nebula/examples/quickstart-vagrant
Fabio Alessandro Locati 3ae242fa5f
Add nss-lookup to the systemd wants (#791)
* Add nss-lookup to the systemd wants to ensure DNS is running before starting nebula

* Add Ansible & example service scripts

* Fix #797

* Align Ansible scripts and examples

Co-authored-by: John Maguire <contact@johnmaguire.me>
2022-12-19 14:42:07 -05:00
..
ansible Add nss-lookup to the systemd wants (#791) 2022-12-19 14:42:07 -05:00
README.md Remove firewall.conntrack.max_connections from examples (#684) 2022-06-23 10:29:54 -05:00
Vagrantfile Public Release 2019-11-19 17:00:20 +00:00
requirements.yml Public Release 2019-11-19 17:00:20 +00:00

README.md

Quickstart Guide

This guide is intended to bring up a vagrant environment with 1 lighthouse and 2 generic hosts running nebula.

Creating the virtualenv for ansible

Within the quickstart/ directory, do the following

# make a virtual environment
virtualenv venv

# get into the virtualenv
source venv/bin/activate

# install ansible
pip install -r requirements.yml

Bringing up the vagrant environment

A plugin that is used for the Vagrant environment is vagrant-hostmanager

To install, run

vagrant plugin install vagrant-hostmanager

All hosts within the Vagrantfile are brought up with

vagrant up

Once the boxes are up, go into the ansible/ directory and deploy the playbook by running

ansible-playbook playbook.yml -i inventory -u vagrant

Testing within the vagrant env

Once the ansible run is done, hop onto a vagrant box

vagrant ssh generic1.vagrant

or specifically

ssh vagrant@<ip-address-in-vagrant-file (password for the vagrant user on the boxes is vagrant)

Some quick tests once the vagrant boxes are up are to ping from generic1.vagrant to generic2.vagrant using their respective nebula ip address.

vagrant@generic1:~$ ping 10.168.91.220
PING 10.168.91.220 (10.168.91.220) 56(84) bytes of data.
64 bytes from 10.168.91.220: icmp_seq=1 ttl=64 time=241 ms
64 bytes from 10.168.91.220: icmp_seq=2 ttl=64 time=0.704 ms

You can further verify that the allowed nebula firewall rules work by ssh'ing from 1 generic box to the other.

ssh vagrant@<nebula-ip-address> (password for the vagrant user on the boxes is vagrant)

See /etc/nebula/config.yml on a box for firewall rules.

To see full handshakes and hostmaps, change the logging config of /etc/nebula/config.yml on the vagrant boxes from info to debug.

You can watch nebula logs by running

sudo journalctl -fu nebula

Refer to the nebula src code directory's README for further instructions on configuring nebula.

Troubleshooting

Is nebula up and running?

Run and verify that

ifconfig

shows you an interface with the name nebula1 being up.

vagrant@generic1:~$ ifconfig nebula1
nebula1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1300
        inet 10.168.91.210  netmask 255.128.0.0  destination 10.168.91.210
        inet6 fe80::aeaf:b105:e6dc:936c  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 2  bytes 168 (168.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11  bytes 600 (600.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Connectivity

Are you able to ping other boxes on the private nebula network?

The following are the private nebula ip addresses of the vagrant env

generic1.vagrant [nebula_ip] 10.168.91.210
generic2.vagrant [nebula_ip] 10.168.91.220 
lighthouse1.vagrant [nebula_ip] 10.168.91.230

Try pinging generic1.vagrant to and from any other box using its nebula ip above.

Double check the nebula firewall rules under /etc/nebula/config.yml to make sure that connectivity is allowed for your use-case if on a specific port.

vagrant@lighthouse1:~$ grep -A21 firewall /etc/nebula/config.yml 
firewall:
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m

  inbound:
    - proto: icmp
      port: any
      host: any
    - proto: any
      port: 22
      host: any
    - proto: any
      port: 53
      host: any

  outbound:
    - proto: any
      port: any
      host: any