diff --git a/nebula/ca.crt b/nebula/ca.crt new file mode 100644 index 0000000..cc878ec --- /dev/null +++ b/nebula/ca.crt @@ -0,0 +1,5 @@ +-----BEGIN NEBULA CERTIFICATE----- +CjoKCFdMRSwgQ28uKMqGr8IGMKqop+8IOiANZWDU6WbgoZooTcO2TjlJ7ccN+fCJ +RUjEVevW+cOxlkABEkC2srXg1IQWoK3Lq6jIlgwDAu2FumszyPWxQi+XvmzTlEjO +0WZetjjx+CooeHUuHIx1Acc6VwSmXDwfcqFq5zAL +-----END NEBULA CERTIFICATE----- diff --git a/nebula/ca.key b/nebula/ca.key new file mode 100644 index 0000000..a022d23 --- /dev/null +++ b/nebula/ca.key @@ -0,0 +1,4 @@ +-----BEGIN NEBULA ED25519 PRIVATE KEY----- +O9QzOi4KL7ToBFFCkD8IVr3bw0Bi4tV6e+ygDHiPr2kNZWDU6WbgoZooTcO2TjlJ +7ccN+fCJRUjEVevW+cOxlg== +-----END NEBULA ED25519 PRIVATE KEY----- diff --git a/nebula/config.yml b/nebula/config.yml new file mode 100644 index 0000000..eec4f1c --- /dev/null +++ b/nebula/config.yml @@ -0,0 +1,405 @@ +# This is the nebula example configuration file. You must edit, at a minimum, the static_host_map, lighthouse, and firewall sections +# Some options in this file are HUPable, including the pki section. (A HUP will reload credentials from disk without affecting existing tunnels) + +# PKI defines the location of credentials for this node. Each of these can also be inlined by using the yaml ": |" syntax. +pki: + # The CAs that are accepted by this node. Must contain one or more certificates created by 'nebula-cert ca' + ca: /etc/nebula/ca.crt + cert: /etc/nebula/host.crt + key: /etc/nebula/host.key + # blocklist is a list of certificate fingerprints that we will refuse to talk to + #blocklist: + # - c99d4e650533b92061b09918e838a5a0a6aaee21eed1d12fd937682865936c72 + # disconnect_invalid is a toggle to force a client to be disconnected if the certificate is expired or invalid. + #disconnect_invalid: true + + # initiating_version controls which certificate version is used when initiating handshakes. + # This setting only applies if both a v1 and a v2 certificate are configured, in which case it will default to `1`. + # Once all hosts in the mesh are configured with both a v1 and v2 certificate then this should be changed to `2`. + # After all hosts in the mesh are using a v2 certificate then v1 certificates are no longer needed. + # initiating_version: 1 + +# The static host map defines a set of hosts with fixed IP addresses on the internet (or any network). +# A host can have multiple fixed IP addresses defined here, and nebula will try each when establishing a tunnel. +# The syntax is: +# "{nebula ip}": ["{routable ip/dns name}:{routable port}"] +# Example, if your lighthouse has the nebula IP of 192.168.100.1 and has the real ip address of 100.64.22.11 and runs on port 4242: +static_host_map: + "192.168.100.1": ["100.64.22.11:4242"] + +# The static_map config stanza can be used to configure how the static_host_map behaves. +#static_map: + # cadence determines how frequently DNS is re-queried for updated IP addresses when a static_host_map entry contains + # a DNS name. + #cadence: 30s + + # network determines the type of IP addresses to ask the DNS server for. The default is "ip4" because nodes typically + # do not know their public IPv4 address. Connecting to the Lighthouse via IPv4 allows the Lighthouse to detect the + # public address. Other valid options are "ip6" and "ip" (returns both.) + #network: ip4 + + # lookup_timeout is the DNS query timeout. + #lookup_timeout: 250ms + +lighthouse: + # am_lighthouse is used to enable lighthouse functionality for a node. This should ONLY be true on nodes + # you have configured to be lighthouses in your network + am_lighthouse: false + # serve_dns optionally starts a dns listener that responds to various queries and can even be + # delegated to for resolution + #serve_dns: false + #dns: + # The DNS host defines the IP to bind the dns listener to. This also allows binding to the nebula node IP. + #host: 0.0.0.0 + #port: 53 + # interval is the number of seconds between updates from this