April 13, 2020

Nebula mesh VPN on Ubuntu

Nebula mesh VPN on Ubuntu

If you want to securely connect machines on different networks together without the classic VPN star-topology then Nebula might be for you.

Start with your "lighthouse" server. This is the primary server that will facilitate communication between your machines. It's strongly suggested that this be a computer with a static IP. If you don't have one of those, you can use a digitalocean droplet like me, using my referral code: https://m.do.co/c/6656c10438cb

Let's download the latest stable release for your platform on this page:

Chances are pretty good that it will be 'nebula-linux-amd64.tar.gz', but if you are running something different you should already know that. At the time of writing the latest version is 1.2.0.

wget https://github.com/slackhq/nebula/releases/download/v1.2.0/nebula-linux-amd64.tar.gz

Make a new directory for it

sudo mkdir /opt/nebula

Untar the release into the folder

sudo tar -C /opt/nebula -xvf nebula-linux-amd64.tar.gz

Allow Nebula UDP traffic through the firewall

sudo ufw allow 4242/udp

Next we change into our nebula directory now

cd /opt/nebula

and create our network certificate authority, call it whatever you like.

./nebula-cert ca -name "Your Network Name Here"

You've now got two new files 'ca.key' and 'ca.cert'. The 'ca.key' file is particularly important. This is the key to your new kingdom, so when you're done here, move this somewhere safe (ideally off your server entirely) and keep it encrypted.

Now on to creating the keys for our devices!
The names can be anything you'd like, even FQDN according the official docs.

./nebula-cert sign -name "lighthouse" -ip ""

./nebula-cert sign -name "laptop" -ip "" -groups "laptop,home,ssh"

Last thing to do on the server is create our config. Let's grab the master example from here:

You'll need to make a few tweaks before we can run this. Be careful when making changes though as yaml is very fussy about spaces. We'll call our config

You need to make sure that these values are correct:
(change 'your-server' for your server name)
(change to your lighthouse public IP)

ca: /opt/nebula/ca.crt
cert: /opt/nebula/your-server.crt
key: /opt/nebula/your-server.key
static_host_map:  "": [""]
am_lighthouse: true
(NOTE:hosts section should be commented out for lighthouse only)

On your client(s):

Copy the all the files we've downloaded and generated (apart from the 'ca.key' file! Leave that alone) to your client(s), then make these changes on your config file:
(change 'your-client' for your clients name)

ca: /opt/nebula/ca.crt
cert: /opt/nebula/your-client.crt
key: /opt/nebula/your-client.key
am_lighthouse: false
(NOTE: hosts section should have the nebula ip of your lighthouse server if you are following this guide verbatim)

We can now run it on the server and then the client(s)...

sudo ./nebula -config /opt/nebula-config.yaml

You can now test that it's working with a simple ping from the client(s)!


On your lighthouse server again:

Assuming you've got responses to your ping coming back in now, all that's left to do is set this up as a service for at least your lighthouse.

sudo nano /usr/bin/nebula-start.sh

Paste in the contents below.


/opt/nebula/nebula -config /opt/nebula/nebula-config.yaml

Make this executable

sudo chmod +x /usr/bin/nebula-start.sh

Then we need to create a systemd service to run this on boot.

sudo nano /etc/systemd/system/nebula-start.service

Pasting in the contents below again.

Description=Start Nebula Mesh VPN as a service.
ExecStart=/bin/bash /usr/bin/nebula-start.sh

Finally, we need to change the permissions on the service, reload the daemon, enable and start the service then check the status to make sure that it's working.

sudo chmod 644 /etc/systemd/system/nebula-start.service

sudo systemctl daemon-reload

sudo systemctl enable nebula-start.service

sudo systemctl start nebula-start.service

sudo systemctl status nebula-start.service


The official guide can be found here: