Nebula on Fedora

 June 30, 2022

In the last year, I moved more and more data and services to hardware that I can directly control. A direct consequence of this is that I started to run more hardware at my house. This change has been very positive, but it is suboptimal when not at home. All services I run are secure and could be shared directly on the web, but I prefer a more cautious approach. For this reason, I decided to create a VPN.

My first VPN choice was Wireguard. In theory, it should have been a very sensible solution due to its security and protocol optimization. Reality is different, though, and creating a mesh network with Wireguard becomes very complex.

The first alternative I evaluated was Tailscale. I knew this service due to its popularity in the Linux community, so I decided to look at it. Starting from the fact that I was not even considering a third-party managed VPN, my interest quickly moved to headscale. With a little bit of more profound analysis, I realized that many Tailscale clients (even open-source ones) do not support well the usage of servers different from Tailscale’s, so this brought me to drop this option.

My attention shifted then to Nebula, a VPN system based on the Noise Protocol (the same one that Wireguard uses), but to create peer-to-peer networks. Since the beginning, I’ve enjoyed Nebula’s configuration simplicity, even if I suffered a little bit from the absence of complete documentation. After having installed it manually on multiple devices and appreciating its features, I decided to package it in Fedora so that it’s easier to install for myself and all the other Fedora users.

Since early June, the nebula package is now available in Fedora 36+, containing the latest version of Nebula.

Overall, Nebula works very well in my use case. The only feature I’ve not tried so far is the UDP hole punching to overcome NATs since I always try to connect to public destinations.

As for problematic features, the only one that I’ve not yet figured out how to make it work without damaging my machines' configuration is the Nebula DNS. My understanding is that Nebula DNS would need to bind on port 53 on the lighthouse, and the other nodes would need to connect to the lighthouse port 53. In my Fedora setup, this might prove not as easy as I’d like, but probably I’m missing some configuration.

If there is interest in the topic, I’ll do updates over time because I think Nebula is a very promising VPN, thanks to its reliability and simplicity.

 Fedora, Networking, Security, Self-hosting

 Nebula, VPN, WireGuard

Say something

Comments

Michael on 2023-04-06 06:14:07 UTC said:

Hello Fale,

I had already sent feedback from a few days ago, which I am attaching here, but apparently that didn’t work. That’s why I’m trying again.

Greetings Michael

Hello Fale,

Thank you for the article. I also use Nebula and am very satisfied with it. Currently I do all the configuration of all my clients on foot. I’ve also looked for Ansible solutions but I haven’t found a really good solution yet. Now I wanted to ask you how you manage it, because you are an Ansible professional. I would like to do the entire administration over the Nebula network itself for my clients. Especially with the firewall management and the associated groups, which have to be in the certificates. I would be very happy if you could maybe write another blog article about this.

Thank you very much for now and of course for your blog in general.

Greetings Michael

Fabio Alessandro Locati on 2023-04-08 15:11:28 UTC said:

Hi Micheal, Thanks a lot for your comment and for re-trying to send it. It seems like there was an “empty” comment at the end of March. I think there is a bug in the code that manages comments, but I’m not sure where it is, since it seems to be something random that I’ve never been able to reproduce.

As for your question, I have a very simple Ansible playbook to sync Nebula configuration. Since you seem interested in the topic, I’ll try to publish an article on it in the coming weeks :).

Joe on 2023-09-08 18:15:26 UTC said:

Hi Fale,

Thanks for your work packaging this for Fedora. Are there any plans to include this in the EPEL repos as well so it can be used with RHEL?

Fabio Alessandro Locati on 2023-09-09 10:28:53 UTC said:

Hi Joe, I plan to bring Nebula to EPEL, but at the moment it would be very complex due to the way the number of dependencies involved. A change might occur in the short term, and at that point it would be much easier to do so. Once it is clear if that change occurs, I’ll proceed with a more specific plan about Nebula in EPEL.