As the Nebula repo states:
*Nebula is a scalable overlay networking tool with a focus on performance, simplicity and security. It lets you seamlessly connect computers anywhere in the world. Nebula is portable, and runs on Linux, OSX, and Windows. (Also: keep this quiet, but we have an early prototype running on iOS). It can be used to connect a small number of computers, but is also able to connect tens of thousands of computers.
Nebula incorporates a number of existing concepts like encryption, security groups, certificates, and tunneling, and each of those individual pieces existed before Nebula in various forms. What makes Nebula different to existing offerings is that it brings all of these ideas together, resulting in a sum that is greater than its individual parts.
You can read more about Nebula here*
-
The nebula nodes communicate with each other over
UDPtunnel. -
The identity is established using the certificates.
-
The initial communication is established via special node called lighthouse. Only the lighthouse should have public IP - so it can be reached before any tunnel gets created.
-
The certificates can be generated anywhere and then copied to the future nodes. Can also be generated in-place. Nevertheless, the certificate of the organization-level is required for issuing the certificates for the idividual nodes so it is better to issue the certificates in one place
-
The nebula binaries are located in
/opt/nebula/ -
The certificates/config files are located in
/etc/nebula -
The organization name is
izak-nebula -
The project @DigitalOcean for the lighthouse node is called
nebula -
The lighthouse node VPS @DigitalOcean is called nebula-lighthouse
The IPs are set at the moment of creating the certificates
- Create the certificate-key files for the organization. These files must be present in the CWD when the certificates for the individual nodes get created in the subsequent steps. The oganization level key file is NOT required on ANY node for the nebula to operate. This file should stay safe in a single place, ideally offline.
/opt/nebula/nebula-cert ca -name 'izak-nebula'- Create the certificates for the individual nodes. This information is not
really that sensitive, and is stored in the script
issue-certs.sh
doctl(CLI DigitalOcean interface)
- Create ssh-keys specifically for connecting with the droplet. *Skip this step if the keys were created previously
ssh-keygen -f .ssh/id_rsa_nebula_lighthouse- Import the ssh keys into the DigitalOcean account
doctl compute ssh-key import nebula-lighthouse --public-key-file ~/.ssh/id_rsa_nebula_lighthouse.pub
- Create a minimalist droplet with the ssh key added:
doctl compute droplet create nebula-lighthouse --image debian-10-x64 --size s-1vcpu-1gb --region lon1 --ssh-keys $(doctl compute ssh-key list | grep nebula | awk '{print $3}')- Make sure you can connect to the droplet:
ssh -i ~/.ssh/id_rsa_nebula_lighthouse root@$(doctl compute droplet list | grep nebula | awk '{print $3}')- Download the
nebulabinaries
ssh -i ~/.ssh/id_rsa_nebula_lighthouse root@$(doctl compute droplet list | grep nebula | awk '{print $3}') mkdir /opt/nebula/
ssh -i ~/.ssh/id_rsa_nebula_lighthouse root@$(doctl compute droplet list | grep nebula | awk '{print $3}') wget https://github.com/slackhq/nebula/releases/download/v1.2.0/nebula-linux-amd64.tar.gz -O /tmp/nebula-linux-amd64.tar.gz
ssh -i ~/.ssh/id_rsa_nebula_lighthouse root@$(doctl compute droplet list | grep nebula | awk '{print $3}') tar -xf /tmp/nebula-linux-amd64.tar.gz -C /opt/nebula/-
Edit the
lighthouse-config.ymlby putting the desired internal nebula network ip as a key and the droplet's public IP inside the list forstatic_host_map. -
Copy the certificate files to the nodes. Do not copy
ca.keyto any node.
For the lighthouse it should be:
ssh -i ~/.ssh/id_rsa_nebula_lighthouse root@$(doctl compute droplet list | grep nebula | awk '{print $3}') mkdir /etc/nebula/
scp -i ~/.ssh/id_rsa_nebula_lighthouse ca.crt lighthouse.crt lighthouse.key lighthouse-config.yml root@$(doctl compute droplet list | grep nebula | awk '{print $3}'):/etc/nebula/For the regular nodes the nebula installation (linux-amd64, linux-armv6, linux-armv7), generating the config file, generating the systemd service file, enabling and starting the service is automated with the script install-nebula-node.sh. Still, the certificate files must be copied to the node manually