Hi Nilesh,

Thanks for the feedback. I really appreciate your time. You are focused on user experience and I'm sure we will make this a really positive experience!

I want to add a little context about how the software works and see if you still think the default settings are too intrusive / unsafe. These are just the settings that are currently widely distributed by virtue of being provided by the upstream project. (The upstream instructions ask users to copy the example config to provide the defaults.)

> Also, I'm not comfortable with nebula binding to port 4242 by "default"

I don't see how this situation is materially different than other network daemons with default ports (e.g. ssh[22], wireguard[51820], prometheus[9090], etc.). It would probably be wise to choose a higher number port that doesn't conflict with other pieces of software, however obscure. Although, other versions of the software are bundled with this port. If you would like, I can ask the upstream maintainers if we want to standardize on a different default before it has been widely adopted.

It will only bind to the port when the user takes a manual action to start the service. By virtue of creating an authenticated virtual network, it restricts access to only those who have a signed certificate.

> It also seems to allow all outbound ports by default, in your d/config.yml

To my understanding, this means that if another machine that is part of the virtual network exposed a port, you could connect to it. It doesn't mean that you are exposing services. Allowing outbound traffic is the default configuration for most firewalls.

> If you agree w/ me, please also consider to do so for a few other settings too.

I will work on this tomorrow. Unless you think these need to be included, I would start with other things like configuring lighthouse behavior. These are settings the user will likely wish to modify after installation and this is why I left in the boilerplate around the lighthouse section (e.g. static host map). The example IP is part of the TCP/IP standards meant as an unreachable IP for documentation purposes. I'll prompt the user for this information.

Best,
Alex
