Go to file
Wade Simmons a22c134bf5
Update dependencies, November 2021 (#564)
*Direct Dependencies*

    Updated  github.com/anmitsu/go-shlex                648efa6222...38f4b401e2
    Updated  github.com/flynn/noise                     https://github.com/flynn/noise/compare/4bdb43be3117...v1.0.0
    Updated  github.com/golang/protobuf                 https://github.com/golang/protobuf/compare/v1.5.0...v1.5.2
    Updated  github.com/kardianos/service               https://github.com/kardianos/service/compare/v1.1.0...v1.2.0
    Updated  github.com/miekg/dns                       https://github.com/miekg/dns/compare/v1.1.25...v1.1.43
    Updated  github.com/nbrownus/go-metrics-prometheus  https://github.com/nbrownus/go-metrics-prometheus/compare/6e6d5173d99c...974a6260965f
    Updated  github.com/prometheus/client_golang        https://github.com/prometheus/client_golang/compare/v1.2.1...v1.11.0
    Updated  github.com/rcrowley/go-metrics             https://github.com/rcrowley/go-metrics/compare/cac0b30c2563...cf1acfcdf475
    Updated  github.com/sirupsen/logrus                 https://github.com/sirupsen/logrus/compare/v1.4.2...v1.8.1
    Updated  github.com/songgao/water                   https://github.com/songgao/water/compare/fd331bda3f4b...2b4b6d7c09d8
    Updated  github.com/stretchr/testify                https://github.com/stretchr/testify/compare/v1.6.1...v1.7.0
    Updated  github.com/vishvananda/netlink             https://github.com/vishvananda/netlink/compare/00009fb8606a...v1.1.0
    Updated  golang.org/x/crypto                        https://github.com/golang/crypto/compare/0c34fe9e7dc2...089bfa567519
    Updated  golang.org/x/net                           https://github.com/golang/net/compare/e18ecbb05110...4a448f8816b3
    Updated  golang.org/x/sys                           https://github.com/golang/sys/compare/f84b799fce68...4dd72447c267
    Updated  google.golang.org/protobuf                 v1.26.0...v1.27.1
    Updated  gopkg.in/yaml.v2                           v2.2.7...v2.4.0

