Documentation Improvement: routes vs unsafe_routes
benyanke opened this issue
What version of `nebula` are you using?
1.7.2
What operating system are you using?
linux
Describe the Bug
Looking at the documentation here (https://nebula.defined.net/docs/config/tun/#tunroutes), I'm having trouble being able to tell what the distinction between `tun.unsafe_routes` and `tun.routes` is in nebula's configuration construct. I think I'm beginning to figure it out, but the documentation still needs improvement.
I'd be happy to assist in making the documentation more clear.
As I understand it, `tun.unsafe_routes` are the routes that nebula allows inbound over the nebula network (think of it as the routes being "advertised" into the nebula network, except they're purely allowed, and not advertised), whereas `tun.routes` are routes that are being placed in the system's routing table to allow access to other hosts' unsafe routes (i.e., adding additional routes which go over the nebula network, whereas normally only the traffic defined in the main nebula network goes out over the nebula network).
Is this understanding correct, and would you welcome documentation improvements to make this difference more clear?
Hi @benyanke -
Thanks for the feedback. In actuality, in order to advertise a local subnet to the Nebula network, you need a CA to sign your certificate with the `-subnets` flag. You'll also want to open the necessary ports in that node's firewall. One thing that's missing from that guide is the new since v1.7.0 `local_cidr` firewall option, which makes it easier to manage these rules (since otherwise, they would apply to the node itself as well, rather than just the IPs in the subnet it's exposing).
On your other nodes, you use the `unsafe_routes` configuration option in the config.yml to specify which Nebula host provides these subnets. So for example, the `via` should point to a Nebula IP address which has the `route` specified in its cert's subnets.
`tun.routes` is just used for MTU overrides for specific Nebula hosts.
I believe we would be open to PRs which clarify these settings! The repo for those docs is located here. Thanks!
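The relationship John describes (the `via` of a `tun.unsafe_routes` entry must be the Nebula IP of a host whose certificate was signed with a `-subnets` value covering the `route`, while `tun.routes` only carries MTU overrides) lends itself to a quick local sanity check. The following is an added example, not code from this thread or from the Nebula project: two constructed node configs expressed as Python dicts mirroring the config.yml keys, plus a constructed summary of what `nebula-cert print` would show for the router's certificate. The host name `router`, the Nebula range `192.168.100.0/24` and the LAN `10.10.0.0/24` are assumptions; the check is a pre-deployment consistency test, not Nebula's own validation logic.

```python
"""Sanity-check tun.unsafe_routes against the advertising host's certificate.

Constructed example data throughout: nothing is read from a live Nebula node.
"""
import ipaddress

# Router node. Its cert must carry the LAN it exposes, i.e. it was signed with
# something like (constructed values):
#   nebula-cert sign -name router -ip 192.168.100.10/24 -subnets 10.10.0.0/24
ROUTER_CERT = {
    "name": "router",
    "ip": "192.168.100.10/24",   # Nebula IP of the router
    "subnets": ["10.10.0.0/24"],  # value given to -subnets at signing time
}

ROUTER_CONFIG = {
    "firewall": {
        "inbound": [
            # local_cidr (v1.7.0+) scopes the rule to the exposed subnet
            # rather than to the router's own Nebula IP as well.
            {"port": "any", "proto": "any", "group": "any",
             "local_cidr": "10.10.0.0/24"},
        ]
    },
}

CLIENT_CONFIG = {
    "tun": {
        # tun.routes: MTU override for part of the Nebula network, nothing else.
        "routes": [{"mtu": 8800, "route": "192.168.100.0/24"}],
        # tun.unsafe_routes: reach the router's LAN via the router's Nebula IP.
        "unsafe_routes": [
            {"route": "10.10.0.0/24", "via": "192.168.100.10", "mtu": 1300},
        ],
    }
}


def check_unsafe_routes(client_cfg, certs):
    """Return a list of problems; an empty list means the routes are consistent.

    For each tun.unsafe_routes entry, `via` must be the Nebula IP of a known
    certificate and `route` must lie inside one of that certificate's subnets.
    """
    by_ip = {ipaddress.ip_interface(c["ip"]).ip: c for c in certs}
    problems = []
    for entry in client_cfg.get("tun", {}).get("unsafe_routes", []):
        via = ipaddress.ip_address(entry["via"])
        route = ipaddress.ip_network(entry["route"])
        cert = by_ip.get(via)
        if cert is None:
            problems.append(f"{route}: via {via} is not a known Nebula host")
            continue
        subnets = [ipaddress.ip_network(s) for s in cert.get("subnets", [])]
        if not any(route.subnet_of(s) for s in subnets):
            problems.append(
                f"{route}: cert '{cert['name']}' was not signed with a "
                f"-subnets value covering it (has {[str(s) for s in subnets]})"
            )
    return problems


def check_router_firewall(router_cfg, cert):
    """True if every advertised subnet has an inbound rule scoped by local_cidr."""
    rules = router_cfg.get("firewall", {}).get("inbound", [])
    scoped = {ipaddress.ip_network(r["local_cidr"]) for r in rules if "local_cidr" in r}
    return all(ipaddress.ip_network(s) in scoped for s in cert["subnets"])


if __name__ == "__main__":
    print(check_unsafe_routes(CLIENT_CONFIG, [ROUTER_CERT]))   # [] when consistent
    print(check_router_firewall(ROUTER_CONFIG, ROUTER_CERT))    # True
```

A route narrower than the signed subnet (for example `10.10.0.0/25` against a cert carrying `10.10.0.0/24`) passes, since Nebula only needs the destination to fall within the cert's subnets; a `via` that is not a Nebula IP, or a `route` outside the cert's subnets, is reported before the config is ever deployed.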
Thanks, @johnmaguire.
I think I got my POC working locally here last night, so I'll begin working on a documentation PR. I think a diagram may be useful in helping to make things more clear for newcomers (it would have helped me). Is there a preferred method for adding diagrams to the defined networking nebula docs?