Nebula: A Scalable, Secure, and Simple Overlay Networking Tool

Introduction

Nebula, from Slackhq, is a scalable overlay networking tool with a focus on performance, simplicity, and security. It lets you seamlessly connect computers anywhere in the world. Nebula is portable, running on Linux, OSX, Windows, iOS, and Android. It can be used to connect a small number of computers, but is also able to connect tens of thousands of machines.

Nebula incorporates a number of existing concepts like encryption, security groups, certificates, and tunneling. What makes Nebula different from existing offerings is that it brings all of these ideas together, resulting in a sum that is greater than its individual parts.

Installation

Nebula is available across a wide range of platforms, including desktop, server, and mobile devices.

Desktop and Server

You can find the latest binaries on the releases page or use package managers:

• Arch Linux

  sudo pacman -S nebula
  

• Fedora Linux

  sudo dnf install nebula
  

• Debian Linux

  sudo apt install nebula
  

• Alpine Linux

  sudo apk add nebula
  

• macOS Homebrew

  brew install nebula
  

• Docker

  docker pull nebulaoss/nebula
  

Mobile

• iOS
• Android

Examples

To set up a Nebula network, you'll need a few key components. Here's a quick guide:

1. Nebula Binaries: Obtain the nebula-cert and nebula binaries for your specific platform.
2. Lighthouse Node (Optional, but Recommended): At least one discovery node with a routable IP address. Lighthouses allow nodes to find each other globally and can use UDP hole punching. They require very few compute resources.
3. Nebula Certificate Authority (CA): Create a CA to be the root of trust for your network.

   ./nebula-cert ca -name "Myorganization, Inc"
   

   This will generate ca.key and ca.cert. Keep ca.key secure, as it signs the certificates for individual nodes.

4. Host Keys and Certificates: Generate keys and certificates for each node in your network, signed by your CA.

   ./nebula-cert sign -name "lighthouse1" -ip "192.168.100.1/24"
   ./nebula-cert sign -name "laptop" -ip "192.168.100.2/24" -groups "laptop,home,ssh"
   ./nebula-cert sign -name "server1" -ip "192.168.100.9/24" -groups "servers"
   ./nebula-cert sign -name "host3" -ip "192.168.100.10/24"
   

5. Configuration Files: Download a copy of the example configuration and adapt it. Ensure am_lighthouse: true is set for the lighthouse node and configure the static_host_map for other hosts.
6. Copy Credentials and Binaries: Copy the nebula binary, config.yml, ca.crt, {host}.crt, and {host}.key to each host. DO NOT COPY ca.key TO INDIVIDUAL NODES.
7. Run Nebula: Start Nebula on each host.

   ./nebula -config /path/to/config.yml
   

For more detailed instructions, refer to the full documentation here.

Why Use Nebula?

Nebula offers a robust solution for mutually authenticated peer-to-peer software-defined networks (SDN), based on the Noise Protocol Framework. It uses certificates to assert a node's IP address, name, and membership within user-defined groups, allowing for provider-agnostic traffic filtering between nodes. Discovery nodes (lighthouses) facilitate peer discovery and optionally use UDP hole punching to establish connections from behind most firewalls or NATs.

With Nebula, users can move data between nodes across any number of cloud service providers, datacenters, and endpoints, without needing to maintain a particular addressing scheme. Security is ensured by Elliptic-curve Diffie-Hellman (ECDH) key exchange and AES-256-GCM in its default configuration. Nebula was created to enable groups of hosts to communicate securely, even across the internet, while providing expressive firewall definitions similar in style to cloud security groups.

Links

• GitHub Repository: slackhq/nebula
• Official Documentation: Nebula Docs
• Medium Article: Read more about Nebula
• Slack Community: Join the NebulaOSS Slack group