Infrastructure
Install:
$ sudo mkdir -p /opt/nebula/certs
$ sudo eget -s linux/amd64 --download-only "slackhq/nebula" --to /opt/nebula && cd /opt/nebula
$ sudo tar -xzvf nebula-linux-amd64.tar.gz && sudo rm nebula-linux-amd64.tar.gz
$ sudo mv nebula-cert certs && cd certs
Make certs for the lighthouse, teamserver and proxy (redirector):
$ sudo ./nebula-cert ca -name 'hax0r1337, Inc.'
$ sudo ./nebula-cert sign -name lighthouse -ip "10.10.13.1/24"
$ sudo ./nebula-cert sign -name teamserver -ip "10.10.13.2/24" -groups "teamservers"
$ sudo ./nebula-cert sign -name proxy1 -ip "10.10.13.37/24" -groups "proxies"
Configs:
lighthouse.yml
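---
# lighthouse.yml — Nebula node that acts as the lighthouse for the
# 10.10.13.0/24 overlay. Indentation restored; `routes`/`unsafe_routes`
# made explicit empty lists instead of bare keys (a bare key is `null`).
pki:
  # Only the CA *certificate* is needed on a node to validate peers;
  # the CA private key written by `nebula-cert ca` is not referenced here.
  ca: /opt/nebula/certs/ca.crt
  cert: /opt/nebula/certs/lighthouse.crt
  key: /opt/nebula/certs/lighthouse.key

static_host_map:
  # overlay IP -> public address:port of the lighthouse (placeholder from the page)
  "10.10.13.1": ["<LIGHTHOUSE_IP>:4242"]

lighthouse:
  am_lighthouse: true

listen:
  host: "0.0.0.0"
  port: 4242

punchy:
  punch: true

tun:
  disabled: false
  dev: nebula1
  drop_local_broadcast: false
  drop_multicast: false
  tx_queue: 500
  mtu: 1300
  # explicit empty lists — no subnet routes are advertised by this node
  routes: []
  unsafe_routes: []

logging:
  level: info
  format: text

firewall:
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m
    max_connections: 100000

  outbound:
    - port: any
      proto: any
      host: any

  inbound:
    # `host: any` matches every peer holding a certificate signed by this CA,
    # not every internet host; the firewall only sees overlay traffic.
    - port: any
      proto: icmp
      host: any
    # NOTE(review): 4789 is reachable from every overlay peer — confirm which
    # service listens here and narrow to a `group:`/`cidr:` if it is not needed
    # by all nodes.
    - port: 4789
      proto: any
      host: any
    # SSH restricted to peers whose overlay address is inside the overlay CIDR
    - port: 22
      proto: any
      cidr: 10.10.13.0/24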
teamserver.yml
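---
# teamserver.yml — Nebula node for the teamserver; joins the overlay via the
# lighthouse at 10.10.13.1. Indentation restored; `routes`/`unsafe_routes`
# made explicit empty lists instead of bare keys (a bare key is `null`).
pki:
  # Only the CA *certificate* is needed on a node to validate peers;
  # the CA private key written by `nebula-cert ca` is not referenced here.
  ca: /opt/nebula/certs/ca.crt
  cert: /opt/nebula/certs/teamserver.crt
  key: /opt/nebula/certs/teamserver.key

static_host_map:
  # overlay IP -> public address:port of the lighthouse (placeholder from the page)
  "10.10.13.1": ["<LIGHTHOUSE_IP>:4242"]

lighthouse:
  am_lighthouse: false
  # seconds between reports to the lighthouse
  interval: 60
  hosts:
    - "10.10.13.1"

listen:
  host: "0.0.0.0"
  port: 4242

punchy:
  punch: true

tun:
  disabled: false
  dev: nebula1
  drop_local_broadcast: false
  drop_multicast: false
  tx_queue: 500
  mtu: 1300
  # explicit empty lists — no subnet routes are advertised by this node
  routes: []
  unsafe_routes: []

logging:
  level: info
  format: text

firewall:
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m
    max_connections: 100000

  outbound:
    - port: any
      proto: any
      host: any

  inbound:
    # `host: any` matches every peer holding a certificate signed by this CA,
    # not every internet host; the firewall only sees overlay traffic.
    - port: any
      proto: icmp
      host: any
    # Peers whose certificate carries the `proxies` group (see the
    # `nebula-cert sign ... -groups "proxies"` step) get all TCP ports.
    - port: any
      proto: tcp
      group: proxies
    # NOTE(review): the group rule above already covers the redirectors, so
    # these `host: any` rules only widen 80/443 to every other overlay node.
    # If no other node needs them, drop these two entries (least privilege).
    - port: 80
      proto: any
      host: any
    - port: 443
      proto: any
      host: any
    # NOTE(review): 4789 is reachable from every overlay peer — confirm which
    # service listens here and narrow to a `group:`/`cidr:` if possible.
    - port: 4789
      proto: any
      host: any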