Public Release

.gitignore

@@ -0,0 +1,10 @@
+/nebula
+/nebula-cert
+/nebula-arm
+/nebula-arm6
+/nebula-darwin
+/nebula.exe
+/cert/*.crt
+/cert/*.key
+/coverage.out
+/cpu.pprof

AUTHORS

@@ -0,0 +1,9 @@
+# This is the official list of Nebula authors for copyright purposes.
+
+# Names should be added to this file as:
+# Name or Organization <email address>
+# The email address is not required for organizations.
+
+Slack Technologies, Inc.
+Nate Brown <[email protected]>
+Ryan Huber <[email protected]>

LICENSE

@@ -0,0 +1,24 @@
+MIT License
+
+Copyright (c) 2018-2019 Slack Technologies, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+

Makefile

@@ -0,0 +1,77 @@
+BUILD_NUMBER ?= dev+$(shell date -u '+%Y%m%d%H%M%S')
+GO111MODULE = on
+export GO111MODULE
+
+all:
+	make bin
+	make bin-arm
+	make bin-arm6
+	make bin-arm64
+	make bin-darwin
+	make bin-windows
+
+bin:
+	go build -ldflags "-X main.Build=$(BUILD_NUMBER)" -o ./nebula ./cmd/nebula
+	go build -ldflags "-X main.Build=$(BUILD_NUMBER)" -o ./nebula-cert ./cmd/nebula-cert
+
+install:
+	go install -ldflags "-X main.Build=$(BUILD_NUMBER)" ./cmd/nebula
+	go install -ldflags "-X main.Build=$(BUILD_NUMBER)" ./cmd/nebula-cert
+
+bin-arm:
+	GOARCH=arm GOOS=linux go build -o nebula-arm -ldflags "-X main.Build=$(BUILD_NUMBER)" ./cmd/nebula
+
+bin-arm6:
+	GOARCH=arm GOARM=6 GOOS=linux go build -o nebula-arm6 -ldflags "-X main.Build=$(BUILD_NUMBER)" ./cmd/nebula
+
+bin-arm64:
+	GOARCH=arm64 GOOS=linux go build -o nebula-arm64 -ldflags "-X main.Build=$(BUILD_NUMBER)" ./cmd/nebula
+
+
+bin-vagrant:
+	GOARCH=amd64 GOOS=linux go build -o nebula -ldflags "-X main.Build=$(BUILD_NUMBER)" ./cmd/nebula
+	GOARCH=amd64 GOOS=linux go build -ldflags "-X main.Build=$(BUILD_NUMBER)" -o ./nebula-cert ./cmd/nebula-cert
+bin-darwin:
+	GOARCH=amd64 GOOS=darwin go build -o nebula-darwin -ldflags "-X main.Build=$(BUILD_NUMBER)" ./cmd/nebula
+
+bin-windows:
+	GOARCH=amd64 GOOS=windows go build -o nebula.exe -ldflags "-X main.Build=$(BUILD_NUMBER)" ./cmd/nebula
+
+bin-linux:
+	GOARCH=amd64 GOOS=linux go build -o ./nebula -ldflags "-X main.Build=$(BUILD_NUMBER)" ./cmd/nebula
+	GOARCH=amd64 GOOS=linux go build -o ./nebula-cert -ldflags "-X main.Build=$(BUILD_NUMBER)" ./cmd/nebula-cert
+
+vet:
+	go vet -v ./...
+
+test:
+	go test -v ./...
+
+test-cov-html:
+	go test -coverprofile=coverage.out
+	go tool cover -html=coverage.out
+
+bench:
+	go test -bench=.
+
+bench-cpu:
+	go test -bench=. -benchtime=5s -cpuprofile=cpu.pprof
+	go tool pprof go-audit.test cpu.pprof
+
+bench-cpu-long:
+	go test -bench=. -benchtime=60s -cpuprofile=cpu.pprof
+	go tool pprof go-audit.test cpu.pprof
+
+proto: nebula.pb.go cert/cert.pb.go
+
+nebula.pb.go: nebula.proto .FORCE
+	go build github.com/golang/protobuf/protoc-gen-go
+	PATH="$(PWD):$(PATH)" protoc --go_out=. $<
+	rm protoc-gen-go
+
+cert/cert.pb.go: cert/cert.proto .FORCE
+	$(MAKE) -C cert cert.pb.go
+
+.FORCE:
+.PHONY: test test-cov-html bench bench-cpu bench-cpu-long bin proto
+.DEFAULT_GOAL := bin

