صفحهٔ اصلی گشت‌و‌گذار راهنما
ورود
vpn
/
nebula
mirrorاز https://github.com/slackhq/nebula.git
2
0
انشعاب 0
پرونده‌ها مشکلات 0 ویکی
درخت: f22b4b584d
شاخه‌ها تگ‌ها
nebula
/
examples
/
config.yaml

config.yaml 6.5 KB
تاريخچه خام

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160 
  1. # This is the nebula example configuration file. You must edit, at a minimum, the static_host_map, lighthouse, and firewall sections
    2. 

  2. 

  3. 

  4. # PKI defines the location of credentials for this node. Each of these can also be inlined by using the yaml ": |" syntax.
    5. 

  5. pki:
    6. 

  6.   ca: /etc/nebula/ca.crt
    7. 

  7.   cert: /etc/nebula/host.crt
    8. 

  8.   key: /etc/nebula/host.key
    9. 

  9.   #blacklist is a list of certificate fingerprints that we will refuse to talk to
    10. 

  10.   #blacklist:
    11. 

  11.   #  - c99d4e650533b92061b09918e838a5a0a6aaee21eed1d12fd937682865936c72
    12. 

  12. 

  13. # The static host map defines a set of hosts with with fixed IP addresses on the internet (or any network).
    14. 

  14. # A host can have multiple fixed IP addresses defined here, and nebula will try each when establishing a tunnel.
    15. 

  15. # The syntax is:
    16. 

  16. #   "{nebula ip}": ["{routable ip/dns name}:{routable port}"]
    17. 

  17. # Example, if your lighthouse has the nebula IP of 192.168.100.1 and has the real ip address of 100.64.22.11 and runs on port 4242:
    18. 

  18. static_host_map:
    19. 

  19.   "192.168.100.1": ["100.64.22.11:4242"]
    20. 

  20. 

  21. 

  22. lighthouse:
    23. 

  23.   # am_lighthouse is used to enable lighthouse functionality for a node. This should ONLY be true on nodes
    24. 

  24.   # you have configured to be lighthouses in your network
    25. 

  25.   am_lighthouse: false
    26. 

  26.   # serve_dns optionally starts a dns listener that responds to various queries and can even be
    27. 

  27.   # delegated to for resolution
    28. 

  28.   #serve_dns: false
    29. 

  29.   # interval is the number of seconds between updates from this node to a lighthouse.
    30. 

  30.   # during updates, a node sends information about its current IP addresses to each node.
    31. 

  31.   interval: 60
    32. 

  32.   # hosts is a list of lighthouse hosts this node should report to and query from
    33. 

  33.   # IMPORTANT: THIS SHOULD BE EMPTY ON LIGHTHOUSE NODES
    34. 

  34.   hosts:
    35. 

  35.     - "192.168.100.1"
    36. 

  36. 

  37. # Port Nebula will be listening on. The default here is 4242. For a lighthouse node, the port should be defined,
    38. 

  38. # however using port 0 will dynamically assign a port and is recommended for roaming nodes.
    39. 

  39. listen:
    40. 

  40.   host: 0.0.0.0
    41. 

  41.   port: 4242
    42. 

  42.   # Sets the max number of packets to pull from the kernel for each syscall (under systems that support recvmmsg)
    43. 

  43.   # default is 64, does not support reload
    44. 

  44.   #batch: 64
    45. 

  45.   # Configure socket buffers for the udp side (outside), leave unset to use the system defaults. Values will be doubled by the kernel
    46. 

  46.   # Default is net.core.rmem_default and net.core.wmem_default (/proc/sys/net/core/rmem_default and /proc/sys/net/core/rmem_default)
    47. 

  47.   # Maximum is limited by memory in the system, SO_RCVBUFFORCE and SO_SNDBUFFORCE is used to avoid having to raise the system wide
    48. 

  48.   # max, net.core.rmem_max and net.core.wmem_max
    49. 

  49.   #read_buffer: 10485760
    50. 

  50.   #write_buffer: 10485760
    51. 

  51. 

  52. 

  53. # Local range is used to define a hint about the local network range, which speeds up discovering the fastest
    54. 

  54. # path to a network adjacent nebula node.
    55. 

  55. #local_range: "172.16.0.0/24"
    56. 

  56. 

  57. # Handshake mac is an optional network-wide handshake authentication step that is used to prevent nebula from
    58. 

  58. # responding to handshakes from nodes not in possession of the shared secret. This is primarily used to prevent
    59. 

  59. # detection of nebula nodes when someone is scanning a network.
    60. 

  60. #handshake_mac:
    61. 

  61.   #key: "DONOTUSETHISKEY"
    62. 

  62.   # You can define multiple accepted keys
    63. 

  63.   #accepted_keys:
    64. 

  64.     #- "DONOTUSETHISKEY"
    65. 

  65.     #- "dontusethiseither"
    66. 

  66. 

  67. # sshd can expose informational and administrative functions via ssh this is a
    68. 

  68. #sshd:
    69. 

