Exit nodes
CyberHive Connect allows an Endpoint to be designated as an exit node. This can be used to ensure that outbound internet traffic from all Endpoints in your Organisation is routed through the TAN, for breakout via the designated Endpoint.
Release 3.7 supports a single exit node per Organisation.
Required version: 3.7.0 or higher
Endpoints running Connect before release 3.7 are not aware of the exit node and route internet traffic as if no exit node were present.
Only Endpoints running Connect 3.7 or above can be designated as exit nodes.
Designating an exit node
In the Control Service, navigate to the Settings tab of the Endpoint within your Organisation and click on the Edit Settings button.
Enable the exit node using the check box, and then click on the Save button.
The setting will take effect automatically; there is no need to restart the Endpoint(s).
Tip
The setting only needs to be enabled on the Endpoint that will act as the exit node. The exit node is automatically assigned for peer Endpoints.
Configuring routing on the exit node
For traffic to be routed to the internet by the exit node, routing must be configured manually on the exit node itself, in the same way as for a subnet behind an Endpoint: the host must forward packets arriving from the TAN out of its internet-facing interface. Connect does not do this for you.
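One way to meet that requirement on a Linux exit node, given here as an added example rather than CyberHive's own configuration or code. It assumes that "routing for a subnet behind an Endpoint" amounts to IP forwarding plus source NAT (masquerade), and it assumes interface names: TAN_IF for the Connect tunnel interface and WAN_IF for the interface that holds the internet route. Both names are placeholders; check them with `ip addr` before applying.

```shell
#!/bin/sh
# Added example (not CyberHive's configuration): exit-node routing on Linux as
# IP forwarding plus masquerade. Interface names are assumptions; override
# them in the environment, e.g. TAN_IF=tun0 WAN_IF=ens3 sh exit-node.sh apply
TAN_IF="${TAN_IF:-tan0}"
WAN_IF="${WAN_IF:-eth0}"

# Print an nftables ruleset that (1) masquerades traffic leaving via the WAN
# interface and (2) forwards only TAN -> WAN plus the replies. The forward
# chain's drop policy stops the exit node from becoming a router for anything
# else (WAN -> TAN, or between other interfaces on the host).
exit_node_nft_ruleset() {
    tan="$1"; wan="$2"
    cat <<EOF
table inet connect_exit {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$tan" oifname "$wan" accept
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$wan" masquerade
    }
}
EOF
}

# Apply: enable forwarding now and across reboots, then load the ruleset.
# Requires root.
apply_exit_node_routing() {
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/90-connect-exit-node.conf
    sysctl -w net.ipv4.ip_forward=1
    exit_node_nft_ruleset "$TAN_IF" "$WAN_IF" | nft -f -
}

# Check: succeeds only when forwarding is on and the masquerade rule is loaded.
check_exit_node_routing() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ] || return 1
    nft list table inet connect_exit 2>/dev/null | grep -q masquerade
}

case "${1:-}" in
    apply) apply_exit_node_routing && check_exit_node_routing ;;
    show)  exit_node_nft_ruleset "$TAN_IF" "$WAN_IF" ;;
esac
```

Run `sh exit-node.sh show` first to review the generated rules, then `sudo sh exit-node.sh apply`; the check function is the same test a peer's "no internet" complaint should send you back to. On hosts still using iptables, the equivalent is `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE` together with FORWARD rules that accept only tunnel-to-WAN traffic and established replies.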
Peer behaviour with an exit node
When an exit node is online within an Organisation, its peer Endpoints route all internet traffic through the TAN. This continues even while a peer's own internet connectivity is interrupted: traffic is never failed over to the Endpoint's local internet connection, so it cannot "leak" onto the internet while Connect is running, however unreliable the Endpoint's connectivity is.
Traffic is not routed through the TAN in any of the following cases:
- IAM Policy does not permit an Endpoint to access the exit node.
- No exit node is online.
- Connect is not running on a peer Endpoint.
Tip
On Windows, the exit node is displayed in the network diagram available in the user interface.
Excluding addresses from exit node routing
Non-routable IP addresses [1]
IP addresses reserved for private networks (the RFC 1918 ranges) are also routed via the exit node, so that an Endpoint whose outgoing traffic must be controlled and audited cannot leak data onto a local network.
This means that local area network (LAN) traffic between a non-Connect device and a Connect Endpoint may not work by default while the Connect Endpoint is using an exit node.
To resolve this, add the non-Connect device's LAN address to the list of exclusions, as described below. Alternatively, you can exclude the three private subnets from exit node routing:
- 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
- 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
- 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
Excluding whole subnets reopens the local-network path that routing private addresses via the exit node is meant to close, so prefer excluding only the specific device addresses you need.
Routing all traffic through an exit node may not always be desirable. It is therefore possible to exclude specific addresses from exit node routing for all Endpoints within your Organisation.
- In the Control Service, navigate to the Exit Nodes tab within your Organisation and click on the Edit button.
- Update the list of exclusions as required. Use the Add another button to add a new exclusion, or click the red bin icon next to an exclusion to remove it. You can exclude a single address by leaving Mask at its default of 32, or exclude a range of addresses by specifying a smaller value (the prefix length). When you are done, click the Save changes button for your changes to take effect. Clicking Cancel immediately discards your changes.
- When not in "edit mode", the read-only list of exclusions is ordered by IP address and then by subnet mask where necessary.
The full list of address ranges visible to you is sent to all Endpoints in the Organisation and used to keep traffic to those addresses away from the exit node: an Endpoint sends that traffic directly to the addresses displayed rather than through the TAN.
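The per-destination decision described above, and the private-address behaviour from the note earlier in this section, as an added example that is not CyberHive's code: a small POSIX shell model of an Endpoint choosing "direct" or "exit-node" for a destination, driven by a constructed exclusion list in the address + mask form used by the Control Service. It shows that a private address not covered by an exclusion still goes to the exit node, that a mask of 32 matches exactly one host, and what excluding the three private ranges changes.

```shell
#!/bin/sh
# Added example (not CyberHive's code): models exit-node routing decisions
# against an exclusion list. The list below is constructed for the example;
# each line is "address prefix-length", prefix 32 being a single host.
EXCLUSIONS='203.0.113.10 32
192.168.1.0 24'

# Dotted quad -> 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Network mask for a prefix length, as a 32-bit integer.
prefix_mask() {
    [ "$1" -eq 0 ] && { echo 0; return; }
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Prints "direct" if the destination falls inside any exclusion, otherwise
# "exit-node". The here-document (rather than a pipe) keeps the loop in the
# current shell so "return" works.
route_for() {
    dst=$(ip_to_int "$1")
    while read -r addr mask; do
        [ -n "$addr" ] || continue
        m=$(prefix_mask "$mask")
        if [ $(( dst & m )) -eq $(( $(ip_to_int "$addr") & m )) ]; then
            echo direct
            return 0
        fi
    done <<EOF
$EXCLUSIONS
EOF
    echo exit-node
}

# The "exclude the three private subnets" alternative from the note above.
exclude_rfc1918() {
    EXCLUSIONS="$EXCLUSIONS
10.0.0.0 8
172.16.0.0 12
192.168.0.0 16"
}

# Usage: sh exclusions.sh 8.8.8.8 192.168.2.5 ...
if [ -n "${1:-}" ]; then
    for d in "$@"; do
        printf '%-16s %s\n' "$d" "$(route_for "$d")"
    done
fi
```

With the constructed list, 192.168.1.20 goes direct (inside 192.168.1.0/24) but 192.168.2.5 still goes to the exit node, which is exactly the LAN-breakage case the note above warns about; after `exclude_rfc1918` the whole 192.168.0.0/16 and 172.16.0.0/12 go direct, while 172.32.0.1, which lies just outside the /12, still goes via the exit node.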