config.yml 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255
  1. # This is the nebula example configuration file. You must edit, at a minimum, the static_host_map, lighthouse, and firewall sections
  2. # Some options in this file are HUPable, including the pki section. (A HUP will reload credentials from disk without affecting existing tunnels)
  3. # PKI defines the location of credentials for this node. Each of these can also be inlined by using the yaml ": |" syntax.
  4. pki:
  5. # The CAs that are accepted by this node. Must contain one or more certificates created by 'nebula-cert ca'
  6. ca: /etc/nebula/ca.crt
  7. cert: /etc/nebula/host.crt
  8. key: /etc/nebula/host.key
  9. #blocklist is a list of certificate fingerprints that we will refuse to talk to
  10. #blocklist:
  11. # - c99d4e650533b92061b09918e838a5a0a6aaee21eed1d12fd937682865936c72
  12. # The static host map defines a set of hosts with fixed IP addresses on the internet (or any network).
  13. # A host can have multiple fixed IP addresses defined here, and nebula will try each when establishing a tunnel.
  14. # The syntax is:
  15. # "{nebula ip}": ["{routable ip/dns name}:{routable port}"]
  16. # Example, if your lighthouse has the nebula IP of 192.168.100.1 and has the real ip address of 100.64.22.11 and runs on port 4242:
  17. static_host_map:
  18. "192.168.100.1": ["100.64.22.11:4242"]
  19. lighthouse:
  20. # am_lighthouse is used to enable lighthouse functionality for a node. This should ONLY be true on nodes
  21. # you have configured to be lighthouses in your network
  22. am_lighthouse: false
  23. # serve_dns optionally starts a dns listener that responds to various queries and can even be
  24. # delegated to for resolution
  25. #serve_dns: false
  26. #dns:
  27. # The DNS host defines the IP to bind the dns listener to. This also allows binding to the nebula node IP.
  28. #host: 0.0.0.0
  29. #port: 53
  30. # interval is the number of seconds between updates from this node to a lighthouse.
  31. # during updates, a node sends information about its current IP addresses to each node.
  32. interval: 60
  33. # hosts is a list of lighthouse hosts this node should report to and query from
  34. # IMPORTANT: THIS SHOULD BE EMPTY ON LIGHTHOUSE NODES
  35. # IMPORTANT2: THIS SHOULD BE LIGHTHOUSES' NEBULA IPs, NOT LIGHTHOUSES' REAL ROUTABLE IPs
  36. hosts:
  37. - "192.168.100.1"
  38. # remote_allow_list allows you to control ip ranges that this node will
  39. # consider when handshaking to another node. By default, any remote IPs are
  40. # allowed. You can provide CIDRs here with `true` to allow and `false` to
  41. # deny. The most specific CIDR rule applies to each remote. If all rules are
  42. # "allow", the default will be "deny", and vice-versa. If both "allow" and
  43. # "deny" rules are present, then you MUST set a rule for "0.0.0.0/0" as the
  44. # default.
  45. #remote_allow_list:
  46. # Example to block IPs from this subnet from being used for remote IPs.
  47. #"172.16.0.0/12": false
  48. # A more complicated example, allow public IPs but only private IPs from a specific subnet
  49. #"0.0.0.0/0": true
  50. #"10.0.0.0/8": false
  51. #"10.42.42.0/24": true
  52. # local_allow_list allows you to filter which local IP addresses we advertise
  53. # to the lighthouses. This uses the same logic as `remote_allow_list`, but
  54. # additionally, you can specify an `interfaces` map of regular expressions
  55. # to match against interface names. The regexp must match the entire name.
  56. # All interface rules must be either true or false (and the default will be
  57. # the inverse). CIDR rules are matched after interface name rules.
  58. # Default is all local IP addresses.
  59. #local_allow_list:
  60. # Example to block tun0 and all docker interfaces.
  61. #interfaces:
  62. #tun0: false
  63. #'docker.*': false
  64. # Example to only advertise this subnet to the lighthouse.
  65. #"10.0.0.0/8": true
  66. # Port Nebula will be listening on. The default here is 4242. For a lighthouse node, the port should be defined,
  67. # however using port 0 will dynamically assign a port and is recommended for roaming nodes.