node to a lighthouse. + # during updates, a node sends information about its current IP addresses to each node. + interval: 60 + # hosts is a list of lighthouse hosts this node should report to and query from + # IMPORTANT: THIS SHOULD BE EMPTY ON LIGHTHOUSE NODES + # IMPORTANT2: THIS SHOULD BE LIGHTHOUSES' NEBULA IPs, NOT LIGHTHOUSES' REAL ROUTABLE IPs + hosts: + - "192.168.100.1" + + # remote_allow_list allows you to control ip ranges that this node will + # consider when handshaking to another node. By default, any remote IPs are + # allowed. You can provide CIDRs here with `true` to allow and `false` to + # deny. The most specific CIDR rule applies to each remote. If all rules are + # "allow", the default will be "deny", and vice-versa. If both "allow" and + # "deny" IPv4 rules are present, then you MUST set a rule for "0.0.0.0/0" as + # the default. Similarly if both "allow" and "deny" IPv6 rules are present, + # then you MUST set a rule for "::/0" as the default. + #remote_allow_list: + # Example to block IPs from this subnet from being used for remote IPs. + #"172.16.0.0/12": false + + # A more complicated example, allow public IPs but only private IPs from a specific subnet + #"0.0.0.0/0": true + #"10.0.0.0/8": false + #"10.42.42.0/24": true + + # EXPERIMENTAL: This option may change or disappear in the future. + # Optionally allows the definition of remote_allow_list blocks + # specific to an inside VPN IP CIDR. + #remote_allow_ranges: + # This rule would only allow only private IPs for this VPN range + #"10.42.42.0/24": + #"192.168.0.0/16": true + + # local_allow_list allows you to filter which local IP addresses we advertise + # to the lighthouses. This uses the same logic as `remote_allow_list`, but + # additionally, you can specify an `interfaces` map of regular expressions + # to match against interface names. The regexp must match the entire name. + # All interface rules must be either true or false (and the default will be + # the inverse). CIDR rules are matched after interface name rules. + # Default is all local IP addresses. + #local_allow_list: + # Example to block tun0 and all docker interfaces. + #interfaces: + #tun0: false + #'docker.*': false + # Example to only advertise this subnet to the lighthouse. + #"10.0.0.0/8": true + + # advertise_addrs are routable addresses that will be included along with discovered addresses to report to the + # lighthouse, the format is "ip:port". `port` can be `0`, in which case the actual listening port will be used in its + # place, useful if `listen.port` is set to 0. + # This option is mainly useful when there are static ip addresses the host can be reached at that nebula can not + # typically discover on its own. Examples being port forwarding or multiple paths to the internet. + #advertise_addrs: + #- "1.1.1.1:4242" + #- "1.2.3.4:0" # port will be replaced with the real listening port + + # EXPERIMENTAL: This option may change or disappear in the future. + # This setting allows us to "guess" what the remote might be for a host + # while we wait for the lighthouse response. + #calculated_remotes: + # For any Nebula IPs in 10.0.10.0/24, this will apply the mask and add + # the calculated IP as an initial remote (while we wait for the response + # from the lighthouse). Both CIDRs must have the same mask size. + # For example, Nebula IP 10.0.10.123 will have a calculated remote of + # 192.168.1.123 + #10.0.10.0/24: + #- mask: 192.168.1.0/24 + # port: 4242 + +# Port Nebula will be listening on. The default here is 4242. For a lighthouse node, the port should be defined, +# however using port 0 will dynamically assign a port and is recommended for roaming nodes. +listen: + # To listen on only ipv4, use "0.0.0.0" + host: "::" + port: 4242 + # Sets the max number of packets to pull from the kernel for each syscall (under systems that support recvmmsg) + # default is 64, does not support reload + #batch: 64 + # Configure socket buffers for the udp side (outside), leave unset to use the system defaults. Values will be doubled by the kernel + # Default is net.core.rmem_default and net.core.wmem_default (/proc/sys/net/core/rmem_default and /proc/sys/net/core/rmem_default) + # Maximum is limited by memory in the system, SO_RCVBUFFORCE and SO_SNDBUFFORCE is used to avoid having to raise the system wide + # max, net.core.rmem_max and net.core.wmem_max + #read_buffer: 10485760 + #write_buffer: 10485760 + # By default, Nebula replies to packets it has no tunnel for with a "recv_error" packet. This packet helps speed up reconnection + # in the case that Nebula on either side did not shut down cleanly. This response can be abused as a way to discover if Nebula is running + # on a host though. This option lets you configure if you want to send "recv_error" packets always, never, or only to private network remotes. + # valid values: always, never, private + # This setting is reloadable. + #send_recv_error: always + # The so_sock option is a Linux-specific feature that allows all outgoing Nebula packets to be tagged with a specific identifier. + # This tagging enables IP rule-based filtering. For example, it supports 0.0.0.0/0 unsafe_routes, + # allowing for more precise routing decisions based on the packet tags. Default is 0 meaning no mark is set. + # This setting is reloadable. + #so_mark: 0 + +# Routines is the number of thread pairs to run that consume from the tun and UDP queues. +# Currently, this defaults to 1 which means we have 1 tun queue reader and 1 +# UDP queue reader. Setting this above one will set IFF_MULTI_QUEUE on the tun +# device and SO_REUSEPORT on the UDP socket to allow multiple queues. +# This option is only supported on Linux. +#routines: 1 + +punchy: + # Continues to punch inbound/outbound at a regular interval to avoid expiration of firewall nat mappings + punch: true + + # respond means that a node you are trying to reach will connect back out to you if your hole punching fails + # this is extremely useful if one node is behind a difficult nat, such as a symmetric NAT + # Default is false + #respond: true + + # delays a punch response for misbehaving NATs, default is 1 second. + #delay: 1s + + # set the delay before attempting punchy.respond. Default is 5 seconds. respond must be true to take effect. + #respond_delay: 5s + +# Cipher allows you to choose between the available ciphers for your network. Options are chachapoly or aes +# IMPORTANT: this value must be identical on ALL NODES/LIGHTHOUSES. We do not/will not support use of different ciphers simultaneously! +#cipher: aes + +# Preferred ranges is used to define a hint about the local network ranges, which speeds up discovering the fastest +# path to a network adjacent nebula node. +# This setting is reloadable. +#preferred_ranges: ["172.16.0.0/24"] + +# sshd can expose informational and administrative functions via ssh. This can expose informational and administrative +# functions, and allows manual tweaking of various network settings when debugging or testing. +#sshd: + # Toggles the feature + #enabled: true + # Host and port to listen on, port 22 is not allowed for your safety + #listen: 127.0.0.1:2222 + # A file containing the ssh host private key to use + # A decent way to generate one: ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null + #host_key: ./ssh_host_ed25519_key + # Authorized users and their public keys + #authorized_users: + #- user: steeeeve + # keys can be an array of strings or single string + #keys: + #- "ssh public key string" + # Trusted SSH CA public keys. These are the public keys of the CAs that are allowed to sign SSH keys for access. + #trusted_cas: + #- "ssh public key string" + +# EXPERIMENTAL: relay support for networks that can't establish direct connections. +relay: + # Relays are a list of Nebula IP's that peers can use to relay packets to me. + # IPs