slackhq / nebula

A scalable overlay networking tool with a focus on performance, simplicity and security


Documentation Improvement: routes vs unsafe_routes

benyanke opened this issue

What version of nebula are you using?

1.7.2

What operating system are you using?

linux

Describe the Bug

Looking at the documentation here (https://nebula.defined.net/docs/config/tun/#tunroutes), I'm having trouble being able to tell what the distinction between tun.unsafe_routes and tun.routes are in nebula's configuration construct. I think I'm beginning to figure it out, but the documentation still needs improvement.

I'd be happy to assist in making the documentation more clear.

As I understand it, tun.unsafe_routes are the routes that nebula allows inbound over the nebula network (think of it as the routes being "advertised" into the nebula network, except they're purely allowed, and not advertised), whereas tun.routes are routes that are being placed in the system's routing table to allow access to other hosts' unsafe routes (i.e., adding additional routes which go over the nebula network, whereas normally only the traffic defined in the main nebula network goes out over the nebula network).

Is this understanding correct, and would you welcome documentation improvements to make this difference more clear?

Hi @benyanke -

Thanks for the feedback. In actuality, in order to advertise a local subnet to the Nebula network, you need a CA to sign your certificate with the -subnets flag. You'll also want to open the necessary ports in that node's firewall. One thing that's missing from that guide is the local_cidr firewall option, new since v1.7.0, which makes it easier to manage these rules (since otherwise, they would apply to the node itself as well, rather than just the IPs in the subnet it's exposing).

On your other nodes, you use the unsafe_routes configuration option in the config.yml to specify which Nebula host provides these subnets. So for example, the via should point to a Nebula IP address which has the route specified in its cert's subnets.

tun.routes is just used for MTU overrides for specific Nebula hosts.

I believe we would be open to PRs which clarify these settings! The repo for those docs is located here. Thanks!
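The setup described in the reply above, written out as an added example for readers of this issue. This is not configuration from the issue or from the Nebula project's own docs; the Nebula IP 192.168.100.99, the LAN 172.16.1.0/24, the cert name lan-router and the group lan-clients are assumptions chosen for illustration.

```yaml
# --- config.yml on the Nebula host that exposes its LAN (assumed Nebula IP 192.168.100.99) ---
#
# Step 1 (not in this file): the CA signs this host's cert with the subnet it may route for.
# Without -subnets, other hosts will refuse to send 172.16.1.0/24 traffic to it.
#   nebula-cert sign -name "lan-router" -ip "192.168.100.99/24" -subnets "172.16.1.0/24"
#
# The host must also forward packets at the kernel level (net.ipv4.ip_forward=1);
# Nebula does not do this for you.
firewall:
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    # Allow Nebula to reach the host itself only on the admin port (assumed 22).
    - port: 22
      proto: tcp
      group: lan-clients
    # local_cidr (v1.7.0+) scopes this rule to packets whose destination is in the
    # exposed LAN, so "port: any" here does not also open every port on the router.
    # Only certs carrying the group lan-clients (assumed) may use the route.
    - port: any
      proto: any
      group: lan-clients
      local_cidr: 172.16.1.0/24

---
# --- config.yml on every other Nebula host that should reach 172.16.1.0/24 ---
tun:
  # unsafe_routes: installs a kernel route for 172.16.1.0/24 via the Nebula tun
  # device. "via" must be the Nebula IP of a host whose cert lists that subnet in
  # its -subnets; Nebula checks the cert and drops the traffic otherwise.
  unsafe_routes:
    - route: 172.16.1.0/24
      via: 192.168.100.99
      mtu: 1300
  # routes: adds no reachability at all. It only overrides the MTU for a slice of
  # the Nebula network itself (here a jumbo-frame capable /26 inside 192.168.100.0/24).
  routes:
    - mtu: 8800
      route: 192.168.100.0/26
```

The two documents are separated by `---` only so that both sides of the setup sit in one listing; on real hosts each goes into its own config.yml. The firewall rule with local_cidr is the security-relevant part: without it, a rule permissive enough to let LAN traffic through would equally expose every service on the router's own Nebula address.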

Thanks, @johnmaguire .

I think I got my POC working locally here last night, so I'll begin working on a documentation PR. I think a diagram may be useful in helping to make things more clear for newcomers (it would have helped me). Is there a preferred method for adding diagrams to the Defined Networking Nebula docs?