OpenZiti: Zero Trust Networking Without the Complexity


Modern networks are increasingly difficult to manage. Static IPs, NAT, firewalls, and overlapping subnets create fragile environments that break easily when scaled across cloud, hybrid, and mobile systems. Traditional IP-based trust models are no longer enough.

OpenZiti is an open source project sponsored by NetFoundry that addresses this by making identity the core of the network. Instead of trusting IP addresses, OpenZiti enforces zero trust principles, ensuring that only verified identities can access services.

What Makes OpenZiti Different

  • Identity first: Every user, device, or application gets a cryptographically verifiable identity. IP addresses are irrelevant.
  • No open ports: Services are dark to the public internet. Nothing listens on an inbound port, so there is no externally reachable attack surface.
  • End-to-end encryption: Traffic is always encrypted in transit using libsodium.
  • Private DNS: Services are resolved by authenticated DNS inside the overlay, not by public IP.
  • Smart routing: The overlay routes traffic optimally for both performance and security.

Three Zero Trust Models

OpenZiti offers flexibility with three approaches, depending on organizational needs.

Zero Trust Application Access (ZTAA)

The most complete model, where zero trust is compiled directly into applications using the OpenZiti SDK. This achieves process-to-process encryption, removes reliance on the host network, and eliminates east-west traffic risks.

Zero Trust Host Access (ZTHA)

Extends zero trust to entire hosts using the OpenZiti Tunneler. Ideal for securing servers or endpoints in complex environments, with deny-by-default network and OS firewalls.

Zero Trust Network Access (ZTNA)

Provides secure access to services within a network zone using an OpenZiti Router. Suitable for devices that cannot run a tunneler, and a practical entry point for organizations beginning their zero trust journey.

Why Organizations Choose OpenZiti

  • Simplified operations without worrying about IP conflicts or firewall rules
  • Fine-grained, identity-aware access with posture checks and authorization
  • Invisible services that cannot be discovered by port scans or attack tools
  • Flexible deployment options: fully managed SaaS by NetFoundry, supported self-hosting, or community self-hosting with no commercial support

Open Source and Community Driven

OpenZiti is fully open source, with active development on GitHub, SDKs for embedding zero trust directly into applications, and community support through forums and documentation. It can be deployed in enterprises, regulated environments, or home labs without licensing restrictions.

OpenZiti for Amateur Radio

Amateur radio operators can benefit from OpenZiti by securely linking internet-connected systems without exposing them to the public. Remote station controllers, SDR receivers, APRS servers, and digital mode gateways can all be placed inside an OpenZiti overlay, making them invisible to the internet while still reachable to authenticated operators. Clubs running multi-operator contest stations could use OpenZiti to securely connect logging systems across different sites, while emergency communications groups could build private overlays linking repeaters, gateways, and servers with zero open ports. By focusing on identity instead of IP, OpenZiti provides a reliable and private backbone for modern amateur radio networking.
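To make the host-access model and the amateur radio scenario concrete, here is an added example (not code from the page or the OpenZiti project) that provisions one overlay service for a remote rig controller with the ziti CLI. It assumes the CLI is installed and already logged in to a controller, that a tunneler on the station host is enrolled as the identity "shack-pi", and that rigctld listens on loopback port 4532; the service, DNS name, identity and role names are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the page or the OpenZiti project.
# Assumes: ziti CLI installed and logged in (`ziti edge login ...`); a tunneler
# on the station host enrolled as identity "shack-pi"; rigctld on 127.0.0.1:4532.
# All names, ports and role attributes below are constructed for this example.

SERVICE="rig-control"        # the service is addressed by name, never by IP
INTERCEPT_ADDR="rig.ziti"    # resolved by the overlay's private DNS on the operator side
LOCAL_ADDR="127.0.0.1"       # rigctld binds to loopback only; no inbound port is exposed
PORT=4532                    # rigctld default TCP port
STATION_ID="shack-pi"        # identity allowed to host (bind) the service
OPERATOR_ROLE="operators"    # role attribute that grants dial access

# intercept.v1 config: what an operator's tunneler captures and carries into the overlay.
intercept_config() {
    printf '{"protocols":["tcp"],"addresses":["%s"],"portRanges":[{"low":%s,"high":%s}]}' "$1" "$2" "$2"
}

# host.v1 config: where the station's tunneler delivers overlay traffic on the far side.
host_config() {
    printf '{"protocol":"tcp","address":"%s","port":%s}' "$1" "$2"
}

# Creates the configs, the service, and the two policies that tie access to identity.
provision() {
    ziti edge create config "${SERVICE}.intercept" intercept.v1 "$(intercept_config "$INTERCEPT_ADDR" "$PORT")"
    ziti edge create config "${SERVICE}.host" host.v1 "$(host_config "$LOCAL_ADDR" "$PORT")"
    ziti edge create service "$SERVICE" --configs "${SERVICE}.intercept,${SERVICE}.host"
    # Only the station identity may host the service ...
    ziti edge create service-policy "${SERVICE}-bind" Bind \
        --service-roles "@${SERVICE}" --identity-roles "@${STATION_ID}"
    # ... and only identities carrying the #operators attribute may connect to it.
    ziti edge create service-policy "${SERVICE}-dial" Dial \
        --service-roles "@${SERVICE}" --identity-roles "#${OPERATOR_ROLE}"
    # Enroll one operator; the one-time JWT is exchanged for the identity's certificate.
    ziti edge create identity "op-alice" --role-attributes "$OPERATOR_ROLE" -o op-alice.jwt
}

# Provision only when the CLI is present, so the file is safe to source or inspect.
if command -v ziti >/dev/null 2>&1; then
    provision
fi
```

Once enrolled, an operator reaches the rig at rig.ziti:4532 through their tunneler, while the station host keeps its OS firewall at deny-by-default because the tunneler dials out to the overlay rather than accepting inbound connections.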

Conclusion

OpenZiti redefines how secure networking can be done by removing IP addresses from the trust equation and replacing them with verifiable identities. With no open ports, hidden services, and multiple zero trust deployment models, it offers organizations a modern way to secure applications and infrastructure across any environment.

👉 Learn more at openziti.io or explore the code on GitHub.
