Not sure if this is the right channel to mention it, but I think the "rce" setting should also be enforced by the client (right now, it appears to only be enforced by the server) - my suggestion would be that in netclient/wireguard/common.go(https://github.com/gravitl/netmaker/blob/master/netclient/wireguard/common.go#L345) in WireWgConfig() you do a config check (defaulting to disabling PostUp/PostDown), and set PostUp and PostDown to empty strings if rce is not locally "allowed". Otherwise, a compromised server can run code on clients by pushing a rogue config manually.

That's a good idea, but the issue is, we still use postup/postdown when RCE is off; specifically when ingress/egress is turned on a node. In the case of ingress/egress, we still have the node run postup/postdown commands to set iptables

ah ok - I didn't test ingress/egress yet - do you mean that only ingress/egress nodes need postup/postdown commands? (that would make sense to me)