Skip to content

Deploy a Virtual Private Cloud or VPN with servers, local machines, and Raspberry Pis across different locations

In this guide we will check how to establish secure connections between servers and local machines across different locations. While traditional VPN solutions exist, many are either too complex or don't scale well. Enter Nebula, a powerful and flexible open-source VPN platform developed by Slack that offers a refreshingly simple approach to building secure overlay networks.

Understanding Nebula

Nebula is fundamentally different from traditional VPNs. Instead of creating a simple tunnel between two points, it establishes a mesh network where every node can communicate directly with every other node. This approach eliminates the bottleneck of traditional hub-and-spoke VPN architectures and provides better performance for distributed systems.

Prerequisites

Before we dive into the setup process, ensure you have: - Root or sudo access on all machines you want to connect - Basic understanding of networking concepts - A Linux, macOS, or Windows machine - The latest version of Nebula downloaded from the official repository

Setting Up the Lighthouse

The lighthouse is Nebula's answer to discovery and NAT traversal. It acts as a beacon that helps other nodes find each other. Let's begin by configuring our lighthouse server.

First, download the Nebula binary and make it executable:

wget https://github.com/slackhq/nebula/releases/download/v1.7.2/nebula-linux-amd64.tar.gz
tar -xzf nebula-linux-amd64.tar.gz
sudo mv nebula /usr/local/bin/

Next, we need to generate our certificates. Nebula uses a PKI system for authentication and encryption:

nebula-cert ca -name "My Nebula Network"
nebula-cert sign -name "lighthouse" -ip "192.168.100.1/24"

Create a configuration file for the lighthouse. Here's a basic example:

pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/lighthouse.crt
  key: /etc/nebula/lighthouse.key

static_host_map:
  "192.168.100.1": ["lighthouse.example.com:4242"]

lighthouse:
  am_lighthouse: true
  interval: 60

listen:
  host: 0.0.0.0
  port: 4242

punchy:
  punch: true

tun:
  dev: nebula1
  drop_local_broadcast: false
  drop_multicast: false
  tx_queue: 500
  mtu: 1300

Adding Client Nodes

With our lighthouse configured, we can now add client nodes to our network. For each client, we'll need to generate a certificate:

nebula-cert sign -name "client1" -ip "192.168.100.2/24"

The client configuration will be similar to the lighthouse, but with some key differences:

pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/client1.crt
  key: /etc/nebula/client1.key

static_host_map:
  "192.168.100.1": ["lighthouse.example.com:4242"]

lighthouse:
  hosts:
    - "192.168.100.1"

listen:
  host: 0.0.0.0
  port: 4242

punchy:
  punch: true

tun:
  dev: nebula1
  drop_local_broadcast: false
  drop_multicast: false
  tx_queue: 500
  mtu: 1300

Security Considerations

Nebula provides robust security features that should be configured appropriately:

firewall:
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any
      proto: icmp
      host: any
    - port: 22
      proto: tcp
      host: any

This configuration allows all outbound traffic but restricts inbound connections to ICMP (ping) and SSH. Adjust these rules based on your specific needs.

Starting and Managing Nebula

To run Nebula as a service, create a systemd service file:

[Unit]
Description=Nebula VPN Service
After=network.target

[Service]
ExecStart=/usr/local/bin/nebula -config /etc/nebula/config.yml
Restart=always

[Install]
WantedBy=multi-user.target

Save this as /etc/systemd/system/nebula.service and enable it:

sudo systemctl enable nebula
sudo systemctl start nebula

Troubleshooting Common Issues

When setting up Nebula, you might encounter some common issues. Here are some troubleshooting steps:

  • If nodes can't communicate, check your firewall rules both in Nebula's configuration and on your host systems. Ensure UDP port 4242 (or your chosen port) is open.

  • For connectivity issues, verify that your certificates are properly signed and that the lighthouse is reachable from all clients. The nebula-cert list command can help verify certificate validity.

  • Use the -debug flag when starting Nebula to get detailed logging information:

nebula -config config.yml -debug

Final Thoughts

Building a VPN with Nebula provides a powerful way to create a secure and private network across distributed machines and servers. With its flexible, peer-to-peer architecture and strong security model, Nebula can handle everything from small networks to large-scale deployments.

By setting up Nebula, configuring nodes and lighthouses, and establishing firewall rules, you can create a highly secure and scalable VPN that’s tailored to your specific needs.