  68. listen:
  69. # To listen on both any ipv4 and ipv6 use "[::]"
  70. host: 0.0.0.0
  71. port: 4242
  72. # Sets the max number of packets to pull from the kernel for each syscall (under systems that support recvmmsg)
  73. # default is 64, does not support reload
  74. #batch: 64
  75. # Configure socket buffers for the udp side (outside), leave unset to use the system defaults. Values will be doubled by the kernel
  76. # Default is net.core.rmem_default and net.core.wmem_default (/proc/sys/net/core/rmem_default and /proc/sys/net/core/rmem_default)
  77. # Maximum is limited by memory in the system, SO_RCVBUFFORCE and SO_SNDBUFFORCE is used to avoid having to raise the system wide
  78. # max, net.core.rmem_max and net.core.wmem_max
  79. #read_buffer: 10485760
  80. #write_buffer: 10485760
  81. # EXPERIMENTAL: This option is currently only supported on linux and may
  82. # change in future minor releases.
  83. #
  84. # Routines is the number of thread pairs to run that consume from the tun and UDP queues.
  85. # Currently, this defaults to 1 which means we have 1 tun queue reader and 1
  86. # UDP queue reader. Setting this above one will set IFF_MULTI_QUEUE on the tun
  87. # device and SO_REUSEPORT on the UDP socket to allow multiple queues.
  88. #routines: 1
  89. punchy:
  90. # Continues to punch inbound/outbound at a regular interval to avoid expiration of firewall nat mappings
  91. punch: true
  92. # respond means that a node you are trying to reach will connect back out to you if your hole punching fails
  93. # this is extremely useful if one node is behind a difficult nat, such as a symmetric NAT
  94. # Default is false
  95. #respond: true
  96. # delays a punch response for misbehaving NATs, default is 1 second, respond must be true to take effect
  97. #delay: 1s
  98. # Cipher allows you to choose between the available ciphers for your network. Options are chachapoly or aes
  99. # IMPORTANT: this value must be identical on ALL NODES/LIGHTHOUSES. We do not/will not support use of different ciphers simultaneously!
  100. #cipher: chachapoly
  101. # Preferred ranges is used to define a hint about the local network ranges, which speeds up discovering the fastest
  102. # path to a network adjacent nebula node.
  103. # NOTE: the previous option "local_range" only allowed definition of a single range
  104. # and has been deprecated for "preferred_ranges"
  105. #preferred_ranges: ["172.16.0.0/24"]
  106. # sshd can expose informational and administrative functions via ssh this is a
  107. #sshd:
  108. # Toggles the feature
  109. #enabled: true
  110. # Host and port to listen on, port 22 is not allowed for your safety
  111. #listen: 127.0.0.1:2222
  112. # A file containing the ssh host private key to use
  113. # A decent way to generate one: ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null
  114. #host_key: ./ssh_host_ed25519_key
  115. # A file containing a list of authorized public keys
  116. #authorized_users:
  117. #- user: steeeeve
  118. # keys can be an array of strings or single string
  119. #keys:
  120. #- "ssh public key string"
  121. # Configure the private interface. Note: addr is baked into the nebula certificate
  122. tun:
  123. # When tun is disabled, a lighthouse can be started without a local tun interface (and therefore without root)
  124. disabled: false
  125. # Name of the device
  126. dev: nebula1
  127. # Toggles forwarding of local broadcast packets, the address of which depends on the ip/mask encoded in pki.cert
  128. drop_local_broadcast: false
  129. # Toggles forwarding of multicast packets
  130. drop_multicast: false
  131. # Sets the transmit queue length, if you notice lots of transmit drops on the tun it may help to raise this number. Default is 500
  132. tx_queue: 500
  133. # Default MTU for every packet, safe setting is (and the default) 1300 for internet based traffic
  134. mtu: 1300
  135. # Route based MTU overrides, you have known vpn ip paths that can support larger MTUs you can increase/decrease them here
  136. routes:
  137. #- mtu: 8800
  138. # route: 10.0.0.0/16
  139. # Unsafe routes allows you to route traffic over nebula to non-nebula nodes
