The great thing about the zrok-share.service
is that it comes with the zrok
binary and is always on in the background, so it's a good fit for a reliable VPN connection. Let's install the service and configure it to auto-start after a reboot.
curl -sSLf https://get.openziti.io/install.bash | sudo bash -s zrok-share
Edit /opt/openziti/etc/zrok/zrok-share.env
.
# env
ZROK_ENABLE_TOKEN="w9pEuX3Gb750" # account token from the console
ZROK_ENVIRONMENT_NAME="my zrok vpn service on hostname"
# share
ZROK_UNIQUE_NAME="mysecretsharetoken"
ZROK_BACKEND_MODE="vpn"
ZROK_TARGET="172.21.71.1/24" # allocate ip in some private subnet
ZROK_FRONTEND_MODE="reserved-private"
You can control access to your VPN by keeping ZROK_UNIQUE_NAME
a secret (the share token) or adding the following to restrict zrok accounts by email. Only your account can use the share in closed mode if you don't add grants.
ZROK_PERMISSION_MODE="closed"
ZROK_ACCESS_GRANTS="alice@example.com bob@example.org"
Grant kernel capability NET_ADMIN
to the service.
sudo sed -Ei 's/.*AmbientCapabilities=CAP_NET_ADMIN/AmbientCapabilities=CAP_NET_ADMIN/' /etc/systemd/system/zrok-share.service.d/override.conf
sudo systemctl daemon-reload
Start the service now and auto-start after a reboot.
sudo systemctl enable --now zrok-share.service
Check the logs.
sudo journalctl -lfu zrok-share.service
The logs should look like this, confirming this device is allocated 172.21.71.1 on the VPN.
Aug 02 16:33:08 ubuntu zrok-share.bash[6243]: {"level":"info","ts":1722616388.2556849,"msg":"interface created tun0"}
Aug 02 16:33:08 ubuntu zrok-share.bash[6243]: {"level":"info","ts":1722616388.255752,"msg":"exec /sbin/ip [link set dev tun0 mtu 16384]"}
Aug 02 16:33:08 ubuntu zrok-share.bash[6243]: {"level":"info","ts":1722616388.2595484,"msg":"exec /sbin/ip [addr add 172.21.71.1/24 dev tun0]"}
Aug 02 16:33:08 ubuntu zrok-share.bash[6243]: {"level":"info","ts":1722616388.2627363,"msg":"exec /sbin/ip [-6 addr add fd00:7a72:6f6b::1/64 dev tun0]"}
Aug 02 16:33:08 ubuntu zrok-share.bash[6243]: {"level":"info","ts":1722616388.2659466,"msg":"exec /sbin/ip [link set dev tun0 up]"}
Aug 02 16:33:08 ubuntu zrok-share.bash[6243]: {"level":"info","ts":1722616388.2711568,"msg":"interface configured tun0"}
Join the VPN from Another Device
The zrok console looks like this for an account with two environments, one per VPN peer, and one VPN share.
To temporarily join the zrok VPN you only need to run this command.
sudo -E zrok access private mysecretsharetoken
You will see zrok's terminal user interface (TUI) telling you what is happening. This second device will be allocated 172.21.71.2 and subsequent devices will get unique IP allocations when they join. This is a network-layer VPN. You can send ICMP, TCP, UDP, etc.
Now, this second device is joined to the VPN, so it has a dashed line to the VPN share indicating a zrok "private access."
Share the Project
If you find this interesting, please give zrok a star on GitHub!
Let us know if you found a good use for this or have an improvement or question in mind on X twitter, in /r/openziti, or the Discourse forum. We upload and stream on YouTube too. We'd love to hear from you!