{"id":13440400,"url":"https://github.com/slackhq/nebula","last_synced_at":"2026-02-06T21:03:21.950Z","repository":{"id":37453939,"uuid":"222172014","full_name":"slackhq/nebula","owner":"slackhq","description":"A scalable overlay networking tool with a focus on performance, simplicity and security","archived":false,"fork":false,"pushed_at":"2026-01-29T22:20:46.000Z","size":3421,"stargazers_count":16833,"open_issues_count":112,"forks_count":1099,"subscribers_count":242,"default_branch":"master","last_synced_at":"2026-01-30T05:21:23.716Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/slackhq.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2019-11-16T23:26:23.000Z","updated_at":"2026-01-30T05:08:26.000Z","dependencies_parsed_at":"2023-10-26T09:37:17.867Z","dependency_job_id":"22ea55c0-f099-43f5-9f66-5bd5f5eec439","html_url":"https://github.com/slackhq/nebula","commit_stats":{"total_commits":316,"total_committers":56,"mean_commits":5.642857142857143,"dds":0.7056962025316456,"last_synced_commit":"397fe5f8797e3386db3db99376b716da2566e7b8"},"previous_names":[],"tags_count":26,"template":false,"template_full_name":null,"purl":"pkg:github/slackhq/nebula","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/slackhq%2Fnebula","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/slackhq%2Fnebula/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/slackhq%2Fnebula/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/slackhq%2Fnebula/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/slackhq","download_url":"https://codeload.github.com/slackhq/nebula/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/slackhq%2Fnebula/sbom","scorecard":{"id":503177,"data":{"date":"2025-08-11","repo":{"name":"github.com/slackhq/nebula","commit":"7da79685fff9b34c30b3c6786ebf4b97b091daa1"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.8,"checks":[{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Maintained","score":10,"reason":"11 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/gofmt.yml:1","Warn: no topLevel permission defined: .github/workflows/release.yml:1","Warn: no topLevel permission defined: .github/workflows/smoke-extra.yml:1","Warn: no topLevel permission defined: .github/workflows/smoke.yml:1","Warn: no topLevel permission defined: .github/workflows/test.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":6,"reason":"binaries present in source code","details":["Warn: binary detected: dist/windows/wintun/bin/amd64/wintun.dll:1","Warn: binary detected: dist/windows/wintun/bin/arm/wintun.dll:1","Warn: binary detected: dist/windows/wintun/bin/arm64/wintun.dll:1","Warn: binary detected: dist/windows/wintun/bin/x86/wintun.dll:1"],"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release.yml:112"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/gofmt.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/gofmt.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/gofmt.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/gofmt.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:69: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/release.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:78: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:107: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:127: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:131: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/release.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:138: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/release.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:145: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:163: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:166: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/smoke-extra.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/smoke-extra.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/smoke-extra.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/smoke-extra.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/smoke.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/smoke.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/smoke.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/smoke.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/test.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/test.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/test.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/test.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/test.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/test.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:80: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/test.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:82: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/test.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:101: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/test.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:103: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/test.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:118: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/test.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:128: update your workflow using https://app.stepsecurity.io/secureworkflow/slackhq/nebula/test.yml/master?enable=pin","Warn: containerImage not pinned by hash: .github/workflows/smoke/Dockerfile:1: pin your Docker image by updating ubuntu:jammy to ubuntu:jammy@sha256:1aa979d85661c488ce030ac292876cf6ed04535d3a237e49f61542d8e5de5ae0","Warn: containerImage not pinned by hash: docker/Dockerfile:1: pin your Docker image by updating gcr.io/distroless/static:latest to gcr.io/distroless/static:latest@sha256:2e114d20aa6371fd271f854aa3d6b2b7d2e70e797bb3ea44fb677afec60db22c","Warn: goCommand not pinned by hash: .github/workflows/gofmt.yml:26","Warn: downloadThenRun not pinned by hash: .github/workflows/smoke-extra.yml:32","Info:   0 out of  29 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   5 third-party GitHubAction dependencies pinned","Info:   0 out of   2 containerImage dependencies pinned","Info:   0 out of   1 goCommand dependencies pinned","Info:   0 out of   1 downloadThenRun dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v1.9.6 not signed: https://api.github.com/repos/slackhq/nebula/releases/233507685","Warn: release artifact v1.9.5 not signed: https://api.github.com/repos/slackhq/nebula/releases/189424129","Warn: release artifact v1.9.4 not signed: https://api.github.com/repos/slackhq/nebula/releases/174187537","Warn: release artifact v1.9.3 not signed: https://api.github.com/repos/slackhq/nebula/releases/159240257","Warn: release artifact v1.9.2 not signed: https://api.github.com/repos/slackhq/nebula/releases/158678353","Warn: release artifact v1.9.6 does not have provenance: https://api.github.com/repos/slackhq/nebula/releases/233507685","Warn: release artifact v1.9.5 does not have provenance: https://api.github.com/repos/slackhq/nebula/releases/189424129","Warn: release artifact v1.9.4 does not have provenance: https://api.github.com/repos/slackhq/nebula/releases/174187537","Warn: release artifact v1.9.3 does not have provenance: https://api.github.com/repos/slackhq/nebula/releases/159240257","Warn: release artifact v1.9.2 does not have provenance: https://api.github.com/repos/slackhq/nebula/releases/158678353"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-19T22:32:38.419Z","repository_id":37453939,"created_at":"2025-08-19T22:32:38.420Z","updated_at":"2025-08-19T22:32:38.420Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29175835,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-06T20:14:21.878Z","status":"ssl_error","status_checked_at":"2026-02-06T20:14:21.443Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T03:01:22.440Z","updated_at":"2026-02-06T21:03:21.944Z","avatar_url":"https://github.com/slackhq.png","language":"Go","funding_links":[],"categories":["Go","HarmonyOS","Proxy and VPN","Install from Source","VPNs","Uncategorized","其他_安全与渗透","others","Utilities :wrench:","Software","VPN","Tools","Transport-layer defenses","Networking"],"sub_categories":["Windows Manager","Python","Network Tools","Self-hosted VPNs","Uncategorized","网络服务_其他","VPN","Overlay and Virtual Private Networks (VPNs)","Observability"],"readme":"## What is Nebula?\nNebula is a scalable overlay networking tool with a focus on performance, simplicity and security.\nIt lets you seamlessly connect computers anywhere in the world. Nebula is portable, and runs on Linux, OSX, Windows, iOS, and Android.\nIt can be used to connect a small number of computers, but is also able to connect tens of thousands of computers.\n\nNebula incorporates a number of existing concepts like encryption, security groups, certificates,\nand tunneling.\nWhat makes Nebula different to existing offerings is that it brings all of these ideas together,\nresulting in a sum that is greater than its individual parts.\n\nFurther documentation can be found [here](https://nebula.defined.net/docs/).\n\nYou can read more about Nebula [here](https://medium.com/p/884110a5579).\n\nYou can also join the NebulaOSS Slack group [here](https://join.slack.com/t/nebulaoss/shared_invite/zt-39pk4xopc-CUKlGcb5Z39dQ0cK1v7ehA).\n\n## Supported Platforms\n\n#### Desktop and Server\n\nCheck the [releases](https://github.com/slackhq/nebula/releases/latest) page for downloads or see the [Distribution Packages](https://github.com/slackhq/nebula#distribution-packages) section.\n\n- Linux - 64 and 32 bit, arm, and others\n- Windows\n- MacOS\n- Freebsd\n\n#### Distribution Packages\n\n- [Arch Linux](https://archlinux.org/packages/extra/x86_64/nebula/)\n    ```sh\n    sudo pacman -S nebula\n    ```\n\n- [Fedora Linux](https://src.fedoraproject.org/rpms/nebula)\n    ```sh\n    sudo dnf install nebula\n    ```\n\n- [Debian Linux](https://packages.debian.org/source/stable/nebula)\n    ```sh\n    sudo apt install nebula\n    ```\n\n- [Alpine Linux](https://pkgs.alpinelinux.org/packages?name=nebula)\n    ```sh\n    sudo apk add nebula\n    ```\n\n- [macOS Homebrew](https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/n/nebula.rb)\n    ```sh\n    brew install nebula\n    ```\n\n- [Docker](https://hub.docker.com/r/nebulaoss/nebula)\n    ```sh\n    docker pull nebulaoss/nebula\n    ```\n\n#### Mobile\n\n- [iOS](https://apps.apple.com/us/app/mobile-nebula/id1509587936?itsct=apps_box\u0026amp;itscg=30200)\n- [Android](https://play.google.com/store/apps/details?id=net.defined.mobile_nebula\u0026pcampaignid=pcampaignidMKT-Other-global-all-co-prtnr-py-PartBadge-Mar2515-1)\n\n## Technical Overview\n\nNebula is a mutually authenticated peer-to-peer software-defined network based on the [Noise Protocol Framework](https://noiseprotocol.org/).\nNebula uses certificates to assert a node's IP address, name, and membership within user-defined groups.\nNebula's user-defined groups allow for provider agnostic traffic filtering between nodes.\nDiscovery nodes (aka lighthouses) allow individual peers to find each other and optionally use UDP hole punching to establish connections from behind most firewalls or NATs.