netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

Client Route Approval Request #2783

Open andersonfas opened 1 week ago

andersonfas commented 1 week ago

Description:

I would like to request a feature that allows the end client to be notified and approve or reject routes created by the administrator. This functionality would add value, especially in environments where security and network control are crucial.

Context: In scenarios with multiple clients and administrators, not all routes may be applicable or desirable for every client. Having an approval step prevents a client from acting as a router unintentionally, providing control over what is routed through their device.

Suggested Functionality

The feature workflow would be as follows:

  1. Pending Route Notification: When an administrator creates a route intended for a specific client, the client receives a notification informing them of the pending route.
  2. Approval/Rejection Option: The client can then choose to “approve” or “reject” the route.
  3. Conditional Route Application: Only routes approved by the client are activated on the device, while rejected routes remain inactive.

Benefits

  - Security: The feature allows clients to avoid forwarding traffic that they have not explicitly authorized.
  - Control: Clients can select only the routes that make sense for their network context.
  - Transparency: Both clients and administrators have greater visibility into the routes in use.

This feature would benefit users by giving them greater control over their traffic and contributing to a more secure network environment.

Thank you for considering this request. I am available to discuss the feature in more detail.

andersonfas commented 1 week ago

Additional Use Case: Control in Home Office Scenarios: In corporate networks, it makes sense for only the administrator to control route creation. However, there are cases where employees use personal devices on home networks, such as in a remote work setup. In this context, it is essential for employees to have control over the applied routes to prevent their home network from unintentionally extending access to corporate address spaces. This feature would allow employees to select only the necessary routes for their tasks, maintaining the privacy and security of their home network.

andersonfas commented 1 week ago

The current implementation is partially aligned with the objective but still falls short of full functionality. What has been implemented covers IP forwarding control, but to fully meet the original request, the following are still needed:

  - Pending Route Notifications for the client.
  - Route Approval/Rejection Option in the interface.
  - Conditional Route Application based on the client’s response.

These elements are essential to achieve the complete functionality for route control and security.