A scalable overlay networking tool with a focus on performance, simplicity and security
Go to file
John Maguire f31bab5f1a
Add support for SSH CAs (#1098)
- Accept certs signed by trusted CAs
- Username must match the cert principal if set
- Any username can be used if cert principal is empty
- Don't allow removed pubkeys/CAs to be used after reload
2024-04-30 10:50:17 -04:00
.github update to go1.22 (#981) 2024-04-29 16:44:42 -04:00
cert chore: fix function name in comment (#1111) 2024-04-30 09:43:38 -05:00
cidr At the end 2024-02-05 10:23:10 -06:00
cmd switch off deprecated elliptic.Marshal (#1108) 2024-04-30 10:02:49 -04:00
config SIGHUP is only useful when config was loaded from a file (#1030) 2023-12-06 10:13:38 -05:00
dist Remove Arch nebula.service file (#1132) 2024-04-30 07:45:23 -04:00
e2e add gvisor based service library (#965) 2023-11-21 11:50:18 -05:00
examples Add support for SSH CAs (#1098) 2024-04-30 10:50:17 -04:00
firewall switch to new sync/atomic helpers in go1.19 (#728) 2022-10-31 13:37:41 -04:00
header Add relay e2e tests and output some mermaid sequence diagrams (#691) 2022-06-27 12:33:29 -05:00
iputil firewall reject packets: cleanup error cases (#957) 2023-11-13 12:43:51 -06:00
noiseutil add test for GOEXPERIMENT=boringcrypto (#861) 2023-05-08 13:27:01 -04:00
overlay Unsafe route reload (#1083) 2024-03-28 15:17:28 -05:00
service update to go1.22 (#981) 2024-04-29 16:44:42 -04:00
sshd Add support for SSH CAs (#1098) 2024-04-30 10:50:17 -04:00
test chore: remove refs to deprecated io/ioutil (#987) 2023-10-31 10:35:13 -04:00
udp Fix UDP listener on IPv4-only Linux (#787) 2024-01-30 15:08:14 -05:00
util Return full error context from ContextualError.Error() (#1069) 2024-01-31 15:31:46 -05:00
wintun switch to new sync/atomic helpers in go1.19 (#728) 2022-10-31 13:37:41 -04:00
.gitignore Add nebula-cert.exe and cert files to .gitignore (#722) 2022-12-20 16:52:51 -05:00
AUTHORS Public Release 2019-11-19 17:00:20 +00:00
CHANGELOG.md v1.8.2 (#1058) 2024-01-08 15:40:04 -05:00
LICENSE Public Release 2019-11-19 17:00:20 +00:00
LOGGING.md Don't log invalid certificates (#1116) 2024-04-29 15:21:00 -05:00
Makefile update to go1.22 (#981) 2024-04-29 16:44:42 -04:00
README.md Update Arch Linux package link (#1024) 2023-12-27 10:38:24 -06:00
SECURITY.md add SECURITY.md (#864) 2023-05-09 11:25:21 -04:00
allow_list.go Use generics for CIDRTrees to avoid casting issues (#1004) 2023-11-02 17:05:08 -05:00
allow_list_test.go Use generics for CIDRTrees to avoid casting issues (#1004) 2023-11-02 17:05:08 -05:00
bits.go Don't use a global logger (#423) 2021-03-26 09:46:30 -05:00
bits_test.go Move util to test, contextual errors to util (#575) 2021-11-10 21:47:38 -06:00
boring.go add boringcrypto Makefile targets (#856) 2023-05-04 15:42:45 -04:00
calculated_remote.go Use generics for CIDRTrees to avoid casting issues (#1004) 2023-11-02 17:05:08 -05:00
calculated_remote_test.go add calculated_remotes (#759) 2023-03-13 15:09:08 -04:00
connection_manager.go Support reloading preferred_ranges (#1043) 2024-04-03 22:14:51 -05:00
connection_manager_test.go Support reloading preferred_ranges (#1043) 2024-04-03 22:14:51 -05:00
connection_state.go Clean up a hostinfo to reduce memory usage (#955) 2023-11-02 16:53:59 -05:00
control.go Support reloading preferred_ranges (#1043) 2024-04-03 22:14:51 -05:00
control_test.go Support reloading preferred_ranges (#1043) 2024-04-03 22:14:51 -05:00
