lighthouse
lighthouse:
am_lighthouse: false
serve_dns: true
dns:
host: 0.0.0.0
port: 53
interval: 60
hosts:
- '192.168.100.1'
remote_allow_list:
'172.16.0.0/12': false
'0.0.0.0/0': true
'10.0.0.0/8': false
'10.42.42.0/24': true
local_allow_list:
interfaces:
tun0: false
'docker.*': false
'10.0.0.0/8': true
lighthouse.am_lighthouse
Default: Falseam_lighthouse
is used to enable lighthouse functionality for a node. This should ONLY be true
on nodes you have
configured to be lighthouses in your network
lighthouse.serve_dns
Default: Falseserve_dns
optionally starts a DNS listener that responds to A
and TXT
queries and can even be delegated to for
name resolution by external DNS hosts.
The DNS listener can only respond to requests about hosts it's aware of. For this reason, it can only be enabled on Lighthouses.
A
records contain the Nebula IP for a host name and can be queried by any host that can reach the DNS listener,
regardless of whether it is communicating over the Nebula network.
TXT
records can only be queried over the Nebula network, and contain certificate information for the requested host IP
address.
For example, if 192.168.100.1
was your Lighthouse node running a DNS server and you wanted to find the Nebula IP
address of a host named web01
:
$ dig @192.168.100.1 +short web01 A
192.168.100.5
Or if you wanted to get certificate information about the host:
$ dig +short @192.168.100.1 192.168.100.5 TXT
"Name: web01" "Ips: [192.168.100.5/24]" "Subnets []" "Groups [servers web]" "NotBefore 2021-06-15 14:19:22 +0000 UTC" "NotAFter 2022-04-28 21:49:15 +0000 UTC" "PublicKey dde33784fb2bbada73f8bf4cafbf9271dc864b770b1e44002f81563856711f7c" "IsCA false" "Issuer 91f795c52f601d3110ee5232b22c13a89a76d3e3fb89bed3c21929c873cb6ec9"
To allow hosts to make queries against the DNS server over the Nebula network, don't forget to allow access in the firewall.
The below example config will allow any host on the network to query the lighthouse for DNS
firewall:
inbound:
- port: 53
proto: udp
group: any
lighthouse.dns
dns
is used to configure the address (host
) and port (port
) the DNS server should listen on. By listening on the
host's Nebula IP, you can make the DNS server accessible only on the Nebula network. Alternatively, listening on
0.0.0.0
will allow anyone that can reach the host to make queries.
The default value for dns.port
is 53
but you must set an IP address.
See the serve_dns
docs for more information.
lighthouse:
dns:
# The DNS host defines the IP to bind the dns listener to. This also allows binding to the nebula node IP.
host: 0.0.0.0
port: 53
lighthouse.interval
Default: 10interval
specifies how often a nebula host should report itself to a lighthouse. By default, hosts report themselves
to lighthouses once every 10 seconds. Use caution when changing this interval, as it may affect host discovery times in
a large nebula network.
lighthouse.hosts
This should be empty on lighthouse nodes
hosts
is a list of lighthouse hosts this node should report to and query from. The lighthouses listed here should be
referenced by their nebula IP, not by the IPs of their physical network interfaces.
lighthouse:
hosts:
- '192.168.100.1'
lighthouse.remote_allow_list
remote_allow_list
allows you to control ip ranges that this node will consider when handshaking to another node. By
default, any remote IPs are allowed. You can provide CIDRs here with true
to allow and false
to deny. The most
specific CIDR rule applies to each remote. If all rules are "allow", the default will be "deny", and vice-versa. If both
"allow" and "deny" rules are present, then you MUST set a rule for "0.0.0.0/0" as the default. Similarly if both "allow"
and "deny" IPv6 rules are present, then you MUST set a rule for "::/0" as the default.
lighthouse:
remote_allow_list:
# Example to block IPs from this subnet from being used for remote IPs.
'172.16.0.0/12': false
# A more complicated example, allow public IPs but only private IPs from a specific subnet
'0.0.0.0/0': true
'10.0.0.0/8': false
'10.42.42.0/24': true
lighthouse.local_allow_list
local_allow_list
allows you to filter which local IP addresses we advertise to the lighthouses. This uses the same
logic as remote_allow_list
, but additionally, you can specify an interfaces
map of regular expressions to match
against interface names. The regexp must match the entire name. All interface rules must be either true or false (and
the default will be the inverse). CIDR rules are matched after interface name rules. Default is all local IP addresses.
lighthouse:
local_allow_list:
# Example to block tun0 and all docker interfaces.
interfaces:
tun0: false
'docker.*': false
# Example to only advertise this subnet to the lighthouse.
'10.0.0.0/8': true