Host OpenZiti Anywhere
You can absolutely choose to host your OpenZiti Network anywhere you like. It is not necessary for the server to be on the open internet. If it works better for you to deploy OpenZiti on your own network, great, do that. The only requirement to be aware of is that every piece of the a network will need to be able to communicate to the controller and at least one edge router, which this quickstart will provide.
If you have a Linux server available on the open internet, or you will provision one for use with OpenZiti, that's the ideal scenario. With a zero trust overlay network provided by OpenZiti, you can rest assured that your traffic is safe even when using commodity internet. Furthermore, you do not need to worry about being on a network you trust, as all networks are considered untrustworthy, even your work/home network!
Installation
When starting out deploying an OpenZiti Network, we recommend you follow
and use the expressInstall
function provided by the OpenZiti project. Once you're familiar with the network and
the configuration options available you'll be better equipped to make changes.
Firewall
The first issue you will need to deal with is opening some ports. A network will consist of at least one controller and at least one edge router. Both of these components will require ports to be open. For the controller you will need to open a range of ports through your firewall:
8440/tcp
: Edge Controller providing router control plane8441/tcp
: Edge Controller providing client sessions8442/tcp
: Edge Router providing client connections8443/tcp
: Ziti Admin Console (ZAC) [optional]
These are the arbitrary ports we'll use in this example for convenience when specifying the firewall exception as a port range.
Express Install
Prerequisites
Make sure you have tar
, hostname
, jq
and curl
installed before running the expressInstall
one-liner.
expressInstall
Setup
expressInstall
may be customized with environment variables. Consider creating a DNS name for this installation before running the script. By default, the
quickstart will install your Ziti network's PKI and configuration files in ${HOME}/.ziti/quickstart/$(hostname -s)
. You may choose a different location by defining ZITI_HOME=/custom/path/to/quickstart
. If you do customize ZITI_HOME
then you should also make this assignment in your shell RC, e.g., ~/.bashrc
for future convenience.
You will almost certainly want to use the public DNS name of your instance. It is possible to use an IP address, but a DNS name is a more flexible option, which will be important if the IP ever changes.
The quickest and easiest thing to do, is find your external DNS name and set it into the EXTERNAL_DNS
environment
variable. You may skip setting EXTERNAL_DNS
if you don't need to configure the advertised DNS Subject Alternative Name (SAN). For example,
export EXTERNAL_DNS="acme.example.com"
export EXTERNAL_IP="$(curl -s eth0.me)"
export ZITI_EDGE_CONTROLLER_IP_OVERRIDE="${EXTERNAL_IP}"
export ZITI_EDGE_ROUTER_IP_OVERRIDE="${EXTERNAL_IP}"
export ZITI_CTRL_EDGE_ADVERTISED_ADDRESS="${EXTERNAL_DNS}"
export ZITI_ROUTER_ADVERTISED_ADDRESS="${EXTERNAL_DNS}"
export ZITI_CTRL_LISTENER_PORT=8440
export ZITI_CTRL_EDGE_ADVERTISED_PORT=8441
export ZITI_EDGE_ROUTER_PORT=8442
Run expressInstall
As with any script that is downloaded and run from the internet, we recommend you examine the script before running it locally. This script is provided as a convenience method for installing an environment quickly and easily.
source /dev/stdin <<< "$(wget -qO- https://get.openziti.io/quick/ziti-cli-functions.sh)"; expressInstall
systemd
This assumes you already ran expressInstall
on a Linux server. If it's available on your system, then it is recommended to use systemd
to manage your controller and router processes. This
is useful to make sure the controller can restart automatically should you shutdown/restart the server. To generate the systemd
unit files, run:
createControllerSystemdFile
createRouterSystemdFile "${ZITI_EDGE_ROUTER_NAME}"
Example output:
$ createControllerSystemdFile
Controller systemd file written to: /home/ubuntu/.ziti/quickstart/ip-172-31-23-18/ip-172-31-23-18-edge-controller.service
$ createRouterSystemdFile "${ZITI_EDGE_ROUTER_NAME}"
Router systemd file written to: /home/ubuntu/.ziti/quickstart/ip-172-31-23-18/ip-172-31-23-18-edge-router.service
The helper functions vs systemd
The set of startController/stopController, startRouter/stopRouter are functions declared in the
the ziti-cli-function.sh helper script and are useful for running
the controller and router directly in your shell. These functions are not meant to work with systemd-enabled installs. If
you are enabling systemd, use systemctl
to start/stop the components. During the expressInstall, the controller and router
were started using the helper scripts to complete the installation. Both should not be running, but before you run the
controller and router with systemd
you need to stop them if they're currently running:
stopRouter
stopController
Example output:
$ stopRouter
INFO: Router stopped.
