Linux
The Ziti Tunneller
ziti-edge-tunnel is the general purpose tunneller CLI and can also run as a systemd daemon.
The purpose of the tunneller is to configure host access. This means all users and all processes on the host will share the same level of access. This is accomplished by configuring the OS to have an on-board OpenZiti DNS nameserver and IP routes for authorized OpenZiti Services.
Install Linux Package
Reasons to use the package:
- Install the tunneller as a systemd service.
- Create permissions and policies for the tunneller to run as a non-root user.
- Automatically enroll the identity and clean up the enrollment token in the identities directory.
- Automatically upgrade the tunneller when a new package is available.
Linux DEB packages are currently available for the x86_64 and arm64 platforms and RPM packages are available for x86_64. Additionally, there are executable downloads available for arm/v7 (32-bit) for manual installation.
It is not necessary to manually enroll the identity when using the RPM or DEB package. Just install the token in the identities directory with file owner "ziti" and it will be enrolled and cleaned up when you start the service.
Installing the DEB
- Run the script for your OS to install ziti-edge-tunnel.
- Ubuntu
- Debian GNU/Linux
Ubuntu
Packages are available for all Ubuntu releases since 18.04 (Bionic).
Architectures available:
- x86_64
- arm64
Please read this script to ensure it is safe before running it.
curl -sSLf https://get.openziti.io/tun/scripts/install-ubuntu.bash | bash
Debian GNU/Linux
Debian | Ubuntu | Archs |
---|---|---|
12 Bookworm | Jammy 22.04 | x86_64, arm64 |
11 Bullseye | Focal 20.04 | x86_64, arm64 |
10 Buster | Bionic 18.04 | x86_64 |
9 Stretch | Xenial 16.04 | x86_64 |
This example subscribes you to the Ubuntu focal repo which will work well in most cases. Alternatively, you may refer to the table to find the Ubuntu release name that is the contemporary of your Debian release. Then, substitute the Ubuntu release name for focal in the /etc/apt/sources.list.d/openziti.list file.
(
set -euo pipefail
curl -sSLf https://get.openziti.io/tun/package-repos.gpg \
| sudo gpg --dearmor --output /usr/share/keyrings/openziti.gpg
echo 'deb [signed-by=/usr/share/keyrings/openziti.gpg] https://packages.openziti.org/zitipax-openziti-deb-stable focal main' \
| sudo tee /etc/apt/sources.list.d/openziti.list >/dev/null
sudo apt update
sudo apt install ziti-edge-tunnel
)
- Place a copy of the enrollment token JWT file in the /opt/openziti/etc/identities directory.
- Set the filemode and owner so that members of group ziti will be able to read and delete the token file.
sudo chown -cR :ziti /opt/openziti/etc/identities
sudo chmod -cR ug=rwX,o-rwx /opt/openziti/etc/identities
- Enable and start the service.
sudo systemctl enable --now ziti-edge-tunnel.service
- The process needs to be restarted if the contents of /opt/openziti/etc/identities change.
sudo systemctl restart ziti-edge-tunnel.service
Installing the RPM
- Create a repo file like /etc/yum.repos.d/openziti.repo matching the appropriate example below for your OS.
- Red Hat
- Fedora
- Amazon Linux
Red Hat
Architectures available:
- x86_64
Use this repo with var $releasever on CentOS 7, Rocky 8-9, and RHEL 7-9.
[OpenZiti]
name=OpenZiti
baseurl=https://packages.openziti.org/zitipax-openziti-rpm-stable/redhat$releasever/$basearch
enabled=1
gpgcheck=0
gpgkey=https://packages.openziti.org/zitipax-openziti-rpm-stable/redhat$releasever/$basearch/repodata/repomd.xml.key
repo_gpgcheck=1
Fedora
Architectures available:
- x86_64
[OpenZiti]
name=OpenZiti
baseurl=https://packages.openziti.org/zitipax-openziti-rpm-stable/redhat8/$basearch
enabled=1
gpgcheck=0
gpgkey=https://packages.openziti.org/zitipax-openziti-rpm-stable/redhat8/$basearch/repodata/repomd.xml.key
repo_gpgcheck=1
Amazon Linux
Architectures available:
- x86_64
[OpenZiti]
name=OpenZiti
baseurl=https://packages.openziti.org/zitipax-openziti-rpm-stable/redhat8/$basearch
enabled=1
gpgcheck=0
gpgkey=https://packages.openziti.org/zitipax-openziti-rpm-stable/redhat8/$basearch/repodata/repomd.xml.key
repo_gpgcheck=1
- Run sudo yum update to refresh your repo data cache. Optionally, you may wish to also install all available updates.
- Run sudo yum install ziti-edge-tunnel to install the RPM.
- Place a copy of the enrollment token JWT file in the /opt/openziti/etc/identities directory.
- Set the filemode and owner so that members of group ziti will be able to read and delete the token file.
sudo chown -cR :ziti /opt/openziti/etc/identities
sudo chmod -cR ug=rwX,o-rwx /opt/openziti/etc/identities
- Enable and start the service.
sudo systemctl enable --now ziti-edge-tunnel.service
- The process needs to be restarted if the contents of /opt/openziti/etc/identities change.
sudo systemctl restart ziti-edge-tunnel.service
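A post-install check for the DEB and RPM procedures above, added here as an example (it is not part of the OpenZiti documentation or project code). audit_repo prints which signature checks each section of a .repo file enables: with the settings shown above, gpgcheck=0 leaves individual RPM signatures unchecked while repo_gpgcheck=1 verifies the signed repository metadata. audit_identities flags anything in the identities directory that contradicts the chown/chmod step, plus token files that are still waiting to be enrolled; the function names and the output format are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the OpenZiti project; function names are hypothetical.

# audit_repo FILE: for each [section] of a yum/dnf .repo file, print which
# signature checks are set. gpgcheck covers individual RPM signatures;
# repo_gpgcheck covers the signed repository metadata (repomd.xml).
audit_repo() {
    awk -F'[ \t]*=[ \t]*' '
        function emit() {
            if (name != "") print name, "gpgcheck=" pkg, "repo_gpgcheck=" meta
        }
        /^\[.*\]$/ {
            emit()
            name = substr($0, 2, length($0) - 2)
            pkg = meta = "unset"   # unset means the [main] default applies
            next
        }
        $1 == "gpgcheck"      { pkg = $2 }
        $1 == "repo_gpgcheck" { meta = $2 }
        END { emit() }
    ' "$1"
}

# audit_identities DIR GROUP: print one finding per line, return 1 if any.
audit_identities() {
    dir=$1 group=$2
    findings=$(
        # Any "other" permission bit contradicts chmod o-rwx.
        find "$dir" \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec printf 'world-accessible: %s\n' {} \;
        # The service reads and deletes tokens through group ownership.
        find "$dir" ! -group "$group" -exec printf 'wrong-group: %s\n' {} \;
        # A *.jwt still present has not been enrolled and cleaned up yet.
        find "$dir" -type f -name '*.jwt' -exec printf 'pending-token: %s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage on an installed host:
#   audit_repo /etc/yum.repos.d/openziti.repo
#   audit_identities /opt/openziti/etc/identities ziti
```

A pending-token finding after the service has started means the token was not consumed, which is worth checking against the group and mode findings for the same file.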
Manual Installation
The latest binary release of ziti-edge-tunnel is distributed as an executable for the amd64, arm, and arm64 architectures. The upgrade procedure is identical to the installation procedure.
You'll need to install the wget and unzip commands to use this example.
wget -q "https://github.com/openziti/ziti-tunnel-sdk-c/releases/latest/download/ziti-edge-tunnel-Linux_$(uname -p).zip" \
&& unzip ./ziti-edge-tunnel-Linux_$(uname -p).zip \
&& rm ./ziti-edge-tunnel-Linux_$(uname -p).zip \
&& chmod -c +x ./ziti-edge-tunnel \
&& ./ziti-edge-tunnel version
Enroll Before You Run
You will need the token file or its contents to enroll. Enrollment is the act of exchanging the token for an identity that is to be permanently installed in the filesystem.
Run the Manually Installed Binary
ziti-edge-tunnel run \
--identity-dir /opt/openziti/etc/identities
Learn more about tunneler options and modes.
Run with Docker
Please reference the article about running the Linux tunneler in a container for guidance and examples!
Troubleshooting
Please refer to the troubleshooting guide