Remove firewall.conntrack.max_connections from examples (#684)
2022-06-23 10:29:54 -05:00
Quickstart Guide

This guide is intended to bring up a vagrant environment with 1 lighthouse and 2 generic hosts running nebula.

Creating the virtualenv for ansible

Within the quickstart/ directory, do the following

# make a virtual environment
virtualenv venv

# get into the virtualenv
source venv/bin/activate

# install ansible
pip install -r requirements.yml

Bringing up the vagrant environment

The Vagrant environment relies on the vagrant-hostmanager plugin.

To install, run

vagrant plugin install vagrant-hostmanager

All hosts within the Vagrantfile are brought up with

vagrant up

Once the boxes are up, go into the ansible/ directory and deploy the playbook by running

ansible-playbook playbook.yml -i inventory -u vagrant

Testing within the vagrant env

Once the ansible run is done, hop onto a vagrant box

vagrant ssh generic1.vagrant

or specifically

ssh vagrant@<ip-address-in-vagrant-file> (password for the vagrant user on the boxes is vagrant)

A quick test once the vagrant boxes are up is to ping generic2.vagrant from generic1.vagrant using its nebula ip address.

vagrant@generic1:~$ ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=241 ms
64 bytes from icmp_seq=2 ttl=64 time=0.704 ms

You can further verify that the allowed nebula firewall rules work by ssh'ing from 1 generic box to the other.

ssh vagrant@<nebula-ip-address> (password for the vagrant user on the boxes is vagrant)

See /etc/nebula/config.yml on a box for firewall rules.

To see full handshakes and hostmaps, change the logging config of /etc/nebula/config.yml on the vagrant boxes from info to debug.

You can watch nebula logs by running

sudo journalctl -fu nebula

Refer to the nebula src code directory's README for further instructions on configuring nebula.


Is nebula up and running?

Run ifconfig and verify that its output shows an interface named nebula1 that is up.

vagrant@generic1:~$ ifconfig nebula1
nebula1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1300
        inet  netmask  destination
        inet6 fe80::aeaf:b105:e6dc:936c  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 2  bytes 168 (168.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11  bytes 600 (600.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


Are you able to ping other boxes on the private nebula network?

The following are the private nebula ip addresses of the vagrant env

generic1.vagrant [nebula_ip]
generic2.vagrant [nebula_ip] 
lighthouse1.vagrant [nebula_ip]

Try pinging generic1.vagrant to and from any other box using its nebula ip above.

Double check the nebula firewall rules under /etc/nebula/config.yml to make sure the port and protocol your use-case needs are allowed inbound.

vagrant@lighthouse1:~$ grep -A21 firewall /etc/nebula/config.yml
firewall:
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m

  inbound:
    - proto: icmp
      port: any
      host: any
    - proto: any
      port: 22
      host: any
    - proto: any
      port: 53
      host: any

  outbound:
    - proto: any
      port: any
      host: any
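Checking the rules by eye works for three entries, but it is easy to miss that a rule admits more than intended. The script below is an added example (not part of the nebula project or this quickstart) that parses the firewall section of a nebula config.yml with plain sh and awk, answers "is this proto/port admitted inbound?", and flags an inbound any/any/any rule. It assumes the layout shown above (two-space indent, rules written with proto/port/host); other nebula selectors such as groups or cidr are not interpreted. The two configs it reads are constructed inline to mirror the quickstart; on a box, point the functions at /etc/nebula/config.yml instead.

```shell
#!/bin/sh
# Added example (not nebula project code): inspect the firewall section of a
# nebula config.yml with sh + awk. Understands only the quickstart shape
# (two-space indent, proto/port/host rules); groups, cidr, etc. are ignored.
set -eu

# Print one rule per line: "<inbound|outbound> <proto> <port> <host>"
nebula_fw_rules() {
    awk '
    function flush() {
        if (proto != "") print dir, proto, port, host
        proto = ""; port = ""; host = ""
    }
    /^firewall:/                          { infw = 1; next }
    infw && /^[^ ]/                       { flush(); infw = 0; dir = "" }   # next top-level key
    infw && /^  (inbound|outbound):/      { flush(); dir = $1; sub(":", "", dir); next }
    infw && /^  [a-z]/                    { flush(); dir = ""; next }       # e.g. conntrack:
    infw && dir != "" && /^    - proto:/  { flush(); proto = $3; next }
    infw && dir != "" && /^      port:/   { port = $2; next }
    infw && dir != "" && /^      host:/   { host = $2; next }
    END                                   { flush() }
    ' "$1"
}

# Exit 0 when some inbound rule admits PROTO on PORT ("any", a number, or a
# number inside a lo-hi range rule), else exit 1. First matching rule wins.
inbound_allows() {
    nebula_fw_rules "$1" | awk -v proto="$2" -v port="$3" '
        $1 != "inbound"            { next }
        $2 != "any" && $2 != proto { next }
        $3 == "any"                { found = 1; exit }
        index($3, "-")             { split($3, r, "-")
                                     if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { found = 1; exit }
                                     next }
        $3 == port                 { found = 1; exit }
        END                        { exit !found }
    '
}

# Exit 0 (printing the offending rule) if an inbound rule is any/any/any,
# i.e. the permissive outbound rule copied into the inbound list by mistake.
inbound_wide_open() {
    nebula_fw_rules "$1" |
        awk '$1 == "inbound" && $2 == "any" && $3 == "any" && $4 == "any" { print; found = 1 }
             END { exit !found }'
}

# Constructed sample mirroring the quickstart firewall section (with a key
# before and after it to show that only the firewall block is read).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
pki:
  ca: /etc/nebula/ca.crt
firewall:
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m

  inbound:
    - proto: icmp
      port: any
      host: any
    - proto: any
      port: 22
      host: any
    - proto: any
      port: 53
      host: any

  outbound:
    - proto: any
      port: any
      host: any
logging:
  level: info
EOF

# Constructed counter-example: a port range plus an inbound any/any/any rule.
WIDE_OPEN=$(mktemp)
cat > "$WIDE_OPEN" <<'EOF'
firewall:
  inbound:
    - proto: tcp
      port: 8000-8100
      host: any
    - proto: any
      port: any
      host: any
EOF
trap 'rm -f "$SAMPLE" "$WIDE_OPEN"' EXIT

report() {   # report CONFIG PROTO PORT
    if inbound_allows "$1" "$2" "$3"; then echo "  inbound $2/$3: allowed"
    else echo "  inbound $2/$3: blocked"; fi
}
echo "== quickstart sample =="; nebula_fw_rules "$SAMPLE"
report "$SAMPLE" tcp 22; report "$SAMPLE" udp 53; report "$SAMPLE" tcp 443; report "$SAMPLE" icmp any
if inbound_wide_open "$SAMPLE"; then echo "  WARNING: inbound any/any/any"; else echo "  inbound rules are scoped"; fi
echo "== wide-open sample =="; report "$WIDE_OPEN" tcp 8050
if inbound_wide_open "$WIDE_OPEN"; then echo "  WARNING: inbound any/any/any"; fi
```

Run it on a box as `sh check_fw.sh` after copying /etc/nebula/config.yml into the SAMPLE path, or call `inbound_allows /etc/nebula/config.yml tcp 22` from another script. Rule order matters because nebula evaluates rules first match wins, which is why the checker stops at the first admitting rule.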