README.md

@@ -0,0 +1,91 @@
+## What is Nebula?
+Nebula is a scalable overlay networking tool with a focus on performance, simplicity and security.
+It lets you seamlessly connect computers anywhere in the world. Nebula is portable, and runs on Linux, OSX, and Windows.
+(Also: keep this quiet, but we have an early prototype running on iOS).
+It can be used to connect a small number of computers, but is also able to connect tens of thousands of computers.
+
+Nebula incorporates a number of existing concepts like encryption, security groups, certificates,
+and tunneling, and each of those individual pieces existed before Nebula in various forms.
+What makes Nebula different to existing offerings is that it brings all of these ideas together,
+resulting in a sum that is greater than its individual parts.
+
+You can read more about Nebula [here](https://medium.com/p/884110a5579).
+
+## Technical Overview
+
+Nebula is a mutually authenticated peer-to-peer software defined network based on the [Noise Protocol Framework](https://noiseprotocol.org/).
+Nebula uses certificates to assert a node's IP address, name, and membership within user-defined groups.
+Nebula's user-defined groups allow for provider agnostic traffic filtering between nodes.
+Discovery nodes allow individual peers to find each other and optionally use UDP hole punching to establish connections from behind most firewalls or NATs.
+Users can move data between nodes in any number of cloud service providers, datacenters, and endpoints, without needing to maintain a particular addressing scheme.
+
+Nebula uses elliptic curve Diffie-Hellman key exchange, and AES-256-GCM in its default configuration.
+
+Nebula was created to provide a mechanism for groups hosts to communicate securely, even across the internet, while enabling expressive firewall definitions similar in style to cloud security groups.
+
+## Getting started (quickly)
+
+To set up a Nebula network, you'll need:
+
+#### 1. The [Nebula binaries](https://github.com/slackhq/nebula/releases) for your specific platform. Specifically you'll need `nebula-cert` and the specific nebula binary for each platform you use.
+
+#### 2. (Optional, but you really should..) At least one discovery node with a routable IP address, which we call a lighthouse.
+
+Nebula lighthouses allow nodes to find each other, anywhere in the world. A lighthouse is the only node in a Nebula network whose IP should not change. Running a lighthouse requires very few compute resources, and you can easily use the least expensive option from a cloud hosting provider. If you're not sure which provider to use, a number of us have used $5/mo [DigitalOcean](https://digitalocean.com) droplets as lighthouses.
+
+  Once you have launched an instance, ensure that Nebula udp traffic (default port udp/4242) can reach it over the internet.
+
+
+#### 3. A Nebula certificate authority, which will be the root of trust for a particular Nebula network.
+
+  ```
+  ./nebula-cert ca -name "Myorganization, Inc"
+  ```
+  This will create files named `ca.key` and `ca.cert` in the current directory. The `ca.key` file is the most sensitive file you'll create, because it is the key used to sign the certificates for individual nebula nodes/hosts. Please store this file somewhere safe, preferably with strong encryption.
+
+#### 4. Nebula host keys and certificates generated from that certificate authority
+This assumes you have three nodes, named lighthouse1, host1, host3. You can name the nodes any way you'd like, including FQDN. You'll also need to choose IP addresses and the associated subnet. In this example, we are creating a nebula network that will use 192.168.100.x/24 as its network range. This example also demonstrates nebula groups, which can later be used to define traffic rules in a nebula network.
+```
+./nebula-cert sign -name "lighthouse1" -ip "192.168.100.1/24"
+./nebula-cert sign -name "laptop" -ip "192.168.100.2/24" -groups "laptop,home,ssh"
+./nebula-cert sign -name "server1" -ip "192.168.100.9/24" -groups "servers"
+./nebula-cert sign -name "host3" -ip "192.168.100.9/24"
+```
+
+#### 5. Configuration files for each host
+Download a copy of the nebula [example configuration](https://github.com/slackhq/nebula/blob/master/examples/config.yaml).
+
+* On the lighthouse node, you'll need to ensure `am_lighthouse: true` is set.
+
+* On the individual hosts, ensure the lighthouse is defined properly in the `static_host_map` section, and is added to the lighthouse `hosts` section.
+
+
+#### 6. Copy nebula credentials, configuration, and binaries to each host
+
+For each host, copy the nebula binary to the host, along with `config.yaml` from step 5, and the files `ca.crt`, `{host}.crt`, and `{host}.key` from step 2.
+
+**DO NOT COPY `ca.key` TO INDIVIDUAL NODES.**
+
+#### 7. Run nebula on each host
+```
+./nebula -config /path/to/config.yaml
+```
+
+## Building Nebula from source
+
+Download go and clone this repo. Change to the nebula directory.
+
+To build nebula for all platforms:
+`make all`
+
+To build nebula for a specific platform (ex, Windows):
+`make bin-windows`
+
+See the [Makefile](Makefile) for more details on build targets
+
+## Credits
+
+Nebula was created at Slack Technologies, Inc by Nate Brown and Ryan Huber, with contributions from Oliver Fross, Alan Lam, Wade Simmons, and Lining Wang.
+
+
+

