Methods to arrange your individual Nebula mesh VPN, step-by-step


Enlarge / Unfortunately, the nebula does not have its own gallery with impressive high-resolution astronomy photos.

Last week we reported on the launch of Slack Engineering's open source mesh VPN system, Nebula. Today we're going to take a closer look at how you can set up your own private Nebula Mesh network – along with a little more detail on why you want it (or not).

VPN mesh compared to conventional VPNs

Nebula's biggest selling point is that it is not just a VPN, but a distributed VPN network. A traditional VPN is much simpler than a mesh and uses a simple star topology: all clients connect to a server, and any additional routing is also done manually. All VPN traffic must flow through this central server, regardless of whether this makes sense in the larger scheme of things or not.

In contrast, a mesh network understands the layout of all of its member nodes and intelligently routes packets between them. If node A is right next to node Z, the mesh does not arbitrarily route all traffic through node M in the middle. It only sends them directly from A to Z, with no intermediaries or unnecessary overhead. We can examine the differences using a network flow diagram that shows patterns in a small virtual private network.

 With Nebula, connections can be made directly from home / in the office to the hotel and vice versa - and two PCs in the same LAN do not have to leave the LAN. "Src =" https: //cdn.arstechnica. net / wp-content / uploads / 2019/12 / Nebel-gegen-WireGuard-Topologie-final-640x388.png "width =" 640 "height =" 388 Enlarge / With Nebula, connections can go directly from home / in the office to the hotel and vice versa – and two PCs in the same LAN do not have to leave the LAN at all.

Jim Salter

All VPNs work partly using the bidirectional nature of network tunnels: As soon as a tunnel – also through Network Address Translation (NAT) – has been set up, it is bidirectional, regardless of the page that was originally reached , This applies to both mesh and traditional VPNs if there are two computers on different machines. The cloud server can then connect these two tunnels to create a connection with two hops if you have a public IP address for VPN connection requests you can transfer files from one network to another – even if both endpoints are behind NAT and no port forwarding is configured.

When Nebula becomes more efficient, two computers connected to Nebula are closer together than on the central cloud server. When a Nebula node wants to connect to another Nebula node, it queries a central server – as the Nebula calls a lighthouse – where that node is located. Once the location has been picked up by the lighthouse, the two nodes can find out among themselves what the best way to get to each other could be. They can usually communicate directly with each other instead of communicating through the router – even if they are in two different networks behind NAT, for which port forwarding is not activated.

In contrast, connections between any two PCs in a conventional VPN must be routed through the central server. This increases the monthly allocation of this server and can potentially reduce throughput and latency from peer to peer.

Direct connection via UDP Skullduggery

Nebula can – in most cases – set up a tunnel directly between two different NATted networks without having to configure the port forwarding on both sides. This is a little mind-boggling – you wouldn't normally expect two computers behind NAT to be able to contact each other without an intermediary. But Nebula is a pure UDP protocol and ready to cheat to achieve its goals.

When both computers reach the lighthouse, the lighthouse knows the source UDP port for the outgoing connection of each side. The lighthouse can then notify one node of the other's source UDP port and vice versa. This alone is not enough to get back through the NAT pinhole. However, if each side targets the other side's NAT pinhole and fakes the lighthouse's public IP address as the source, their packets will get through.

UDP is a stateless connection, and very few networks test and enforce border checking for UDP packets. Therefore, this spoofing of source addresses works in most cases. However, some advanced firewalls may check the headers of outgoing packets and delete them if they have impossible source addresses.

If only one side has a border verification firewall that deletes fake outbound packets, then everything is fine. However, if a border check is available, configured, and enabled at both ends, the fog either fails or has to resort to lighthouse routing.

We have tested this specifically and can confirm that a direct tunnel from one LAN to another works over the Internet, without port forwarding and without data traffic going through the lighthouse. We tested with one node behind an Ubuntu homebrew router, another behind a Netgear Nighthawk on the other side of the city, and a lighthouse running on a Linode instance. Running iftop on the lighthouse showed no noticeable data traffic, although a 20 Mbit / s iperf3 stream happily ran between the two networks. Currently, in most cases, direct point-to-point connections with fake source IP addresses should work.

Raise fog

To set up a fog network, you need at least two nodes, one of which should be a lighthouse. Lighthouse nodes must have a public IP address – preferably a static one. If you use a lighthouse behind a dynamic IP address, you will likely experience some inevitable frustrations when that dynamic address is updated.

