Nebula: Difference between revisions

From NixOS Wiki
imported>C4lliope
Begin describing Nebula.
 
imported>C4lliope
Raise concerns around NAT and port forwarding.
Line 1: Line 1:
[https://github.com/slackhq/nebula Nebula] is a meshing overlay network made as an open-source program by Slack. You can seamlessly mesh hundreds, thousands, or more machines across the globe, using minimal changes to your process.
[https://github.com/slackhq/nebula Nebula] is a meshing overlay network made as an open-source program by Slack. You can seamlessly mesh hundreds, thousands, or more machines across the globe, using minimal changes to your process.


This guide assumes there are a couple of Nix machines you'd like to connect, though you can go through the "Lighthouse Node" section on a single machine as a sample.
Nebula runs by assigning a number of nodes the role of "lighthouse". These nodes should be assigned a public global IP address - any kind of NAT or port forwarding is likely to render your lighthouses useless. A minimal $5/mo cloud machine is good enough to run as a lighthouse node, and luckily no traffic passes through those nodes; they only broker the peer-to-peer connections of the other nodes in your mesh.


== Lighthouse Node ==
== Lighthouse Node ==
Line 12: Line 12:
     enable = false;
     enable = false;
     isLighthouse = true;
     isLighthouse = true;
     cert = "/home/user/mesh/node.crt";
     cert = "/etc/nebulanode.crt";
     key = "/home/user/mesh/node.key";
     key = "/etc/nebula/node.key";
     ca = "/home/user/mesh/ca.crt";
     ca = "/etc/nebula/ca.crt";
   };
   };
</syntaxhighlight>
</syntaxhighlight>


Please use your normal login username, or choose some other place on your disk as you like.
Because you're likely using a VPS server for your lighthouse, there is a chance you'll be unable to use NixOS on that node. Check the package manager of your distribution for the <code>nebula</code> package, and go through the Quick Start guide: https://nebula.defined.net/docs/guides/quick-start/


Before enabling the service, do you see those certificates referenced under <code>cert</code>, <code>key</code>, and <code>ca</code>? They're easy enough to make.
Here is a quick process for making a certificate authority (<code>ca</code>) and a certificate for a lighthouse node, called "<code>beacon</code>".
 
Be sure you make the certs on the filepath used in your nix config, and use the IP you'd like your lighthouse node to be assigned.


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
> mkdir ~/mesh && cd ~/mesh
> mkdir ~/mesh && cd ~/mesh
> nebula-cert ca -name mesh
> nebula-cert ca -name mesh
> nebula-cert sign -ca-crt ./ca.crt -ca-key ./ca.key -name node -ip 10.0.0.180
> nebula-cert sign -ca-crt ./ca.crt -ca-key ./ca.key -name beacon -ip 10.0.0.1
> ls
> ls
ca.crt  ca.key  node.crt  node.key
ca.crt  ca.key  node.crt  node.key
</syntaxhighlight>
</syntaxhighlight>


Of these four, you should do as much as you can to keep <code>ca.key</code> secure.
Of these four files produced, you should do as much as you can to keep <code>ca.key</code> secure.


(...more coming soon...)
(...more coming soon...)

Revision as of 06:48, 25 December 2023

Nebula is a meshing overlay network made as an open-source program by Slack. You can seamlessly mesh hundreds, thousands, or more machines across the globe, using minimal changes to your process.

Nebula runs by assigning a number of nodes the role of "lighthouse". These nodes should be assigned a public global IP address - any kind of NAT or port forwarding is likely to render your lighthouses useless. A minimal $5/mo cloud machine is good enough to run as a lighthouse node, and luckily no traffic passes through those nodes; they only broker the peer-to-peer connections of the other nodes in your mesh.

Lighthouse Node

In Nebula, a "lighthouse" is a signaling node accessible through a public IP address, using UDP port 4242. A simple configuration may look like:

  environment.systemPackages = with pkgs; [ nebula ];
  services.nebula.networks.mesh = {
    enable = false;
    isLighthouse = true;
    cert = "/etc/nebulanode.crt";
    key = "/etc/nebula/node.key";
    ca = "/etc/nebula/ca.crt";
  };

Because you're likely using a VPS server for your lighthouse, there is a chance you'll be unable to use NixOS on that node. Check the package manager of your distribution for the nebula package, and go through the Quick Start guide: https://nebula.defined.net/docs/guides/quick-start/

Here is a quick process for making a certificate authority (ca) and a certificate for a lighthouse node, called "beacon".

> mkdir ~/mesh && cd ~/mesh
> nebula-cert ca -name mesh
> nebula-cert sign -ca-crt ./ca.crt -ca-key ./ca.key -name beacon -ip 10.0.0.1
> ls
ca.crt  ca.key  node.crt  node.key

Of these four files produced, you should do as much as you can to keep ca.key secure.

(...more coming soon...)