OpenZiti overview
OpenZiti is a free, open-source zero-trust networking platform that makes network services invisible to unauthorized users. The project provides everything you need to create a zero-trust overlay network — controllers, routers, tunnelers, and SDKs — so you can secure both existing applications and new ones. Whether you add zero trust at the network level, the host level, or directly inside your application, every connection is authenticated, authorized, and encrypted end to end.
OpenZiti gives you zero-trust, high-performance networking over any Internet connection, without VPNs. Add it to existing applications with tunnelers, or embed it directly with our SDKs for the strongest posture.
Components
An OpenZiti network has a few key deployed pieces:
- Controller: The central coordination point. It manages configuration, identity, authentication, and authorization for the entire network. Every connection is validated by the controller. See the controller deployment guide.
- Routers: Form the mesh fabric that relays traffic between endpoints. Routers continuously monitor latency and select the fastest path, with automatic failover. See the router deployment guide.
- Edge clients: Connect endpoints to the network. Use an SDK to embed zero trust directly into your application, or use a tunneler to add zero trust to existing apps without code changes.
- BrowZer (optional): Bootstraps zero trust in a standard web browser — no browser extension or client install needed. See the BrowZer quickstart.
Three logical constructs govern access once the network is running:
- Services: The resources identities connect to. See Services.
- Identities: Authenticated endpoints — every connection in an OpenZiti network is mutually authenticated. See Identities.
- Policies: Govern which identities can access which services via which edge routers. See Policies.
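To make the three constructs concrete, here is an added example (not OpenZiti's own code) that models in Python how a service policy, an edge-router policy and a service-edge-router policy combine to decide whether an identity may reach a service and through which edge routers; the identities, services, routers and policies it uses are constructed for illustration, and the role-selector syntax ('@name', '#attribute', '#all') follows the controller's conventions.

```python
# Simplified model of OpenZiti's three policy types (added example, not the
# controller's code). Selectors: '@name' = one entity, '#attr' = any entity
# with that role attribute, '#all' = every entity. Sample data is constructed.

def matches(name, attrs, role):
    """True if entity (name, attrs) is picked by a single role selector."""
    if role == "#all":
        return True
    if role.startswith("@"):
        return role[1:] == name
    if role.startswith("#"):
        return role[1:] in attrs
    raise ValueError(f"unknown role selector: {role!r}")

def selected(entities, roles):
    """Names of entities matched by any selector in roles (AnyOf semantics)."""
    return {n for n, a in entities.items() if any(matches(n, a, r) for r in roles)}

def allowed_routers(identity, service, net, kind="Dial"):
    """Edge routers through which identity may Dial (or Bind) service.
    Empty set means denied. Three checks must pass: (1) a service policy of
    the given kind links identity to service, (2) an edge-router policy grants
    identity some routers, (3) a service-edge-router policy grants service
    some routers; the usable routers are the intersection of (2) and (3)."""
    ids, svcs, routers = net["identities"], net["services"], net["routers"]
    if identity not in ids or service not in svcs:
        return set()  # unknown or revoked identity/service: nothing to evaluate
    linked = any(k == kind and identity in selected(ids, ir) and service in selected(svcs, sr)
                 for k, ir, sr in net["service_policies"])
    if not linked:
        return set()
    id_routers = set().union(*(selected(routers, rr) for ir, rr in net["edge_router_policies"]
                               if identity in selected(ids, ir)))
    svc_routers = set().union(*(selected(routers, rr) for sr, rr in net["service_edge_router_policies"]
                                if service in selected(svcs, sr)))
    return id_routers & svc_routers

# Constructed sample network: client laptops dial a database that db-host binds.
NET = {
    "identities": {"alice-laptop": {"clients"}, "db-host": {"servers"}},
    "services": {"postgres": {"databases"}},
    "routers": {"router-east": {"public"}, "router-west": {"public"}},
    "service_policies": [("Dial", ["#clients"], ["#databases"]),   # (kind, identity roles, service roles)
                         ("Bind", ["@db-host"], ["@postgres"])],
    "edge_router_policies": [(["#clients"], ["#public"]),          # (identity roles, router roles)
                             (["@db-host"], ["@router-west"])],
    "service_edge_router_policies": [(["#all"], ["#all"])],        # (service roles, router roles)
}
```

Removing an identity from `NET["identities"]` (the model's stand-in for revocation) makes every evaluation for it return the empty set, which is the denial behaviour the Key concepts section describes.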
Key concepts
- Zero trust / application segmentation: OpenZiti doesn't just gate access to a network — it enforces access to individual applications within it. Every identity requires a certificate, and access can be revoked at any time, closing existing connections immediately.
- Dark services and routers: Services and routers can be made "dark" — no open listening ports, no public exposure. They reach out to the fabric rather than accepting inbound connections, so nothing in your private network needs to receive inbound traffic.
- End-to-end encryption: Every connection is encrypted from endpoint to endpoint using public-private-key cryptography via libsodium, regardless of whether the underlying service encrypts its own traffic. All traffic is synthesized to port 443 and metadata is encrypted in transit, so attackers can't determine what services are in use or infer source and destination. See connection security.
Ready to deploy your first network? Follow one of the quickstart guides.
NetFoundry Cloud
NetFoundry sponsors the OpenZiti project and offers a hosted version of the OpenZiti platform, great for teams that don't want to host their own. It's free to get started and has an in-place upgrade to a paid enterprise option.