in this list must have am_relay set to true in their configs, otherwise + # they will reject relay requests. + #relays: + #- 192.168.100.1 + #- + # Set am_relay to true to permit other hosts to list my IP in their relays config. Default false. + am_relay: false + # Set use_relays to false to prevent this instance from attempting to establish connections through relays. + # default true + use_relays: true + +# Configure the private interface. Note: addr is baked into the nebula certificate +tun: + # When tun is disabled, a lighthouse can be started without a local tun interface (and therefore without root) + disabled: false + # Name of the device. If not set, a default will be chosen by the OS. + # For macOS: if set, must be in the form `utun[0-9]+`. + # For NetBSD: Required to be set, must be in the form `tun[0-9]+` + dev: nebula1 + # Toggles forwarding of local broadcast packets, the address of which depends on the ip/mask encoded in pki.cert + drop_local_broadcast: false + # Toggles forwarding of multicast packets + drop_multicast: false + # Sets the transmit queue length, if you notice lots of transmit drops on the tun it may help to raise this number. Default is 500 + tx_queue: 500 + # Default MTU for every packet, safe setting is (and the default) 1300 for internet based traffic + mtu: 1300 + + # Route based MTU overrides, you have known vpn ip paths that can support larger MTUs you can increase/decrease them here + routes: + #- mtu: 8800 + # route: 10.0.0.0/16 + + # Unsafe routes allows you to route traffic over nebula to non-nebula nodes + # Unsafe routes should be avoided unless you have hosts/services that cannot run nebula + # Supports weighted ECMP if you define a list of gateways, this can be used for load balancing or redundancy to hosts outside of nebula + # NOTES: + # * You will only see a single gateway in the routing table if you are not on linux + # * If a gateway is not reachable through the overlay another gateway will be selected to send the traffic through, ignoring weights + # + # unsafe_routes: + # # Multiple gateways without defining a weight defaults to a weight of 1, this will balance traffic equally between the three gateways + # - route: 192.168.87.0/24 + # via: + # - gateway: 10.0.0.1 + # - gateway: 10.0.0.2 + # - gateway: 10.0.0.3 + # # Multiple gateways with a weight, this will balance traffic accordingly + # - route: 192.168.87.0/24 + # via: + # - gateway: 10.0.0.1 + # weight: 10 + # - gateway: 10.0.0.2 + # weight: 5 + # + # NOTE: The nebula certificate of the "via" node(s) *MUST* have the "route" defined as a subnet in its certificate + # `via`: single node or list of gateways to use for this route + # `mtu`: will default to tun mtu if this option is not specified + # `metric`: will default to 0 if this option is not specified + # `install`: will default to true, controls whether this route is installed in the systems routing table. + # This setting is reloadable. + unsafe_routes: + #- route: 172.16.1.0/24 + # via: 192.168.100.99 + # mtu: 1300 + # metric: 100 + # install: true + + # On linux only, set to true to manage unsafe routes directly on the system route table with gateway routes instead of + # in nebula configuration files. Default false, not reloadable. + #use_system_route_table: false + # Buffer size for reading routes updates. 0 means default system buffer size. (/proc/sys/net/core/rmem_default). + # If using massive routes updates, for example BGP, you may need to increase this value to avoid packet loss. + # SO_RCVBUFFORCE is used to avoid having to raise the system wide max + #use_system_route_table_buffer_size: 0 + +# Configure logging level +logging: + # panic, fatal, error, warning, info, or debug. Default is info and is reloadable. + #NOTE: Debug mode can log remotely controlled/untrusted data which can quickly fill a disk in some + # scenarios. Debug logging is also CPU intensive and will decrease performance