Is your feature request related to a problem? Please describe.
Not a problem so much as a security/architectural improvement. Currently as far as I can tell from the documentation Netbird works very similarly to Tailscale in as much as there is a central coordination server that is implicitly trusted to mediate key exchange - this creates a weakness in that the central server could substitute keys to intercept communications between nodes. Not a disaster if the central server remains trusted but hardly “zero trust” and since the central server needs to be publicly available it forms a natural point of attack, both for self hosted and cloud hosted options.
Describe the solution you’d like
Having the option to sign or verify each node’s keys with, for example, an offline certificate authority, ideally using a post quantum resistant algorithm for future proofing purposes
Describe alternatives you’ve considered
Nebula is another competitor in the overlay networking space that has no central trusted coordination server - node discovery is mediated by any non-zero number of “Lighthouse” nodes with clients exchanging public key certificates (using a simple purpose built format rather than x509) signed by an offline certificate authority. Nebula lacks some key features that Netbird and Tailscale both offer in part because of that lack of central coordination (the biggest being that DNS support is very lackluster) but combining the best of both worlds could offer similar security guarantees while maintaining the additional features that Netbird offers, and could be done by adding an optional additional cert exchange and verification alongside the public keys without changing the overall architecture.
I could be mistaken as I am not a 100% sure about the feature but if I recall correctly, you can set a pre-defined key for quantum encryption.
This is pulled from the docs:
Rosenpass is a post-quantum secure key-exchange protocol that enhances WireGuard VPNs against quantum computer attacks. It employs advanced cryptographic methods Classic McEliece and Kyber. The software is open-source and designed for easy integration with existing WireGuard installations. It ensures future-proof security against quantum threats by continuously generating and rotating WireGuard pre-shared keys every two minutes. Rosenpass can also be used as a generic key-exchange mechanism for other protocols. Starting v0.25.4, the NetBird agent runs an embedded Rosenpass server that automatically rotates and applies WireGuard pre-shared keys to every point-to-point connection.
Is this what you happen to be looking for? Or at least similair to what you are looking for?
I probably confused things a bit by bringing that up, post quantum crypto is one of the advantages of Netbird over other options. I was more referring to the fact that currently, like with Tailscale, the control plane is ultimately trusted, and unless the users manually verify all keys a compromised control server can substitute keys to intercept or modify traffic anywhere in the network. Nebula (GitHub - slackhq/nebula: A scalable overlay networking tool with a focus on performance, simplicity and security) solved this problem by using signed certificates with a CA, so you can keep the CA certificate offline and still trust each key without manual verification. This is desirable because the control server must be online and publicly routable to coordinate the network, making it a high value target. Adding a CA or other means of verifying keys without relying on the control server would make Netbird the most secure option for overlay networking, at least in theory.
I think with the use of ACL’s and DNS makes it complicated to get an offline root of trust. If you don’t have internet or the system is down, I doubt it would load anything else. So for security it woudn’t load anything. However, I could be wrong.
It may work, but it would require reworking how Wireguard itself works or Netbird in conjunction with wireguard.
True. Nebula does this by baking info like groups into the certs and setting access control rules on the nodes, which would require significant reworking to do on Netbird and come at the cost of convenience/much more management overhead. One option could be an option to use certs to guarantee each node is who it claims to be while still trusting the management server with access control and such - an attacker could mess with your firewall rules but at least they couldn’t install additional nodes into your network to exploit that. That would require wrapping keys in certs and checking them but shouldn’t require any dramatic architectural changes and cert checking could be implemented as a separate step so that plain Wireguard can still be used under the hood