  140. # Unsafe routes should be avoided unless you have hosts/services that cannot run nebula
  141. # NOTE: The nebula certificate of the "via" node *MUST* have the "route" defined as a subnet in its certificate
  142. unsafe_routes:
  143. #- route: 172.16.1.0/24
  144. # via: 192.168.100.99
  145. # mtu: 1300 #mtu will default to tun mtu if this option is not sepcified
  146. # TODO
  147. # Configure logging level
  148. logging:
  149. # panic, fatal, error, warning, info, or debug. Default is info
  150. level: info
  151. # json or text formats currently available. Default is text
  152. format: text
  153. # Disable timestamp logging. useful when output is redirected to logging system that already adds timestamps. Default is false
  154. #disable_timestamp: true
  155. # timestamp format is specified in Go time format, see:
  156. # https://golang.org/pkg/time/#pkg-constants
  157. # default when `format: json`: "2006-01-02T15:04:05Z07:00" (RFC3339)
  158. # default when `format: text`:
  159. # when TTY attached: seconds since beginning of execution
  160. # otherwise: "2006-01-02T15:04:05Z07:00" (RFC3339)
  161. # As an example, to log as RFC3339 with millisecond precision, set to:
  162. #timestamp_format: "2006-01-02T15:04:05.000Z07:00"
  163. #stats:
  164. #type: graphite
  165. #prefix: nebula
  166. #protocol: tcp
  167. #host: 127.0.0.1:9999
  168. #interval: 10s
  169. #type: prometheus
  170. #listen: 127.0.0.1:8080
  171. #path: /metrics
  172. #namespace: prometheusns
  173. #subsystem: nebula
  174. #interval: 10s
  175. # enables counter metrics for meta packets
  176. # e.g.: `messages.tx.handshake`
  177. # NOTE: `message.{tx,rx}.recv_error` is always emitted
  178. #message_metrics: false
  179. # enables detailed counter metrics for lighthouse packets
  180. # e.g.: `lighthouse.rx.HostQuery`
  181. #lighthouse_metrics: false
  182. # Handshake Manager Settings
  183. #handshakes:
  184. # Handshakes are sent to all known addresses at each interval with a linear backoff,
  185. # Wait try_interval after the 1st attempt, 2 * try_interval after the 2nd, etc, until the handshake is older than timeout
  186. # A 100ms interval with the default 10 retries will give a handshake 5.5 seconds to resolve before timing out
  187. #try_interval: 100ms
  188. #retries: 20
  189. # trigger_buffer is the size of the buffer channel for quickly sending handshakes
  190. # after receiving the response for lighthouse queries
  191. #trigger_buffer: 64
  192. # Nebula security group configuration
  193. firewall:
  194. conntrack:
  195. tcp_timeout: 12m
  196. udp_timeout: 3m
  197. default_timeout: 10m
  198. max_connections: 100000
  199. # The firewall is default deny. There is no way to write a deny rule.
  200. # Rules are comprised of a protocol, port, and one or more of host, group, or CIDR
  201. # Logical evaluation is roughly: port AND proto AND (ca_sha OR ca_name) AND (host OR group OR groups OR cidr)
  202. # - port: Takes `0` or `any` as any, a single number `80`, a range `200-901`, or `fragment` to match second and further fragments of fragmented packets (since there is no port available).
  203. # code: same as port but makes more sense when talking about ICMP, TODO: this is not currently implemented in a way that works, use `any`
  204. # proto: `any`, `tcp`, `udp`, or `icmp`
  205. # host: `any` or a literal hostname, ie `test-host`
  206. # group: `any` or a literal group name, ie `default-group`
  207. # groups: Same as group but accepts a list of values. Multiple values are AND'd together and a certificate would have to contain all groups to pass
  208. # cidr: a CIDR, `0.0.0.0/0` is any.
  209. # ca_name: An issuing CA name
  210. # ca_sha: An issuing CA shasum
  211. outbound:
  212. # Allow all outbound traffic from this node
  213. - port: any
  214. proto: any
  215. host: any
  216. inbound:
  217. # Allow icmp between any nebula hosts
  218. - port: any
  219. proto: icmp
  220. host: any
  221. # Allow tcp/443 from any host with BOTH laptop and home group
  222. - port: 443
  223. proto: tcp
  224. groups:
  225. - laptop
  226. - home