
Public lighthouse service #642

Closed
manuels opened this issue Feb 25, 2022 · 4 comments

Comments

@manuels

manuels commented Feb 25, 2022

Setting up a Lighthouse server is probably quite a high hurdle for many people, because many users usually do not have a server and probably wouldn't want to rent one.

For this reason, I wonder if it is possible to offer a free lighthouse service that basically does nothing more than tell the individual nodes of a network their IP addresses.

So I imagine a public service that works like this:

  1. You upload your ca.crt file
  2. Then you get a public key of the free lighthouse service as an answer
  3. You then sign this key with your private certificate key and upload it as well
  4. Now the free lighthouse service can act as a lighthouse server for your network

There are two main questions here:

A) Is it possible to set up a lighthouse service in such a way that it does not have to be trusted with regard to traffic of the network? Is it possible to achieve this for the security of nodes and lighthouse server by excluding the lighthouse server from any groups/host setting in the firewall configuration and disabling the tap device on the lighthouse server?

B) The traffic for the lighthouse server should of course be kept to a minimum. Is it therefore possible to force the nodes to communicate directly so that there is no fallback to forwarding communication between two nodes via the lighthouse server (if nebula supports TURN server-like behaviour at all)?

@solarkraft

solarkraft commented Mar 27, 2022

I'm interested as well; I may have the resources to run such a server. It would be cool if there could, in the long run, be a public pool of free-to-use lighthouses (perhaps via typical DNS load distribution techniques).

Seems to be related to #478.

It'd be nice to get a clarification of the security implications of running a public server (for users and people offering the servers).

@manuels
Author

manuels commented Jun 12, 2022

@solarkraft I created a snap package that provides such a service [1]. It is sandboxed using snap's confinement.

If you have the capability, feel free to add your services to the public lighthouse server list [2].
And for everybody who does not have the capability to run their own lighthouse service, feel free to use a server from this list as your lighthouse (see [1] for a quick start).

[1] https://github.com/manuels/nebula-lighthouse-service
[2] https://htmlpreview.github.io/?https://github.com/manuels/nebula-lighthouse-service/blob/main/server-list.html

@johnmaguire
Collaborator

Hi @manuels - thanks for contributing to the Nebula project.

One concern I have about the service, as I understand it, is that because the Lighthouse is not multi-tenant (#306), it will share a single hostmap for all hosts connected to it. If two nodes connect with certificates that have the same Nebula IP address, what happens next? The Lighthouse may return information for a node on another user's network, rather than your own, and handshakes will fail.

That aside, Nebula OSS has no plans to run a public Lighthouse - this is left as an exercise to the users. I'm closing this task out as unplanned.
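The hostmap collision described in the comment above, as an added simulation that is not Nebula's code: a single-tenant lighthouse keyed by Nebula IP alone hands a querier another network's underlay address, so the handshake fails, while a hypothetical hostmap keyed by (CA fingerprint, Nebula IP) keeps the networks apart. The CA fingerprints and addresses are constructed sample values.

```python
"""Constructed model of a shared lighthouse hostmap; not Nebula's implementation."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class HostInfo:
    ca_fingerprint: str  # which CA (i.e. which user's network) signed the host cert
    nebula_ip: str       # overlay address embedded in the certificate
    underlay: str        # public ip:port the lighthouse learned for the host


class SingleTenantLighthouse:
    """Behaviour described in the thread: one hostmap keyed by Nebula IP only."""

    def __init__(self) -> None:
        self.hostmap: dict = {}
        self.collisions: list = []  # audit trail: an IP claimed by two different CAs

    def learn(self, host: HostInfo) -> None:
        prev = self.hostmap.get(host.nebula_ip)
        if prev is not None and prev.ca_fingerprint != host.ca_fingerprint:
            self.collisions.append(
                f"{host.nebula_ip}: {prev.ca_fingerprint} overwritten by {host.ca_fingerprint}"
            )
        self.hostmap[host.nebula_ip] = host  # last writer wins, regardless of network

    def query(self, querier_ca: str, nebula_ip: str) -> Optional[HostInfo]:
        return self.hostmap.get(nebula_ip)  # the querier's CA is never consulted


class MultiTenantLighthouse(SingleTenantLighthouse):
    """Hypothetical multi-tenant variant: key the hostmap by (CA fingerprint, Nebula IP)."""

    def learn(self, host: HostInfo) -> None:
        self.hostmap[(host.ca_fingerprint, host.nebula_ip)] = host

    def query(self, querier_ca: str, nebula_ip: str) -> Optional[HostInfo]:
        return self.hostmap.get((querier_ca, nebula_ip))


def handshake_would_succeed(querier_ca: str, peer: Optional[HostInfo]) -> bool:
    """A node only completes a handshake with a peer whose cert chains to its own CA."""
    return peer is not None and peer.ca_fingerprint == querier_ca


def simulate(lighthouse_cls) -> tuple:
    """Two users' networks both use 192.168.100.1; Alice's node then asks the lighthouse."""
    lh = lighthouse_cls()
    lh.learn(HostInfo("ca-alice", "192.168.100.1", "203.0.113.10:4242"))  # constructed
    lh.learn(HostInfo("ca-bob", "192.168.100.1", "198.51.100.7:4242"))    # constructed
    peer = lh.query("ca-alice", "192.168.100.1")
    return handshake_would_succeed("ca-alice", peer), len(lh.collisions)
```

The `collisions` list shows the check an operator of a shared lighthouse could log: the same Nebula IP announced under two different CA fingerprints is the signal that two networks are colliding.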

johnmaguire closed this as not planned Dec 12, 2022
@magg00

magg00 commented Mar 5, 2023

Cross-posting here to an open discussion on this topic: #823
