Exit Configuration

The exit section configures the agent as an exit node that opens connections to external destinations.

Configuration

exit:
  enabled: true
  routes:
    - "10.0.0.0/8"
    - "192.168.0.0/16"
    - "0.0.0.0/0"
  dns:
    servers:
      - "8.8.8.8:53"
      - "1.1.1.1:53"
    timeout: 5s

Options

Option	Type	Default	Description
`enabled`	bool	false	Enable exit node
`routes`	array	[]	CIDR routes to advertise
`dns.servers`	array	[]	DNS servers for resolution
`dns.timeout`	duration	5s	DNS query timeout

Routes

Routes define which destinations this exit node can reach:

exit:
  routes:
    - "10.0.0.0/8"         # Private class A
    - "172.16.0.0/12"      # Private class B
    - "192.168.0.0/16"     # Private class C
    - "0.0.0.0/0"          # Default route (all traffic)

Route Types

Route	Description
`10.0.0.0/8`	Internal network
`192.168.1.0/24`	Specific subnet
`1.2.3.4/32`	Single host
`0.0.0.0/0`	Default route (internet)

Route Selection

When multiple exit nodes advertise overlapping routes:

Longest prefix wins: /32 beats /24 beats /0
Lower metric wins: Closer exit preferred

Example:

Exit A advertises 10.0.0.0/8 (metric 1)
Exit B advertises 10.1.0.0/16 (metric 2)
Traffic to 10.1.2.3 goes to Exit B (longer prefix)
Traffic to 10.2.3.4 goes to Exit A

DNS Configuration

Public DNS

exit:
  dns:
    servers:
      - "8.8.8.8:53"         # Google DNS
      - "1.1.1.1:53"         # Cloudflare DNS
    timeout: 5s

Private DNS

For internal domains:

exit:
  dns:
    servers:
      - "10.0.0.1:53"        # Internal DNS server
    timeout: 5s

DNS-over-TLS (DoT)

Not currently supported. Use standard DNS.

No DNS

If DNS is not configured, domain names will fail to resolve:

exit:
  enabled: true
  routes:
    - "10.0.0.0/8"
  # No dns section - only IP addresses work

Access Control

Routes also serve as access control:

exit:
  routes:
    - "10.0.0.0/8"          # Only allow internal network
    # No 0.0.0.0/0 = no internet access

Connections to non-matching destinations receive STREAM_OPEN_ERR.

Examples

Internet Gateway

Allow all traffic:

exit:
  enabled: true
  routes:
    - "0.0.0.0/0"           # All IPv4 traffic
  dns:
    servers:
      - "8.8.8.8:53"
      - "1.1.1.1:53"
    timeout: 5s

Private Network Only

Internal resources only:

exit:
  enabled: true
  routes:
    - "10.0.0.0/8"
    - "192.168.0.0/16"
  dns:
    servers:
      - "10.0.0.1:53"       # Internal DNS
    timeout: 5s

Specific Service Access

Only database and API servers:

exit:
  enabled: true
  routes:
    - "10.0.1.10/32"        # Database server
    - "10.0.1.20/32"        # API server
  dns:
    servers:
      - "10.0.0.1:53"
    timeout: 5s

Split Horizon

Different exits for different networks:

Exit A (internal network):

exit:
  enabled: true
  routes:
    - "10.0.0.0/8"
  dns:
    servers:
      - "10.0.0.1:53"

Exit B (internet):

exit:
  enabled: true
  routes:
    - "0.0.0.0/0"
  dns:
    servers:
      - "8.8.8.8:53"

Traffic is routed:

10.x.x.x -> Exit A (longer prefix)
Everything else -> Exit B (default route)

Route Advertisement

Routes are advertised to the mesh:

Automatically: Every routing.advertise_interval (default 2m)
Manually: Via HTTP API

Trigger Immediate Advertisement

curl -X POST http://localhost:8080/routes/advertise

Use after:

Configuration changes
Network changes
Agent restart

Routing Configuration

routing:
  advertise_interval: 2m    # How often to re-advertise
  route_ttl: 5m             # Route expiration time
  max_hops: 16              # Maximum path length

Metrics

Metric	Type	Description
`muti_metroo_exit_connections_active`	Gauge	Active connections
`muti_metroo_exit_connections_total`	Counter	Total connections
`muti_metroo_exit_dns_queries_total`	Counter	DNS queries
`muti_metroo_exit_dns_latency_seconds`	Histogram	DNS latency
`muti_metroo_exit_errors_total`	Counter	Errors by type

Troubleshooting

No Route Found

Error: no route to 1.2.3.4

Check exit is enabled
Verify routes include destination
Check exit agent is connected to mesh

DNS Resolution Failed

Error: DNS lookup failed for example.com

Verify DNS servers are reachable
Check DNS timeout
Test DNS directly: dig @8.8.8.8 example.com

Connection Refused

Error: connection refused to 10.0.0.5:22

Verify destination is reachable from exit agent
Check firewall rules on exit host
Test directly: nc -zv 10.0.0.5 22

Access Denied

Error: destination not in allowed routes

Add appropriate route to exit.routes
Use more permissive CIDR (e.g., /8 instead of /24)

Security Considerations

Principle of least privilege: Only advertise necessary routes
Avoid 0.0.0.0/0 unless you need full internet access
Use internal DNS for private networks
Monitor exit traffic via metrics
Consider network segmentation: Different exits for different trust levels

Features: Exit Routing - Detailed usage
Concepts: Routing - How routing works
Security: Access Control - Security best practices

Configuration​

Options​

Routes​

Route Types​

Route Selection​

DNS Configuration​

Public DNS​

Private DNS​

DNS-over-TLS (DoT)​

No DNS​

Access Control​

Examples​

Internet Gateway​

Private Network Only​

Specific Service Access​

Split Horizon​

Route Advertisement​

Trigger Immediate Advertisement​

Routing Configuration​

Metrics​

Troubleshooting​

No Route Found​

DNS Resolution Failed​

Connection Refused​

Access Denied​

Security Considerations​

Related​