*Indirect Dependencies*

    Updated  github.com/alecthomas/units                         https://github.com/alecthomas/units/compare/c3de453c63f4...f65c72e2690d
    Updated  github.com/cespare/xxhash                           https://github.com/cespare/xxhash/compare/v2.1.1...v2.1.2
    Updated  github.com/go-logfmt/logfmt                         https://github.com/go-logfmt/logfmt/compare/v0.4.0...v0.5.0
    Updated  github.com/json-iterator/go                         https://github.com/json-iterator/go/compare/v1.1.7...v1.1.11
    Updated  github.com/julienschmidt/httprouter                 https://github.com/julienschmidt/httprouter/compare/v1.2.0...v1.3.0
    Updated  github.com/konsorten/go-windows-terminal-sequences  https://github.com/konsorten/go-windows-terminal-sequences/compare/v1.0.2...v1.0.3
    Updated  github.com/mwitkow/go-conntrack                     https://github.com/mwitkow/go-conntrack/compare/cc309e4a2223...2f068394615f
    Updated  github.com/pkg/errors                               https://github.com/pkg/errors/compare/v0.8.1...v0.9.1
    Updated  github.com/prometheus/client_model                  https://github.com/prometheus/client_model/compare/d1d2010b5bee...v0.2.0
    Updated  github.com/prometheus/common                        https://github.com/prometheus/common/compare/v0.7.0...v0.32.1
    Updated  github.com/prometheus/procfs                        https://github.com/prometheus/procfs/compare/v0.0.8...v0.7.3
    Updated  github.com/vishvananda/netns                        https://github.com/vishvananda/netns/compare/0a2b9b5464df...50045581ed74
    Updated  golang.org/x/sync                                   https://github.com/golang/sync/compare/67f06af15bc9...036812b2e83c
    Updated  golang.org/x/term                                   https://github.com/golang/term/compare/7de9c90e9dd1...03fcf44c2211
    Updated  golang.org/x/text                                   https://github.com/golang/text/compare/v0.3.3...v0.3.6
    Added    cloud.google.com/go                                 v0.65.0
    Added    cloud.google.com/go/bigquery                        v1.8.0
    Added    cloud.google.com/go/datastore                       v1.1.0
    Added    cloud.google.com/go/pubsub                          v1.3.1
    Added    cloud.google.com/go/storage                         v1.10.0
    Added    dmitri.shuralyov.com/gpu/mtl                        666a987793e9
    Added    github.com/BurntSushi/toml                          https://github.com/BurntSushi/toml/tree/v0.3.1
    Added    github.com/BurntSushi/xgb                           https://github.com/BurntSushi/xgb/tree/27f122750802
    Added    github.com/census-instrumentation/opencensus-proto  https://github.com/census-instrumentation/opencensus-proto/tree/v0.2.1
    Added    github.com/chzyer/logex                             https://github.com/chzyer/logex/tree/v1.1.10
    Added    github.com/chzyer/readline                          https://github.com/chzyer/readline/tree/2972be24d48e
    Added    github.com/chzyer/test                              https://github.com/chzyer/test/tree/a1ea475d72b1
    Added    github.com/client9/misspell                         https://github.com/client9/misspell/tree/v0.3.4
    Added    github.com/cncf/udpa/go                             https://github.com/cncf/udpa/go/tree/269d4d468f6f
    Added    github.com/envoyproxy/go-control-plane              https://github.com/envoyproxy/go-control-plane/tree/v0.9.4
    Added    github.com/envoyproxy/protoc-gen-validate           https://github.com/envoyproxy/protoc-gen-validate/tree/v0.1.0
    Added    github.com/go-gl/glfw                               https://github.com/go-gl/glfw/tree/e6da0acd62b1
    Added    github.com/go-gl/glfw/v3.3/glfw                     https://github.com/go-gl/glfw/v3.3/glfw/tree/6f7a984d4dc4
    Added    github.com/go-kit/log                               https://github.com/go-kit/log/tree/v0.1.0
    Added    github.com/golang/glog                              https://github.com/golang/glog/tree/23def4e6c14b
    Added    github.com/golang/groupcache                        https://github.com/golang/groupcache/tree/8c9f03a8e57e
    Added    github.com/golang/mock                              https://github.com/golang/mock/tree/v1.4.4
    Added    github.com/google/btree                             https://github.com/google/btree/tree/v1.0.0
    Added    github.com/google/martian                           https://github.com/google/martian/tree/v2.1.0+incompatible
    Added    github.com/google/martian                           https://github.com/google/martian/tree/v3.0.0
    Added    github.com/google/pprof                             https://github.com/google/pprof/tree/1a94d8640e99
    Added    github.com/google/renameio                          https://github.com/google/renameio/tree/v0.1.0
    Added    github.com/googleapis/gax-go                        https://github.com/googleapis/gax-go/tree/v2.0.5
    Added    github.com/hashicorp/golang-lru                     https://github.com/hashicorp/golang-lru/tree/v0.5.1
    Added    github.com/ianlancetaylor/demangle                  https://github.com/ianlancetaylor/demangle/tree/5e5cf60278f6
    Added    github.com/jpillora/backoff                         https://github.com/jpillora/backoff/tree/v1.0.0
    Added    github.com/jstemmer/go-junit-report                 https://github.com/jstemmer/go-junit-report/tree/v0.9.1
    Added    github.com/rogpeppe/go-internal                     https://github.com/rogpeppe/go-internal/tree/v1.3.0
    Added    go.opencensus.io                                    v0.22.4
    Added    golang.org/x/exp                                    https://github.com/golang/exp/tree/6cc2880d07d6
    Added    golang.org/x/image                                  https://github.com/golang/image/tree/cff245a6509b
    Added    golang.org/x/mobile                                 https://github.com/golang/mobile/tree/d2bd2a29d028
    Added    golang.org/x/oauth2                                 https://github.com/golang/oauth2/tree/f6687ab2804c
    Added    golang.org/x/time                                   https://github.com/golang/time/tree/555d28b269f0
    Added    google.golang.org/api                               v0.30.0
