How to set up your own Nebula mesh VPN, step by step, Ars Technica

no, sean, it’s not just an exfil tool –

Itching to get your own Nebula mesh VPN up and running? We’ve got you covered.

Jim Salter -Dec (************************************************************************************************************, **************************************************************************** (1:) ******************************************************************************************************** (UTC UTC)

(****************************************Enlarge/Nebula, sadly, does not come with its own gallery of awesome high-res astronomy photos.**************last week, we coveredthe launch of Slack Engineering’s open source mesh VPN system, Nebula. Today, we’re going to dive a little deeper into how you can set up your own Nebula private mesh network — along with a little more detail about why you might (or might not) want to. VPN mesh versus traditional VPNsThe largest selling point of Nebula is that it’s not “just” a VPN, it’s a distributed VPN mesh. A conventional VPN is much simpler than a mesh and uses a simple star topology: all clients connect to a server, and any additional routing is done manually on top of that. All VPN traffic has to flow through that central server, whether it makes sense in the grander scheme of things or not.In sharp contrast, a mesh network understands the layout of all its member nodes and routes packets between them intelligently. If node A is right next to node Z, the mesh won’t arbitrarily route all of its traffic through node M in the middle — it’ll just send them from A to Z directly, without middlemen or unnecessary overhead. We can examine the differences with a network flow diagram demonstrating patterns in a small virtual private network.

(**********************, **********************

**************************** Enlarge************************** /With Nebula, connections can go directly from home / office to hotel and vice versa —And two PCs on the same LAN don’t need to leave the LAN at all.************** (Jim Salter) ****************All VPNs work in part by exploiting the bi-directional nature of network tunnels. Once a tunnel has been established — even through Network Address Translation (NAT) —it’s bidirectional, regardless of which side initially reached out. This is true for both mesh and conventional VPNs — if two machines on different networks punch tunnels outbound to a cloud server, the cloud server can then tie those two tunnels together, providing a link with two hops. As long as you’ve got that one public IP answering to VPN connection requests, you can get files from one network to another — even if both endpoints are behind NAT with no port forwarding configured.

Where Nebula becomes more efficient is when two Nebula-connected machines are closer to each other than they are to the central cloud server. When a Nebula node wants to connect to another Nebula node, it’ll query a central server — what Nebula calls a lighthouse — to ask where that node can be found. Once the location has been gotten from the lighthouse, the two nodes can work out between themselves what the best route to one another might be. Typically, they’ll be able to communicate with one another directly rather than going through the router — even if they’re behind NAT on two different networks, neither of which has port forwarding enabled.

by contrast, connections between (any) Two PCs on a traditional VPN must pass through its central server — adding bandwidth to that server’s monthly allotment and potentially degrading both throughput and latency from peer to peer. Direct connection through UDP skullduggeryNebula can — in most cases — establish a tunnel directly between two different NATted networks, without the need to configure port forwarding on either side. This is a little brain-breaking — normally, you wouldn’t expect two machines behind NAT to be able to contact each other without an intermediary. But Nebula is a UDP-only protocol, and it’s willing to cheat to achieve its goals.If both machines reach the lighthouse, the lighthouse knows the source UDP port for each side’s outbound connection. The lighthouse can then inform one node of the other’s source UDP port, and vice versa. By itself, this isn’t enough to make it back through the NAT pinhole — but if each side targets the other’s NAT pinhole andspoofs the lighthouse’s public IP address as being the source, their packets will make it through.UDP is a stateless connection, and very few networks bother to check for and enforce boundary validation on UDP packets — so this source-address spoofing works, more often than not. However, some more advanced firewalls may check the headers on outbound packets and drop them if they have impossible source addresses.If only one side has a boundary-validating firewall that drops spoofed outbound packets, you’re fine. But if both ends have boundary validation available, configured, and enabled, Nebula will either fail or be forced to fall back to routing through the lighthouse.We specifically tested this and can confirm that a direct tunnel from one LAN to another across the Internet worked, with no port forwarding and no traffic routed through the lighthouse. We tested with one node behind an Ubuntu homebrew router, another behind a Netgear Nighthawk on the other side of town, and a lighthouse running on a Linode instance. Running iftopon the lighthouse showed no perceptible traffic, even though a (Mbps) ************************************** iperf3stream was cheerfully running between the two networks. So right now, in most (cases, direct point-to-point connections using forged source IP addresses should work.Setting Nebula upTo set up a Nebula mesh, you’ll need at least two nodes, one of which should be a lighthouse . Lighthouse nodes must have a public IP address — preferably, a static one. If you use a lighthouse behind a dynamic IP address, you’ll likely end up with some unavoidable frustration if and when that dynamic address updates.

The best lighthouse option is a cheap VM at the cloud provider of your choice. The $ 5 / mo offerings at Linode or Digital Oceanare more than enough to handle the traffic and CPU levels you should expect, and it’s quick and easy to open an account and get one set up. We recommend the latest Ubuntu LTS release for your new lighthouse’s operating system; at press time that’s (****************************************************************************************************************.Installation Nebula doesn’t actually have an installer; it’s just two bare command line tools in a tarball, regardless of your operating system. For that reason, we’re not going to give operating system specific instructions here: the commands and arguments are the same on Linux, MacOS, or Windows. Just download the appropriate tarball from the Nebulareleasepage, open it up (Windows users will need

************************** 7zipfor this), and dump the commands inside wherever you’d like them to be.

(***********************************************

Download the right tar.gz for your OS and architecture here. (“Normal computers” will be amd architecture.

