slackhq / nebula

A scalable overlay networking tool with a focus on performance, simplicity and security

Feature request: push unsafe routes from lighthouse

rjsocha opened this issue

I am considering contributing to the Nebula project by implementing a new feature that would enable the pushing of unsafe routes from the Lighthouse host/s. Before proceeding, I would like to inquire if the project is interested in such functionality and to ensure that it aligns with Nebula's overall vision and design principles.

The rationale behind this proposal is to centralize route management through central points (LHs). This would make it much easier for me to manage route configurations at one or more central network points. This feature would not replace the existing unsafe_routes functionality but would offer additional options. My use cases often involve connecting multiple VM hosts where Nebula is not installed on each VM. Currently, this is managed by Ansible on my side, which is not a problem. However, I am considering this improvement. What are your thoughts?

Hi @rjsocha - thanks for posing the question.

Unfortunately, distributing unsafe_routes via the Lighthouse doesn't fit with Nebula's security model. Lighthouses are designed to be "untrusted partners." That means, while they are used to determine potential IP addresses that nodes can be accessed at, handshakes don't succeed unless the node's certificate is signed by a trusted CA (and the IP in the certificate actually matches the IP address we're trying to communicate with.)

Each node is responsible for its own configuration and security posture (this is also why firewall rules live on the node, rather than a giant table on the Lighthouses, for example.) We expect users to use config management, such as Ansible, Chef, Puppet, or a managed service, such as Defined Networking's Managed Nebula (the company I work for.)

Allowing Lighthouses to install routes on nodes would be a departure from this model, as it would provide a sort of paved path towards MITM, instituted by the Lighthouses.

For that reason, I'm closing this wontfix.
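The approach the reply points to, as an added example (not code from the Nebula project or from either commenter): the route table is kept in one place in config management and rendered into each node's own `tun.unsafe_routes` section, so the Lighthouse never carries routing state. The overlay range, node names and subnets are constructed sample values, and `routes_for` and `render` are hypothetical helper names.

```python
import ipaddress

# Constructed sample inventory (assumption): overlay range and node addresses.
OVERLAY = ipaddress.ip_network("192.168.100.0/24")
NODES = {"hv1": "192.168.100.11", "hv2": "192.168.100.12", "laptop": "192.168.100.50"}

# Central route table, owned by config management rather than a Lighthouse.
# Each entry: a subnet of hosts without Nebula, and the node that routes for it.
ROUTES = [
    {"route": "10.10.1.0/24", "via": "hv1"},
    {"route": "10.10.2.0/24", "via": "hv2"},
]


def routes_for(node):
    """Return the unsafe_routes entries that belong in this node's own config."""
    if node not in NODES:
        raise ValueError(f"unknown node {node!r}")
    entries = []
    for r in ROUTES:
        net = ipaddress.ip_network(r["route"])  # raises on a malformed CIDR
        if r["via"] not in NODES:
            raise ValueError(f"route {net} points at unknown gateway {r['via']!r}")
        via = ipaddress.ip_address(NODES[r["via"]])
        if via not in OVERLAY:
            raise ValueError(f"gateway {via} is outside the overlay {OVERLAY}")
        if net.overlaps(OVERLAY):
            raise ValueError(f"route {net} overlaps the overlay {OVERLAY}")
        if r["via"] == node:
            continue  # the gateway reaches its own subnet directly
        entries.append({"route": str(net), "via": str(via)})
    return entries


def render(node):
    """Render the tun.unsafe_routes YAML fragment for one node's config file."""
    entries = routes_for(node)
    if not entries:
        return "tun:\n  unsafe_routes: []"
    lines = ["tun:", "  unsafe_routes:"]
    for e in entries:
        lines += [f"    - route: {e['route']}", f"      via: {e['via']}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for name in NODES:
        print(f"# {name}\n{render(name)}\n")
```

Each rendered fragment is written to the node by the config-management run, so a route change is reviewed and deployed like any other node configuration.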