Deploy a Virtual Private Cloud or VPN with servers, local machines, and Raspberry Pis across different locations
In this guide we will check how to establish secure connections between servers and local machines across different locations. While traditional VPN solutions exist, many are either too complex or don't scale well. Enter Nebula, a powerful and flexible open-source VPN platform developed by Slack that offers a refreshingly simple approach to building secure overlay networks.
Understanding Nebula
Nebula is fundamentally different from traditional VPNs. Instead of creating a simple tunnel between two points, it establishes a mesh network where every node can communicate directly with every other node. This approach eliminates the bottleneck of traditional hub-and-spoke VPN architectures and provides better performance for distributed systems.
Prerequisites
Before we dive into the setup process, ensure you have: - Root or sudo access on all machines you want to connect - Basic understanding of networking concepts - A Linux, macOS, or Windows machine - The latest version of Nebula downloaded from the official repository
Setting Up the Lighthouse
The lighthouse is Nebula's answer to discovery and NAT traversal. It acts as a beacon that helps other nodes find each other. Let's begin by configuring our lighthouse server.
First, download the Nebula binary and make it executable:
wget https://github.com/slackhq/nebula/releases/download/v1.7.2/nebula-linux-amd64.tar.gz
tar -xzf nebula-linux-amd64.tar.gz
sudo mv nebula /usr/local/bin/
Next, we need to generate our certificates. Nebula uses a PKI system for authentication and encryption:
nebula-cert ca -name "My Nebula Network"
nebula-cert sign -name "lighthouse" -ip "192.168.100.1/24"
Create a configuration file for the lighthouse. Here's a basic example:
pki:
ca: /etc/nebula/ca.crt
cert: /etc/nebula/lighthouse.crt
key: /etc/nebula/lighthouse.key
static_host_map:
"192.168.100.1": ["lighthouse.example.com:4242"]
lighthouse:
am_lighthouse: true
interval: 60
listen:
host: 0.0.0.0
port: 4242
punchy:
punch: true
tun:
dev: nebula1
drop_local_broadcast: false
drop_multicast: false
tx_queue: 500
mtu: 1300
Adding Client Nodes
With our lighthouse configured, we can now add client nodes to our network. For each client, we'll need to generate a certificate:
nebula-cert sign -name "client1" -ip "192.168.100.2/24"
The client configuration will be similar to the lighthouse, but with some key differences:
pki:
ca: /etc/nebula/ca.crt
cert: /etc/nebula/client1.crt
key: /etc/nebula/client1.key
static_host_map:
"192.168.100.1": ["lighthouse.example.com:4242"]
lighthouse:
hosts:
- "192.168.100.1"
listen:
host: 0.0.0.0
port: 4242
punchy:
punch: true
tun:
dev: nebula1
drop_local_broadcast: false
drop_multicast: false
tx_queue: 500
mtu: 1300
Security Considerations
Nebula provides robust security features that should be configured appropriately:
firewall:
outbound:
- port: any
proto: any
host: any
inbound:
- port: any
proto: icmp
host: any
- port: 22
proto: tcp
host: any
This configuration allows all outbound traffic but restricts inbound connections to ICMP (ping) and SSH. Adjust these rules based on your specific needs.
Starting and Managing Nebula
To run Nebula as a service, create a systemd service file:
[Unit]
Description=Nebula VPN Service
After=network.target
[Service]
ExecStart=/usr/local/bin/nebula -config /etc/nebula/config.yml
Restart=always
[Install]
WantedBy=multi-user.target
Save this as /etc/systemd/system/nebula.service
and enable it:
sudo systemctl enable nebula
sudo systemctl start nebula
Troubleshooting Common Issues
When setting up Nebula, you might encounter some common issues. Here are some troubleshooting steps:
-
If nodes can't communicate, check your firewall rules both in Nebula's configuration and on your host systems. Ensure UDP port 4242 (or your chosen port) is open.
-
For connectivity issues, verify that your certificates are properly signed and that the lighthouse is reachable from all clients. The
nebula-cert list
command can help verify certificate validity. -
Use the
-debug
flag when starting Nebula to get detailed logging information:
nebula -config config.yml -debug
Final Thoughts
Building a VPN with Nebula provides a powerful way to create a secure and private network across distributed machines and servers. With its flexible, peer-to-peer architecture and strong security model, Nebula can handle everything from small networks to large-scale deployments.
By setting up Nebula, configuring nodes and lighthouses, and establishing firewall rules, you can create a highly secure and scalable VPN that’s tailored to your specific needs.