Jim Salter

Linux, Windows, or MacOS, all you’re getting are two command-line utilities. If you were expecting a fancy installer, you’re out of luck.

Jim Salter

Once fully configured, each node needs five files — the CA certificate (notthe key!), the node’s own cert and key, a config file, and the nebula CLI app itself.

Jim Salter

On Linux or MacOS systems, we recommend creating an / opt / nebulafolder for your Nebula commands, keys, and configs — if you don’t have an / opt yet, that’s okay, just create it, too. On Windows, C: Program Files Nebula is probably a more sensible location. Certificate Authority configuration and key generation

Nebula, sadly, does not come with its own gallery of awesome high-res astronomy photos.

The first thing you’ll need to do is create a Certificate Authority using the nebula-cert program. Nebula, thankfully, makes this a mind-bogglingly simple process:root @ lighthouse: / opt / nebula # ./nebula-cert ca -name “My Shiny Nebula Mesh Network”

What you’ve actually done is create a certificate and key for the entire network. Using that key, you can sign keys for each node itself. Unlike the CA certificate, node certificates need to have the Nebula IP address for each node baked into them when they’re created. So stop for a minute and think about what subnet you’d like to use for your Nebula mesh. It should be a private subnet — so it does not conflict with any Internet resources you might need to use — and it should be an (oddball) one so that it won’t conflict with any LANs you happen to be on.

Nice, round numbers like (**************************************************************************************************. ************************************************************************************************ .x,

**************************************************************************************

Note that the lighthouse: hosts************************************************ list uses the (nebula) IP of the lighthouse node, not its real-world public IP! The only place real-world IP addresses should show up is in the (static_host_map) ******************************************************** (section.) Starting nebula on each nodeI hope you Windows and Mac types weren't expecting some sort of GUI — or an applet in the dock or system tray, or a preconfigured service or daemon — because you're not getting one. Grab a terminal — a command prompt run as Administrator, for you Windows folks — and run nebula against its config file. Minimize the terminal / command prompt window after you run it.
root @ lighthouse: / opt / nebula # ./nebula -config ./config.yml
That's all you get. If you left the logging set at info the way we have it in our sample config files, you'll see a bit of informational stuff scroll up as your nodes come online and begin figuring out how to contact one another.If you're a Linux or Mac user, you might also consider using thescreenutility to hide nebula away from your normal console or terminal (and keep it from closing when that session terminates).
Figuring out how to get Nebula to start automatically is, unfortunately, an exercise we'll need to leave for the user — it's different from distro to distro on Linux (mostly depending on whether you're using systemd or init). Advanced Windows users should look into running Nebula as a custom service, and Mac folks should call Senior Technology Editor Lee Hutchinson on his home phone and ask him for help directly. Conclusion
Nebula is a pretty cool project. We love that it's open source, that it uses the Noise platform for crypto, that it's available on all three major desktop platforms, and that it's easy ... ish to set up and use.

With that said, Nebula in its current form is really not for people afraid to get their hands dirty on the command line — not just once, butalways. We have a feeling that some real UI and service scaffolding will show up eventually — but until it does, as compelling as it is, it's not ready for "normal users."

Right now, Nebula's probably best used by sysadmins and hobbyists who are determined to take advantage of its dynamic routing and don 't mind the extremely visible nuts and bolts and lack of anything even faintly like a friendly interface. We definitelywe don't recommend it in its current form to "normal users" —whether that means yourself or somebody you need to support.

Unless you really, really need that dynamic point-to-point routing, a more conventional VPN like WireGuardis almost certainly a better bet for the moment.************************* (The Good) (***************************************************************** (Free and open source software, released under the MIT license
Cross platform — looks and operates exactly the same on Windows, Mac, and Linux******************************** (Reasonably fast — our Ryzen 7) X managed 1.7Gbps from itself to one of its own VMs across Nebula(Point-to-point tunneling means near-zero bandwidth needed at lighthouses) ********************************************** Dynamic routing opens interesting possibilities for portable systemsSimple, accessible logging makes Nebula troubleshooting a bit easier than WireGuard troubleshooting
The Bad Bad No Android or iOS support yet
************************************** (No service / daemon wrapper included) ********************************************** (No UI, launcher, applet, etc) **********************************************The Ugly(***************************************************************** Did we mention the complete lack of scaffolding? Please don't ask non-technical people to use this yet
(The Windows port requires the OpenVPN project's) ********************************************************** (tap-windows6) driver — which is, unfortunately, notoriously buggy and cantankerous"Reasonably fast" is relative — most PCs should saturate gigabit links easily enough, but WireGuard is at least twice as fast as Nebula on Linux              


               (****************************************************************** (**********************************************************(************************************************************ Read More