Commit Graph

75 Commits

Author SHA1 Message Date
Wade Simmons 50b24c102e
v1.9.0 (#1137)
Update CHANGELOG for Nebula v1.9.0

Co-authored-by: John Maguire <john@defined.net>
2024-05-08 10:31:24 -04:00
John Maguire f31bab5f1a
Add support for SSH CAs (#1098)
- Accept certs signed by trusted CAs
- Username must match the cert principal if set
- Any username can be used if cert principal is empty
- Don't allow removed pubkeys/CAs to be used after reload
2024-04-30 10:50:17 -04:00
John Maguire f7db0eb5cc
Remove Vagrant example (#1129) 2024-04-30 09:40:24 -05:00
Andrew Kraut df78158cfa
Create service script for open-rc (#711) 2024-04-30 09:53:00 -04:00
Nate Brown a99618e95c
Don't log invalid certificates (#1116) 2024-04-29 15:21:00 -05:00
Nate Brown cc8b3cc961 Add config option for local_cidr control 2024-02-15 11:46:45 -06:00
Nate Brown f346cf4109 At the end 2024-02-05 10:23:10 -06:00
Nate Brown 072edd56b3
Fix re-entrant `GetOrHandshake` issues (#1044) 2023-12-19 11:58:31 -06:00
Tristan Rice 1083279a45
add gvisor based service library (#965)
* add service/ library
2023-11-21 11:50:18 -05:00
Nate Brown 3356e03d85
Default `pki.disconnect_invalid` to true and make it reloadable (#859) 2023-11-13 12:39:38 -06:00
John Maguire 87b628ba24
Fix truncated comment in config.yml (#999) 2023-10-27 08:39:34 -04:00
c0repwn3r 03e70210a5
Add support for NetBSD (#916) 2023-07-27 13:44:47 -05:00
Nate Brown 1e3c155896
Attempt to notify systemd of service readiness on linux (#929) 2023-07-24 11:30:18 -05:00
John Maguire 7e380bde7e
Document new DNS config options (#879) 2023-07-10 15:19:05 -04:00
John Maguire 8ba5d64dbc
Add support for naming FreeBSD tun devices (#903) 2023-06-22 12:13:31 -04:00
Ilya Lukyanov 1701087035
Add destination CIDR checking (#507) 2023-05-09 10:37:23 -05:00
Nate Brown a9cb2e06f4
Add ability to respect the system route table for unsafe route on linux (#839) 2023-05-09 10:36:55 -05:00
Nate Brown 397fe5f879
Add ability to skip installing unsafe routes on the os routing table (#831) 2023-04-10 12:32:37 -05:00
Nate Brown 3cb4e0ef57
Allow listen.host to contain names (#825) 2023-04-05 11:29:26 -05:00
Wade Simmons 3e5c7e6860
add punchy.respond_delay config option (#721) 2023-03-29 14:32:35 -05:00
Wade Simmons e1af37e46d
add calculated_remotes (#759)
* add calculated_remotes

This setting allows us to "guess" what the remote might be for a host
while we wait for the lighthouse response. For networks that hard
designed with in mind, it can help speed up handshake performance, as well as
improve resiliency in the case that all lighthouses are down.

Example:

    lighthouse:
      # ...

      calculated_remotes:
        # For any Nebula IPs in 10.0.10.0/24, this will apply the mask and add
        # the calculated IP as an initial remote (while we wait for the response
        # from the lighthouse). Both CIDRs must have the same mask size.
        # For example, Nebula IP 10.0.10.123 will have a calculated remote of
        # 192.168.1.123

        10.0.10.0/24:
          - mask: 192.168.1.0/24
            port: 4242

* figure out what is up with this test

* add test

* better logic for sending handshakes

Keep track of the last light of hosts we sent handshakes to. Only log
handshake sent messages if the list has changed.

Remove the test Test_NewHandshakeManagerTrigger because it is faulty and
makes no sense. It relys on the fact that no handshake packets actually
get sent, but with these changes we would send packets now (which it
should!)

* use atomic.Pointer

* cleanup to make it clearer

* fix typo in example
2023-03-13 15:09:08 -04:00
Wade Simmons 6e0ae4f9a3
firewall: add option to send REJECT replies (#738)
* firewall: add option to send REJECT replies

This change allows you to configure the firewall to send REJECT packets
when a packet is denied.

    firewall:
      # Action to take when a packet is not allowed by the firewall rules.
      # Can be one of:
      #   `drop` (default): silently drop the packet.
      #   `reject`: send a reject reply.
      #     - For TCP, this will be a RST "Connection Reset" packet.
      #     - For other protocols, this will be an ICMP port unreachable packet.
      outbound_action: drop
      inbound_action: drop

These packets are only sent to established tunnels, and only on the
overlay network (currently IPv4 only).