control_tester.go Simplify getting a hostinfo or starting a handshake with one (#954) 2023-08-21 18:51:45 -05:00
dns_server.go Fix errant capitalisation in DNS TXT response (#1127) 2024-04-30 09:58:56 -04:00
dns_server_test.go Allow `::` in lighthouse.dns.host config (#1115) 2024-04-11 21:44:36 -05:00
firewall.go Remove tcp rtt tracking from the firewall (#1114) 2024-04-11 21:44:22 -05:00
firewall_test.go Remove tcp rtt tracking from the firewall (#1114) 2024-04-11 21:44:22 -05:00
go.mod Bump github.com/prometheus/client_golang from 1.18.0 to 1.19.0 (#1086) 2024-04-30 10:30:18 -04:00
go.sum Bump github.com/prometheus/client_golang from 1.18.0 to 1.19.0 (#1086) 2024-04-30 10:30:18 -04:00
handshake_ix.go Don't log invalid certificates (#1116) 2024-04-29 15:21:00 -05:00
handshake_manager.go avoid deadlock in lighthouse queryWorker (#1112) 2024-04-11 17:00:01 -04:00
handshake_manager_test.go Support reloading preferred_ranges (#1043) 2024-04-03 22:14:51 -05:00
hostmap.go Support reloading preferred_ranges (#1043) 2024-04-03 22:14:51 -05:00
hostmap_test.go Support reloading preferred_ranges (#1043) 2024-04-03 22:14:51 -05:00
hostmap_tester.go Fix relay (#827) 2023-03-30 11:09:20 -05:00
inside.go Remove tcp rtt tracking from the firewall (#1114) 2024-04-11 21:44:22 -05:00
inside_bsd.go Immediately forward packets from self to self on FreeBSD (#808) 2023-01-23 15:51:54 -06:00
inside_generic.go Immediately forward packets from self to self on FreeBSD (#808) 2023-01-23 15:51:54 -06:00
interface.go Added firewall.rules.hash metric (#1010) 2023-11-28 11:56:47 -05:00
lighthouse.go Fix re-entrant `GetOrHandshake` issues (#1044) 2023-12-19 11:58:31 -06:00
lighthouse_test.go Send the lh update worker into its own routine instead of taking over the reload routine (#935) 2023-07-27 14:38:10 -05:00
logger.go Move util to test, contextual errors to util (#575) 2021-11-10 21:47:38 -06:00
main.go Support reloading preferred_ranges (#1043) 2024-04-03 22:14:51 -05:00
message_metrics.go Have lighthouses ack updates to reduce test packet traffic (#851) 2023-05-05 14:44:03 -05:00
metadata.go Update dependencies - 2022-04 (#664) 2022-04-18 12:12:25 -04:00
nebula.pb.go Have lighthouses ack updates to reduce test packet traffic (#851) 2023-05-05 14:44:03 -05:00
nebula.proto Have lighthouses ack updates to reduce test packet traffic (#851) 2023-05-05 14:44:03 -05:00
noise.go Relay (#678) 2022-06-21 13:35:23 -05:00
notboring.go add boringcrypto Makefile targets (#856) 2023-05-04 15:42:45 -04:00
outside.go Remove tcp rtt tracking from the firewall (#1114) 2024-04-11 21:44:22 -05:00
outside_test.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
pki.go Combine ca, cert, and key handling (#952) 2023-08-14 21:32:40 -05:00
punchy.go Rehandshaking (#838) 2023-05-04 15:16:37 -05:00
punchy_test.go add punchy.respond_delay config option (#721) 2023-03-29 14:32:35 -05:00
relay_manager.go Fix relay migration (#964) 2023-09-05 09:29:27 -04:00
remote_list.go Fix reconfig freeze attempting to send to an unbuffered, unread channel (#886) 2023-05-31 16:05:46 -04:00
remote_list_test.go Dns static lookerupper (#796) 2023-05-09 11:22:08 -04:00
ssh.go Add support for SSH CAs (#1098) 2024-04-30 10:50:17 -04:00
stats.go add boringcrypto Makefile targets (#856) 2023-05-04 15:42:45 -04:00
timeout.go Generic timerwheel (#804) 2023-01-18 10:56:42 -06:00
timeout_test.go Generic timerwheel (#804) 2023-01-18 10:56:42 -06:00

