Concepts
NetBird
NetBird is open-source VPN software based on WireGuard. Because of this, it works especially well on Linux, where WireGuard is built into the kernel. NetBird adds a layer of abstraction on top of WireGuard to make configuration easier. Under normal circumstances, WireGuard has to be configured manually: public keys must be shared with other peers, IP addresses are assigned by hand, and the IPs that are allowed to communicate must be defined. NetBird simplifies this via a management server. The --management-url parameter you pass when connecting to NetBird for the first time tells the client where to get all its configuration. From here, the management server will ask for authentication via single sign-on (SSO). Successful authentication registers the device and shares your public key with the other devices that need to communicate with you (in this case, our RISENet router). NetBird pulls their public keys down so you can communicate with them too.
NetBird also adds security on top of WireGuard via access control lists (ACLs). WireGuard, by default, does not enforce any firewall rules. NetBird does: while you're connected to RISENet, you will only have access to other RISENet devices, and only other RISENet devices will have access to you. All traffic passes through the ST4RGATE router so that IP addresses, ports, and protocols can be logged. This increases security visibility over the network and discourages misuse.
With the NetBird firewall enabled, you can initiate connections to any RISENet IP address, but they cannot initiate connections to you. For that, you will need to make firewall changes manually or disable the firewall with --disable-firewall. For the sake of doing this as securely as possible, a ST4RGATE agent will eventually be developed to wrap around NetBird and make only the necessary changes to the firewall for your host to act as a server.
Certificate Authority
A root CA (certificate authority) is an SSL certificate that has no higher authority. SSL certificates are used for many things on the internet, most notably HTTPS. When you visit an HTTPS website, the first thing your computer receives is an SSL certificate for the website. This has been signed by a higher authority that verifies that the website's operator owns the domain, and that higher authority's certificate was at some point verified by a root CA. Trusting a root CA, or the root certificate it provides you, means entrusting that authority to secure all your HTTPS traffic. The CA can't necessarily spy on you during normal usage, as it can't decrypt the traffic protected by the certificates it signs without their private keys, but it could sign illegitimate certificates that allow it or others to spy on you.
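The chain of trust described above, as an added example that is not part of the original RISENet documentation: it builds a throwaway root CA, an intermediate and a site certificate with the openssl CLI, then shows that whether the site certificate is accepted depends only on which root you trust. All names and files are constructed, and it assumes openssl and mktemp are installed.

```bash
#!/bin/sh
# Added example: throwaway root -> intermediate -> site chain, checked against
# two different trust anchors. Every name and file here is constructed.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Extension files: CA certificates may sign others, the site certificate may not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$work/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:site.example.test\n' > "$work/leaf.ext"

new_key_csr() {   # $1 = file prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
}

make_root() {     # self-signed: no higher authority vouches for it
  new_key_csr "$1" "$2"
  openssl x509 -req -in "$work/$1.csr" -signkey "$work/$1.key" \
    -extfile "$work/ca.ext" -days 1 -out "$work/$1.pem" 2>/dev/null
}

issue() {         # $1 = issuer prefix, $2 = subject prefix, $3 = CN, $4 = ext file
  new_key_csr "$2" "$3"
  openssl x509 -req -in "$work/$2.csr" -CA "$work/$1.pem" -CAkey "$work/$1.key" \
    -set_serial "0x$(openssl rand -hex 8)" -extfile "$work/$4" -days 1 \
    -out "$work/$2.pem" 2>/dev/null
}

chain_ok() {      # $1 = root to trust; succeeds only if the chain ends at that root
  openssl verify -CAfile "$work/$1.pem" -untrusted "$work/int.pem" \
    "$work/site.pem" >/dev/null 2>&1
}

make_root root  "Constructed Root CA"
make_root other "Unrelated Root CA"
issue root int  "Constructed Intermediate CA" ca.ext
issue int  site "site.example.test"           leaf.ext

for anchor in root other; do
  if chain_ok "$anchor"; then
    echo "trusting $anchor.pem: site certificate accepted"
  else
    echo "trusting $anchor.pem: site certificate rejected"
  fi
done
```

The same site certificate passes or fails purely on the choice of -CAfile, which is why adding a root certificate to your trust store is a decision about every certificate that root or its intermediates will ever sign.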