Nebula mesh VPN on Ubuntu
If you want to securely connect machines on different networks together without routing everything through a central VPN server (the classic star topology), then Nebula might be for you.
Start with your "lighthouse" server. In Nebula the lighthouse is not a hub that relays traffic: it is a node with a fixed, reachable address that the other hosts use to discover each other, after which they talk to each other directly over UDP. It therefore needs a static public IP. If you don't have one of those, you can use a digitalocean droplet like me, using my referral code: https://m.do.co/c/6656c10438cb
Let's download the latest stable release for your platform on this page:
Chances are pretty good that it will be 'nebula-linux-amd64.tar.gz'; if you are running something different you will already know which archive you need. At the time of writing the latest version is 1.2.0.
Make a new directory for it
sudo mkdir /opt/nebula
Untar the release into the folder
sudo tar -C /opt/nebula -xvf nebula-linux-amd64.tar.gz
Allow Nebula UDP traffic through the firewall
sudo ufw allow 4242/udp
Next, change into the nebula directory (/opt/nebula) and create the network certificate authority; call it whatever you like. The directory was created with sudo and is owned by root, so either run the nebula-cert commands with sudo or chown the directory to your user first, otherwise they cannot write the key files.
./nebula-cert ca -name "Your Network Name Here"
You've now got two new files, 'ca.key' and 'ca.crt'. The 'ca.key' file is particularly important: it is the key to your new kingdom, since anyone holding it can sign certificates that every host in your mesh will trust. Make sure only root can read it, and when you're done here move it somewhere safe (ideally off your server entirely) and keep it encrypted. Note also that nebula-cert gives the CA a one-year lifetime by default; pass -duration if you want something longer, and plan to rotate before it expires.
Now on to creating the keys for our devices!
The names can be anything you'd like, even an FQDN according to the official docs. Each host also gets its Nebula IP here, and the groups you give it are what Nebula's firewall rules match on later, so choose them with those rules in mind.
./nebula-cert sign -name "lighthouse" -ip "192.168.49.1/24"
./nebula-cert sign -name "laptop" -ip "192.168.49.2/24" -groups "laptop,home,ssh"
Last thing to do on the server is create our config. Let's grab the master example from here:
You'll need to make a few tweaks before we can run this. Be careful when making changes though, as yaml is very fussy about spaces (indent with spaces, never tabs). We'll call our config nebula-config.yaml and keep it in /opt/nebula.
You need to make sure that these values are correct:
In the pki section, point ca, cert and key at your ca.crt and at the cert and key you just signed for this host (change 'your-server' to your server name, i.e. lighthouse.crt and lighthouse.key if you are following this guide verbatim).
In static_host_map, change 126.96.36.199 to your lighthouse's public IP; the left-hand side is the lighthouse's Nebula IP:
static_host_map:
  "192.168.49.1": ["126.96.36.199:4242"]
(NOTE: in the lighthouse section, set am_lighthouse to true on the lighthouse itself and leave its hosts list commented out; a lighthouse must not list itself as an upstream lighthouse.)
On your client(s):
Copy the nebula binaries, ca.crt and that client's own cert and key (laptop.crt and laptop.key here) to the client. Do not copy ca.key, and do not copy another host's key either: each host should only ever hold its own private key. Then make these changes to the config file:
(change 'your-client' to your client's name in the pki cert and key paths)
(NOTE: the hosts list in the lighthouse section should contain the Nebula IP of your lighthouse server, 192.168.49.1 if you are following this guide verbatim, and am_lighthouse should be false on every client)
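The two configs described above, side by side, as an added example written for this page (not the Nebula project's example config, which you should still use as your base). It is trimmed to the sections you have to get right; paths follow the /opt/nebula layout used here, 203.0.113.10 is an assumed placeholder for the lighthouse's public address, and the port-22 rule is my addition that uses the "ssh" group given to the laptop above:

```yaml
# Lighthouse: /opt/nebula/nebula-config.yaml on the lighthouse host.
pki:
  ca: /opt/nebula/ca.crt
  cert: /opt/nebula/lighthouse.crt   # the cert signed with -name "lighthouse" above
  key: /opt/nebula/lighthouse.key    # never ca.key, and never another host's key

# Nebula IP of the lighthouse -> where it can be reached on the internet.
# 203.0.113.10 is an assumed placeholder; use your lighthouse's real public IP.
static_host_map:
  "192.168.49.1": ["203.0.113.10:4242"]

lighthouse:
  am_lighthouse: true   # this host is the lighthouse
  interval: 60
  hosts: []             # a lighthouse never lists itself (the guide's "comment it out")

listen:
  host: 0.0.0.0
  port: 4242            # must match the ufw rule and the static_host_map entry

punchy: true            # keep NAT mappings alive (newer releases' example config nests this setting; check the example for your version)

tun:
  dev: nebula1
  mtu: 1300

logging:
  level: info
  format: text

# Nebula's own firewall sits behind the kernel firewall. Outbound is open;
# inbound is deny-by-default, so every service you expose needs a rule.
firewall:
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m
    max_connections: 100000
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any           # ICMP from any mesh host: this is what makes the ping test work
      proto: icmp
      host: any
    - port: 22            # SSH only from hosts whose cert carries the "ssh" group
      proto: tcp
      group: ssh

---
# Client (laptop): identical to the above except for these sections.
pki:
  ca: /opt/nebula/ca.crt
  cert: /opt/nebula/laptop.crt
  key: /opt/nebula/laptop.key

lighthouse:
  am_lighthouse: false
  interval: 60
  hosts:
    - "192.168.49.1"     # Nebula IP of the lighthouse, the same key used in static_host_map
```

The inbound rules are where the groups from the sign step pay off: a host whose certificate does not carry the "ssh" group is dropped by Nebula before the packet ever reaches sshd, regardless of what the kernel firewall allows on the tun interface.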
We can now run it on the server and then on the client(s). Nebula creates a tun interface, so it needs root (or CAP_NET_ADMIN), hence the sudo:
sudo ./nebula -config /opt/nebula/nebula-config.yaml
You can now test that it's working with a simple ping from the client(s) to the lighthouse's Nebula address (192.168.49.1 if you are following this guide verbatim). The first reply may take a moment while the handshake completes. This only works because the example config's inbound firewall rule allows ICMP from any host; anything else (ssh, for instance) needs its own inbound rule.
On your lighthouse server again:
Assuming you've got responses to your ping coming back in now, all that's left to do is set this up as a service for at least your lighthouse.
sudo nano /usr/bin/nebula-start.sh
Paste in the contents below.
#!/bin/bash
/opt/nebula/nebula -config /opt/nebula/nebula-config.yaml
Make this executable
sudo chmod +x /usr/bin/nebula-start.sh
Then we need to create a systemd service to run this on boot.
sudo nano /etc/systemd/system/nebula-start.service
Paste in the contents below again.
Description=Start Nebula Mesh VPN as a service.
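Only the Description line of the unit survived on this page. A complete unit that does what the text describes, as an added example rather than the original's file, assuming the wrapper script at /usr/bin/nebula-start.sh from the previous step:

```ini
[Unit]
Description=Start Nebula Mesh VPN as a service.
# Wait for the network so the lighthouse can bind its public address.
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Nebula has to create the tun device, so it runs as root; no User= line here.
ExecStart=/usr/bin/nebula-start.sh
# Come back on crashes, but not on a clean exit (e.g. a config error you want to see).
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
```

The wrapper script is not strictly needed: ExecStart can point straight at /opt/nebula/nebula with the -config argument, which removes one root-executed file from the chain.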
Finally, we need to set the permissions on the unit file, reload systemd, enable and start the service, then check its status to make sure that it's working.
sudo chmod 644 /etc/systemd/system/nebula-start.service
sudo systemctl daemon-reload
sudo systemctl enable nebula-start.service
sudo systemctl start nebula-start.service
sudo systemctl status nebula-start.service
The official guide can be found here: