Nebula: Difference between revisions
imported>C4lliope Raise concerns around NAT and port forwarding. |
|||
| (3 intermediate revisions by 3 users not shown) | |||
| Line 5: | Line 5: | ||
== Lighthouse Node == | == Lighthouse Node == | ||
In Nebula, a "lighthouse" is a signaling node accessible through a public IP address, using UDP port 4242. A simple configuration may look like: | In Nebula, a "lighthouse" is a signaling node accessible through a public IP address, using UDP port 4242. | ||
Because you're likely using a cloud server option for your lighthouse, there is a chance you'll be unable to use NixOS on that node. Double check the [[NixOS_friendly_hosters| NixOS friendly hosters article]] your options for running NixOS in the cloud], or choose a secondary distribution and look for the <code>nebula</code> package, and go through [https://nebula.defined.net/docs/guides/quick-start/ the Quick Start guide]. | |||
A simple configuration may look like: | |||
<syntaxhighlight lang="nix"> | <syntaxhighlight lang="nix"> | ||
environment.systemPackages = with pkgs; [ nebula ]; | environment.systemPackages = with pkgs; [ nebula ]; | ||
services.nebula.networks.mesh = { | services.nebula.networks.mesh = { | ||
enable = | enable = true; | ||
isLighthouse = true; | isLighthouse = true; | ||
cert = "/etc/ | cert = "/etc/nebula/beacon.crt"; # The name of this lighthouse is beacon. | ||
key = "/etc/nebula/ | key = "/etc/nebula/beacon.key"; | ||
ca = "/etc/nebula/ca.crt"; | ca = "/etc/nebula/ca.crt"; | ||
}; | }; | ||
</syntaxhighlight> | </syntaxhighlight> | ||
The configuration files in `/etc/nebula` need to be readable by the Nebula service: | |||
<syntaxhighlight lang="bash"> | |||
sudo chmod --reference /etc/nix /etc/nebula | |||
sudo chmod --reference /etc/nix/nix.conf /etc/nebula/* | |||
</syntaxhighlight> | |||
Here is a quick process for making a certificate authority (<code>ca</code>) and a certificate for a lighthouse node, called "<code>beacon</code>". | Here is a quick process for making a certificate authority (<code>ca</code>) and a certificate for a lighthouse node, called "<code>beacon</code>". | ||
| Line 32: | Line 44: | ||
Of these four files produced, you should do as much as you can to keep <code>ca.key</code> secure. | Of these four files produced, you should do as much as you can to keep <code>ca.key</code> secure. | ||
[[Category:Networking]] | |||
Latest revision as of 22:30, 30 October 2024
Nebula is a meshing overlay network made as an open-source program by Slack. You can seamlessly mesh hundreds, thousands, or more machines across the globe, using minimal changes to your process.
Nebula runs by assigning a number of nodes the role of "lighthouse". These nodes should be assigned a public global IP address - any kind of NAT or port forwarding is likely to render your lighthouses useless. A minimal $5/mo cloud machine is good enough to run as a lighthouse node, and luckily no traffic passes through those nodes; they only broker the peer-to-peer connections of the other nodes in your mesh.
Lighthouse Node
In Nebula, a "lighthouse" is a signaling node accessible through a public IP address, using UDP port 4242.
Because you're likely using a cloud server option for your lighthouse, there is a chance you'll be unable to use NixOS on that node. Double check the NixOS friendly hosters article your options for running NixOS in the cloud], or choose a secondary distribution and look for the nebula package, and go through the Quick Start guide.
A simple configuration may look like:
environment.systemPackages = with pkgs; [ nebula ];
services.nebula.networks.mesh = {
enable = true;
isLighthouse = true;
cert = "/etc/nebula/beacon.crt"; # The name of this lighthouse is beacon.
key = "/etc/nebula/beacon.key";
ca = "/etc/nebula/ca.crt";
};
The configuration files in `/etc/nebula` need to be readable by the Nebula service:
sudo chmod --reference /etc/nix /etc/nebula
sudo chmod --reference /etc/nix/nix.conf /etc/nebula/*
Here is a quick process for making a certificate authority (ca) and a certificate for a lighthouse node, called "beacon".
> mkdir ~/mesh && cd ~/mesh
> nebula-cert ca -name mesh
> nebula-cert sign -ca-crt ./ca.crt -ca-key ./ca.key -name beacon -ip 10.0.0.1
> ls
ca.crt ca.key node.crt node.key
Of these four files produced, you should do as much as you can to keep ca.key secure.