Wade Simmons
0824035906
Merge remote-tracking branch 'origin/master' into multiport
2026-01-21 10:58:11 -05:00
Nate Brown
1283ff0db4
Add option to control accepting recv_error ( #1569 )
2026-01-13 00:00:27 -06:00
Wade Simmons
510a8912a9
Merge remote-tracking branch 'origin/master' into multiport
2025-12-04 15:22:14 -05:00
Nate Brown
64f202fa17
Make 0.0.0.0/0 and ::/0 not mean any address family, add any for that ( #1538 )
2025-11-21 13:46:36 -06:00
Wade Simmons
ae9de47dd9
Merge remote-tracking branch 'origin/master' into multiport
2025-07-11 12:57:52 -04:00
Nate Brown
52623820c2
Drop inactive tunnels ( #1427 )
2025-07-03 09:58:37 -05:00
maggie44
8536c57645
Allow configuration of logger and build version in gvisor service library ( #1239 )
2025-04-21 13:45:59 -04:00
Andriyanov Nikita
e5ce8966d6
add netlink options ( #1326 )
* add netlink options
* force use buffer
* fix namings and add config examples
* fix linter
2025-04-21 13:44:33 -04:00
John Maguire
d4a7df3083
Rename pki.default_version to pki.initiating_version ( #1381 )
2025-04-07 18:08:29 -04:00
John Maguire
e136d1d47a
Update example config with default_local_cidr_any changes ( #1373 )
2025-04-01 16:08:03 -05:00
dioss-Machiel
f86953ca56
Implement ECMP for unsafe_routes ( #1332 )
2025-03-24 17:15:59 -05:00
Caleb Jasik
50473bd2a8
Update example config to listen on :: by default ( #1351 )
2025-03-12 22:53:16 -05:00
jampe
1d3c85338c
add so_mark sockopt support ( #1331 )
2025-03-12 09:35:33 -05:00
Wade Simmons
f36db374ac
Merge remote-tracking branch 'origin/master' into multiport
2025-03-06 16:11:32 -05:00
Nate Brown
d97ed57a19
V2 certificate format ( #1216 )
Co-authored-by: Nate Brown <nbrown.us@gmail.com>
Co-authored-by: Jack Doan <jackdoan@rivian.com>
Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com>
Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
Wade Simmons
dabce8a1b4
1.9.4 Release
Merge tag 'v1.9.4' into multiport
1.9.4 Release
2024-09-13 10:17:59 -04:00
Jack Doan
3dc56e1184
Support UDP dialling with gvisor ( #1181 )
2024-08-26 12:38:32 -05:00
Wade Simmons
b445d14ddb
Merge remote-tracking branch 'origin/master' into multiport
2024-05-08 11:22:19 -04:00
Wade Simmons
50b24c102e
v1.9.0 ( #1137 )
Update CHANGELOG for Nebula v1.9.0
Co-authored-by: John Maguire <john@defined.net>
2024-05-08 10:31:24 -04:00
John Maguire
f31bab5f1a
Add support for SSH CAs ( #1098 )
- Accept certs signed by trusted CAs
- Username must match the cert principal if set
- Any username can be used if cert principal is empty
- Don't allow removed pubkeys/CAs to be used after reload
2024-04-30 10:50:17 -04:00
John Maguire
f7db0eb5cc
Remove Vagrant example ( #1129 )
2024-04-30 09:40:24 -05:00
Andrew Kraut
df78158cfa
Create service script for open-rc ( #711 )
2024-04-30 09:53:00 -04:00
Nate Brown
a99618e95c
Don't log invalid certificates ( #1116 )
2024-04-29 15:21:00 -05:00
Nate Brown
cc8b3cc961
Add config option for local_cidr control
2024-02-15 11:46:45 -06:00
Nate Brown
f346cf4109
At the end
2024-02-05 10:23:10 -06:00
Wade Simmons
659d7fece6
1.8.2 Release
Merge tag 'v1.8.2' into multiport
1.8.2 Release
2024-01-26 10:45:15 -05:00
Nate Brown
072edd56b3
Fix re-entrant GetOrHandshake issues ( #1044 )
2023-12-19 11:58:31 -06:00
Tristan Rice
1083279a45
add gvisor based service library ( #965 )
* add service/ library
2023-11-21 11:50:18 -05:00
Nate Brown
3356e03d85
Default pki.disconnect_invalid to true and make it reloadable ( #859 )
2023-11-13 12:39:38 -06:00
Wade Simmons
f2aef0d6eb
Merge remote-tracking branch 'origin/master' into multiport
2023-10-27 08:48:13 -04:00
John Maguire
87b628ba24
Fix truncated comment in config.yml ( #999 )
2023-10-27 08:39:34 -04:00
c0repwn3r
03e70210a5
Add support for NetBSD ( #916 )
2023-07-27 13:44:47 -05:00
Nate Brown
1e3c155896
Attempt to notify systemd of service readiness on linux ( #929 )
2023-07-24 11:30:18 -05:00
John Maguire
7e380bde7e
Document new DNS config options ( #879 )
2023-07-10 15:19:05 -04:00
John Maguire
8ba5d64dbc
Add support for naming FreeBSD tun devices ( #903 )
2023-06-22 12:13:31 -04:00
Wade Simmons
0e593ad582
Merge branch 'master' into multiport
2023-05-09 15:37:30 -04:00
Ilya Lukyanov
1701087035
Add destination CIDR checking ( #507 )
2023-05-09 10:37:23 -05:00
Nate Brown
a9cb2e06f4
Add ability to respect the system route table for unsafe route on linux ( #839 )
2023-05-09 10:36:55 -05:00
Wade Simmons
28ecfcbc03
Merge remote-tracking branch 'origin/master' into multiport
2023-05-03 10:50:06 -04:00
Nate Brown
397fe5f879
Add ability to skip installing unsafe routes on the os routing table ( #831 )
2023-04-10 12:32:37 -05:00
Nate Brown
3cb4e0ef57
Allow listen.host to contain names ( #825 )
2023-04-05 11:29:26 -05:00
Wade Simmons
e71059a410
Merge remote-tracking branch 'origin/master' into multiport
2023-04-03 11:30:41 -04:00
Wade Simmons
3e5c7e6860
add punchy.respond_delay config option ( #721 )
2023-03-29 14:32:35 -05:00
Wade Simmons
e1af37e46d
add calculated_remotes ( #759 )
* add calculated_remotes
This setting allows us to "guess" what the remote might be for a host
while we wait for the lighthouse response. For networks that were
designed with this in mind, it can help speed up handshake performance, as well as
improve resiliency in the case that all lighthouses are down.
Example:

