New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
One lighthouse supports multiple overly networks #306
Comments
You can achieve this now by running multiple instances of nebula on the lighthouse machine, but using a different config/cert/listen port for each instance (and therefore "network"). |
Assuming the address spaces issued under each CA root does not overlap, you can trust each root issuing for devices at the lighthouse and re-use the single process. Just make sure to trust the root that signed the lighthouse certificate on each device. |
Thanks a lot. In this case , I would first try to run multiple instances
of nebula on the lighthouse machine, for the purpose of serving multiple
overlay networks for different users with a single machine. Concerning
config/cert/listen port for each instance, could you please elaborate a bit
more by giving an example or tutorial?
best regards,
Samuel
…On Mon, Sep 28, 2020 at 3:44 AM Nathan Brown ***@***.***> wrote:
Assuming the address spaces issued under each CA root *does not* overlap,
you can trust each root issuing for devices at the lighthouse and re-use
the single process. Just make sure to trust the root that signed the
lighthouse certificate on each device.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#306 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACYMCAOMCRV3AB2A2T4J7OTSH7TBLANCNFSM4R3BMX2Q>
.
|
I asked something similar in this issue as well: so am very curious about the answer here. Would it be possible to add a feature to allow a single Nebula client to connect to multiple instances? (Similar to what ZeroTier allows): For right now - would be awesome if there was something in the docs about how to launch multiple instances, with a valid example setup for certs/config/ports etc? |
Does anybody have a working example of multiple Lighthouse instances running on the same host, connecting to different overlay networks? |
What problems are you hitting? There should be no issue provided you run the nebula instances on distinct ports. |
@nbrownus can you elaborate on this? If I have a single public IP (1.2.3.4) and I use a single port (4242) are you saying you can still achieve multi-tenant support using the overlay network address space? Something like this, perhaps:
So when ABC client1 connects to 1.2.3.4:4242 Nebula knows how to route it because it's using overlay network 10.10.10.* instead of 10.20.20.* ? And there's no security risk because the overlay networks aren't bridged, right? |
I'm guessing the IP space approach above could also be combined with the port option as well, right? So 10.10.10.* on port 49152 could service a different network than 10.10.10.* on port 49153 |
Related to #251. |
@nbrownus Sorry to resurrect an old issue, but what would happen if the address spaces did overlap? For example, consider the following setup:
FooNet and BarNet both have their own CAs and both use the Now let's say that I have a personal device connected to FooNet with mesh IP |
@ZelnickB The Lighthouse tracks hosts by their Nebula IP. If multiple hosts connect to a Lighthouse with the same Nebula IP, there will be confusion across the network over who owns said IP. For example, when the device at 100.64.2.123 requests the list of IP addresses for 100.64.2.17, how would the Lighthouse know which IPs to provide it? Those belonging to the device in BarNet, or those belonging to the device in FooNet? It doesn't... instead, the two devices will be "fighting" over that IP address, and you'll end up with a flaky, race-y split network. This is not a supported configuration. Your best bet is to run separate Lighthouse processes for separate networks. |
Got it. I haven't looked at the protocol specification, so I'm not sure if this would work, but one possible way to implement this feature request (as described by @samuelxhu) would be to store two key-value maps, one for FooNet and one for BarNet. Depending on the issuing CA for the certificate of the device that was contacting the lighthouse, the lighthouse could decide which map to use for reading/writing IP addresses. For example, two networks with a lighthouse on the same IP at the same port might have transactions that look like this:
|
@ZelnickB Indeed, this is a possible approach. However, it is supported for an organization to run with host configs that trust multiple CAs in a bundle. In other words, a CA is not a network, a network can have many CAs (and in fact, must have two CAs during a CA rotation event) - so using a CA as the "boundaries" of a network may create other problems. (To say nothing of the complexity of configuring the network mapping, and ensuring that all Lighthouses are running the same config.) This isn't meant to rule the option out, just pointing out that a solution isn't trivial here. |
Cross posting here to some relevant content on this issue for others to find: #823 (comment) |
This would be a feature request instead of a bug report.
In order to setup an overlay network, one needs at least one public IP address for lighthouse, but in practice, one would like one lighthouse (with a single IP address ) to host (support) multiple overlay networks.
As far as I know, Tinc VPN has this feature, which enables one single VM with a public IPv4 addess to support multiple instances of networks for multi tenants.
thanks,
samuel
The text was updated successfully, but these errors were encountered: