Options and Modes
ziti-edge-tunnel
Environment Variables
ZITI_TIME_FORMAT=utc
- set the log message time format to UTC timestamp instead of milliseconds since start
ZITI_LOG=4
- set the log level of the underlying Ziti C SDK, higher is more verbose (level 4 means DEBUG)
TLSUV_DEBUG=4
- set the log level of the underlying libuv library, higher is more verbose (level 4 means DEBUG)
For more information about configuring the underlying Ziti C SDK with environment variables, see the Ziti C SDK documentation.
ziti-edge-tunnel
Global Options
You can start ziti-edge-tunnel
with different options, some of the most commonly used options are listed below.
# Load a single identity.
--identity <identity>
# Load all identities in a dir, ignoring files with a .bak or .original filename suffix.
--identity-dir <dir>
# Set log level, higher is more verbose (default level 3 means INFO).
--verbose N
# Set service polling interval in seconds (default 10).
--refresh N
Run Modes
There are two run modes:
run
: transparent proxy with DNS nameserverrun-host
: hosting-only without proxy or nameserver
run
Mode
ziti-edge-tunnel run
provides a transparent proxy and nameserver. The nameserver may be configured to be authoritative (the default) or recursive with command-line option --dns-upstream
. systemd-resolved
, if enabled, automatically configures the Ziti nameserver. You may inspect the configuration with these commands.
resolvectl dns # inspect the association of tun device and nameserver
resolvectl domain # inspect the configuration of query routing domains
If any interface has a wildcard routing domain configured, ziti-edge-tunnel
will also configure its tun with a wildcard routing domain. If no other interface has a wildcard routing domain configured, neither will the ziti-edge-tunnel
tun.
# Specify the tun interface address and the subnet to which Service domain names are resolved (default 100.64.0.1/10). The nameserver address is always the tun interface address +1, default is 100.64.0.2.
--dns-ip-range <ip range>
How does run
configure nameservers?
ziti-edge-tunnel run
provides a built-in nameserver that will answer queries that exactly match authorized OpenZiti services' intercept domain names and will respond with a hard-fail NXDOMAIN
code if the query does not match an authorized service.
You may enable DNS recursion by specifying an upstream nameserver to answer queries for other domain names that are not services' intercept domain names: ziti-edge-tunnel run --dns-upstream 208.67.222.222
.
ziti-edge-tunnel
uses the libsystemd
D-Bus RPC client and will try to configure the OS's resolvers with systemd-resolved
. If that's not possible for any reason then ziti-edge-tunnel run
will fall back to shell commands like resolvectl
. If resolvectl
fails then ziti-edge-tunnel run
will attempt to modify /etc/resolv.conf
directly to install the built-in nameserver as the primary resolver.
If the DNS record exists it returns the answer and sets query status to NO_ERROR
. If it does not exist then it sends the query to an upstream DNS server if configured. Otherwise, it sets the query status to REFUSE
. This implies that the caller should keep trying to resolve the domain name with other nameservers.
System Requirements for Mode run
ziti-edge-tunnel run
requires Linux capabilities for managing the /dev/net/tun
device, running resolvectl
to assign nameservers and domain routes to the tun interface, and running ip route
to manage IP routes.
- tun device and route management are permitted by passing the
CAP_NET_ADMIN
to the ziti-edge-tunnel process viaAmbientCapabilities
in the systemd service unit. systemd-resolved
DNS configuration is permitted by a PolKit rule installed with the RPM or DEB package.
run-host
Mode
ziti-edge-tunnel run-host
is a mode for hosting (listening) for services which does provide service intercepts or DNS. Services configured for 'Bind' will be hosted by the tunneller.
System Requirements for Mode run-host
ziti-edge-tunnel run-host
does not require elevated privileges or the above device or socket, only network egress to the servers for which it is hosting Services.