The best lighthouse option is a cheap VM from the cloud provider of your choice. The $ 5 / month deals on Linode or Digital Ocean are more than enough to handle the expected traffic and CPU usage. It's quick and easy to open an account and set up an account. We recommend the latest Ubuntu LTS version for the operating system of your new lighthouse. at the time of printing this is April 18.


Nebula doesn't actually have an installer. There are only two blank command line tools in a tarball, regardless of your operating system. For this reason, we will not give any operating system-specific instructions here: The commands and arguments are the same under Linux, MacOS or Windows. Simply download the corresponding tarball from the Nebula release page, open it (Windows users need 7zip for this) and save the commands wherever you want.

  • Download the right tar.gz for your operating system and architecture. ("Normal computers" will be an amd64 architecture.)

    Jim Salter

  • All you get for Linux, Windows, or MacOS are two command line utilities. If you were expecting a failed installer, you're out of luck.

    Jim Salter

  • After the complete configuration, each node needs five files – the CA certificate (not the key!), The node's own certificate and the node's own key, a configuration file and the Nebel-CLI app itself.

    Jim Salter

On Linux or MacOS systems, we recommend creating a / opt / nebula folder for your Nebula commands, keys, and configurations. If you don't have an / opt yet, you can create it. On Windows, C: Program Files Nebula is probably more useful.

Configuration of the certification body and key generation

First of all you have to create a certification body with the nebula-cert program. Fortunately, the fog makes this an amazingly simple process:

root @ lighthouse: / opt / nebula # ./nebula-cert ca -name "My Shiny Nebula Mesh Network"

You actually created a certificate and key for the entire network. With this key you can sign keys for each node yourself. In contrast to the CA certificate, node certificates must contain the Nebula IP address for each node when they are created. So think briefly about which subnet you want to use for your nebula mesh. It should be a private subnet – so it doesn't conflict with the Internet resources you may need – and it should be a strange subnet so it doesn't conflict with the LANs you are currently on.

Nice, round numbers like 192.168.0.x, 192.168.1.x, 192.168.254.x and 10.0.0.x should be correct, because the chances are very good that you will stay in a hotel, the house a friend, etc. using one of these subnets. We used 192.168.98.x – but you can also make any. Your lighthouse occupies .1 in the subnet you selected and you assign new addresses to the nodes when they create their keys. Now let's set up the keys for our lighthouse and our nodes:

root @ lighthouse: / opt / nebula # ./nebula-cert sign -name "lighthouse" -ip ""
root @ lighthouse: / opt / nebula # ./nebula-cert sign -name "banshee" -ip ""
root @ lighthouse: / opt / nebula # ./nebula-cert sign -name "locutus" -ip ""

After you have generated all of your keys, you should take them out of your lighthouse for security reasons. You only need the ca.key file if you actually sign new keys and not to run Nebula yourself. Ideally, you should move ca.key completely from your working directory to a safe place – maybe even to a safe place that is not connected to Nebula at all – and only restore it temporarily if and how you need it. Also note that the lighthouse itself does not necessarily have to be the machine on which Nebula-Cert is executed. If you feel paranoid, it is even better to do CA tasks from a completely separate box and copy the keys and certificates as you create them.

Each Nebula node requires a copy of ca.crt, the CA certificate. It also needs its own .key and .crt that match the name you specified above. However, you don't need a key or certificate from another node – the nodes can exchange them dynamically as needed – and for security reasons, you shouldn't keep all .key and .crt files in one place. (If you lose one, you can always later generate another from your certification authority that uses the same name and the same Nebula IP address.)

Configure fog with config.yml

Nebula's Github repository provides a sample config.yml with pretty much all of the options under the sun and lots of comments, and we recommend anyone looking at doing all sorts of things. However, if you just want to make a difference, it may be easier to start with a drastically simplified configuration that only contains what you need.

Lines that begin with a hashtag are commented out and not interpreted.

# This is the sample Nebula configuration file from Ars Technica.

# Each node needs a copy of the CA certificate.
ONLY with your own certificate and key.
ca: /opt/nebula/ca.crt
cert: /opt/nebula/lighthouse.crt
key: /opt/nebula/lighthouse.key

# how to find one or more lighthouse nodes
# Every node does NOT have to be listed here!
# format "Nebula IP": [“public IP or hostname:port”] #
"": [“”]

Interval: 60

# If you are a lighthouse, say you are a lighthouse
am_lighthouse: true

# If you are a lighthouse, this section should be empty
# or commented out. If you're not a lighthouse, list it
# Lighthouse node here, one per line, below
# Format:
# – ""