  69.   # Toggles the feature
    70. 

  70.   #enabled: true
    71. 

  71.   # Host and port to listen on, port 22 is not allowed for your safety
    72. 

  72.   #listen: 127.0.0.1:2222
    73. 

  73.   # A file containing the ssh host private key to use
    74. 

  74.   # A decent way to generate one: ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null
    75. 

  75.   #host_key: ./ssh_host_ed25519_key
    76. 

  76.   # A file containing a list of authorized public keys
    77. 

  77.   #authorized_users:
    78. 

  78.     #- user: steeeeve
    79. 

  79.       # keys can be an array of strings or single string
    80. 

  80.       #keys:
    81. 

  81.         #- "ssh public key string"
    82. 

  82. 

  83. # Configure the private interface. Note: addr is baked into the nebula certificate
    84. 

  84. tun:
    85. 

  85.   # Name of the device
    86. 

  86.   dev: nebula1
    87. 

  87.   # Toggles forwarding of local broadcast packets, the address of which depends on the ip/mask encoded in pki.cert
    88. 

  88.   drop_local_broadcast: false
    89. 

  89.   # Toggles forwarding of multicast packets
    90. 

  90.   drop_multicast: false
    91. 

  91.   # Sets the transmit queue length, if you notice lots of transmit drops on the tun it may help to raise this number. Default is 500
    92. 

  92.   tx_queue: 500
    93. 

  93.   # Default MTU for every packet, safe setting is (and the default) 1300 for internet based traffic
    94. 

  94.   mtu: 1300
    95. 

  95.   # Route based MTU overrides, you have known vpn ip paths that can support larger MTUs you can increase/decrease them here
    96. 

  96.   routes:
    97. 

  97.     #- mtu: 8800
    98. 

  98.     #  route: 10.0.0.0/16
    99. 

  99. 

  100. # TODO
    101. 

  101. # Configure logging level
    102. 

  102. logging:
    103. 

  103.   # panic, fatal, error, warning, info, or debug. Default is info
    104. 

  104.   level: info
    105. 

  105.   # json or text formats currently available. Default is text
    106. 

  106.   format: text
    107. 

  107. 

  108. #stats:
    109. 

  109.   #type: graphite
    110. 

  110.   #prefix: nebula
    111. 

  111.   #protocol: tcp
    112. 

  112.   #host: 127.0.0.1:9999
    113. 

  113.   #interval: 10s
    114. 

  114. 

  115.   #type: prometheus
    116. 

  116.   #listen: 127.0.0.1:8080
    117. 

  117.   #path: /metrics
    118. 

  118.   #namespace: prometheusns
    119. 

  119.   #subsystem: nebula
    120. 

  120.   #interval: 10s
    121. 

  121. 

  122. # Nebula security group configuration
    123. 

  123. firewall:
    124. 

  124.   conntrack:
    125. 

  125.     tcp_timeout: 120h
    126. 

  126.     udp_timeout: 3m
    127. 

  127.     default_timeout: 10m
    128. 

  128.     max_connections: 100000
    129. 

  129. 

  130.   # The firewall is default deny. There is no way to write a deny rule.
    131. 

  131.   # Rules are comprised of a protocol, port, and one or more of host, group, or CIDR
    132. 

  132.   # Logical evaluation is roughly: port AND proto AND ca_sha AND ca_name AND (host OR group OR groups OR cidr)
    133. 

  133.   # - port: Takes `0` or `any` as any, a single number `80`, a range `200-901`, or `fragment` to match second and further fragments of fragmented packets (since there is no port available).
    134. 

  134.   #   code: same as port but makes more sense when talking about ICMP, TODO: this is not currently implemented in a way that works, use `any`
    135. 

  135.   #   proto: `any`, `tcp`, `udp`, or `icmp`
    136. 

  136.   #   host: `any` or a literal hostname, ie `test-host`
    137. 

  137.   #   group: `any` or a literal group name, ie `default-group`
    138. 

  138.   #   groups: Same as group but accepts a list of values. Multiple values are AND'd together and a certificate would have to contain all groups to pass
    139. 

  139.   #   cidr: a CIDR, `0.0.0.0/0` is any.
    140. 

  140.   #   ca_name: An issuing CA name
    141. 

  141.   #   ca_sha: An issuing CA shasum
    142. 

  142. 

  143.   outbound:
    144. 

  144.     # Allow all outbound traffic from this node
    145. 

  145.     - port: any
    146. 

  146.       proto: any
    147. 

  147.       host: any
    148. 

  148. 

  149.   inbound:
    150. 

  150.     # Allow icmp between any nebula hosts
    151. 

  151.     - port: any
    152. 

  152.       proto: icmp
    153. 

  153.       host: any
    154. 

  154. 

  155.     # Allow tcp/443 from any host with BOTH laptop and home group
    156. 

  156.     - port: 443
    157. 

  157.       proto: tcp
    158. 

  158.       groups:
    159. 

  159.         - laptop
    160. 

  160.         - home
    161.