Between the Nodes and Lighthouse
Once enrolled, all communication between Lighthouse and the Nodes happens inside the Lighthouse VPN tunnel, i.e. the only port used is inbound TCP port 1194 on Lighthouse (note that by default Lighthouse VPN uses TCP, not UDP).
Between the Lighthouse user and Lighthouse
The user primarily accesses Lighthouse using inbound TCP ports 22 (CLI) and 443 (Web UI). All remote access to Nodes and their Managed Devices is proxied via the Lighthouse's central IP address, then tunneled over Lighthouse VPN.
Initial registration over the network is via the RESTful API, which listens on TCP port 443. There are two primary registration methods, northbound (Node to Lighthouse) and southbound (Lighthouse to Node):
- Southbound registration (i.e. using the Add Node link) uses inbound TCP port 443 on the Managed Node
- Northbound registration (i.e. all other methods) uses inbound TCP port 443 on Lighthouse
Regardless of which method is used, once registration completes the Node establishes the Lighthouse VPN tunnel to Lighthouse, i.e. the only port used is inbound TCP port 1194 on Lighthouse.
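The port requirements above can be checked against a firewall policy. The following is an added example, not Lighthouse code: the zone names (`user`, `node`, `lighthouse`), the `src -> dst proto/port` rule syntax and the sample rule set are assumptions made for illustration.

```python
import re
from collections import namedtuple

# src is the zone that initiates, dst the zone that listens (hypothetical zone names).
Flow = namedtuple("Flow", "src dst proto port")

# Port matrix as stated on this page.
ALWAYS = {
    Flow("node", "lighthouse", "tcp", 1194): "Lighthouse VPN tunnel",
    Flow("user", "lighthouse", "tcp", 22): "CLI",
    Flow("user", "lighthouse", "tcp", 443): "Web UI",
}
REGISTRATION = {  # at least one registration method must be reachable
    Flow("node", "lighthouse", "tcp", 443): "northbound registration",
    Flow("lighthouse", "node", "tcp", 443): "southbound registration (Add Node)",
}
RULE_RE = re.compile(r"^\s*(\w+)\s*->\s*(\w+)\s+(tcp|udp)/(\d+)\s*(?:#.*)?$")

def parse_rules(text):
    """Parse 'src -> dst proto/port' lines; blank lines and # comments are skipped."""
    flows = set()
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = RULE_RE.match(line.lower())
        if m is None:
            raise ValueError(f"line {n}: cannot parse {line!r}")
        flows.add(Flow(m[1], m[2], m[3], int(m[4])))
    return flows

def audit(allowed):
    """Return (missing, unexpected) allow rules relative to the documented matrix."""
    missing = [f"{f.src}->{f.dst} {f.proto}/{f.port} ({why})"
               for f, why in ALWAYS.items() if f not in allowed]
    if not allowed & REGISTRATION.keys():
        missing.append("no registration path (tcp/443 northbound or southbound)")
    known = ALWAYS.keys() | REGISTRATION.keys()
    unexpected = sorted(f"{f.src}->{f.dst} {f.proto}/{f.port}" for f in allowed - known)
    return missing, unexpected

# Constructed sample rule set (not from a real deployment).
SAMPLE = """
user -> lighthouse tcp/22
user -> lighthouse tcp/443
node -> lighthouse udp/1194   # UDP opened, but Lighthouse VPN defaults to TCP
node -> lighthouse tcp/443
user -> node tcp/22           # direct access that is not proxied via Lighthouse
"""

if __name__ == "__main__":
    print(audit(parse_rules(SAMPLE)))
```

On the sample, the audit reports the missing TCP 1194 tunnel rule and flags the UDP 1194 and direct user-to-Node rules as outside the documented matrix.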