    Added    google.golang.org/appengine                         v1.6.6
    Added    google.golang.org/genproto                          8632dd797987
    Added    google.golang.org/grpc                              v1.31.0
    Added    gopkg.in/errgo.v2                                   v2.1.0
    Added    honnef.co/go/tools                                  v0.0.1-2020.1.4
    Added    rsc.io/binaryregexp                                 v0.2.0
    Added    rsc.io/quote                                        v3.1.0
    Added    rsc.io/sampler                                      v1.3.0
    Removed  github.com/flynn/go-shlex                           https://github.com/flynn/go-shlex/tree/3f9db97f8568
2021-11-04 10:25:13 -04:00
.github/workflows Bump to go1.17 (#553) 2021-10-21 16:24:11 -05:00
cert refactor: use X25519 instead of ScalarBaseMult (#533) 2021-10-12 12:03:43 -04:00
cidr Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
cmd Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
config Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
dist Remove obsolete systemd unit settings (take 2) (#438) 2021-04-07 12:02:40 -05:00
e2e Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
examples Add an ability to specify metric for unsafe routes (#474) 2021-11-03 21:53:28 -05:00
firewall Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
header Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
iputil Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
sshd Fix single command ssh exec (#483) 2021-06-07 17:06:59 -05:00
udp Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
util Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
.gitignore Support for 1.0.0 release 2019-11-19 10:31:59 -08:00
AUTHORS Public Release 2019-11-19 17:00:20 +00:00
CHANGELOG.md Fix race between punchback and lighthouse handler reset (#566) 2021-11-03 21:54:27 -05:00
LICENSE Public Release 2019-11-19 17:00:20 +00:00
Makefile Bump to go1.17 (#553) 2021-10-21 16:24:11 -05:00
README.md Add link to further documentation (#563) 2021-11-02 20:55:34 -05:00
allow_list.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
allow_list_test.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
bits.go Don't use a global logger (#423) 2021-03-26 09:46:30 -05:00
bits_test.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
cert.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
connection_manager.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
connection_manager_test.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
connection_state.go Don't use a global logger (#423) 2021-03-26 09:46:30 -05:00
control.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
control_test.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
control_tester.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
dns_server.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
dns_server_test.go Public Release 2019-11-19 17:00:20 +00:00
firewall.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
firewall_test.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
go.mod Update dependencies, November 2021 (#564) 2021-11-04 10:25:13 -04:00
go.sum Update dependencies, November 2021 (#564) 2021-11-04 10:25:13 -04:00
handshake.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
handshake_ix.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
handshake_manager.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
handshake_manager_test.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
hostmap.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
hostmap_test.go Refactor remotes and handshaking to give every address a fair shot (#437) 2021-04-14 13:50:09 -05:00
inside.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
interface.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
lighthouse.go Fix race between punchback and lighthouse handler reset (#566) 2021-11-03 21:54:27 -05:00
lighthouse_test.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
logger.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
logger_test.go enforce the use of goimports (#248) 2020-06-30 18:53:30 -04:00
main.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
message_metrics.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
metadata.go Public Release 2019-11-19 17:00:20 +00:00
nebula.pb.go More LH cleanup (#429) 2021-04-01 10:23:31 -05:00
nebula.proto More LH cleanup (#429) 2021-04-01 10:23:31 -05:00
noise.go Correct typos in noise.go (#205) 2020-03-30 11:23:55 -07:00
outside.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
outside_test.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
punchy.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
punchy_test.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
remote_list.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
remote_list_test.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
ssh.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
stats.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
timeout.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
timeout_system.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
timeout_system_test.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
timeout_test.go Rework some things into packages (#489) 2021-11-03 20:54:04 -05:00
tun_android.go Bump to go1.17 (#553) 2021-10-21 16:24:11 -05:00
tun_common.go Add an ability to specify metric for unsafe routes (#474) 2021-11-03 21:53:28 -05:00
tun_darwin.go Add a context object in nebula.Main to clean up on error (#550) 2021-11-02 13:14:26 -05:00
tun_disabled.go Don't use a global logger (#423) 2021-03-26 09:46:30 -05:00
tun_freebsd.go Add a context object in nebula.Main to clean up on error (#550) 2021-11-02 13:14:26 -05:00
tun_ios.go Bump to go1.17 (#553) 2021-10-21 16:24:11 -05:00
tun_linux.go Add an ability to specify metric for unsafe routes (#474) 2021-11-03 21:53:28 -05:00
tun_linux_test.go Bump to go1.17 (#553) 2021-10-21 16:24:11 -05:00
tun_test.go Add an ability to specify metric for unsafe routes (#474) 2021-11-03 21:53:28 -05:00
tun_tester.go Bump to go1.17 (#553) 2021-10-21 16:24:11 -05:00
tun_windows.go Add an ability to specify metric for unsafe routes (#474) 2021-11-03 21:53:28 -05:00

