Closed mrbluecoat closed 2 years ago
Ziti absolutely does not operate at layer 2. It's layer 3+. I corrected that statement further down that thread:
personally wouldn’t consider OpenZiti on layer 2 of the OSI model. Realistically, OpenZiti probably operates somewhere after layer 4 (TCP/IP) and before layer 7 (application). OpenZiti is an ‘overlay’ network. It’s a different way of thinking for sure.
Tunneling apps though - they do interact with layer 3/4 (TCP, IP, Ports etc). Tunneling apps are a step along the OpenZiti journey. Most people start here because it is usually just easier to get going for new learners for that reason.
Zssh explicitly dials a service by identity name. At this time, you would be required to have a matching ziti identity. So you could use zssh to login to the switch, but not anything attached to that switch.
I think a feature could be added to zssh that would allow you to connect through the bridge, allowing you to connect to anything attached to the bridge but it would have to be developed.
I guess I should have kept reading that post 😆
My use case only needs to login to the switch (no other devices on the network) so I'm interested in how this could be set up. Specifically, if I have a device running Linux and two NICs and I configure it as a Layer 2 transparent bridge between a modem connected to the internet and a router that provides the dhcp/nat for a small network, how can I ssh (or zssh) into the transparent bridge?
If you only need to login to the switch, then I would do the following:
* use ziti-edge-tunnel to enroll the identity
* run ziti-edge-tunnel in 'run-host' mode with that identity: ./ziti-edge-tunnel run-host -i switch.json (or whatever identity file you called it)

I made this video that shows that whole process if interested https://youtu.be/HFkT3NgjnJw
You'll end up with an ssh session to a machine that has no open firewall ports and only needs outbound internet that works/looks like this:
I am closing this issue for now. I think it was answered. If not, please re-open.
The original question was answered so I'll leave this as closed. Regarding the follow-up task, I got stuck trying to do the expressInstall on an Oracle Cloud instance:
1. Create free Oracle Cloud ARM instance: https://www.youtube.com/watch?v=4642CoP0q7Y
2. On the instance page, click "Copy" next to "Public IP address" and save it for later reference.
3. Click "Show" next to "Internal FQDN" and copy it for use later.
4. Click the link next to "Subnet"
5. Click the "Default Security List" link at the bottom of the page
6. Click "Add Ingress Rules" button and configure:
* Source Type: CIDR
* Source CIDR: 0.0.0.0/0
* IP Protocol: TCP
* Source Port Range: {leave blank for All}
* Destination Port Range: 6262,8441,8442,10080
* Description: OpenZiti
7. Click "Add Ingress Rules" button
8. SSH into your cloud instance and run:
sudo apt install -y jq wget psmisc
sudo apt install ca-certificates --reinstall
sudo update-ca-certificates -f
9. Install OpenZiti https://openziti.github.io/ziti/quickstarts/network/hosted.html
export EXTERNAL_DNS="value-from-step-3-above"
export EXTERNAL_IP="$(curl -s eth0.me)"
export ZITI_EDGE_CONTROLLER_IP_OVERRIDE="${EXTERNAL_IP}"
export ZITI_EDGE_ROUTER_IP_OVERRIDE="${EXTERNAL_IP}"
export ZITI_EDGE_CONTROLLER_HOSTNAME="${EXTERNAL_DNS}"
export ZITI_EDGE_ROUTER_HOSTNAME="${EXTERNAL_DNS}"
export ZITI_EDGE_CONTROLLER_PORT=8441
export ZITI_EDGE_ROUTER_PORT=8442
source /dev/stdin <<< "$(wget -qO- https://raw.githubusercontent.com/openziti/ziti/release-next/quickstart/docker/image/ziti-cli-functions.sh)"; expressInstall
# throws these errors:
******** Setting Up Controller ********
wrote CA file to: /home/ubuntu/.ziti/quickstart/webmaster/pki/cas.pem
Controller configuration file written to: /home/ubuntu/.ziti/quickstart/webmaster/webmaster.yaml
ziti-controller initialized. see /home/ubuntu/.ziti/quickstart/webmaster/webmaster-init.log for details
ziti-controller started as process id: . log located at: /home/ubuntu/.ziti/quickstart/webmaster/webmaster.log
waiting for the controller to come online to allow the edge router to enroll
RESTY 2022/09/08 04:14:08 ERROR Get "https://REDACTED.oraclevcn.com:8441/version": x509: certificate signed by unknown authority, Attempt 1
RESTY 2022/09/08 04:14:08 ERROR Get "https://REDACTED.oraclevcn.com:8441/version": x509: certificate signed by unknown authority, Attempt 2
RESTY 2022/09/08 04:14:08 ERROR Get "https://REDACTED.oraclevcn.com:8441/version": x509: certificate signed by unknown authority, Attempt 3
RESTY 2022/09/08 04:14:09 ERROR Get "https://REDACTED.oraclevcn.com:8441/version": x509: certificate signed by unknown authority, Attempt 4
RESTY 2022/09/08 04:14:09 ERROR Get "https://REDACTED.oraclevcn.com:8441/version": x509: certificate signed by unknown authority, Attempt 5
RESTY 2022/09/08 04:14:11 ERROR Post "https://REDACTED.oraclevcn.com:8441/authenticate?method=password": x509: certificate signed by unknown authority, Attempt 1
RESTY 2022/09/08 04:14:11 ERROR Post "https://REDACTED.oraclevcn.com:8441/authenticate?method=password": x509: certificate signed by unknown authority, Attempt 2
RESTY 2022/09/08 04:14:11 ERROR Post "https://REDACTED.oraclevcn.com:8441/authenticate?method=password": x509: certificate signed by unknown authority, Attempt 3
RESTY 2022/09/08 04:14:11 ERROR Post "https://REDACTED.oraclevcn.com:8441/authenticate?method=password": x509: certificate signed by unknown authority, Attempt 4
RESTY 2022/09/08 04:14:12 ERROR Post "https://REDACTED.oraclevcn.com:8441/authenticate?method=password": x509: certificate signed by unknown authority, Attempt 5
error: unable to authenticate to https://REDACTED.oraclevcn.com:8441. Error: Post "https://REDACTED.oraclevcn.com:8441/authenticate?method=password": x509: certificate signed by unknown authority
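As an added diagnostic that is not part of the quickstart or of this thread, the shell functions below check whether the certificate the controller serves on its edge API port (8441 above) chains to the CA bundle the quickstart wrote (cas.pem in the log above); a failed chain is exactly the condition behind the "x509: certificate signed by unknown authority" error. Function names are my own and the CA file path is passed in as an argument.

```shell
# Verify a PEM leaf certificate file against a CA bundle with openssl.
# Returns 0 when the chain validates, non-zero otherwise.
verify_leaf_against_ca() {
  local leaf="$1" cafile="$2"
  openssl verify -CAfile "$cafile" "$leaf" >/dev/null 2>&1
}

# Fetch the certificate a running controller presents on host:port and check
# it against the quickstart CA bundle, e.g.
#   check_controller_tls REDACTED.oraclevcn.com 8441 \
#     /home/ubuntu/.ziti/quickstart/webmaster/pki/cas.pem
# Returns 0 when the chain validates, 1 when it does not (the x509 error
# seen above), 2 when no certificate could be fetched (port closed/unreachable).
check_controller_tls() {
  local host="$1" port="$2" cafile="$3"
  local leaf rc
  leaf="$(mktemp)"
  # </dev/null closes stdin so s_client exits right after the handshake;
  # -servername sends SNI, matching what an HTTPS client would do.
  if ! openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
       | openssl x509 -outform PEM >"$leaf" 2>/dev/null; then
    echo "ERROR: could not fetch a certificate from $host:$port (ingress rule/port?)"
    rm -f "$leaf"
    return 2
  fi
  if verify_leaf_against_ca "$leaf" "$cafile"; then
    echo "OK: certificate on $host:$port chains to $cafile"
    rc=0
  else
    echo "FAIL: certificate on $host:$port does not chain to $cafile"
    echo "      (this is the condition behind 'x509: certificate signed by unknown authority')"
    rc=1
  fi
  rm -f "$leaf"
  return "$rc"
}
```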
Sorry if this is documented elsewhere, but does OpenZiti operate at Layer 2? https://openziti.discourse.group/t/where-to-begin-with-openziti/426/33?page=2 says
So if I have a managed switch running a Linux transparent bridge I could use zssh to login?