Nebula (from Slack) creates a mesh network that overlays any other network. Nodes on this network can be on separate physical networks, including behind NAT, and still communicate with each other through Nebula.

Nebula requires one node to be discoverable on the internet - the "lighthouse". All other nodes use the lighthouse to register with the network. Nodes do not route to each other via the lighthouse, however. They negotiate the shortest path, be that through UDP punching, or via the LAN (if on the same LAN).

Nodes can be assigned to one or more security group, and these groups are used to create firewall rules permitting or denying traffic between nodes as the case may be.

This repo contains an Ansible playbook for setting up a Nebula lighthouse, and PowerShell helper scripts for deployment under Windows.

Each Nebula network depends on creation of a single certificate authority key pair. This can be generated on any computer that has access to the nebula-cert binary:

nebula-cert ca -name "Office primary" -duration "8760h" -out-crt 2021_office_ca.crt -out-key 2021_office_ca.key

This creates the CA public key 2021_office_ca.crt and the highly sensitive CA private key 2021_office_ca.key. Store the private key securely (e.g. in a password manager) and keep it offline when not needed.

The CA public key is needed by the Ansible playbook that provisions the lighthouse. The default duration of the CA key pair is 365 days – this can be overridden with the -duration flag on creation though it's best not to lengthen the lifespan. Instead, plan for future certificate renewal (and make a note in your calendar!).

The certificate pair is only required for signing certificates for nodes, so it does not need to reside (e.g.) on the lighthouse.

Design your IP address schema before you implement your Nebula network. This cannot easily be changed once you're underway. Choose a private network range that's unlikely to clash with anything in your environment. If you travel and want to use Nebula from (e.g.) hotel WiFi, use your psychic powers to determine what IP addresses to avoid. You might try, e.g., 192.168.92.0/22, to give you a maximum of 1022 nodes.

The Ansible playbook can run against most Debian- or Red Hat-derived instances. The lighthouse requires very few resources, so you can use a tiny cloud instance or potentially add as an additional capability of some other server, with minimal impact. The lighthouse simply requires a public IP, with a reachable UDP port.

Refer to the playbook README for more information.

The Install-Nebula.ps1 PowerShell script sets up a Windows computer ready to run Nebula. After running the script, it is necessary to place the three certificate files in the correct location (see Certificates section below) and then start the Nebula Network Service.

The PowerShell script generates a standard configuration file, which allows ping from anywhere, and RDP from the user's defined group. For any other requirements, manually edit the text-based configuration file the script stores at C:\Users\[username]\AppData\Roaming\Nebula\node.yaml.

The script also installs a required TAP driver (a Windows driver for virtual networks from the OpenVPN project) and assigns the "Private" profile to this adapter once installed, modifying the relevant registry key under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\.

Apps for Android and iOS devices are available on the respective app stores. Certificate installation and generation is somewhat manual, at the time of writing.

The security of Nebula is based on certificates. Each node requires its own public/private key pair, based on the Nebula network's certificate authority. Node certificates encode (amongst other things) the node's name and unique IP address within the overlay network. Hence, the name and IP can only be changed by generating new certificates.

Certificates also contain the security groups to which the node belongs. These groups are used within firewall rules.

The New-KeyPair.ps1 PowerShell script takes some of the work out of generating new certificates for Windows nodes. It creates the certificates and bundles them up in a zip file with the root CA public certificate.

The mobile apps do not yet have an automated workflow for configuration. Set up a new static host in the app, referring to the lighthouse.

When using a mobile app, the Nebula app generates a keypair. First transmit the CA public key to the app (e.g. via email and copy and paste). Once that is loaded, the app can generate a public key.

Pass this public key to nebula-cert with the -in-pub flag. You will need the CA public and private certificates available for this. E.g.:

.\ nebula-cert sign -ca-crt 2021_office_ca.crt -ca-key 2021_office_ca.key -name "My-iPhone" -ip "192.168.93.5/22" -in-pub from-the-app.crt -groups fred

Send the generated certificate back to the app and paste into the "Certificate PEM Contents" section.

Please feel free to fork and submit pull requests. Due to "life", I regret I am unable to provide support using this repo or Nebula in general.