How to Install & run ziti-edge-tunneller as a Service on Linux


ziti-edge-tunnelis a CLI and daemon that configures a transparent proxy for the OpenZiti Edge. This means the device where it is running will be able to connect to any OpenZiti services with DNS or IP address, and any servers that are reachable by the device may be published to the OpenZiti Network.

The latest ZET package can be downloaded from the repository.

Follow the below steps to install and verify ZET as a service on Linux

Step 1: Create an endpoint and download JWT

You need a enrollment token ( JWT) that is issued to you by your administrator of the NetFoundry console. If you have the registration token, proceed to step 2.

If you have to provision you endpoint, click here, for step by step process of creating an endpoint and downloading the JWT

Step 2: Install Curl

Curl is a command line tool that enables data transfer over various network protocols. Install curl using the below command

sudo apt-get install curl


Step 3: Update Repository

 Use the below script to import the signing key, and add a package source to the repository list.

curl -sSLf \
| gpg --dearmor \
| sudo tee /usr/share/keyrings/openziti.gpg >/dev/null
echo 'deb [signed-by=/usr/share/keyrings/openziti.gpg] jammy main' \
| sudo tee /etc/apt/sources.list.d/openziti.list >/dev/null


Ubuntu Focal 20.04, Bionic 18.04, Xenial 16.04, Trusty 14.04

The script is the same as Jammy for these older Ubuntu releases, but you must substitute the correct Ubuntu release code name e.g. "focal" in place of "jammy" in the apt sources file.

Step 4: Update and Install ZET

update sources and install ziti-edge-tunnel using the below commands

sudo apt update
sudo apt install ziti-edge-tunnel



You can see a successfully installed message as shown above.

Step 5: Enroll Endpoint

Enroll the identity by adding the JWT file or identity config JSON file in /opt/openziti/etc/identities

sudo cp Downloads/UbuntuEP.jwt /opt/oenziti/etc/identities



Step 6: Add current user to ziti group 

Ubuntu - $ sudo usermod --append --groups ziti <your-username>


Step 7: Run ZET

Use the below commands to start the ZET service. 

sudo systemctl enable --now ziti-edge-tunnel.service

Note: The service needs to be restarted if the contents of the identities directory change


Step 7: Verify

Use the below command to check the status of the tunnel. 

sudo systemctl status ziti-edge-tunnel.service


Once the ziti edge tunnel service started we can observe that the endpoint as registered on MOP.


Debian GNU/Linux

The script is the same as Ubuntu Jammy for Debian releases, but you should substitute the youngest Ubuntu release code name e.g. "focal" that is older than your release of Debian in place of "jammy" in the apt sources file. For simplicity's sake, the Ubuntu 18.04 "bionic" build is broadly compatible with modern Debian releases.

Installing the RPM (RHEL, CentOS, Rocky Linux, Fedora and Amazon Linux)

  1. Create a repo file like/etc/yum.repos.d/openziti.repomatching the appropriate example below for your OS.
  2. Runyum updateto refresh your repodata cache. Optionally, you may wish to also install all available updates.
  3. Runyum install ziti-edge-tunnelto install the RPM.
  4. Install an enroll token JWT file or identity config JSON file in/opt/openziti/etc/identities.
  5. Runsystemctl start ziti-edge-tunnel.service. The service needs to be restarted if the contents of the identities directory change.

RHEL, CentOS, and Rocky Linux




Amazon Linux



Uninstalling the ziti edge tunnel:

sudo apt remove --purge ziti-edge-tunnel

Refer steps for installing the binary in place of the package here


Refer the article on troubleshooting ziti edge tunnel for linux 





Was this article helpful?
1 out of 3 found this helpful



Please sign in to leave a comment.