Public lighthouse service #642
Comments
I'm interested as well; I may have the resources to run such a server. It would be cool if there could, in the long run, be a public pool of free-to-use lighthouses (perhaps via typical DNS load distribution techniques). Seems to be related to #478. It'd be nice to get a clarification of the security implications of running a public server (for users and people offering the servers).
@solarkraft I created a snap package that provides such a service [1]. It is sandboxed using snap's confinement. If you have the capability, feel free to add your services to the public lighthouse server list [2]. [1] https://github.com/manuels/nebula-lighthouse-service
Hi @manuels - thanks for contributing to the Nebula project. One concern I have about the service, as I understand it, is that because the Lighthouse is not multi-tenant (#306), it will share a single hostmap for all hosts connected to it. If two nodes connect with certificates that have the same Nebula IP address, what happens next? The Lighthouse may return information for a node on another user's network, rather than your own, and handshakes will fail. That aside, Nebula OSS has no plans to run a public Lighthouse - this is left as an exercise to the users. I'm closing this task out as unplanned.
Cross posting here to an open discussion on this topic: #823
Setting up a Lighthouse server is probably quite a high hurdle for many people, because many users usually do not have a server and probably wouldn't want to rent one.
For this reason, I wonder if it is possible to offer a free lighthouse service that basically does nothing more than tell the individual nodes of a network their IP addresses.
So I imagine a public service that works like this:
`ca.crt` file
There are two main questions here:
A) Is it possible to set up a lighthouse service in such a way that it does not have to be trusted with regard to traffic of the network? Is it possible to achieve this for the security of nodes and lighthouse server by excluding the lighthouse server from any `groups`/`host` setting in the `firewall` configuration and disabling the tap device on the lighthouse server?

B) The traffic for the lighthouse server should of course be kept to a minimum. Is it therefore possible to force the nodes to communicate directly so that there is no fallback to forwarding communication between two nodes via the lighthouse server (if nebula supports TURN server-like behaviour at all)?
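A lighthouse configuration along the lines of question A, with a node-side firewall stanza for contrast, as an added example that is not from the issue or the Nebula project. It assumes Nebula's `tun.disabled`, `lighthouse.am_lighthouse`, `firewall` and (only in versions with relay support) `relay` keys; file names, paths, addresses and group names are placeholders, and the two files are shown as two YAML documents in one block.

```yaml
# --- lighthouse.yml (placeholder file name) ----------------------------------
pki:
  ca: /etc/nebula/ca.crt           # placeholder paths
  cert: /etc/nebula/lighthouse.crt
  key: /etc/nebula/lighthouse.key

lighthouse:
  am_lighthouse: true              # this host only answers "where is X?" queries

listen:
  host: 0.0.0.0
  port: 4242

tun:
  # With tun disabled the host has no overlay interface, so overlay traffic is
  # never decrypted onto or routed from this machine; the lighthouse sees only
  # handshakes and lighthouse queries.
  disabled: true

# Nebula's firewall governs packets crossing the tun device. With tun disabled
# nothing crosses, but keep both tables empty (deny) so a later
# "disabled: false" does not silently expose anything.
firewall:
  outbound: []
  inbound: []

relay:
  # Versions with relay support only: refusing the relay role means peers that
  # cannot reach each other directly fail instead of forwarding through here.
  am_relay: false
  use_relays: false
---
# --- node.yml, firewall section only (placeholder file name) -----------------
# Weak: "host: any" admits every peer holding a valid cert from the CA,
# including the lighthouse, to this node's services:
#   inbound:
#     - { port: any, proto: any, host: any }
# Tighter: match on certificate groups the lighthouse cert was never issued,
# so the lighthouse identity carries no authorization on the overlay.
firewall:
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: 22
      proto: tcp
      groups: [admins]             # constructed group name
    - port: any
      proto: icmp
      groups: [mesh]               # constructed group name
```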