\nUsers can move data between nodes in any number of cloud service providers, datacenters, and endpoints, without needing to maintain a particular addressing scheme.\n\nNebula uses Elliptic-curve Diffie-Hellman (`ECDH`) key exchange and `AES-256-GCM` in its default configuration.\n\nNebula was created to provide a mechanism for groups of hosts to communicate securely, even across the internet, while enabling expressive firewall definitions similar in style to cloud security groups.\n\n## Getting started (quickly)\n\nTo set up a Nebula network, you'll need:\n\n#### 1. The [Nebula binaries](https://github.com/slackhq/nebula/releases) or [Distribution Packages](https://github.com/slackhq/nebula#distribution-packages) for your specific platform. Specifically you'll need `nebula-cert` and the specific nebula binary for each platform you use.\n\n#### 2. (Optional, but you really should..) At least one discovery node with a routable IP address, which we call a lighthouse.\n\nNebula lighthouses allow nodes to find each other, anywhere in the world. A lighthouse is the only node in a Nebula network whose IP should not change. Running a lighthouse requires very few compute resources, and you can easily use the least expensive option from a cloud hosting provider. If you're not sure which provider to use, a number of us have used $6/mo [DigitalOcean](https://digitalocean.com) droplets as lighthouses.\n\nOnce you have launched an instance, ensure that Nebula udp traffic (default port udp/4242) can reach it over the internet.\n\n#### 3. A Nebula certificate authority, which will be the root of trust for a particular Nebula network.\n\n```sh\n./nebula-cert ca -name \"Myorganization, Inc\"\n```\n\nThis will create files named `ca.key` and `ca.cert` in the current directory. The `ca.key` file is the most sensitive file you'll create, because it is the key used to sign the certificates for individual nebula nodes/hosts. Please store this file somewhere safe, preferably with strong encryption.\n\n**Be aware!** By default, certificate authorities have a 1-year lifetime before expiration. See [this guide](https://nebula.defined.net/docs/guides/rotating-certificate-authority/) for details on rotating a CA.\n\n#### 4. Nebula host keys and certificates generated from that certificate authority\n\nThis assumes you have four nodes, named lighthouse1, laptop, server1, host3. You can name the nodes any way you'd like, including FQDN. You'll also need to choose IP addresses and the associated subnet. In this example, we are creating a nebula network that will use 192.168.100.x/24 as its network range. This example also demonstrates nebula groups, which can later be used to define traffic rules in a nebula network.\n```sh\n./nebula-cert sign -name \"lighthouse1\" -ip \"192.168.100.1/24\"\n./nebula-cert sign -name \"laptop\" -ip \"192.168.100.2/24\" -groups \"laptop,home,ssh\"\n./nebula-cert sign -name \"server1\" -ip \"192.168.100.9/24\" -groups \"servers\"\n./nebula-cert sign -name \"host3\" -ip \"192.168.100.10/24\"\n```\n\nBy default, host certificates will expire 1 second before the CA expires. Use the `-duration` flag to specify a shorter lifetime.\n\n#### 5. Configuration files for each host\n\nDownload a copy of the nebula [example configuration](https://github.com/slackhq/nebula/blob/master/examples/config.yml).\n\n* On the lighthouse node, you'll need to ensure `am_lighthouse: true` is set.\n\n* On the individual hosts, ensure the lighthouse is defined properly in the `static_host_map` section, and is added to the lighthouse `hosts` section.\n\n\n#### 6. Copy nebula credentials, configuration, and binaries to each host\n\nFor each host, copy the nebula binary to the host, along with `config.yml` from step 5, and the files `ca.crt`, `{host}.crt`, and `{host}.key` from step 4.\n\n**DO NOT COPY `ca.key` TO INDIVIDUAL NODES.**\n\n#### 7. Run nebula on each host\n\n```sh\n./nebula -config /path/to/config.yml\n```\n\nFor more detailed instructions, [find the full documentation here](https://nebula.defined.net/docs/).\n\n## Building Nebula from source\n\nMake sure you have [go](https://go.dev/doc/install) installed and clone this repo. Change to the nebula directory.\n\nTo build nebula for all platforms:\n`make all`\n\nTo build nebula for a specific platform (ex, Windows):\n`make bin-windows`\n\nSee the [Makefile](Makefile) for more details on build targets\n\n## Curve P256 and BoringCrypto\n\nThe default curve used for cryptographic handshakes and signatures is Curve25519. This is the recommended setting for most users. If your deployment has certain compliance requirements, you have the option of creating your CA using `nebula-cert ca -curve P256` to use NIST Curve P256. The CA will then sign certificates using ECDSA P256, and any hosts using these certificates will use P256 for ECDH handshakes.\n\nIn addition, Nebula can be built using the [BoringCrypto GOEXPERIMENT](https://github.com/golang/go/blob/go1.20/src/crypto/internal/boring/README.md) by running either of the following make targets:\n\n```sh\nmake bin-boringcrypto\nmake release-boringcrypto\n```\n\nThis is not the recommended default deployment, but may be useful based on your compliance requirements.\n\n## Credits\n\nNebula was created at Slack Technologies, Inc by Nate Brown and Ryan Huber, with contributions from Oliver Fross, Alan Lam, Wade Simmons, and Lining Wang.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fslackhq%2Fnebula","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fslackhq%2Fnebula","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fslackhq%2Fnebula/lists"}