# means "all interfaces", which you probably want
Port: 4242

# "punchy" basically means "send keepalive packets frequently"
# To prevent your router from running, close your NAT tunnel.
punchy: true

# "punch_back" allows the other node to try to contact you,
# if you have trouble accessing it. Useful for stubborn
# Networks with symmetrical NAT etc.
punch_back: true

to do:
# reasonable default settings. Don't monkey with these unless
# You are SURE that you know what you are doing.
dev: nebula1
drop_local_broadcast: false
drop_multicast: false
tx_queue: 500
mtu: 1300

Level: Info
Format: text

# You NEED this firewall area.
# Nebula has its own firewall in addition to everything
# Your system is set up and everything is denied by default.
# If you do not specify any rules here, you will be discarded
# all the traffic and curse and wonder why you can't ping
# one knot from another.
tcp_timeout: 120h
udp_timeout: 3m
default_timeout: 10m
max_connections: 100000

# since everything is preset, refuse all rules
# SPECIFY are actually allowed rules here.
– Port: any
proto: any
Host: any

– Port: any
proto: any
Host: any

Warning: Our CMS mangles some spaces in this code. So don't try to copy and paste them directly. Instead, use functional copies of Github suitable for whitespaces: config.lighthouse.yaml and config.node.yaml.

There is no big difference between lighthouse and normal node configurations. If the node should not be a lighthouse, simply set am_lighthouse to false and remove the leading hashtag from the line # – "", whereby the node points to the lighthouse to which it is to report.

Note that the lighthouse: hosts list uses the fog IP of the lighthouse node, not the real world public IP! The only place where real IP addresses should appear is in the static_host_map section.

Starting fog on every node

I hope you did not expect Windows and Mac types to have a GUI or applet in the Dock or Taskbar, or a pre-configured service or daemon, because you don't have one. Get a terminal – a command prompt that runs as an administrator for Windows users – and run the fog using the configuration file. Minimize the Terminal / Command Prompt window after you run it.

root @ lighthouse: / opt / nebula # ./nebula -config ./config.yml

That's all you get. If you leave the log record at info as we have it in our sample configuration files, you will see that a little bit of information rolls up when your nodes go online and find out how to get in touch.

If you are a Linux or Mac user, you can also use the on-screen utility to hide the mist from your normal console or terminal (and to prevent it from closing after this session ends) ,

Unfortunately, it is an exercise we have to leave to the user to figure out how to start Nebula automatically – it differs from distribution to distribution on Linux (mostly depending on whether you are using systemd or init). Advanced Windows users should run Nebula as a custom service. Mac users should call senior technology editor Lee Hutchinson and ask for help directly.


Nebula is a pretty cool project. We love that it is open source, that it uses the Noise platform for crypto, that it is available on all three major desktop platforms, and that it is easy to set up and use.

Nevertheless, the fog in its current form is not for people who are afraid of getting their hands dirty on the command line – not just once, but always. We have a feeling that real UI and service scaffolds will emerge at some point – but as long as it's not so convincing, it's not ready for "normal users".

At the moment Nebula is probably best used by sysadmins and hobbyists who are determined to use its dynamic routing and do not care about the extremely visible nuts and bolts and the lack of anything that is a bit like a user-friendly Surface is. We definitely don't recommend it in its current form to "normal users" – whether you yourself or someone you need to support.

Unless you really need this dynamic point-to-point routing, a more traditional VPN like WireGuard is almost certainly the better choice right now.

The Good

  • Free and open source software, released under the MIT license
  • Cross-platform – looks and works the same under Windows, Mac and Linux.
  • Quite quickly – our Ryzen 7 3700X managed 1.7 Gbit / s by itself on one of its own VMs in Nebula
  • Point-to-point tunneling means that a bandwidth close to zero is required for lighthouses.
  • Dynamic routing opens up interesting possibilities for portable systems
  • Simple, accessible logging makes troubleshooting in Nebula a little easier than troubleshooting in WireGuard

The Bad

  • No Android or iOS support yet
  • No service / daemon wrapper included
  • No user interface, launcher, applet, etc.

The Ugly One

  • Did we mention the complete lack of scaffolding? Please ask non-technical people to continue using this.
  • The Windows port requires the tap-windows6 driver of the OpenVPN project – which is unfortunately notoriously flawed and cumbersome.
  • "Quite fast" is relative – most PCs should use Gigabit connections lightly enough, but WireGuard is at least twice as fast as Nebula on Linux


Please enter your comment!
Please enter your name here