README.md

What is Nebula?

Nebula is a scalable overlay networking tool with a focus on performance, simplicity and security. It lets you seamlessly connect computers anywhere in the world. Nebula is portable, and runs on Linux, OSX, Windows, iOS, and Android. It can be used to connect a small number of computers, but is also able to connect tens of thousands of computers.

Nebula incorporates a number of existing concepts like encryption, security groups, certificates, and tunneling, and each of those individual pieces existed before Nebula in various forms. What makes Nebula different to existing offerings is that it brings all of these ideas together, resulting in a sum that is greater than its individual parts.

Further documentation can be found here.

You can read more about Nebula here.

You can also join the NebulaOSS Slack group here.

Supported Platforms

Desktop and Server

Check the releases page for downloads or see the Distribution Packages section.

  • Linux - 64 and 32 bit, arm, and others
  • Windows
  • MacOS
  • Freebsd

Distribution Packages

  • Arch Linux
    $ sudo pacman -S nebula
    
  • Fedora Linux
    $ sudo dnf copr enable jdoss/nebula
    $ sudo dnf install nebula
    

Mobile

Technical Overview

Nebula is a mutually authenticated peer-to-peer software defined network based on the Noise Protocol Framework. Nebula uses certificates to assert a node's IP address, name, and membership within user-defined groups. Nebula's user-defined groups allow for provider agnostic traffic filtering between nodes. Discovery nodes allow individual peers to find each other and optionally use UDP hole punching to establish connections from behind most firewalls or NATs. Users can move data between nodes in any number of cloud service providers, datacenters, and endpoints, without needing to maintain a particular addressing scheme.

Nebula uses elliptic curve Diffie-Hellman key exchange, and AES-256-GCM in its default configuration.

Nebula was created to provide a mechanism for groups hosts to communicate securely, even across the internet, while enabling expressive firewall definitions similar in style to cloud security groups.

Getting started (quickly)

To set up a Nebula network, you'll need:

1. The Nebula binaries or Distribution Packages for your specific platform. Specifically you'll need nebula-cert and the specific nebula binary for each platform you use.

2. (Optional, but you really should..) At least one discovery node with a routable IP address, which we call a lighthouse.

Nebula lighthouses allow nodes to find each other, anywhere in the world. A lighthouse is the only node in a Nebula network whose IP should not change. Running a lighthouse requires very few compute resources, and you can easily use the least expensive option from a cloud hosting provider. If you're not sure which provider to use, a number of us have used $5/mo DigitalOcean droplets as lighthouses.

Once you have launched an instance, ensure that Nebula udp traffic (default port udp/4242) can reach it over the internet.

3. A Nebula certificate authority, which will be the root of trust for a particular Nebula network.

./nebula-cert ca -name "Myorganization, Inc"

This will create files named ca.key and ca.cert in the current directory. The ca.key file is the most sensitive file you'll create, because it is the key used to sign the certificates for individual nebula nodes/hosts. Please store this file somewhere safe, preferably with strong encryption.

4. Nebula host keys and certificates generated from that certificate authority

This assumes you have four nodes, named lighthouse1, laptop, server1, host3. You can name the nodes any way you'd like, including FQDN. You'll also need to choose IP addresses and the associated subnet. In this example, we are creating a nebula network that will use 192.168.100.x/24 as its network range. This example also demonstrates nebula groups, which can later be used to define traffic rules in a nebula network.

./nebula-cert sign -name "lighthouse1" -ip "192.168.100.1/24"
./nebula-cert sign -name "laptop" -ip "192.168.100.2/24" -groups "laptop,home,ssh"
./nebula-cert sign -name "server1" -ip "192.168.100.9/24" -groups "servers"
./nebula-cert sign -name "host3" -ip "192.168.100.10/24"

5. Configuration files for each host

Download a copy of the nebula example configuration.

  • On the lighthouse node, you'll need to ensure am_lighthouse: true is set.

  • On the individual hosts, ensure the lighthouse is defined properly in the static_host_map section, and is added to the lighthouse hosts section.

6. Copy nebula credentials, configuration, and binaries to each host

For each host, copy the nebula binary to the host, along with config.yaml from step 5, and the files ca.crt, {host}.crt, and {host}.key from step 4.

DO NOT COPY ca.key TO INDIVIDUAL NODES.

7. Run nebula on each host

./nebula -config /path/to/config.yaml

Building Nebula from source

Download go and clone this repo. Change to the nebula directory.

To build nebula for all platforms: make all

To build nebula for a specific platform (ex, Windows): make bin-windows

See the Makefile for more details on build targets

Credits

Nebula was created at Slack Technologies, Inc by Nate Brown and Ryan Huber, with contributions from Oliver Fross, Alan Lam, Wade Simmons, and Lining Wang.