README.md

What is Nebula?

Nebula is a scalable overlay networking tool with a focus on performance, simplicity and security. It lets you seamlessly connect computers anywhere in the world. Nebula is portable, and runs on Linux, OSX, Windows, iOS, and Android. It can be used to connect a small number of computers, but is also able to connect tens of thousands of computers.

Nebula incorporates a number of existing concepts like encryption, security groups, certificates, and tunneling, and each of those individual pieces existed before Nebula in various forms. What makes Nebula different to existing offerings is that it brings all of these ideas together, resulting in a sum that is greater than its individual parts.

Further documentation can be found here.

You can read more about Nebula here.

You can also join the NebulaOSS Slack group here.

Supported Platforms

Desktop and Server

Check the releases page for downloads or see the Distribution Packages section.

  • Linux - 64 and 32 bit, arm, and others
  • Windows
  • MacOS
  • Freebsd

Distribution Packages

Mobile

Technical Overview

Nebula is a mutually authenticated peer-to-peer software defined network based on the Noise Protocol Framework. Nebula uses certificates to assert a node's IP address, name, and membership within user-defined groups. Nebula's user-defined groups allow for provider agnostic traffic filtering between nodes. Discovery nodes allow individual peers to find each other and optionally use UDP hole punching to establish connections from behind most firewalls or NATs. Users can move data between nodes in any number of cloud service providers, datacenters, and endpoints, without needing to maintain a particular addressing scheme.

Nebula uses Elliptic-curve Diffie-Hellman (ECDH) key exchange and AES-256-GCM in its default configuration.

Nebula was created to provide a mechanism for groups of hosts to communicate securely, even across the internet, while enabling expressive firewall definitions similar in style to cloud security groups.

Getting started (quickly)

To set up a Nebula network, you'll need:

1. The Nebula binaries or Distribution Packages for your specific platform. Specifically you'll need nebula-cert and the specific nebula binary for each platform you use.

2. (Optional, but you really should..) At least one discovery node with a routable IP address, which we call a lighthouse.

Nebula lighthouses allow nodes to find each other, anywhere in the world. A lighthouse is the only node in a Nebula network whose IP should not change. Running a lighthouse requires very few compute resources, and you can easily use the least expensive option from a cloud hosting provider. If you're not sure which provider to use, a number of us have used $5/mo DigitalOcean droplets as lighthouses.

Once you have launched an instance, ensure that Nebula udp traffic (default port udp/4242) can reach it over the internet.

3. A Nebula certificate authority, which will be the root of trust for a particular Nebula network.

./nebula-cert ca -name "Myorganization, Inc"

This will create files named ca.key and ca.cert in the current directory. The ca.key file is the most sensitive file you'll create, because it is the key used to sign the certificates for individual nebula nodes/hosts. Please store this file somewhere safe, preferably with strong encryption.

4. Nebula host keys and certificates generated from that certificate authority

This assumes you have four nodes, named lighthouse1, laptop, server1, host3. You can name the nodes any way you'd like, including FQDN. You'll also need to choose IP addresses and the associated subnet. In this example, we are creating a nebula network that will use 192.168.100.x/24 as its network range. This example also demonstrates nebula groups, which can later be used to define traffic rules in a nebula network.

./nebula-cert sign -name "lighthouse1" -ip "192.168.100.1/24"
./nebula-cert sign -name "laptop" -ip "192.168.100.2/24" -groups "laptop,home,ssh"
./nebula-cert sign -name "server1" -ip "192.168.100.9/24" -groups "servers"
./nebula-cert sign -name "host3" -ip "192.168.100.10/24"

5. Configuration files for each host

Download a copy of the nebula example configuration.

  • On the lighthouse node, you'll need to ensure am_lighthouse: true is set.

  • On the individual hosts, ensure the lighthouse is defined properly in the static_host_map section, and is added to the lighthouse hosts section.

6. Copy nebula credentials, configuration, and binaries to each host

For each host, copy the nebula binary to the host, along with config.yml from step 5, and the files ca.crt, {host}.crt, and {host}.key from step 4.

DO NOT COPY ca.key TO INDIVIDUAL NODES.

7. Run nebula on each host

./nebula -config /path/to/config.yml

Building Nebula from source

Make sure you have go installed and clone this repo. Change to the nebula directory.

To build nebula for all platforms: make all

To build nebula for a specific platform (ex, Windows): make bin-windows

See the Makefile for more details on build targets

Curve P256 and BoringCrypto

The default curve used for cryptographic handshakes and signatures is Curve25519. This is the recommended setting for most users. If your deployment has certain compliance requirements, you have the option of creating your CA using nebula-cert ca -curve P256 to use NIST Curve P256. The CA will then sign certificates using ECDSA P256, and any hosts using these certificates will use P256 for ECDH handshakes.

In addition, Nebula can be built using the BoringCrypto GOEXPERIMENT by running either of the following make targets:

make bin-boringcrypto
make release-boringcrypto

This is not the recommended default deployment, but may be useful based on your compliance requirements.

Credits

Nebula was created at Slack Technologies, Inc by Nate Brown and Ryan Huber, with contributions from Oliver Fross, Alan Lam, Wade Simmons, and Lining Wang.