I've figured it out with some assistance from an old issue thread in their GitHub: https://github.com/slackhq/nebula/issues/214#issuecomment-675220635
What I want to do:
I want to use Nebula to connect to hosts in my LAN from outside, which is basically what a normal VPN does, but with less BS involved. My home network setup is a bit complicated for unrelated reasons; to run a classic VPN on my network I would need to get a network engineer certification to figure it out, and I'm not smart enough.
Some background info:
- cloud server has public IP 123.123.123.123 (a fake IP I'm using in this example instead of the real one I used, for obvious reasons)
- OpenWrt LAN network is 192.168.11.0/24
- Nebula's own virtual network is 192.168.20.0/24
---OpenWrt router setup---
Installed the nebula and nebula-certs packages in OpenWrt (I actually recompiled from source a whole new master snapshot firmware with these packages included, but that's just how I roll, don't judge).
Created the /etc/nebula folder and copied the default config.yml from here: https://github.com/slackhq/nebula/blob/master/examples/config.yml
created the main certs
nebula-cert ca -name "albydomain Inc"
created the certs for the "lighthouse" (the server with public IP, that is used by every other node to find each other)
nebula-cert sign -name "lighthouse1" -ip "192.168.20.1/24"
create the certs for the OpenWrt device that will share the LAN
nebula-cert sign -name "openwrt-router" -ip "192.168.20.2/24" -subnets "192.168.11.0/24"
create the certs for a test setup on a PC
nebula-cert sign -name "testPC1" -ip "192.168.20.10/24"
now I have a bunch of files in /etc/nebula, so I copy over ca.crt, lighthouse1.crt and lighthouse1.key, testPC1.crt and testPC1.key
On the OpenWrt router these are the parts of the default config I changed in /etc/nebula/config.yml (indentation matters in YAML; the parent keys `lighthouse:`, `tun:` and `firewall:` are the ones from the default config):

```yaml
pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/openwrt-router.crt
  key: /etc/nebula/openwrt-router.key

static_host_map:
  "192.168.20.1": ["123.123.123.123:4242"]

lighthouse:
  # am_lighthouse stays false (the default) on the router
  hosts:
    - "192.168.20.1"

firewall:
  inbound:
    - port: any
      proto: any
      host: any
```
I created a firewall zone in OpenWrt to masquerade and forward traffic from the raw nebula1 interface (no need to create an "unmanaged" interface in /etc/config/interfaces and then assign that to a firewall zone anymore in 21.02, you can just add unmanaged interfaces to firewall like this)
```
config zone
	option name 'nebula'
	option masq '1'
	list device 'nebula1'
	option forward 'REJECT'
	option input 'REJECT'
	option output 'ACCEPT'

config forwarding
	option src 'nebula'
	option dest 'lan'
```
and then restart the service to make it read the config and be ready to connect to the lighthouse
service nebula restart
---Virtual Cloud Server setup---
on the virtual server with public IP that will be my lighthouse I have installed Debian 11, and enabled certificate login on ssh (and disabled password login)
I then installed the ufw package for easy firewall management, since I have to open port 4242 on the lighthouse for the Nebula service.

```sh
ufw disable
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow 4242
ufw enable
```

Note that if you have your ssh on a nonstandard port (default is 22), you need to open that port too.
and I downloaded the linux package from the github releases page https://github.com/slackhq/nebula/releases
aka https://github.com/slackhq/nebula/releases/download/v1.4.0/nebula-linux-amd64.tar.gz
then extracted it in the folder /opt/nebula (it's the "standard" folder for non-packaged software installed manually)
I moved the ca.crt, lighthouse1.crt and lighthouse1.key from the OpenWrt device to the cloud server, in that folder.
Then I added again the same default config file, and these are the parts of the default config I changed in /opt/nebula/config.yml:

```yaml
pki:
  ca: /opt/nebula/ca.crt
  cert: /opt/nebula/lighthouse1.crt
  key: /opt/nebula/lighthouse1.key

lighthouse:
  am_lighthouse: true
  # the lighthouse itself does not point at any lighthouse, so this stays commented out
  # hosts:
  #   - "192.168.100.1"

# same here: the lighthouse has no static_host_map entry
#static_host_map:
#  "192.168.100.1": ["100.64.22.11:4242"]

tun:
  unsafe_routes:
    - route: 192.168.11.0/24
      via: 192.168.20.2
      mtu: 1500 # mtu will default to tun mtu if this option is not specified

firewall:
  inbound:
    - port: any
      proto: any
      host: any
```
nebula can be started manually on the server with
/opt/nebula/nebula -config /opt/nebula/config.yml
but this isn't the most amazing thing to do; I want it as a service, possibly a systemd service, so the init system will take care of restarting it if it crashes and also start it on boot.
so I downloaded the service file for systemd from the examples/service_scripts folder https://github.com/slackhq/nebula/tree/master/examples/service_scripts
(there is also an init script for people that value "init freedom" or others that are using a distro like Alpine or Gentoo that uses OpenRC instead of systemd)
So I download it with
wget https://raw.githubusercontent.com/slackhq/nebula/master/examples/service_scripts/nebula.service
And of course I must edit this line to point to the right path for my server
ExecStart=/opt/nebula/nebula -config /opt/nebula/config.yml
so now copy the service file into the systemd folder for services, enable it, start it and check it with systemd

```sh
cp nebula.service /etc/systemd/system/
systemctl enable nebula.service
systemctl start nebula.service
systemctl status nebula.service
```
---TestPC setup---
download the nebula package for your architecture and OS, move the ca.crt, testPC1.crt and testPC1.key to the test PC, then add the default config file and make the following changes (the path for ca.crt and the other key files might differ on Windows or macOS; I used another Linux system, so for me it's again stuff in the /opt/nebula folder)

```yaml
pki:
  ca: /opt/nebula/ca.crt
  cert: /opt/nebula/testPC1.crt
  key: /opt/nebula/testPC1.key

static_host_map:
  "192.168.20.1": ["123.123.123.123:4242"]

lighthouse:
  # am_lighthouse stays false (the default) on the test PC
  hosts:
    - "192.168.20.1"

tun:
  unsafe_routes:
    - route: 192.168.11.0/24
      via: 192.168.20.2
      mtu: 1500 # mtu will default to tun mtu if this option is not specified

firewall:
  inbound:
    - port: any
      proto: any
      host: any
```
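All three configs above (router, lighthouse and test PC) accept inbound `port: any / proto: any / host: any` on the overlay, so any machine holding a cert signed by this CA can reach every node and, via the router's unsafe route, the whole 192.168.11.0/24 LAN. As an added example that is not part of the original post or of the Nebula project, here is a tighter `firewall:` section for the OpenWrt router's /etc/nebula/config.yml; it assumes the test PC cert was re-signed with a Nebula group (the group name `roadwarrior` is chosen for this example) so only certs carrying that group get past the router.

```yaml
# Added example, not from the original post. Replaces the firewall: section
# of /etc/nebula/config.yml on the OpenWrt router.
# Assumes testPC1 was (re)signed with a group, e.g.:
#   nebula-cert sign -name "testPC1" -ip "192.168.20.10/24" -groups "roadwarrior"
# ("roadwarrior" is an example name, not something used in the post.)
firewall:
  outbound:
    # the router may initiate connections to any other node
    - port: any
      proto: any
      host: any

  inbound:
    # allow ping from any node in the overlay, handy for troubleshooting
    - port: any
      proto: icmp
      host: any

    # everything else, including packets the router forwards on to
    # 192.168.11.0/24, is only accepted from certs that carry the group
    - port: any
      proto: any
      groups:
        - roadwarrior
```

A node whose cert lacks the group can still reach the lighthouse and other nodes that allow it, but its packets to the router and to the LAN behind it are dropped by the router's own Nebula firewall before they ever touch the OpenWrt zone rules.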