I have several computers across three different locations. I was looking for a way to ensure that they could all talk to each other without setting up any port forwarding, and the solution I came across was Nebula. Essentially, this is a tool that lets you create a virtual overlay network that connects all of your machines together, where each machine has its own dedicated IP address. This works even when the machines are hidden behind a home router.
Steps:
Install nebula on all the nodes.
Choose a node that will act as a certificate authority. Create a directory,
such as $HOME/.nebula, and run the following command inside the directory:
# nebula-cert ca -name "Etrem Certificate Authority"
This creates the files ca.crt and ca.key, which will be used to sign
certificates for each node.
Choose one or more nodes to serve as lighthouses. They must have a static public IP
address. Your regular nodes will essentially look up this lighthouse in order
to learn how to reach the other nodes. In my case, I decided to
designate draco as a lighthouse, since it was the only node that faced the
open internet.
For each node, generate a certificate and key signed by the certificate authority. Run these in the same directory as ca.crt and ca.key:
# nebula-cert sign -name draco -ip 10.42.0.1/24
# nebula-cert sign -name auriga -ip 10.42.0.2/24
# nebula-cert sign -name landau -ip 10.42.0.3/24
Take the resulting NODE_NAME.key and NODE_NAME.crt files that were
created in the previous step and copy them onto their respective hosts,
along with the ca.crt file generated by the certificate authority (only ca.crt;
ca.key stays on the CA node). Place them in the folder /etc/nebula/.
On the lighthouse node, create the configuration file at /etc/nebula/config.yml
and paste the following, filling in for the NODE_NAME and STATIC_IP_ADDRESS:
pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/NODE_NAME.crt
  key: /etc/nebula/NODE_NAME.key
static_host_map:
  "10.42.0.1": ["STATIC_IP_ADDRESS:4242"]
  # You may add additional hosts that have a static public IP address
lighthouse:
  am_lighthouse: true
  serve_dns: false
  interval: 60
listen:
  host: 0.0.0.0
  port: 4242
relay:
  am_relay: true
  use_relays: true
punchy:
  punch: true
tun:
  dev: nebula1
  unsafe_routes: []
  routes: []
logging:
  level: info
firewall:
  inbound:
    - port: any
      proto: any
      host: any
  outbound:
    - port: any
      proto: any
      host: any
On regular nodes, the file will be mostly the same, except for the following changes:
lighthouse:
  am_lighthouse: false
  hosts:
    - 10.42.0.1
relay:
  relays: ["10.42.0.1"]
  am_relay: false
  use_relays: true
You can tinker with these settings and figure out what works best for you.
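As an added example (not from these notes or the Nebula project), the following Python derives both config.yml variants from one function, so the lighthouse and regular-node files differ exactly where the steps above say they should, renders them as YAML, and flags the mistakes that most often leave a node unreachable. The public address 203.0.113.10 is a constructed placeholder standing in for STATIC_IP_ADDRESS.

```python
# Added example, not Nebula's own tooling: derive lighthouse and regular-node config.yml
# from one function so the variants differ only where the notes say, then sanity-check them.
# draco (10.42.0.1) is the sole lighthouse; its public address is a constructed placeholder.
LIGHTHOUSE_IP = "10.42.0.1"
LIGHTHOUSE_PUBLIC = "203.0.113.10:4242"  # placeholder (documentation range)
ALLOW_ALL = {"port": "any", "proto": "any", "host": "any"}  # wide open, as in the notes

def node_config(name: str, is_lighthouse: bool) -> dict:
    cfg = {  # everything except the lighthouse/relay stanzas is identical for both roles
        "pki": {"ca": "/etc/nebula/ca.crt", "cert": f"/etc/nebula/{name}.crt",
                "key": f"/etc/nebula/{name}.key"},
        "static_host_map": {LIGHTHOUSE_IP: [LIGHTHOUSE_PUBLIC]},
        "lighthouse": {"am_lighthouse": is_lighthouse, "serve_dns": False, "interval": 60,
                       "hosts": [] if is_lighthouse else [LIGHTHOUSE_IP]},
        "listen": {"host": "0.0.0.0", "port": 4242},
        "relay": {"am_relay": is_lighthouse, "use_relays": True},
        "punchy": {"punch": True},
        "tun": {"dev": "nebula1", "unsafe_routes": [], "routes": []},
        "logging": {"level": "info"},
        "firewall": {"inbound": [dict(ALLOW_ALL)], "outbound": [dict(ALLOW_ALL)]},
    }
    if not is_lighthouse:  # regular nodes fall back to relaying through the lighthouse
        cfg["relay"]["relays"] = [LIGHTHOUSE_IP]
    return cfg

def check(cfg: dict) -> list:  # copy/paste mistakes that leave a node silently unreachable
    problems, lh = [], cfg["lighthouse"]
    if lh["am_lighthouse"] and lh["hosts"]:
        problems.append("lighthouse.hosts must be empty on a lighthouse")
    if not lh["am_lighthouse"]:
        for ip in lh["hosts"] + cfg["relay"].get("relays", []):
            if ip not in cfg["static_host_map"]:
                problems.append(f"{ip} is a lighthouse/relay but has no static_host_map entry")
    if ALLOW_ALL in cfg["firewall"]["inbound"]:
        problems.append("inbound firewall allows everything; tighten it once the mesh works")
    return problems

def scalar(v) -> str:  # bool is tested before int because bool subclasses int
    if isinstance(v, list):  # flow-style list, e.g. ["10.42.0.1"] or []
        return "[" + ", ".join(scalar(x) for x in v) + "]"
    return ("true" if v else "false") if isinstance(v, bool) else str(v) if isinstance(v, int) else f'"{v}"'

def to_yaml(value, indent: int = 0) -> str:  # minimal emitter for the shapes config.yml uses
    pad = "  " * indent
    if isinstance(value, list):  # block list of mappings, i.e. the firewall rules
        return "\n".join(f"{pad}- " + to_yaml(item, indent + 1).lstrip() for item in value)
    lines = []
    for k, v in value.items():
        nested = isinstance(v, dict) or (isinstance(v, list) and v and isinstance(v[0], dict))
        lines.append(f"{pad}{k}:\n{to_yaml(v, indent + 1)}" if nested else f"{pad}{k}: {scalar(v)}")
    return "\n".join(lines)
```

Running `print(to_yaml(node_config("auriga", False)))` gives the regular-node file; `check()` on the configs above only reports the permissive inbound firewall.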
On your lighthouse node, install dnsmasq and map a private domain name to
each node's Nebula IP address by adding the following lines to
/etc/dnsmasq.conf:
address=/draco.neb/10.42.0.1
address=/auriga.neb/10.42.0.2
address=/landau.neb/10.42.0.3
Enable the dnsmasq daemon on the lighthouse node.
On each regular node, create the following file at
/etc/systemd/resolved.conf.d/nebula.conf:
[Resolve]
DNS=10.42.0.1
Domains=~neb neb
This allows each regular node to resolve any private domain names you give it into their corresponding Nebula IP addresses. Configure each node to accept your SSH keys as appropriate. Test your new Nebula cluster to make sure it works.