Ziti
The parent project for OpenZiti. Here you will find the executables for a fully zero-trust, programmable network.
OpenZiti
OpenZiti is an open-source zero-trust networking platform that makes network services invisible to unauthorized users. Every connection, whether from a user, a service, a device, or a workload, is authenticated with cryptographic identity, authorized by policy, and encrypted end-to-end.
OpenZiti works with both existing applications (using lightweight tunnelers with no code changes required) and new applications (using embedded SDKs for the strongest zero-trust model). This makes it practical for both brownfield environments and greenfield development.
Created and sponsored by NetFoundry. Licensed under Apache 2.0.
<p align="center"> <img src="./doc/images/openziti-architecture.svg" alt="OpenZiti Architecture: Controller, Edge Routers, SDKs, and Tunnelers" width="100%"/> </p>
Table of Contents
- Use Cases
- Key Capabilities
- Three Deployment Models
- Getting Started
- Architecture
- Zero Trust, Dark Services, and End-to-End Encryption
- SDKs
- Community & Support
- Contributing
- Adopters
- Managed Solution
Use Cases
OpenZiti enables you to extend zero-trust anywhere for any use case, including non-human workloads and workflows, across multiple networks and third parties. The following are some common use cases.
Replace VPNs
Provide secure access to internal services without VPN clients, split tunneling headaches, or concentrator bottlenecks. Each service is individually authorized. No "once you're in, you can reach everything" problem.
Dark APIs and Services
Make APIs and services invisible to the internet. Zero listening ports means zero attack surface. Authorized clients connect through OpenZiti; everyone else sees nothing.
IoT and Non-Human Identity
Give every device, sensor, and machine a unique cryptographic identity. OpenZiti's identity model works for non-human workloads just as well as human users, providing strong authentication for the machine-to-machine connections that make up the majority of modern network traffic.
Zero Trust Workloads
Secure workload-to-workload communication across clouds and environments. Services authenticate each other with cryptographic identity, not network location. No shared secrets, no IP allowlists, no ambient authority.
Agentic AI
Secure agent-to-service and agent-to-agent communication with cryptographic identity for every AI participant. MCP servers, tool endpoints, and private LLMs stay dark, with no listening ports or public URLs. Agents authenticate with strong, unique identities and reach only the resources that the policy allows, so autonomous workflows get the access they need without ambient authority over everything else.
Multi-Cloud and Hybrid Connectivity
One overlay network across AWS, Azure, GCP, on-prem data centers, and edge locations. No cloud-specific networking tools, no VPN tunnels between environments, no complex peering arrangements.
Self-Hosted Service Access
Access home lab or self-hosted services like Nextcloud, Home Assistant, media servers, and development environments from anywhere. No open router ports, no dynamic DNS, no reliance on third-party tunnel services. You control the entire path.
Kubernetes and Cross-Cluster Services
Connect services across Kubernetes clusters without complex ingress rules, service mesh sidecars, or VPN tunnels between clusters. It also works beyond Kubernetes, connecting k8s services to VMs, bare metal, IoT devices, or anything else on the overlay.
Key Capabilities
| Capability | Description |
|---|---|
| Dark Services | Services have zero listening ports. Invisible to scanners and unauthorized users. |
| Identity for Everything | Cryptographic identity for users, services, devices, and non-human workloads (NHI). Not IP-based. |
| Identity-Based Operations | Manage networks through identities and policies instead of IP addresses and firewall rules. Simplifies operations and eliminates manual network configuration. |
| End-to-End Encryption | Data encrypted from source to destination using libsodium. mTLS for authentication. Zero trust in the network path. |
| No VPNs or Open Ports | Connections route through OpenZiti's overlay. No VPN clients, no inbound firewall rules, no exposed ports. |
| Smart Routing | Mesh fabric with intelligent path selection for performance and reliability. |
| Flexible Deployment | Embed SDKs, use tunnelers, or deploy at the network level. Mix and match per service. |
| Policy-Driven Access | Fine-grained, identity-based policies. Access can be revoked in real time, closing active connections. |
| Programmable REST APIs | Full management API for automation and integration. Web-based admin console included. |
| Fully Self-Hostable | Run the entire platform on your infrastructure. No vendor dependencies. Open source, Apache 2.0. |
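The "Policy-Driven Access" and "Identity for Everything" rows describe access decided by identity and role attributes rather than by IP address. The following is an added example, not code from the OpenZiti project: a small Go model of the service-policy semantics OpenZiti uses (role attributes selected with `#tag`, a single entity with `@name`, everything with `#all`; `Dial` for the client side and `Bind` for the hosting side; `AnyOf`/`AllOf` semantics) with a default-deny evaluator. The entity names, role names and policy names are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Identity and Service are the two entity kinds a service policy joins.
// Roles are role attributes, the tags policies select on (not IP addresses).
type Identity struct {
	Name  string
	Roles []string
}

type Service struct {
	Name  string
	Roles []string
}

// PolicyType mirrors OpenZiti's two service-policy types: Dial grants the
// client side, Bind grants the hosting side. A Bind-only identity cannot dial.
type PolicyType string

const (
	Dial PolicyType = "Dial"
	Bind PolicyType = "Bind"
)

// ServicePolicy selects identities and services by role expressions:
//   "#tag"  any entity carrying role attribute "tag"
//   "@name" the single entity with that exact name
//   "#all"  every entity
// Semantic "AnyOf" needs one selector to match; "AllOf" needs every selector.
type ServicePolicy struct {
	Name          string
	Type          PolicyType
	Semantic      string
	IdentityRoles []string
	ServiceRoles  []string
}

func selectorMatches(sel, name string, roles []string) bool {
	switch {
	case sel == "#all":
		return true
	case strings.HasPrefix(sel, "@"):
		return sel[1:] == name
	case strings.HasPrefix(sel, "#"):
		for _, r := range roles {
			if r == sel[1:] {
				return true
			}
		}
	}
	return false
}

func matches(selectors []string, semantic, name string, roles []string) bool {
	if len(selectors) == 0 {
		return false // an empty selector list grants nothing
	}
	for _, sel := range selectors {
		hit := selectorMatches(sel, name, roles)
		if semantic == "AllOf" && !hit {
			return false
		}
		if semantic != "AllOf" && hit {
			return true
		}
	}
	return semantic == "AllOf"
}

// Allowed reports whether id may perform op on svc and which policies grant it.
// Policies are purely additive: with no matching policy the answer is deny,
// so an identity that loses a role attribute loses the access it conferred.
func Allowed(id Identity, svc Service, op PolicyType, policies []ServicePolicy) (bool, []string) {
	var granting []string
	for _, p := range policies {
		if p.Type != op {
			continue
		}
		if matches(p.IdentityRoles, p.Semantic, id.Name, id.Roles) &&
			matches(p.ServiceRoles, p.Semantic, svc.Name, svc.Roles) {
			granting = append(granting, p.Name)
		}
	}
	return len(granting) > 0, granting
}

// RemoveRole returns a copy of id without the given role attribute: the
// policy-side form of revoking access.
func RemoveRole(id Identity, role string) Identity {
	out := Identity{Name: id.Name}
	for _, r := range id.Roles {
		if r != role {
			out.Roles = append(out.Roles, r)
		}
	}
	return out
}

// SamplePolicies is a constructed policy set: #clients may dial #web services,
// the identity named web-host may bind them, and #admins may dial everything.
func SamplePolicies() []ServicePolicy {
	return []ServicePolicy{
		{Name: "web.dial", Type: Dial, Semantic: "AnyOf", IdentityRoles: []string{"#clients"}, ServiceRoles: []string{"#web"}},
		{Name: "web.bind", Type: Bind, Semantic: "AnyOf", IdentityRoles: []string{"@web-host"}, ServiceRoles: []string{"#web"}},
		{Name: "admin.dial", Type: Dial, Semantic: "AnyOf", IdentityRoles: []string{"#admins"}, ServiceRoles: []string{"#all"}},
	}
}

func main() {
	web := Service{Name: "internal-web", Roles: []string{"web"}}
	alice := Identity{Name: "alice", Roles: []string{"clients"}}
	for _, id := range []Identity{alice, RemoveRole(alice, "clients")} {
		ok, by := Allowed(id, web, Dial, SamplePolicies())
		fmt.Printf("%s Dial %s with roles %v: allowed=%v via %v\n", id.Name, web.Name, id.Roles, ok, by)
	}
}
```

The evaluator deliberately has no "deny" policy type: access exists only where some policy grants it, which is why removing a role attribute or deleting a policy is enough to take access away.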
Three Deployment Models
OpenZiti supports three zero-trust models. Mix them in a single network and migrate between them over time.
Network Access
Deploy an OpenZiti edge router in a trusted network zone. Traffic enters the overlay from authenticated clients and exits into the private network where services run.
- Code changes: None
- Agent on service host: None
- Security model: Identity-based access at the network boundary. Similar to a gateway, but with cryptographic identity and encrypted transport.
Host Access
Run an OpenZiti tunneler on the same host as your service. The tunneler handles identity, authentication, and encryption. The service only needs to accept connections from localhost.
- Code changes: None
- Setup: Install tunneler, enroll identity
- Security model: Trust boundary at the host OS. Service is dark to the network and only reachable through the tunneler.
Application Access (Strongest)
Embed an OpenZiti SDK directly in client and/or server applications. The application itself holds the cryptographic identity and encrypts traffic in-process. No listening ports exist, not even on localhost.
- Code changes: Yes
- Security model: Strongest. End-to-end encryption in-process. Fully dark. Identity at the application layer, not the network, not the host.
Where to start: Many teams begin with Host Access (tunnelers) for existing services. It deploys in minutes with no code changes. For new development or high-security workloads, Application Access (SDKs) provides the strongest zero-trust posture.
Getting Started
The following Quick Starts show how to set up a local OpenZiti network for development, testing, and learning. For production deployments, see the product documentation at https://netfoundry.io/docs/openziti/category/deployments/.
Quick Start with Docker
The fastest way to get a local OpenZiti network running:
wget https://get.openziti.io/dock/all-in-one/compose.yml
docker compose up
This starts a controller, edge router, and the Ziti console in a single compose stack. The console is available at https://localhost:1280/zac/. From here you can create identities, define services, and configure access policies.
See the all-in-one Docker quickstart for full details including storage options, environment variables, and CLI usage.
Quick Start with the CLI
Download the latest ziti binary from GitHub Releases, then:
ziti edge quickstart
This brings up a local development network: controller, router, and a default admin identity. Ideal for testing and learning.
Learn More
| Resource | Description |
|---|---|
| Introduction | Core concepts and how OpenZiti works |
| Quickstart Guides | Step-by-step setup for local, Docker, and hosted environments |
| Zero Trust Models | Deep dive into the three deployment models |
| Tunneler Reference | Get started with zero code changes |
Architecture
OpenZiti's overlay network runs on top of existing infrastructure: any IP network, any cloud, any combination. The core components:
Controller
The controller is the management plane. It handles:
- Identity management: issues and verifies cryptographic identities (x509 certificates) for every participant in the network
- Policy enforcement: defines which identities can access which services, through which edge routers
- Network state: tracks routers, services, and topology; provides a REST API and web-based admin console for management
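The identity-management bullet above says the controller issues and verifies x509 certificates for every participant. The following is an added example, not the controller's own PKI or enrollment code: it uses only the Go standard library to show the mechanism underneath, an issuing CA that signs a client-auth certificate per identity, and a relying party that authenticates a peer by chaining its certificate to the trusted CA and checking a revocation set, without consulting the peer's IP address. The CA names, identity names and serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert builds, signs and parses one certificate. parent/parentKey are the
// issuer; for a self-signed root they are the template and its own key.
func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a self-signed issuing CA. It stands in for the controller's
// internal PKI (constructed here; not the controller's code).
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := newCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// IssueIdentity issues a client-auth leaf certificate whose CommonName is the
// identity name: the credential an enrolled identity presents over mTLS.
func IssueIdentity(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, err := newCert(tmpl, ca, &key.PublicKey, caKey)
	return cert, key, err
}

// Verifier is the relying side: it trusts exactly one CA and keeps a set of
// revoked serial numbers. The peer's network location plays no part.
type Verifier struct {
	roots   *x509.CertPool
	revoked map[string]bool
}

func NewVerifier(ca *x509.Certificate) *Verifier {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &Verifier{roots: pool, revoked: map[string]bool{}}
}

// Revoke marks a certificate as no longer acceptable, keyed by serial number.
func (v *Verifier) Revoke(cert *x509.Certificate) {
	v.revoked[cert.SerialNumber.String()] = true
}

// Authenticate returns the identity name if cert chains to the trusted CA, is
// inside its validity window, is usable for client auth, and is not revoked.
func (v *Verifier) Authenticate(cert *x509.Certificate) (string, error) {
	if v.revoked[cert.SerialNumber.String()] {
		return "", errors.New("certificate revoked")
	}
	opts := x509.VerifyOptions{Roots: v.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, caKey, _ := NewCA("example controller CA")
	otherCA, otherKey, _ := NewCA("some other CA")
	alice, _, _ := IssueIdentity(ca, caKey, "alice", 2)
	impostor, _, _ := IssueIdentity(otherCA, otherKey, "alice", 2) // same name, untrusted issuer
	v := NewVerifier(ca)
	for _, c := range []*x509.Certificate{alice, impostor} {
		name, err := v.Authenticate(c)
		fmt.Printf("issuer=%q name=%q err=%v\n", c.Issuer.CommonName, name, err)
	}
	v.Revoke(alice)
	_, err := v.Authenticate(alice)
	fmt.Println("after revocation:", err)
}
```

In a real deployment the controller keeps the CA key, performs enrollment, and distributes trust anchors to routers and SDKs; the example keeps everything in one process so the verification and revocation steps can be run offline.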
Edge Routers
Edge routers form the data plane, a mesh fabric that carries encrypted
