linux to get the same capabilities as running ziti-tunnel natively on Linux. This is especially useful for a Linux workstation because a Desktop Edge standalone app is not yet available for Linux.
You will need the enrollment token (JWT) from NetFoundry for the endpoint you created for the Docker Tunneler. When you provide the JWT file, the endpoint is enrolled the first time you run the container, and a permanent identity file (JSON) is written to the same directory as your Docker Compose file. The identity file holds the endpoint's private key and certificate, so keep it out of version control and readable only by the user that runs Docker. The enrollment token is a one-time token with an expiry, so if enrollment fails with a stale JWT, request a fresh token from NetFoundry rather than retrying the old one.
Docker Compose Up
Next, download the Compose file from GitHub (secondary link) to the computer that is running Docker. Docker Compose uses the up command to run the container. Place your enrollment token file in the same directory, named after the value of NF_REG_NAME: with NF_REG_NAME=my-ziti-identity-file the container expects my-ziti-identity-file.jwt and, after enrollment, writes the identity to my-ziti-identity-file.json. Then run the following command.
Linux Transparent Proxy
❯ docker-compose pull && NF_REG_NAME=my-ziti-identity-file docker-compose up ziti-tproxy
With the transparent proxy running, the Linux host that runs Docker will have intercept rules for the authorized Services added to its iptables chains when the container starts and removed when it exits. Because the container rewrites the host's iptables, it has to run in the host's network namespace with the NET_ADMIN capability, so treat it as a privileged workload on that host and only run the Compose file you obtained from the project. You may exit by typing ctrl+c; if the container is killed instead of stopped cleanly, confirm with iptables-save that no intercept rules linger before starting it again. To run the container in the background, add the --detach option:
❯ docker-compose pull && NF_REG_NAME=my-ziti-identity-file docker-compose up --detach ziti-tproxy
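As an added example (not code from NetFoundry or the OpenZiti project), the following POSIX shell script is a pre-flight check to run before the docker-compose up commands above. It assumes the container entrypoint reads NF_REG_NAME.jwt and writes NF_REG_NAME.json in the directory holding the Compose file, and that the enrollment JWT carries a standard numeric exp claim; the function names, the sample token builder and the sample claims it embeds are constructed here for illustration.

```shell
#!/bin/sh
# Pre-flight check before `NF_REG_NAME=<name> docker-compose up ziti-tproxy`.
# Added example; not part of the NetFoundry or OpenZiti projects.
# Assumption: the container entrypoint reads <dir>/<NF_REG_NAME>.jwt and,
# after enrollment, writes <dir>/<NF_REG_NAME>.json (the identity, which
# contains the endpoint's private key, so it must not be world-readable).

# base64url encode/decode (URL-safe alphabet, no '=' padding, as JWTs use).
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'
}

b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  pad=$(( (4 - ${#s} % 4) % 4 ))
  while [ "$pad" -gt 0 ]; do s="$s="; pad=$((pad - 1)); done
  printf '%s' "$s" | base64 -d 2>/dev/null
}

# Print the JWT payload; fail unless the token has three dot-separated parts.
# The signature is NOT verified here; the controller checks it at enrollment.
jwt_payload() {
  case "$1" in *.*.*) ;; *) return 1 ;; esac
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Extract a numeric claim (e.g. exp) from the payload without needing jq.
jwt_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p"
}

# Return 0 if the token has no exp claim or exp lies in the future, 1 if expired.
jwt_unexpired() {
  exp=$(jwt_claim "$1" exp)
  [ -z "$exp" ] && return 0
  [ "$exp" -gt "$(date +%s)" ]
}

# Build a constructed, unsigned sample token with the given exp (demo/test only).
make_sample_jwt() {
  hdr=$(b64url_encode '{"alg":"RS256","typ":"JWT"}')
  pld=$(b64url_encode "{\"iss\":\"https://ctrl.example.invalid\",\"em\":\"ott\",\"exp\":$1}")
  printf '%s.%s.%s' "$hdr" "$pld" "$(b64url_encode 'not-a-real-signature')"
}

# preflight DIR NAME prints one word and returns 0 when it is safe to start:
#   enrolled  NAME.json exists and only its owner can read it        (0)
#   exposed   NAME.json exists but group/others can read it           (1)
#   ready     NAME.jwt is well-formed and unexpired                    (0)
#   missing / malformed / expired   problems with NAME.jwt             (1)
preflight() {
  dir=$1; name=$2
  jwt="$dir/$name.jwt"; json="$dir/$name.json"
  if [ -s "$json" ]; then
    # columns 5-10 of `ls -l` are the group and other permission bits
    if [ "$(ls -l "$json" | cut -c5-10)" = "------" ]; then
      echo enrolled; return 0
    fi
    echo exposed; return 1
  fi
  [ -s "$jwt" ] || { echo missing; return 1; }
  tok=$(tr -d '[:space:]' < "$jwt")
  jwt_payload "$tok" >/dev/null || { echo malformed; return 1; }
  jwt_unexpired "$tok" || { echo expired; return 1; }
  echo ready
}

# When NF_REG_NAME is set, check the current directory (where the Compose
# file and token live) so the script can gate docker-compose up, e.g.
#   NF_REG_NAME=my-ziti-identity-file sh preflight.sh && docker-compose up ziti-tproxy
if [ -n "${NF_REG_NAME:-}" ]; then
  preflight "${IDENTITIES_DIR:-.}" "$NF_REG_NAME"
fi
```

The script only inspects the token's structure and exp claim; it deliberately does not try to validate the signature, which is the controller's job during enrollment. What it catches are the failures that otherwise surface only as a confusing container exit: a token saved under the wrong name, a token that has already expired, and an identity file left readable by other users on the host.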
macOS & Windows
Most users should install the Desktop Edge app to gain access to their NetFoundry network on macOS and Windows. It is possible to run the Linux container on other operating systems inside a VM (Docker Desktop itself runs containers in a Linux VM), but transparent proxy mode only works on Linux where the iptables command is available, and the intercept rules then apply inside that VM rather than on the macOS or Windows host.
Edit the ziti-proxy section of the Compose file you downloaded above so that the service names and ports suit your needs, then run this command. Proxy mode listens on a local TCP port for each Service instead of intercepting traffic with iptables, so it does not need NET_ADMIN and works anywhere the container itself can run.
❯ docker-compose pull && NF_REG_NAME=my-ziti-identity-file docker-compose up ziti-proxy