overall. + # Only enable debug logging while actively investigating an issue. + level: info + # json or text formats currently available. Default is text + format: text + # Disable timestamp logging. useful when output is redirected to logging system that already adds timestamps. Default is false + #disable_timestamp: true + # timestamp format is specified in Go time format, see: + # https://golang.org/pkg/time/#pkg-constants + # default when `format: json`: "2006-01-02T15:04:05Z07:00" (RFC3339) + # default when `format: text`: + # when TTY attached: seconds since beginning of execution + # otherwise: "2006-01-02T15:04:05Z07:00" (RFC3339) + # As an example, to log as RFC3339 with millisecond precision, set to: + #timestamp_format: "2006-01-02T15:04:05.000Z07:00" + +#stats: + #type: graphite + #prefix: nebula + #protocol: tcp + #host: 127.0.0.1:9999 + #interval: 10s + + #type: prometheus + #listen: 127.0.0.1:8080 + #path: /metrics + #namespace: prometheusns + #subsystem: nebula + #interval: 10s + + # enables counter metrics for meta packets + # e.g.: `messages.tx.handshake` + # NOTE: `message.{tx,rx}.recv_error` is always emitted + #message_metrics: false + + # enables detailed counter metrics for lighthouse packets + # e.g.: `lighthouse.rx.HostQuery` + #lighthouse_metrics: false + +# Handshake Manager Settings +#handshakes: + # Handshakes are sent to all known addresses at each interval with a linear backoff, + # Wait try_interval after the 1st attempt, 2 * try_interval after the 2nd, etc, until the handshake is older than timeout + # A 100ms interval with the default 10 retries will give a handshake 5.5 seconds to resolve before timing out + #try_interval: 100ms + #retries: 20 + + # query_buffer is the size of the buffer channel for querying lighthouses + #query_buffer: 64 + + # trigger_buffer is the size of the buffer channel for quickly sending handshakes + # after receiving the response for lighthouse queries + #trigger_buffer: 64 + + +# Nebula security group configuration +firewall: + # Action to take when a packet is not allowed by the firewall rules. + # Can be one of: + # `drop` (default): silently drop the packet. + # `reject`: send a reject reply. + # - For TCP, this will be a RST "Connection Reset" packet. + # - For other protocols, this will be an ICMP port unreachable packet. + outbound_action: drop + inbound_action: drop + + # THIS FLAG IS DEPRECATED AND WILL BE REMOVED IN A FUTURE RELEASE. (Defaults to false.) + # This setting only affects nebula hosts exposing unsafe_routes. When set to false, each inbound rule must contain a + # `local_cidr` if the intention is to allow traffic to flow to an unsafe route. When set to true, every firewall rule + # will apply to all configured unsafe_routes regardless of the actual destination of the packet, unless `local_cidr` + # is explicitly defined. This is usually not the desired behavior and should be avoided! + #default_local_cidr_any: false + + conntrack: + tcp_timeout: 12m + udp_timeout: 3m + default_timeout: 10m + + # The firewall is default deny. There is no way to write a deny rule. + # Rules are comprised of a protocol, port, and one or more of host, group, or CIDR + # Logical evaluation is roughly: port AND proto AND (ca_sha OR ca_name) AND (host OR group OR groups OR cidr) AND (local cidr) + # - port: Takes `0` or `any` as any, a single number `80`, a range `200-901`, or `fragment` to match second and further fragments of fragmented packets (since there is no port available). + # code: same as port but makes more sense when talking about ICMP, TODO: this is not currently implemented in a way that works, use `any` + # proto: `any`, `tcp`, `udp`, or `icmp` + # host: `any` or a literal hostname, ie `test-host` + # group: `any` or a literal group name, ie `default-group` + # groups: Same as group but accepts a list of values. Multiple values are AND'd together and a certificate would have to