OpenVPN to nebula
I have been using OpenVPN for my remote access for a while now and while it works well enough the newer options are very attractive and solve a couple of issues with OpenVPN. I have four use cases for my VPN which are:
1. Connecting remote sites back to my central server.
2. Managing remote sites from the central site.
3. Accessing central services while roaming.
4. Protecting my traffic while roaming on untrusted networks.
After looking at the different options I decided nebula was the most interesting, something I could host myself (as I was doing with OpenVPN) and should be able to address my four use cases (I think).
OpenVPN configuration
Before getting to nebula, I thought it would be worth mentioning how I achieve the use cases with OpenVPN. For Point 1 the central server operates as an OpenVPN server, so the remote servers simply connect back to it. Point 2 uses this same connection; devices at the central site only need a route for the VPN network to reach the remote servers. Point 3 is handled by pushing routes through OpenVPN to my roaming devices, which gives easy access when I am away. Last of all, Point 4 is achieved with the DNS option in OpenVPN: I set my central DNS server and, by adding a default route, all traffic is pushed over the VPN.
Other nice features I was using with OpenVPN
- Push commands for a lot of options means that end devices can use a simple config that I can load once and forget.
- Push commands can also be only applied to certain devices so DNS to roaming devices and not remote servers.
- TLS Authentication uses a shared public key to secure initial handshake which increases security and reduces DoS susceptibility.
Nebula configuration
In OpenVPN I use a central server that everything passes through, while nebula has lighthouses that help clients connect directly to each other, giving a mesh or overlay network. This means clients are not limited by the central server's speed, and you can quite easily run multiple lighthouses to give the network redundancy (I believe this is doable in OpenVPN but not as easy). Lighthouses also now support falling back to the central-server style model with a relay option if needed (which is great if you forget to open the inbound port on your firewall, IT STILL WORKS!!). One really nice feature that you won't see talked about often is the simple firewall built into nebula, which lets you group hosts for simple deny/allow lists; you can even turn the nebula adapter off on, say, a lighthouse so other devices on the VPN cannot connect to the lighthouse inside the VPN (interesting trust models here).
Ok, enough hyping up nebula, let's see how it fits our use cases.
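To make the lighthouse, relay and "adapter off" ideas concrete, here is an added example of a lighthouse config (this is my illustration, not config from the post). The file paths, listen port and IP addresses are assumptions; the keys (`lighthouse.am_lighthouse`, `relay.am_relay`, `tun.disabled`, `firewall`) are nebula's own.

```yaml
# Added example: a nebula lighthouse that also acts as a relay but has no
# overlay interface of its own, so other nodes cannot reach it inside the VPN.
# Paths, port and addresses are assumptions for illustration.
pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/lighthouse.crt
  key: /etc/nebula/lighthouse.key

lighthouse:
  am_lighthouse: true   # answers "where is host X" queries from the mesh

# Public address the lighthouse listens on; this is the inbound port you
# must open on the firewall in front of it.
listen:
  host: 0.0.0.0
  port: 4242

relay:
  am_relay: true        # nodes that cannot punch through NAT can fall back to this host
  use_relays: false     # the lighthouse itself never needs a relay

tun:
  disabled: true        # no nebula adapter on the lighthouse: nothing to attack inside the VPN

# Even with tun disabled, keep an explicit firewall so that re-enabling tun
# later does not silently expose the host; ICMP only.
firewall:
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any
      proto: icmp
      host: any
```

Because `tun.disabled` is true, the lighthouse only forwards handshake and relay traffic; it has no address reachable from the overlay, which is the "interesting trust model" mentioned above.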
1. No problem.
2. Again not an issue; I can even access remote sites when roaming if the central site is down (perfect time for maintenance).
3. If everything is on the nebula VPN then I can access it directly, but I have had to set up routing through the central server as I have a couple of devices nebula does not play well with (looking at you, Ubuntu nebula snap running on LXC!).
4. This one I am still figuring out, as I have not tested adding a default route inside nebula. There are DNS options, but from my understanding they are only for addresses inside the VPN. If everything you access is inside nebula then it is a non-issue (still a little while away from that, it seems).
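Points 2 and 3 above (relay fallback when the central site's port is closed, and routing to devices that cannot run nebula via the central server) map onto a roaming client config like the following. This is an added example, not the post's own config; the overlay subnet, the LAN behind the central server, the hostname and the `admins` group are assumptions.

```yaml
# Added example: a roaming laptop on the nebula mesh.
# 192.168.100.0/24 is the assumed overlay network; 192.168.100.1 is the
# lighthouse/relay, 192.168.100.2 the central server. All values are assumptions.
pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/laptop.crt
  key: /etc/nebula/laptop.key

# Overlay address -> public address of the lighthouse (assumed hostname).
static_host_map:
  "192.168.100.1": ["lighthouse.example.net:4242"]

lighthouse:
  am_lighthouse: false
  interval: 60
  hosts:
    - "192.168.100.1"

listen:
  host: 0.0.0.0
  port: 0              # random source port; fine for a client behind NAT

punchy:
  punch: true          # keep NAT mappings alive so peers can reach us directly

# If a direct path cannot be established, traffic is relayed via the lighthouse.
relay:
  use_relays: true
  relays:
    - 192.168.100.1

tun:
  disabled: false
  dev: nebula1
  # Reach the LAN behind the central server for devices nebula cannot run on.
  # The central server's certificate must be signed with this subnet and the
  # server must forward packets (see note below).
  unsafe_routes:
    - route: 10.10.0.0/24
      via: 192.168.100.2

# Allow-list inbound traffic by certificate group rather than by address.
firewall:
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any
      proto: icmp
      host: any
    - port: 22
      proto: tcp
      group: admins    # only hosts whose cert carries the "admins" group may SSH in
```

The `group` in the firewall rule is not something the client can assert itself: groups are baked into each host's certificate when it is signed with `nebula-cert sign -groups`, and the routed subnet likewise has to be listed in the central server's certificate (`-subnets`) with IP forwarding enabled there, otherwise nebula drops the traffic. Run `nebula -test -config config.yml` after editing; a non-zero exit means the file would not have loaded.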
Yet to be figured out
One thing I am sad to lose from OpenVPN is the push config feature: having a minimal config that I know will always work but can tweak (and revert) from only one side of the VPN is really, really great, as I have locked myself out of a remote site too many times. So updating multiple nebula configs is something I will have to juggle in the future (finally time to learn Ansible?). And I wish it was TOML instead of YAML, but nebula does have a handy little test feature to make sure your config is valid, so swings and roundabouts.
As I mentioned in Point 4 of the nebula section, there are still a couple of things I need to investigate further:
- DNS over VPN on connection (See UPDATE)
- Default route over VPN
While I do that and gain more confidence in nebula I still have OpenVPN as my "production" VPN, but I could also solve Point 4 with a WireGuard tunnel for each of my roaming devices. But now I am just sounding like some crazy VPN guy; I actually support people running OpenVPN all the time, so it's good to learn the lessons before I need them there.
Nebula is also not packaged in every distribution yet (maybe I should find out what it takes to be a maintainer); of my normal distributions, Fedora, Arch Linux, Ubuntu (snap) and Nix package it. I am sure there are more, but I would love to see it on pfSense/OPNsense and cellular routers.
Other solutions worth mentioning
Below are a couple of other VPN technologies worth looking into if you are trying to find the right one for your use case!
- WireGuard (manual point-to-point links, simple and powerful)
- Tailscale (very similar to nebula with more features, particularly around enterprise)
- Headscale (open source Tailscale, closer to nebula in terms of features)
- ZeroTier (closed source but mesh network style)
- IPsec (people do use it but I find it painful to set up)
UPDATE
I have figured out DNS in nebula.