$ stopController
INFO: Controller stopped.
After the systemd
service units are generated, you can then install them by running:
sudo cp "${ZITI_HOME}/${ZITI_CTRL_NAME}.service" /etc/systemd/system/ziti-controller.service
sudo cp "${ZITI_HOME}/${ZITI_EDGE_ROUTER_NAME}.service" /etc/systemd/system/ziti-router.service
sudo systemctl daemon-reload
sudo systemctl enable --now ziti-controller
sudo systemctl enable --now ziti-router
Example output:
$ sudo cp "${ZITI_HOME}/${ZITI_CTRL_NAME}.service" /etc/systemd/system/ziti-controller.service
$ sudo cp "${ZITI_HOME}/${ZITI_EDGE_ROUTER_NAME}.service" /etc/systemd/system/ziti-router.service
$ sudo systemctl daemon-reload
$ sudo systemctl enable --now ziti-controller
Created symlink from /etc/systemd/system/multi-user.target.wants/ziti-controller.service to /etc/systemd/system/ziti-controller.service.
$ sudo systemctl enable --now ziti-router
Created symlink from /etc/systemd/system/multi-user.target.wants/ziti-router.service to /etc/systemd/system/ziti-router.service.
Now, both the controller and the edge router will restart automatically! After a few seconds you can then run these commands and verify systemd has started the processes and see the status:
sudo systemctl -q status ziti-controller --lines=0 --no-pager
sudo systemctl -q status ziti-router --lines=0 --no-pager
Example output:
$ sudo systemctl -q status ziti-controller --lines=0 --no-pager
● ziti-controller.service - Ziti-Controller
Loaded: loaded (/etc/systemd/system/ziti-controller.service; disabled; vendor preset: enabled)
Active: active (running) since Thu 2021-11-11 19:05:46 UTC; 8s ago
Main PID: 2375 (ziti-controller)
Tasks: 7 (limit: 1154)
Memory: 43.7M
CGroup: /system.slice/ziti-controller.service
└─2375 /home/ubuntu/.ziti/quickstart/ip-10-0-0-1/ziti-bin/ziti-v0.22.11/ziti-controller run /home/ubuntu/.ziti/quickstart/ip-10-0-0-1/co…
$ sudo systemctl -q status ziti-router --lines=0 --no-pager
● ziti-router.service - Ziti-Router for ip-10-0-0-1-edge-router
Loaded: loaded (/etc/systemd/system/ziti-router.service; disabled; vendor preset: enabled)
Active: active (running) since Thu 2021-11-11 19:05:47 UTC; 8s ago
Main PID: 2385 (ziti-router)
Tasks: 6 (limit: 1154)
Memory: 231.4M
CGroup: /system.slice/ziti-router.service
└─2385 /home/ubuntu/.ziti/quickstart/ip-10-0-0-1/ziti-bin/ziti-v0.22.11/ziti-router run /home/ubuntu/.ziti/quickstart/ip-10-0-0-1/ip-10…
Adding Environment Variables Back to the Shell
If you log out and log back in again you can source the *.env file located in ZITI_HOME
.
source ~/.ziti/quickstart/$(hostname -s)/$(hostname -s).env
Example output:
$ source ~/.ziti/quickstart/$(hostname -s)/$(hostname -s).env
adding /home/ubuntu/.ziti/quickstart/ip-10-0-0-1/ziti-bin/ziti-v0.20.2 to the path
$ echo $ZITI_HOME
/home/ubuntu/.ziti/quickstart/ip-10-0-0-1
Next Steps
- Now that you have your network in place, you probably want to try it out. Head to the services quickstart and start learning how to use OpenZiti.
- Install the Ziti Console (web UI)
- Add a Second Public Router: In order for multiple routers to form transit links, they need a firewall exception to expose the "link listener" port. The default port is
10080/tcp
. - Help