    $ ping -c1 192.168.100.3
    PING 192.168.100.3 (192.168.100.3) 56(84) bytes of data.
    From 192.168.100.3 icmp_seq=2 Destination Port Unreachable

    --- 192.168.100.3 ping statistics ---
    2 packets transmitted, 0 received, +1 errors, 100% packet loss, time 31ms

    $ nc -nzv 192.168.100.3 22
    (UNKNOWN) [192.168.100.3] 22 (?) : Connection refused

This change also modifies the smoke test to capture tcpdump pcaps from
both the inside and outside to inspect what is going on over the wire.
It also now does TCP and UDP packet tests using the Nmap version of
ncat.

* calculate seq and ack the same was as the kernel

The logic a bit confusing, so we copy it straight from how the kernel
does iptables `--reject-with tcp-reset`:

- https://github.com/torvalds/linux/blob/v5.19/net/ipv4/netfilter/nf_reject_ipv4.c#L193-L221

* cleanup
2023-03-13 15:08:40 -04:00
Caleb Jasik f0ac61c1f0
Add `nebula.plist` based on the homebrew nebula LaunchDaemon plist (#762) 2023-03-13 13:16:46 -05:00
John Maguire b5a85a6eb8
Update example config with IPv6 note for allow lists (#742) 2022-12-20 16:50:02 -05:00
Fabio Alessandro Locati 3ae242fa5f
Add nss-lookup to the systemd wants (#791)
* Add nss-lookup to the systemd wants to ensure DNS is running before starting nebula

* Add Ansible & example service scripts

* Fix #797

* Align Ansible scripts and examples

Co-authored-by: John Maguire <contact@johnmaguire.me>
2022-12-19 14:42:07 -05:00
John Maguire ec48298fe8
Update config to show aes cipher instead of chacha (#788) 2022-12-07 11:38:56 -06:00
Alexander Averyanov 022ae83a4a
Fix typo: my -> may (#758) 2022-11-28 13:59:57 -05:00
brad-defined 38e495e0d2
Remove EXPERIMENTAL text from routines example config. (#702) 2022-06-30 11:20:41 -04:00
brad-defined 78a0255c91
typeos (#700) 2022-06-29 11:19:20 -04:00
Wade Simmons 7b9287709c
add listen.send_recv_error config option (#670)
By default, Nebula replies to packets it has no tunnel for with a `recv_error` packet. This packet helps speed up re-connection
in the case that Nebula on either side did not shut down cleanly. This response can be abused as a way to discover if Nebula is running
on a host though. This option lets you configure if you want to send `recv_error` packets always, never, or only to private network remotes.
valid values: always, never, private

This setting is reloadable with SIGHUP.
2022-06-27 12:37:54 -04:00
John Maguire a0b280621d
Remove firewall.conntrack.max_connections from examples (#684) 2022-06-23 10:29:54 -05:00
brad-defined 1a7c575011
Relay (#678)
Co-authored-by: Wade Simmons <wsimmons@slack-corp.com>
2022-06-21 13:35:23 -05:00
Nate Brown d85e24f49f
Allow for self reported ips to the lighthouse (#650) 2022-04-04 12:35:23 -05:00
Chad Harp 1915fab619
tun_darwin (#163)
- Remove water and replace with syscalls for tun setup
- Support named interfaces
- Set up routes with syscalls instead of os/exec

Co-authored-by: Wade Simmons <wade@wades.im>
2021-11-09 20:24:24 -05:00
Donatas Abraitis b358bbab80
Add an ability to specify metric for unsafe routes (#474) 2021-11-03 21:53:28 -05:00
Donatas Abraitis 32e2619323
Teardown tunnel automatically if peer's certificate expired (#370) 2021-10-20 13:23:33 -05:00
Wade Simmons ea2c186a77
remote_allow_ranges: allow inside CIDR specific remote_allow_lists (#540)
This allows you to configure remote allow lists specific to different
subnets of the inside CIDR. Example:

    remote_allow_ranges:
      10.42.42.0/24:
        192.168.0.0/16: true

This would only allow hosts with a VPN IP in the 10.42.42.0/24 range to
have private IPs (and thus don't connect over public IPs).

