Ziti router run with TPROXY mode (original) (raw)

December 2, 2025, 2:38pm 1

I would like to add a Ziti Gateway as described in "Use a Router as a Local Gateway".

Currently, my router is configured as follows and works as a reverse proxy:

listeners:
# bindings of edge and tunnel require an "edge" section below
  - binding: edge
    address: tls:0.0.0.0:3022
    options:
      advertise: domain.name:3022
      connectTimeoutMs: 5000
      getSessionTimeout: 60
  - binding: tunnel
    options:
      mode: host #tproxy|host

I am considering simply adding a new binding for the gateway:

listeners:
  - binding: edge
    address: tls:0.0.0.0:3022
    options:
      advertise: domain.name:3022
      connectTimeoutMs: 5000
      getSessionTimeout: 60
  - binding: tunnel
    options:
      mode: host 
  - binding: tunnel
    options:
      mode: tproxy
      bind: udp://127.0.0.1:5553  # input from named (DoT)
      resolver: udp://127.0.0.1:53 # forward to cloudflared (DoH)
      dnsSvcIpRange: 100.64.0.0/10  
      domains:
        public.dns.zone: internal
        default: upstream

Can I safely add this new binding alongside my existing ones, or are there any considerations I should be aware of when combining host and tproxy tunnel modes on the same router?

plorenz December 2, 2025, 8:12pm 2

Hi @Rantanplan, you should only need one tunnel binding. If it's running in mode tproxy then hosting will also be enabled. We should make it more configurable so you can do intercept only, but for now, that's the recommendation.

Paul

I have configured a Ziti router with a tproxy tunnel listener for DNS as follows:

listeners:
# bindings of edge and tunnel require an "edge" section below
  - binding: edge
    address: tls:0.0.0.0:3022
    options:
      advertise: domain.name:443
      connectTimeoutMs: 5000
      getSessionTimeout: 60
  - binding: tunnel
    options:
      mode: tproxy
      bind: udp://127.0.0.53:53 
      resolver: udp://127.0.0.1:5553
      dnsSvcIpRange: 100.64.0.0/10  
      domains:
        public.dns.zone: internal
        default: upstream

The logs indicate:

{
  "file": "github.com/openziti/ziti/tunnel/dns/dns_linux.go:62",
  "func": "github.com/openziti/ziti/tunnel/dns.NewDnsServer",
  "level": "info",
  "msg": "dns server running at 127.0.0.1:5553",
  "time": "2025-12-03T20:28:44.353Z"
}

And netstat -lunp confirms that 127.0.0.1:5553 is bound by the Ziti process:

netstat -lunp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
udp        0      0 0.0.0.0:5355            0.0.0.0:*                           835499/systemd-reso 
udp        0      0 127.0.0.1:5553          0.0.0.0:*                           846612/ziti         
udp        0      0 127.0.0.54:53           0.0.0.0:*                           835499/systemd-reso 
udp        0      0 127.0.0.53:53           0.0.0.0:*                           835499/systemd-reso 
udp6       0      0 :::5355                 :::*                                835499/systemd-reso 

However, when I query the DNS server on port 5553, I receive:

dig @127.0.0.1 -p 5553 google.com 

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> @127.0.0.1 -p 5553 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 64666
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;google.com.			IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5553(127.0.0.1) (UDP)
;; WHEN: Wed Dec 03 20:31:56 UTC 2025
;; MSG SIZE  rcvd: 28

It is unclear to me where the Ziti router forwards DNS queries from this port.

I am running a Ziti router with a tproxy tunnel listener for DNS queries.

StateDirectory=ziti-router
WorkingDirectory=/var/lib/ziti-router

ExecStartPre=/opt/openziti/etc/router/entrypoint.bash check config.yml
ExecStart=/opt/openziti/bin/ziti router run config.yml ${ZITI_ARGS}

Could you clarify the correct way to configure the upstream DNS server, so that queries are properly resolved?

ziti version
v1.6.10
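Two things in the post above are worth checking by hand rather than by eye. First, the router log reports its DNS server at 127.0.0.1:5553, which is the `resolver` value in the posted config, not the `bind` value; so the `resolver` option is where the tunnel's own DNS server listens on this build. Second, the dig output shows status REFUSED with only the qr and rd flags set (no ra), so whatever the tunnel does with names outside its services, it is not recursing upstream for them here. The script below is an added example written for this thread, not OpenZiti code: it builds a plain A query, sends it to a resolver address parsed from the tunnel config, and decodes the RCODE and any A answers, so you can probe a name under `public.dns.zone` and a name like google.com against 127.0.0.1:5553 and branch on the result. The two sample replies at the bottom are constructed, not captured: the first reproduces the 28-byte REFUSED reply in the dig output, the second is a hypothetical intercept answer for `svc.public.dns.zone` pointing at 100.64.0.5 (an address inside the configured dnsSvcIpRange); neither name nor address comes from a real deployment.

```python
"""Probe a DNS server with one A query and decode the reply's RCODE and answers.
Added example for this thread; it is not part of the ziti router."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def resolver_endpoint(url):
    """Split a tunnel 'resolver' option such as udp://127.0.0.1:5553 into
    (host, port). Per the router log above, this is where the tunnel's own
    DNS server listens."""
    scheme, _, hostport = url.partition("://")
    if scheme != "udp":
        raise ValueError(f"unsupported resolver scheme: {scheme}")
    host, _, port = hostport.rpartition(":")
    return host, int(port)


def _question(name, qtype=1):
    """Wire-format question: labels, zero terminator, QTYPE, QCLASS=IN."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return qname + b"\x00" + struct.pack("!HH", qtype, 1)


def build_query(name, txid=0x1234, qtype=1):
    """Standard query with RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _question(name, qtype)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2  # a pointer always ends the name on the wire
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Return txid, RCODE name, the RA flag and any A answers as
    (name, address, ttl) tuples."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata), ttl))
    return {"id": txid,
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "ra": bool(flags & 0x0080),
            "answers": answers}


def probe(name, server="127.0.0.1", port=5553, timeout=2.0):
    """Send one query over UDP and decode the reply (needs network access)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        data, _ = sock.recvfrom(4096)
    reply = parse_response(data)
    if reply["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    return reply


# Constructed sample replies (not captured from a real resolver).
# 1) Mirrors the dig output above: id 64666, flags qr+rd, REFUSED, 28 bytes.
REFUSED_REPLY = (struct.pack("!HHHHHH", 64666, 0x8105, 1, 0, 0, 0)
                 + _question("google.com"))
# 2) Hypothetical intercept answer: name under public.dns.zone, address from
# the dnsSvcIpRange in the config, answer name compressed back to the
# question at offset 12 (0xC00C).
ANSWERED_REPLY = (struct.pack("!HHHHHH", 7, 0x8180, 1, 1, 0, 0)
                  + _question("svc.public.dns.zone")
                  + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                  + socket.inet_aton("100.64.0.5"))

if __name__ == "__main__":
    host, port = resolver_endpoint("udp://127.0.0.1:5553")
    for qname in ("svc.public.dns.zone", "google.com"):
        print(qname, probe(qname, host, port))
```

Run it on the router host against the `resolver` address from the config; a name the tunnel intercepts should come back NOERROR with an address inside dnsSvcIpRange, while a REFUSED reply with `ra` false tells you the tunnel's server is not forwarding that name anywhere, which is the behaviour the dig output documents.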