openziti / ziti

OpenZiti OpenZiti is an open-source zero-trust networking platform that makes network services invisible to unauthorized users. Every connection, whether from a user, a service, a device, or a workload, is authenticated with cryptographic identity, authorized by policy, and encrypted end-to-end. OpenZiti works with both existing applications (using lightweight tunnelers with no code changes required) and new applications (using embedded SDKs for the strongest zero-trust model). This makes it practical for both brownfield environments and greenfield development. Created and sponsored by NetFoundry. Licensed under Apache 2.0. --- Table of Contents • Use Cases • Key Capabilities • Three Deployment Models • Getting Started • Architecture • Zero Trust, Dark Services, and End-to-End Encryption • SDKs • Community & Support • Contributing • Adopters • Managed Solution --- Use Cases OpenZiti enables you to extend zero-trust anywhere for any use case, including non-human workloads and workflows, across multiple networks and third parties. The following are some common use cases. Replace VPNs Provide secure access to internal services without VPN clients, split tunneling headaches, or concentrator bottlenecks. Each service is individually authorized. No "once you're in, you can reach everything" problem. Dark APIs and Services Make APIs and services invisible to the internet. Zero listening ports means zero attack surface. Authorized clients connect through OpenZiti; everyone else sees nothing. IoT and Non-Human Identity Give every device, sensor, and machine a unique cryptographic identity. OpenZiti's identity model works for non-human workloads just as well as human users, providing strong authentication for the machine-to-machine connections that make up the majority of modern network traffic. Zero Trust Workloads Secure workload-to-workload communication across clouds and environments. Services authenticate each other with cryptographic identity, not network location. No shared secrets, no IP allowlists, no ambient authority. Agentic AI Secure agent-to-service and agent-to-agent communication with cryptographic identity for every AI participant. MCP servers, tool endpoints, and private LLMs stay dark, with no listening ports or public URLs. Agents authenticate with strong, unique identities and reach only the resources that the policy allows, so autonomous workflows get the access they need without ambient authority over everything else. Multi-Cloud and Hybrid Connectivity One overlay network across AWS, Azure, GCP, on-prem data centers, and edge locations. No cloud-specific networking tools, no VPN tunnels between environments, no complex peering arrangements. Self-Hosted Service Access Access home lab or self-hosted services like Nextcloud, Home Assistant, media servers, and development environments from anywhere. No open router ports, no dynamic DNS, no reliance on third-party tunnel services. You control the entire path. Kubernetes and Cross-Cluster Services Connect services across Kubernetes clusters without complex ingress rules, service mesh sidecars, or VPN tunnels between clusters. Works beyond Kubernetes, supporting connecting k8s services to VMs, bare metal, IoT devices, or anything else on the overlay. --- Key Capabilities | Capability | Description | |---|---| | **Dark Services** | Services have zero listening ports. Invisible to scanners and unauthorized users. | | **Identity for Everything** | Cryptographic identity for users, services, devices, and non-human workloads (NHI). Not IP-based. | | **Identity-Based Operations** | Manage networks through identities and policies instead of IP addresses and firewall rules. Simplifies operations and eliminates manual network configuration. | | **End-to-End Encryption** | Data encrypted from source to destination using libsodium. mTLS for authentication. Zero trust in the network path. | | **No VPNs or Open Ports** | Connections route through OpenZiti's overlay. No VPN clients, no inbound firewall rules, no exposed ports. | | **Smart Routing** | Mesh fabric with intelligent path selection for performance and reliability. | | **Flexible Deployment** | Embed SDKs, use tunnelers, or deploy at the network level. Mix and match per service. | | **Policy-Driven Access** | Fine-grained, identity-based policies. Access can be revoked in real time, closing active connections. | | **Programmable REST APIs** | Full management API for automation and integration. Web-based admin console included. | | **Fully Self-Hostable** | Run the entire platform on your infrastructure. No vendor dependencies. Open source, Apache 2.0. | --- Three Deployment Models OpenZiti supports three zero-trust models. Mix them in a single network and migrate between them over time. Network Access Deploy an OpenZiti edge router in a trusted network zone. Traffic enters the overlay from authenticated clients and exits into the private network where services run. • **Code changes:** None • **Agent on service host:** None • **Security model:** Identity-based access at the network boundary. Similar to a gateway, but with cryptographic identity and encrypted transport. Host Access Run an OpenZiti tunneler on the same host as your service. The tunneler handles identity, authentication, and encryption. The service only needs to accept connections from localhost. • **Code changes:** None • **Setup:** Install tunneler, enroll identity • **Security model:** Trust boundary at the host OS. Service is dark to the network and only reachable through the tunneler. Application Access (Strongest) Embed an OpenZiti SDK directly in client and/or server applications. The application itself holds the cryptographic identity and encrypts traffic in-process. No listening ports exist, not even on localhost. • **Code changes:** Yes • **Security model:** Strongest. End-to-end encryption in-process. Fully dark. Identity at the application layer, not the network, not the ho…