The PR also refactors AllowList into RemoteAllowList and LocalAllowList to make it clearer which methods are allowed on which allow list.
2021-10-19 10:54:30 -04:00
Wade Simmons afda79feac
documented "preferred_ranges" (#541)
Document the preferred config variable, and deprecate "local_range".
2021-10-19 10:53:36 -04:00
Ben Yanke 9f34c5e2ba
Typo Fix (#523) 2021-09-16 00:12:08 -05:00
Nathan Brown 710df6a876
Refactor remotes and handshaking to give every address a fair shot (#437) 2021-04-14 13:50:09 -05:00
John Maguire 20bef975cd
Remove obsolete systemd unit settings (take 2) (#438) 2021-04-07 12:02:40 -05:00
Nathan Brown 7073d204a8
IPv6 support for outside (udp) (#369) 2021-03-18 20:37:24 -05:00
Joe Doss 13471f5792
Remove obsolete systemd unit settings. (#412) 2021-03-18 12:29:36 -07:00
Wade Simmons 27d9a67dda
Proper multiqueue support for tun devices (#382)
This change is for Linux only.

Previously, when running with multiple tun.routines, we would only have one file descriptor. This change instead sets IFF_MULTI_QUEUE and opens a file descriptor for each routine. This allows us to process with multiple threads while preventing out of order packet reception issues.

To attempt to distribute the flows across the queues, we try to write to the tun/UDP queue that corresponds with the one we read from. So if we read a packet from tun queue "2", we will write the outgoing encrypted packet to UDP queue "2". Because of the nature of how multi queue works with flows, a given host tunnel will be sticky to a given routine (so if you try to performance benchmark by only using one tunnel between two hosts, you are only going to be using a max of one thread for each direction).

Because this system works much better when we can correlate flows between the tun and udp routines, we are deprecating the undocumented "tun.routines" and "listen.routines" parameters and introducing a new "routines" parameter that sets the value for both. If you use the old undocumented parameters, the max of the values will be used and a warning logged.

Co-authored-by: Nate Brown <nbrown.us@gmail.com>
2021-02-25 15:01:14 -05:00
John Maguire 2bce222550
List possible cipher options in example config (#385) 2021-02-19 21:46:42 -06:00
Brian Kelly 5c23676a0f
Added line to systemd config template to start Nebula before sshd (#317)
During shutdown, this will keep Nebula alive until after sshd is finished. This cleanly terminates ssh clients accessing a server over a Nebula tunnel.
2020-10-29 21:43:02 -04:00
CzBiX ef498a31da
Add disable_timestamp option (#288) 2020-09-09 07:42:11 -04:00
forfuncsake 9b8b3c478b
Support startup without a tun device (#269)
This commit adds support for Nebula to be started without creating
a tun device. A node started in this mode still has a full "control
plane", but no effective "data plane". Its use is suited to a
lighthouse that has no need to partake in the mesh VPN.

Consequently, creation of the tun device is the only reason nebula
neesd to be started with elevated privileged, so this example
lighthouse can also be run as a non-root user.
2020-08-10 09:15:55 -04:00
forfuncsake 25964b54f6
Use inclusive terminology for cert blocking (#272) 2020-08-06 11:17:47 +10:00
Wade Simmons 4756c9613d
trigger handshakes when lighthouse reply arrives (#246)
Currently, we wait until the next timer tick to act on the lighthouse's
reply to our HostQuery. This means we can easily add hundreds of
milliseconds of unnecessary delay to the handshake. To fix this, we
can introduce a channel to trigger an outbound handshake without waiting
for the next timer tick.

A few samples of cold ping time between two hosts that require a
lighthouse lookup:

    before (v1.2.0):

    time=156 ms
    time=252 ms
    time=12.6 ms
    time=301 ms
    time=352 ms
    time=49.4 ms
    time=150 ms
    time=13.5 ms
    time=8.24 ms
    time=161 ms
    time=355 ms

    after:

    time=3.53 ms
    time=3.14 ms
    time=3.08 ms
    time=3.92 ms
    time=7.78 ms
    time=3.59 ms
    time=3.07 ms
    time=3.22 ms
    time=3.12 ms
    time=3.08 ms
    time=8.04 ms

I recommend reviewing this PR by looking at each commit individually, as
some refactoring was required that makes the diff a bit confusing when
combined together.
2020-07-22 10:35:10 -04:00