Good point. So, turns out I did in fact make a basic setup error - failing to verify my provider’s firewall allowed traffic on UDP 4242. After correcting that, the tunnel to the lighthouse works, but the clients still fail trying to see each other.
I’m guessing it’s some quirk of my home network, I’ll have to check router settings maybe… (It’s running freshtomato, don’t know if that matters.) I don’t think it’s a NixOS-side config question any longer, but for completeness, I’ll post my configuration. I even tried (temporarily) disabling the HOSTY firewall completely, with no improvement.
Config follows:
CA keys were generated with
nebula-cert ca -encrypt -name CA -out-qr CA.png -argon-memory 10485760 -duration 100h
plus passphrase, of course. Aggressive expiration was for testing purposes, I still have a couple days left.
HOSTX is the lighthouse, hosted on Hetzner Cloud with the publicly routable IP HOSTX_PUBLIC_IP.
# HOSTX's config
{
  services.nebula.networks.NAME = {
    enable = true;
    ca = "/etc/nebula/CA.crt";
    # nebula-cert sign -ca-crt CA.crt -ca-key CA.key -name HOSTX -ip '192.168.100.1/24'
    cert = "/etc/nebula/HOSTX.crt";
    key = "/etc/nebula/HOSTX.key";
    isLighthouse = true;
    settings = {
      punchy = {
        punch = true;
        respond = true;
      };
    };
  };
}
HOSTY is a NixOS client.
# HOSTY's config
{
  services.nebula.networks.NAME = {
    enable = true;
    ca = "/etc/nebula/CA.crt";
    # nebula-cert sign -ca-crt CA.crt -ca-key CA.key -name HOSTY -ip '192.168.100.2/24'
    cert = "/etc/nebula/HOSTY.crt";
    key = "/etc/nebula/HOSTY.key";
    lighthouses = [ "192.168.100.1" ];
    staticHostMap = {
      "192.168.100.1" = [ "HOSTX_PUBLIC_IP:4242" ];
    };
    settings = {
      punchy = {
        punch = true;
        respond = true;
      };
    };
  };
}
CA.crt and the respective client key/cert pairs were sent to both machines from the signing host.
HOSTZ is an Android client using the official nebula app, which generated its own key pair for me, so I simply copied the public key (HOSTZ.pub, below) to my signing host and signed it with the CA:
nebula-cert sign -ca-crt CA.crt -ca-key CA.key -name HOSTZ -ip '192.168.100.3/24' -in-pub HOSTZ.pub
after which I copied HOSTZ.crt back to the client. Then, I added a single entry under Lighthouses/Static Hosts, identical to the staticHostMap above.
Since I’ve already set up SSH from HOSTZ (Android) to HOSTY (NixOS) in the past, which does work without using nebula (when the machines are on the same network), I decided to use that as a quick test of connectivity.
From Termux running on HOSTZ I attempted to run:
ssh USER@192.168.100.2
which resulted in (HOSTY journal):
TIME HOSTY nebula[433028]: time="TIME" level=info msg="Handshake message sent" handshake="map[stage:1 style:ix_psk0]" initiatorIndex=3933893443 localIndex=3933893443 remoteIndex=0 udpAddrs="[HOSTZ_PUBLIC_IP:PORT]" vpnIp=192.168.100.3
TIME HOSTY nebula[433028]: time="TIME" level=info msg="Handshake timed out" durationNs=5609451322 handshake="map[stage:1 style:ix_psk0]" initiatorIndex=3933893443 localIndex=3933893443 remoteIndex=0 udpAddrs="[HOSTZ_PUBLIC_IP:PORT]" vpnIp=192.168.100.3
and symmetrical messages show in the HOSTZ logs in the nebula app.