3ae242fa5f
* Add nss-lookup to the systemd wants to ensure DNS is running before starting nebula * Add Ansible & example service scripts * Fix #797 * Align Ansible scripts and examples Co-authored-by: John Maguire <contact@johnmaguire.me> |
||
---|---|---|
.. | ||
ansible | ||
README.md | ||
Vagrantfile | ||
requirements.yml |
README.md
Quickstart Guide
This guide is intended to bring up a vagrant environment with 1 lighthouse and 2 generic hosts running nebula.
Creating the virtualenv for ansible
Within the quickstart/
directory, do the following
# make a virtual environment
virtualenv venv
# get into the virtualenv
source venv/bin/activate
# install ansible
pip install -r requirements.yml
Bringing up the vagrant environment
A plugin that is used for the Vagrant environment is vagrant-hostmanager
To install, run
vagrant plugin install vagrant-hostmanager
All hosts within the Vagrantfile are brought up with
vagrant up
Once the boxes are up, go into the ansible/
directory and deploy the playbook by running
ansible-playbook playbook.yml -i inventory -u vagrant
Testing within the vagrant env
Once the ansible run is done, hop onto a vagrant box
vagrant ssh generic1.vagrant
or specifically
ssh vagrant@<ip-address-in-vagrant-file
(password for the vagrant user on the boxes is vagrant
)
Some quick tests once the vagrant boxes are up are to ping from generic1.vagrant
to generic2.vagrant
using
their respective nebula ip address.
vagrant@generic1:~$ ping 10.168.91.220
PING 10.168.91.220 (10.168.91.220) 56(84) bytes of data.
64 bytes from 10.168.91.220: icmp_seq=1 ttl=64 time=241 ms
64 bytes from 10.168.91.220: icmp_seq=2 ttl=64 time=0.704 ms
You can further verify that the allowed nebula firewall rules work by ssh'ing from 1 generic box to the other.
ssh vagrant@<nebula-ip-address>
(password for the vagrant user on the boxes is vagrant
)
See /etc/nebula/config.yml
on a box for firewall rules.
To see full handshakes and hostmaps, change the logging config of /etc/nebula/config.yml
on the vagrant boxes from
info to debug.
You can watch nebula logs by running
sudo journalctl -fu nebula
Refer to the nebula src code directory's README for further instructions on configuring nebula.
Troubleshooting
Is nebula up and running?
Run and verify that
ifconfig
shows you an interface with the name nebula1
being up.
vagrant@generic1:~$ ifconfig nebula1
nebula1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1300
inet 10.168.91.210 netmask 255.128.0.0 destination 10.168.91.210
inet6 fe80::aeaf:b105:e6dc:936c prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 2 bytes 168 (168.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 11 bytes 600 (600.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Connectivity
Are you able to ping other boxes on the private nebula network?
The following are the private nebula ip addresses of the vagrant env
generic1.vagrant [nebula_ip] 10.168.91.210
generic2.vagrant [nebula_ip] 10.168.91.220
lighthouse1.vagrant [nebula_ip] 10.168.91.230
Try pinging generic1.vagrant to and from any other box using its nebula ip above.
Double check the nebula firewall rules under /etc/nebula/config.yml to make sure that connectivity is allowed for your use-case if on a specific port.
vagrant@lighthouse1:~$ grep -A21 firewall /etc/nebula/config.yml
firewall:
conntrack:
tcp_timeout: 12m
udp_timeout: 3m
default_timeout: 10m
inbound:
- proto: icmp
port: any
host: any
- proto: any
port: 22
host: any
- proto: any
port: 53
host: any
outbound:
- proto: any
port: any
host: any