nebula
Running in Userspace, if possible?
Hi All,
I have been able to compile and run Nebula which really works well.
One thing that I would like to investigate, although I do not know if it is possible, is the possibility of running it from userspace instead of with elevated Admin and sudo privileges.
I know of another star-type VPN system called SmartEther which is written in C/C++, and once it has been initially installed via elevated privileges it can be started and stopped (i.e. to make VPN connections) from userspace so that all users could do it.
Would something like this be possible with Nebula after some type of initial installation, or something? Cheers
Nitpick: the term you're looking for is "regular user", not userspace. Nebula already runs in userspace, as it has no kernel code (except for tun/tap).
Check this issue out: https://github.com/slackhq/nebula/issues/300
tl;dr: allow access to /dev/net/tun and provide CAP_NET_ADMIN
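A pre-flight check for the two requirements named above, as an added example that is not code from the nebula project or from the commenter: it confirms that the current account can open /dev/net/tun and that the process's effective capability set (read from /proc/self/status) contains CAP_NET_ADMIN, and it prints the fix when either is missing. The binary path /usr/local/bin/nebula, the device node path and the environment variable names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not code from the nebula project): a pre-flight check for
# running nebula as a regular user on Linux.  It verifies the two things the
# linked issue asks for: the account can open /dev/net/tun, and the process
# carries CAP_NET_ADMIN (plus CAP_NET_BIND_SERVICE if you listen below 1024).
# Assumed paths: NEBULA_BIN defaults to /usr/local/bin/nebula, the device
# node is /dev/net/tun and capabilities are read from /proc/self/status.
set -u

NEBULA_BIN="${NEBULA_BIN:-/usr/local/bin/nebula}"
TUN_NODE="${TUN_NODE:-/dev/net/tun}"

# Capability numbers from <linux/capability.h>.
CAP_NET_BIND_SERVICE=10
CAP_NET_ADMIN=12

# cap_set_in_mask HEXMASK CAPNUM: succeeds if bit CAPNUM is set in the
# 64-bit hex mask printed by /proc/<pid>/status (CapEff/CapPrm/CapAmb).
cap_set_in_mask() {
  [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# effective_cap_mask [STATUSFILE]: the CapEff field, e.g. "0000000000001400".
effective_cap_mask() {
  awk '/^CapEff:/ { print $2 }' "${1:-/proc/self/status}"
}

# tun_node_ok: the device node exists and this user may open it.  Opening it
# still needs CAP_NET_ADMIN to actually create a tun interface.
tun_node_ok() {
  [ -c "$TUN_NODE" ] && [ -r "$TUN_NODE" ] && [ -w "$TUN_NODE" ]
}

# nebula_preflight: one line per check; non-zero status if anything is
# missing, with a hint on how to fix it.
nebula_preflight() {
  rc=0
  if tun_node_ok; then
    echo "ok   $TUN_NODE is readable and writable"
  else
    echo "FAIL $TUN_NODE missing or not accessible (check its mode/group or udev rules)"
    rc=1
  fi
  mask=$(effective_cap_mask)
  if cap_set_in_mask "$mask" "$CAP_NET_ADMIN"; then
    echo "ok   CAP_NET_ADMIN is in the effective set ($mask)"
  else
    echo "FAIL CAP_NET_ADMIN missing: run under a systemd unit with"
    echo "     AmbientCapabilities=CAP_NET_ADMIN, or, less safely,"
    echo "     setcap cap_net_admin+ep $NEBULA_BIN (file caps are lost on every"
    echo "     binary update and apply to anyone who can execute the file)"
    rc=1
  fi
  if cap_set_in_mask "$mask" "$CAP_NET_BIND_SERVICE"; then
    echo "ok   CAP_NET_BIND_SERVICE present (needed only for listen ports < 1024)"
  fi
  return $rc
}

# Run the checks only when invoked as `sh preflight.sh check`, so the
# functions can also be sourced from another script.
if [ "${1:-}" = "check" ]; then
  nebula_preflight
  exit $?
fi
```

Run it as the account that will own the service (`sudo -u nebula sh preflight.sh check`). A plain user normally passes the device check, since /dev/net/tun is world read/write on most distributions; the capability check is the one that fails, which is why the linked issue centres on CAP_NET_ADMIN rather than on file permissions.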
@caguiclajmg Yeah, I think that you are correct and I am off on the terminology, but basically, I could see it where you need sudo/admin to install the tap/tun driver on Linux, Windows, etc., but then a "regular user" could start/stop the VPN mesh with their normal privileges. At least, that is the idea and also what I noticed with the SoftEther (https://www.softether.org/) approach, although it is more of a centralized star-VPN topology.
Yes, I'll look into issue: #300
> could start/stop the VPN mesh with their normal privileges
It's a bit more involved than just allowing a user to stop/start the service; if you've read through the issue I linked, you have to jump through a few hoops to even make nebula start up as a non-root user.
Once you're past that you can then worry about manipulating the service: if you're using systemd, you can either set up a sudo rule to allow regular users to stop/start/enable/disable the service, or create a user unit file (but that runs it per-user, which may not be what you want).
I use a systemd service like this to run it as a non-root user:
```ini
# Systemd unit file for Nebula
#
# Runs nebula as the unprivileged "nebula" user. CAP_NET_ADMIN is handed to
# the process via AmbientCapabilities (systemd >= 229) so it can create the
# tun device; CAP_NET_BIND_SERVICE only matters if the listen port is < 1024.
[Unit]
Description=Nebula
Wants=basic.target
After=basic.target network.target
Before=sshd.service
[Service]
# Validate the config first so a typo does not take the mesh down on restart.
ExecStartPre=/usr/local/bin/nebula -test -config /etc/nebula/config.yaml
ExecStart=/usr/local/bin/nebula -config /etc/nebula/config.yaml
ExecReload=/bin/kill -HUP $MAINPID
# /run/nebula and /etc/nebula are created if missing, owned by User=/Group=.
RuntimeDirectory=nebula
ConfigurationDirectory=nebula
# Only these two capabilities survive the switch to User=nebula.
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
# Sandboxing: read-only /usr, /boot and /etc; no /home; no kernel tunables.
ProtectControlGroups=true
ProtectHome=true
ProtectKernelTunables=true
ProtectSystem=full
User=nebula
Group=nebula
SyslogIdentifier=nebula
Restart=always
RestartSec=2
TimeoutStopSec=5
# Never stop retrying. On systemd >= 230 this is StartLimitIntervalSec=0 in
# the [Unit] section; the old [Service] spelling is still accepted.
StartLimitInterval=0
LimitNOFILE=131072
Nice=-1
[Install]
WantedBy=multi-user.target
```
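The sudo-rule option mentioned above, as an added example that is not code from the nebula project or from the commenter: it generates and installs a sudoers drop-in that lets a group of regular users run only the enumerated `systemctl` verbs against one unit, and it refuses rules that would amount to unrestricted `systemctl` (which is root). The group name nebula-ops, the unit name nebula.service, the drop-in path and the systemctl location are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the nebula project or the comment above: a
# least-privilege sudoers drop-in so a group of regular users can control the
# nebula service without getting a general root shell.
# Assumptions (illustrative, change to taste): group "nebula-ops", unit
# "nebula.service", systemctl at /usr/bin/systemctl (check with
# `command -v systemctl`; sudoers matches on the resolved absolute path).
set -u

SYSTEMCTL="${SYSTEMCTL:-/usr/bin/systemctl}"

# nebula_sudoers_rule GROUP UNIT: print one sudoers line allowing only the
# listed verbs against exactly one unit.  Never allow bare "systemctl" or
# "systemctl *": subcommands such as `edit`, `link` or `set-environment`
# let the caller run arbitrary code as root.
nebula_sudoers_rule() {
  group="$1"; unit="$2"
  cmds=""
  for verb in start stop restart reload enable disable; do
    cmds="${cmds:+$cmds, }$SYSTEMCTL $verb $unit"
  done
  printf '%%%s ALL=(root) NOPASSWD: %s\n' "$group" "$cmds"
}

# sudoers_rule_is_scoped RULE: reject a rule containing a wildcard or a
# command with no arguments (both amount to unrestricted systemctl).
# Assumes the "NOPASSWD: cmd args, cmd args" layout produced above.
sudoers_rule_is_scoped() {
  case "$1" in *'*'*) return 1 ;; esac
  printf '%s\n' "${1##*NOPASSWD: }" | tr ',' '\n' |
    while read -r cmd args; do
      [ -n "$cmd" ] && [ -n "$args" ] || exit 1
    done
}

# nebula_sudoers_install GROUP UNIT [DEST]: write the drop-in with mode 0440
# after visudo has syntax-checked it; a malformed file in /etc/sudoers.d can
# lock every sudo user out of the box.
nebula_sudoers_install() {
  dest="${3:-/etc/sudoers.d/nebula-ops}"
  rule=$(nebula_sudoers_rule "$1" "$2")
  sudoers_rule_is_scoped "$rule" || { echo "refusing unscoped rule" >&2; return 1; }
  tmp=$(mktemp) || return 1
  printf '%s\n' "$rule" > "$tmp"
  chmod 0440 "$tmp"
  if ! visudo -cf "$tmp" >/dev/null; then
    rm -f "$tmp"
    echo "visudo rejected the rule" >&2
    return 1
  fi
  mv "$tmp" "$dest"
}

# Usage (as root): sh nebula-sudoers.sh install
if [ "${1:-}" = "install" ]; then
  nebula_sudoers_install nebula-ops nebula.service
  exit $?
fi
```

With the rule in place, members of the group type the command exactly as listed (`sudo systemctl restart nebula.service`); sudoers compares arguments literally, so `systemctl restart nebula` without the `.service` suffix is denied unless you add that spelling too. Members still cannot edit the unit or the config, which remain root-owned.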
Just wanted to chime in, for anyone who finds this in a Google search like I did, to confirm that the above systemd service is working perfectly for me on Ubuntu to run as a dedicated "nebula" user instead of root.
Thanks for all the discussion and solutions here. At this time, I'm closing this as a dupe of #300.