
Exit Node

CyberHive Connect allows an Endpoint to be designated as an exit node. This can be used to ensure that outbound Internet traffic from all Endpoints in your Organisation is routed through the TAN, for breakout via the designated Endpoint.

Release 3.7 supports a single exit node per Organisation.

Required version: 3.7.0 or higher

Endpoints running a Connect release earlier than 3.7 are not aware of the exit node and continue to route Internet traffic directly, as if no exit node were configured. Until they are upgraded, their traffic is therefore not forced through the designated Endpoint.

Only Endpoints running Connect 3.7 or above can be designated as exit nodes.

1. Configure routing on the exit node

For the exit node to forward traffic it receives over the TAN on to the Internet, routing must be configured manually on the exit node itself, in the same way as for a subnet behind an Endpoint. Connect does not do this for you.

Make it persistent

The routing configuration must be made persistent so that it does not need to be manually re-applied after a system reboot.
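The script below is an added example and not CyberHive's own configuration or documentation. It assumes a Linux exit node that uses nftables and systemd-style /etc/sysctl.d, a Connect virtual interface named tan0 and an Internet-facing interface named eth0 (both interface names are assumptions; set TAN_IF and WAN_IF to match your host), and that /etc/nftables.conf includes /etc/nftables.d/*.nft. It renders the two fragments an Internet breakout needs (IP forwarding, plus forwarding and NAT rules from the TAN interface to the Internet), writes them to persistent locations and loads them, so the configuration survives a reboot.

```shell
#!/bin/sh
# Added example, not CyberHive's own configuration: turn a Linux Endpoint into
# an Internet breakout for traffic arriving over the TAN, and persist it.
# Assumed (not stated on the page): the host runs Linux with nftables and
# /etc/sysctl.d; the Connect virtual interface is "tan0" and the
# Internet-facing interface is "eth0"; /etc/nftables.conf includes
# /etc/nftables.d/*.nft. Adjust the two names below for your host.
set -eu

TAN_IF="${TAN_IF:-tan0}"
WAN_IF="${WAN_IF:-eth0}"

# sysctl fragment: the exit node must forward packets it did not originate.
render_sysctl() {
    printf 'net.ipv4.ip_forward = 1\n'
}

# nftables ruleset, rendered as text so it can be reviewed (and tested) before
# it is loaded. Only TAN -> WAN is forwarded, plus replies; nothing arriving on
# the WAN side is forwarded back towards the TAN. Source addresses are
# rewritten to the WAN address (masquerade) on the way out. The declare /
# delete / recreate prefix makes repeated loads idempotent. If this host
# already forwards traffic for a subnet behind it, merge these rules into that
# ruleset instead of using a separate forward chain with policy drop.
render_nft_ruleset() {
    tan=$1; wan=$2
    cat <<EOF
table ip connect_exit_node
delete table ip connect_exit_node
table ip connect_exit_node {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$tan" oifname "$wan" accept
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$wan" masquerade
    }
}
EOF
}

# Write both fragments to persistent locations and load them now. Needs root;
# refuses (rather than half-applying) when not run as root.
apply_exit_node_routing() {
    tan=$1; wan=$2
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    mkdir -p /etc/nftables.d
    render_sysctl > /etc/sysctl.d/90-connect-exit-node.conf
    render_nft_ruleset "$tan" "$wan" > /etc/nftables.d/connect-exit-node.nft
    sysctl -p /etc/sysctl.d/90-connect-exit-node.conf
    nft -f /etc/nftables.d/connect-exit-node.nft
    systemctl enable nftables   # reload the ruleset at boot
}

# Dry run by default: print what would be installed. APPLY=1 installs it.
if [ "${APPLY:-0}" = 1 ]; then
    apply_exit_node_routing "$TAN_IF" "$WAN_IF"
else
    render_sysctl
    render_nft_ruleset "$TAN_IF" "$WAN_IF"
fi
```

Run it once without APPLY to review the rendered sysctl and nftables fragments, then `APPLY=1 TAN_IF=<connect interface> WAN_IF=<uplink> sh exit-node-routing.sh` as root. After a reboot, `sysctl net.ipv4.ip_forward` and `nft list table ip connect_exit_node` should both still show the configuration; if they do not, the nftables service is not loading the file at boot.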

2. Enable the Exit Node setting

The setting only needs to be enabled on the Endpoint that will act as the exit node. Peer Endpoints in the Organisation discover and start using the exit node automatically.

In the Control Service, navigate to the Settings tab of the Endpoint within your Organisation and click on the Edit Settings button.

(Screenshot: Endpoint settings)

Enable the Exit Node setting using the check box, and then click on the Save button.

The setting will take effect automatically; there is no need to restart the Endpoint(s).

Connection Type

The Connection Type for an exit node will automatically change to Direct to improve performance. If the exit node requires a relay, the Connection Type setting can be overridden by selecting Auto or UDP Relay.

3. Enable Open Public Port (optional)

It is recommended, but not required, that exit nodes have an Open Public Port configured to force direct connections with peers, even when a peer would usually need to use a connection relay.

4. Exclude addresses from exit node routing (optional)

Non-routable IP addresses [1]

If the address ranges reserved for internal (private) networks are removed from the exclusion list, so that they are routed via the exit node, local area network (LAN) traffic between a Connect Endpoint and a non-Connect device on the same LAN may stop working while that Endpoint is using the exit node.

To resolve this, add the non-Connect device's LAN address (or its subnet) to the list of exclusions, as described below.

Routing all traffic through an exit node may not always be desirable. It is therefore possible to exclude specific addresses from exit node routing for all Endpoints within your Organisation.

Organisations are created with the following default exit node exclusions:

  • 10.0.0.0 - 10.255.255.255 (10.0.0.0/8, RFC 1918 private)
  • 127.0.0.0 - 127.255.255.255 (127.0.0.0/8, loopback)
  • 169.254.0.0 - 169.254.255.255 (169.254.0.0/16, link-local)
  • 172.16.0.0 - 172.31.255.255 (172.16.0.0/12, RFC 1918 private)
  • 192.168.0.0 - 192.168.255.255 (192.168.0.0/16, RFC 1918 private)
  • 224.0.0.0 - 224.0.0.255 (224.0.0.0/24, local network control multicast)

This list of exclusions can be modified:

  1. In the Control Service, navigate to the Exit Nodes tab within your Organisation and click on the Edit button.

    (Screenshot: Exit node exclusions, empty)

  2. Update the list of exclusions as required. Use the Add another button to add a new exclusion, or click the red bin icon next to an exclusion to remove it.

    Leave Mask at its default of 32 to exclude a single address, or enter a shorter prefix length to exclude a whole range (for example, 24 to exclude a /24).

    When you are done, click the Save changes button for your changes to take effect. Clicking Cancel will immediately discard your changes.

    (Screenshot: Exit node exclusions, editing)

  3. When not in "edit mode", the read-only list of exclusions is ordered by IP address and then by subnet mask if necessary.

    The full list of address ranges visible to you is sent to every Endpoint in the Organisation, which uses it to keep traffic to those addresses away from the exit node. Traffic to an excluded address goes directly from the Endpoint to that address instead.

    (Screenshot: Exit node exclusions, saved and read-only)
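The following is an added example and not part of CyberHive Connect or its documentation. It models the exclusion rule the page describes (any entry that covers a destination makes it go direct, everything else goes via the exit node) using entries in the same address/mask form as the Control Service, so that you can predict what a change to the list does before saving it. The scenario at the bottom, a non-Connect printer at 192.168.1.50, is constructed; it shows the LAN breakage described above when the private ranges are removed, and the /32 entry that restores direct access.

```shell
#!/bin/sh
# Added example, not part of CyberHive Connect: given an exclusion list in the
# form the Control Service uses (address plus prefix length, 32 = one host),
# predict whether an Endpoint sends a destination directly or via the exit
# node. The rule modelled is the one the page states: any entry covering the
# destination bypasses the exit node. Pure POSIX sh arithmetic, IPv4 only.
set -eu

# The Organisation defaults listed above, written as address/mask.
DEFAULT_EXCLUSIONS="10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/24"

# Dotted quad -> 32-bit integer using only shell arithmetic.
ip2int() {
    saved_ifs=$IFS; IFS=.; set -- $1; IFS=$saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds when address $1 lies inside network $2 with prefix length $3.
in_prefix() {
    a=$(ip2int "$1"); n=$(ip2int "$2")
    m=$(( (1 << 32) - (1 << (32 - $3)) ))   # /24 -> 0xFFFFFF00, /32 -> all ones
    [ $(( a & m )) -eq $(( n & m )) ]
}

# Prints "direct" if any entry in list $2 covers address $1, else "exit-node".
path_for() {
    for entry in $2; do
        if in_prefix "$1" "${entry%/*}" "${entry#*/}"; then
            echo direct; return 0
        fi
    done
    echo exit-node
}

# Constructed scenario: a non-Connect printer on the LAN at 192.168.1.50.
# With the defaults it is reached directly. If an administrator removes the
# private ranges, it is sent to the exit node and LAN access breaks; adding
# the host back as a /32 (the form's default mask) restores it.
for dst in 8.8.8.8 192.168.1.50 172.32.0.1 224.0.0.251; do
    printf '%-16s defaults: %-9s  only 224.0.0.0/24 kept: %s\n' "$dst" \
        "$(path_for "$dst" "$DEFAULT_EXCLUSIONS")" \
        "$(path_for "$dst" "224.0.0.0/24")"
done
printf '%-16s printer re-added as /32: %s\n' 192.168.1.50 \
    "$(path_for 192.168.1.50 "224.0.0.0/24 192.168.1.50/32")"
```

Note that 172.32.0.1 sits just outside 172.16.0.0/12 and therefore goes via the exit node even with the defaults; an exclusion's range is exactly the prefix you enter, not the whole 172.x space.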

Peer behaviour with an exit node

When an exit node is online within an Organisation, its peer Endpoints route all Internet traffic (other than excluded addresses) through the TAN, and keep doing so even while their own Internet connectivity is interrupted: traffic is not failed over to the Endpoint's local Internet connection. This means that traffic cannot "leak" directly onto the Internet while Connect is running, however unreliable the Endpoint's connectivity is.

Note that traffic will not be routed through the TAN when one or more of the following happens:

Tip

On Windows, the exit node is displayed in the network diagram available in the user interface.