contain all groups to pass + # cidr: a remote CIDR, `0.0.0.0/0` is any ipv4 and `::/0` is any ipv6. + # local_cidr: a local CIDR, `0.0.0.0/0` is any ipv4 and `::/0` is any ipv6. This can be used to filter destinations when using unsafe_routes. + # By default, this is set to only the VPN (overlay) networks assigned via the certificate networks field unless `default_local_cidr_any` is set to true. + # If there are unsafe_routes present in this config file, `local_cidr` should be set appropriately for the intended us case. + # ca_name: An issuing CA name + # ca_sha: An issuing CA shasum + + outbound: + # Allow all outbound traffic from this node + - port: any + proto: any + host: any + + inbound: + # Allow icmp between any nebula hosts + - port: any + proto: icmp + host: any + + # Allow tcp/443 from any host with BOTH laptop and home group + - port: 443 + proto: tcp + groups: + - laptop + - home + + # Expose a subnet (unsafe route) to hosts with the group remote_client + # This example assume you have a subnet of 192.168.100.1/24 or larger encoded in the certificate + - port: 8080 + proto: tcp + group: remote_client + local_cidr: 192.168.100.1/24 diff --git a/nebula/操作概述.md b/nebula/操作概述.md new file mode 100644 index 0000000..8dfdb9e --- /dev/null +++ b/nebula/操作概述.md @@ -0,0 +1,136 @@ +# 操作概述 + +--- + +## Nebula 网络的架构 + +1. 灯塔节点 (lighthouse) +2. 证书授权 (certificate authority) +3. 终端节点 (host) + +### 灯塔节点 + +灯塔节点即中心节点,用于追踪所有其他节点,帮助其他节点建立连接。 + +### 证书授权 (CA) + +CA 由 2 个文件组成 :一个 CA 证书,以及关联的私匙 (private key)。 +CA 证书对整个网络公开,并被网络中所有终端信任 ; CA 私匙 则不公开,在不使用 Nebula 网络是可保持离线。 + +### 终端节点 + +终端节点即 Nubula 网络的单个普通节点,CA 用于验证加入网络中的每一个终端。 +一个终端证书包含名称、IP、组成员、其他终端细节等,终端不能修改自己的证书,修改即失去有效性,这可以杜绝假冒发生。 +每个终端都有自己的私匙,用于在创建隧道时使自身的标识符生效。 + +--- + +## 软件下载 + +Nebula 软件包包含 2 部分:nebula-cert 和 nebula binary, 支持各种平台:Linux, Windows, macOS, FreeBSD, iOS, Android, Docker +自 1.7.0 版本,Nebula 内置 CA 私匙加密功能,在生成 CA 时传递 -encrypt 参数即可达到加密目的。 + +## CA + +创建 Nebula 网络的第一步是 生成组织的 CA + +```shell +./nebula-cert ca -name "Myorganization, Inc" +``` + +该指令生成 ca.key 和 ca.cert 两个文件,ca.key 用来签署其他终端的证书,需要妥善保管,建议强加密。 +默认创建的 CA 有一年有效期,传递 --duration XXhXXmXXs 参数可指定有效期限,如 -duration 17531h 有效期限为 2 年。 + +--- + +## 快速构建 Nebula 网络 + +1. 创建灯塔节点 + +灯塔节点是整个 Nebula 网络中唯一需要固定 IP 地址的终端,灯塔节点对终端配置要求不高。 +灯塔节点需要对互联网开放 UDP/4242 端口,保证不被内部防火墙阻塞。 + +2. 生成各终端的证书和密钥 + +命令需要指定终端名称和 IP 地址,还可以指定组(用于隧道的通行规则) + +```shell +./nebula-cert sign -name "lighthouse1" -ip "192.168.100.1/24" +./nebula-cert sign -name "laptop" -ip "192.168.100.5/24" -groups "laptop,ssh" +./nebula-cert sign -name "server" -ip "192.168.100.9/24" -groups "servers" +``` + +3. 配置 Nebula + +下载示例配置文件,相应修改后作为各终端的配置文件。 + +**灯塔节点** + +```yaml +static_host_map: + +lighthouse: + am_lighthouse: true +``` + +灯塔节点配置文件中的 static_host_map 应当为空,即网络中的灯塔节点是唯一的。 + +**终端节点** + +```yaml +static_host_map: + '192.168.100.1': ['198.51.100.1:4242'] + +lighthouse: + am_lighthouse: false + interval: 60 + hosts: + - '192.168.100.1' +``` + +终端节点配置文件中中必须在 static_host_map 节和 lighthouse 节 的 hosts 中定义灯塔节点的公网 IP,以及隧道 IP 。 + +4. 防火墙配置 + +在配置文件中设定防火墙的数据流向规则。 + +```yaml +firewall: + outbound: + # Allow all outbound traffic from this node + - port: any + proto: any + host: any + + inbound: + # Allow icmp between any nebula hosts + - port: any + proto: icmp + host: any +``` + +5. 将生成的 4 个文件放入各终端,启动网络 + +将 CA、终端证书、密钥、配置文件放入一个目录(自定义),比如 + +```shell +mv config-lighthouse.yaml /etc/nebula/config.yaml +mv ca.crt /etc/nebula/ca.crt +mv lighthouse.crt /etc/nebula/host.crt +mv lighthouse.key /etc/nebula/host.key +``` + +启动 Nebula ,在参数中指定配置文件位置 + +```shell +./nebula -config /etc/nebula/config.yaml +``` + +6. 验证连通性 + +--- + +## Windows 注册服务 + +1. 使用系统自带 sc 命令 +2. 使用 nssm 注册工具 \ No newline at end of file diff --git a/nebula/杂记.md b/nebula/杂记.md new file mode 100644 index 0000000..288e127 --- /dev/null +++ b/nebula/杂记.md @@ -0,0 +1,7 @@ +# 各种 + +## 私有地址 IPV4 + +10.0.0.0/8 +172.16.0.0/12 +192.168.0.0/16 \ No newline at end of file