  lighthouse:
    # ...
    calculated_remotes:
      # For any Nebula IPs in 10.0.10.0/24, this will apply the mask and add
      # the calculated IP as an initial remote (while we wait for the response
      # from the lighthouse). Both CIDRs must have the same mask size.
      # For example, Nebula IP 10.0.10.123 will have a calculated remote of
      # 192.168.1.123
      10.0.10.0/24:
        - mask: 192.168.1.0/24
          port: 4242
* figure out what is up with this test
* add test
* better logic for sending handshakes
Keep track of the last list of hosts we sent handshakes to. Only log
handshake sent messages if the list has changed.
Remove the test Test_NewHandshakeManagerTrigger because it is faulty and
makes no sense. It relies on the fact that no handshake packets actually
get sent, but with these changes we would send packets now (which it
should!)
* use atomic.Pointer
* cleanup to make it clearer
* fix typo in example
2023-03-13 15:09:08 -04:00
Wade Simmons
6e0ae4f9a3
firewall: add option to send REJECT replies ( #738 )
* firewall: add option to send REJECT replies
This change allows you to configure the firewall to send REJECT packets
when a packet is denied.
  firewall:
    # Action to take when a packet is not allowed by the firewall rules.
    # Can be one of:
    #   `drop` (default): silently drop the packet.
    #   `reject`: send a reject reply.
    #     - For TCP, this will be a RST "Connection Reset" packet.
    #     - For other protocols, this will be an ICMP port unreachable packet.
    outbound_action: drop
    inbound_action: drop

These packets are only sent to established tunnels, and only on the
overlay network (currently IPv4 only).

  $ ping -c1 192.168.100.3
  PING 192.168.100.3 (192.168.100.3) 56(84) bytes of data.
  From 192.168.100.3 icmp_seq=2 Destination Port Unreachable
  --- 192.168.100.3 ping statistics ---
  2 packets transmitted, 0 received, +1 errors, 100% packet loss, time 31ms

  $ nc -nzv 192.168.100.3 22
  (UNKNOWN) [192.168.100.3] 22 (?) : Connection refused
This change also modifies the smoke test to capture tcpdump pcaps from
both the inside and outside to inspect what is going on over the wire.
It also now does TCP and UDP packet tests using the Nmap version of
ncat.
* calculate seq and ack the same way as the kernel
The logic is a bit confusing, so we copy it straight from how the kernel
does iptables `--reject-with tcp-reset`:
- https://github.com/torvalds/linux/blob/v5.19/net/ipv4/netfilter/nf_reject_ipv4.c#L193-L221
* cleanup
2023-03-13 15:08:40 -04:00
Wade Simmons
aec7f5f865
Merge remote-tracking branch 'origin/master' into multiport
2023-03-13 15:07:32 -04:00
Caleb Jasik
f0ac61c1f0
Add nebula.plist based on the homebrew nebula LaunchDaemon plist ( #762 )
2023-03-13 13:16:46 -05:00
John Maguire
b5a85a6eb8
Update example config with IPv6 note for allow lists ( #742 )
2022-12-20 16:50:02 -05:00
Fabio Alessandro Locati
3ae242fa5f
Add nss-lookup to the systemd wants ( #791 )
* Add nss-lookup to the systemd wants to ensure DNS is running before starting nebula
* Add Ansible & example service scripts
* Fix #797
* Align Ansible scripts and examples
Co-authored-by: John Maguire <contact@johnmaguire.me>
2022-12-19 14:42:07 -05:00
John Maguire
ec48298fe8
Update config to show aes cipher instead of chacha ( #788 )
2022-12-07 11:38:56 -06:00