Nebula (slackhq/nebula) for non-root user

overtime

Does anybody know if there is any chance of running a Nebula node on an Opalstack shared server?

This is really just an intellectual curiosity more than anything else. The Opalstack server is already a public IP, so it kind of defeats the point of adding it to a Nebula mesh.

I found this service file below that requires CAP_NET_ADMIN and CAP_NET_BIND_SERVICE privileges for the process.

Then I realised that Opalstack appears to disable systemctl --user calls.

Anyway 🙂 Any takers?

# Systemd unit file for Nebula
#

[Unit]
Description=Nebula
Wants=basic.target
After=basic.target network.target
Before=sshd.service

[Service]
ExecStartPre=/home/username/local/nebula/nebula -test -config /home/username/.config/nebula/config.yaml
ExecStart=/home/username/local/nebula/nebula -config /home/username/.config/nebula/config.yaml
ExecReload=/bin/kill -HUP $MAINPID

RuntimeDirectory=nebula
ConfigurationDirectory=nebula
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
ProtectControlGroups=true
ProtectHome=true
ProtectKernelTunables=true
ProtectSystem=full
User=nebula
Group=nebula

SyslogIdentifier=nebula

Restart=always
RestartSec=2
TimeoutStopSec=5
StartLimitInterval=0
LimitNOFILE=131072

Nice=-1

[Install]
WantedBy=multi-user.target

sean

overtime If you can successfully run the commands shown in the service file then you should be able to get it running here.

If it needs to run in the background then you can do it via the daemonize command, eg:

daemonize -c ~/apps/nebula -a -e ~/logs/apps/nebula/error.log -o ~/logs/apps/nebula/output.log  -p ~/logs/apps/nebula/pid ~/apps/nebula/nebula -config ~/.config/nebula/config.yaml

I've looked that the Nebula config and I think you'll need to make the following changes:

Change the pki section to point to files within your own home directory.
Change the port numbers (4242 in the example) to your own port assignment. To get a port assignment, create a new "Nginx Proxy Port" app at https://my.opalstack.com/apps/.
Change the public IP (100.64.22.11 in the example) to your Opalstack server IP (shown at https://my.opalstack.com/).

You'll also need to contact our support team to get your port opened up in the firewall.

All of that being said, I'm not familiar with Nebula and don't really know if this will get you a functioning setup but those are the initial steps that I would try.

overtime

Thank you @sean and sorry for the late reply. I really appreciate your support!

If you can successfully run the commands shown in the service file then you should be able to get it running here.

I think this might be a dead end. Nebula needs to create a utun device to run, which normally requires root. My hope was that by declaring a systemd user unit that required CAP_NET_ADMIN and CAP_NET_BIND_SERVICE I could work around root, but I doubt this would fly on a shared host 🙂

Like I said earlier, this is more of an intellectual curiosity than a need at this point.

BTW, if you are familiar with Tailscale, Nebula is identical in purpose, but uses a different PKI architecture and is fully OSS. Can be quite handy for placing a number of hosts on the same virtual "overlay" network.