Nebula VPN routes between hosts privately, flexibly, and effectively


Last month the engineering team at Slack, an instant messaging platform commonly used by communities and small businesses, released a new distributed mesh VPN tool called Nebula. Nebula is free and open source software available under the MIT license.

Nebula is hard to sum up in a sentence. According to the Slack development team, they asked themselves, "What's the easiest way to securely connect tens of thousands of computers hosted by multiple cloud service providers in dozens of locations around the world?" Developing Nebula was the best answer they came up with. It is a portable, scalable overlay network tool that runs on most major platforms, including Linux, macOS and Windows. Support for some mobile devices is planned for the near future.

Data transmitted by Nebula is fully encrypted using the Noise Protocol Framework, which is also used by modern, security-oriented projects such as Signal and WireGuard. Unlike traditional VPN technologies, WireGuard included, Nebula automatically and dynamically discovers the available routes between nodes and carries traffic between any two nodes along the most efficient path, instead of forcing everything through a central distribution point.

Getting started with Nebula is not too difficult, although the documentation is somewhat sparse. The GitHub repository for Nebula provides binaries for Windows, Linux and macOS as well as a sample configuration file. The configuration file consists of pki, static_host_map, lighthouse, listen, tun and firewall sections.

  • The first three sections of config.yml define crypto assets, well-known hosts and "lighthouses": Nebula nodes that are reachable over normally routable networks.

    Jim Salter

  • "listen" and "tun" define device attributes for the local Nebula node, including the bound IP address and port.

  • The firewall section of config.yml is the one that will bite you if you are not careful. The default is deny, so if you have not set any allow rules, no traffic will reach your nodes.

Nebula calls a publicly accessible node in the network a "lighthouse". Lighthouse nodes must be reachable over the underlying network without Nebula running, and they are the entry point for new nodes joining the network. Once a node has joined, it no longer has to route all of its traffic through a lighthouse: the nodes work out the most efficient path between themselves, and no lighthouse needs to sit in the middle. Even if traffic has to traverse NAT "the wrong way", there is no problem, because every node behind NAT creates and keeps open a tunnel to every node it knows about.

  • This diagram shows the "real" network connectivity between the nodes in our test network. nat0 and nat1 are on the same subnet and can reach each other directly. doublenat can reach nat0 and nat1 through NAT, but they cannot reach it. All of them can reach the lighthouse through one or more layers of NAT.

    Jim Salter

  • As soon as all nodes are connected to the Nebula network, they can reach each other directly despite the NAT barriers between them; the differences between one real subnet and another disappear.

  • We tested connection speeds while Nebula was running, and it is obvious that every node is optimally connected rather than routing everything over the normal network paths.

We tested this by connecting four nodes into a small Nebula network: a lighthouse node on Digital Ocean (which we creatively named lighthouse) and three member nodes in a small office. Two of the member nodes (nat0 and nat1) are on the office's main LAN, and the third, doublenat, is on a separate subnet behind the node nat0.

It did not take long to confirm that Nebula's promise of automatically finding the best route works as advertised. An iperf3 network speed test from nat1 to doublenat achieved a throughput of 674 Mbit/s, which made it painfully clear that packets were not being routed through lighthouse, located in Digital Ocean's New York data center several hundred miles away. Instead, doublenat punched a tunnel out through its Network Address Translation (NAT) layer directly to nat1, and the two hosts use that tunnel to communicate directly.
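To make the config.yml sections and the default-deny firewall concrete, here is an added example configuration for the member node nat1 in the test network above. It is not taken from the article or from the Nebula repository; the overlay addresses, the lighthouse's public address, the file paths and the group name "office" are assumptions.

```yaml
# Example config.yml for member node nat1 (added illustration, not the article's
# or the project's own file). Addresses, paths and the "office" group are assumed.
pki:
  ca: /etc/nebula/ca.crt          # CA certificate shared by every node
  cert: /etc/nebula/nat1.crt      # this host's certificate, signed by that CA
  key: /etc/nebula/nat1.key

# Well-known hosts: Nebula overlay IP -> routable address(es) of the lighthouse.
static_host_map:
  "192.168.100.1": ["203.0.113.10:4242"]

lighthouse:
  am_lighthouse: false            # true only on the lighthouse node itself
  interval: 60                    # seconds between updates sent to lighthouses
  hosts:
    - "192.168.100.1"             # overlay IP of the lighthouse

listen:
  host: 0.0.0.0                   # bind on all interfaces
  port: 4242                      # UDP port; Nebula speaks UDP only

tun:
  dev: nebula1                    # name of the virtual interface
  mtu: 1300

firewall:
  # Both directions default to deny. With an empty inbound list, nothing
  # reaches this node even though the tunnels are up.
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any                   # allow ping from any Nebula node
      proto: icmp
      host: any
    - port: 5201                  # iperf3, only from nodes whose certificate
      proto: tcp                  # carries the group "office"
      groups:
        - office
```

The lighthouse's own file differs mainly in setting am_lighthouse to true, leaving lighthouse.hosts empty and listening on the fixed, publicly reachable port given in static_host_map.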

We can already hear some of you asking, "Can I use it to escape obnoxious networks with overbearing firewalls?" The answer, sorry, is "probably not." Like WireGuard, Nebula works only over UDP, so overzealous firewalls that block WireGuard connections block Nebula too. This also severely limits its value as an exfiltration tool: a large volume of outgoing traffic on an arbitrary UDP port sticks out like a sore thumb to any network analysis tool, even if the firewall lets it through.

We believe the greatest potential value of using Nebula over a more traditional VPN tool like WireGuard is that it finds the most efficient routes wherever you are. If Nebula is running on your laptop, your home PC and a Digital Ocean droplet, the laptop communicates at LAN speed when it is at home and at Internet speed when it is on the road.

Listing image from NSSDC Photo Gallery