bits.go

@@ -0,0 +1,157 @@
+package nebula
+
+import (
+	"github.com/rcrowley/go-metrics"
+	"github.com/sirupsen/logrus"
+)
+
+type Bits struct {
+	length             uint64
+	current            uint64
+	bits               []bool
+	firstSeen          bool
+	lostCounter        metrics.Counter
+	dupeCounter        metrics.Counter
+	outOfWindowCounter metrics.Counter
+}
+
+func NewBits(bits uint64) *Bits {
+	return &Bits{
+		length:             bits,
+		bits:               make([]bool, bits, bits),
+		current:            0,
+		lostCounter:        metrics.GetOrRegisterCounter("network.packets.lost", nil),
+		dupeCounter:        metrics.GetOrRegisterCounter("network.packets.duplicate", nil),
+		outOfWindowCounter: metrics.GetOrRegisterCounter("network.packets.out_of_window", nil),
+	}
+}
+
+func (b *Bits) Check(i uint64) bool {
+	// If i is the next number, return true.
+	if i > b.current || (i == 0 && b.firstSeen == false && b.current < b.length) {
+		return true
+	}
+
+	// If i is within the window, check if it's been set already. The first window will fail this check
+	if i > b.current-b.length {
+		return !b.bits[i%b.length]
+	}
+
+	// If i is within the first window
+	if i < b.length {
+		return !b.bits[i%b.length]
+	}
+
+	// Not within the window
+	l.Debugf("rejected a packet (top) %d %d\n", b.current, i)
+	return false
+}
+
+func (b *Bits) Update(i uint64) bool {
+	// If i is the next number, return true and update current.
+	if i == b.current+1 {
+		// Report missed packets, we can only understand what was missed after the first window has been gone through
+		if i > b.length && b.bits[i%b.length] == false {
+			b.lostCounter.Inc(1)
+		}
+		b.bits[i%b.length] = true
+		b.current = i
+		return true
+	}
+
+	// If i packet is greater than current but less than the maximum length of our bitmap,
+	// flip everything in between to false and move ahead.
+	if i > b.current && i < b.current+b.length {
+		// In between current and i need to be zero'd to allow those packets to come in later
+		for n := b.current + 1; n < i; n++ {
+			b.bits[n%b.length] = false
+		}
+
+		b.bits[i%b.length] = true
+		b.current = i
+		//l.Debugf("missed %d packets between %d and %d\n", i-b.current, i, b.current)
+		return true
+	}
+
+	// If i is greater than the delta between current and the total length of our bitmap,
+	// just flip everything in the map and move ahead.
+	if i >= b.current+b.length {
+		// The current window loss will be accounted for later, only record the jump as loss up until then
+		lost := maxInt64(0, int64(i-b.current-b.length))
+		//TODO: explain this
+		if b.current == 0 {
+			lost++
+		}
+
+		for n := range b.bits {
+			// Don't want to count the first window as a loss
+			//TODO: this is likely wrong, we are wanting to track only the bit slots that we aren't going to track anymore and this is marking everything as missed
+			//if b.bits[n] == false {
+			//	lost++
+			//}
+			b.bits[n] = false
+		}
+
+		b.lostCounter.Inc(lost)
+
+		if l.Level >= logrus.DebugLevel {
+			l.WithField("receiveWindow", m{"accepted": true, "currentCounter": b.current, "incomingCounter": i, "reason": "window shifting"}).
+				Debug("Receive window")
+		}
+		b.bits[i%b.length] = true
+		b.current = i
+		return true
+	}
+
+	// Allow for the 0 packet to come in within the first window
+	if i == 0 && b.firstSeen == false && b.current < b.length {
+		b.firstSeen = true
+		b.bits[i%b.length] = true
+		return true
+	}
+
+	// If i is within the window of current minus length (the total pat window size),
+	// allow it and flip to true but to NOT change current. We also have to account for the first window
+	if ((b.current >= b.length && i > b.current-b.length) || (b.current < b.length && i < b.length)) && i <= b.current {
+		if b.current == i {
+			if l.Level >= logrus.DebugLevel {
+				l.WithField("receiveWindow", m{"accepted": false, "currentCounter": b.current, "incomingCounter": i, "reason": "duplicate"}).
+					Debug("Receive window")
+			}
+			b.dupeCounter.Inc(1)
+			return false
+		}
+
+		if b.bits[i%b.length] == true {
+			if l.Level >= logrus.DebugLevel {
+				l.WithField("receiveWindow", m{"accepted": false, "currentCounter": b.current, "incomingCounter": i, "reason": "old duplicate"}).
+					Debug("Receive window")
+			}
+			b.dupeCounter.Inc(1)
+			return false
+		}
+
+		b.bits[i%b.length] = true
+		return true
+
+	}
+
+	// In all other cases, fail and don't change current.
+	b.outOfWindowCounter.Inc(1)
+	if l.Level >= logrus.DebugLevel {
+		l.WithField("accepted", false).
+			WithField("currentCounter", b.current).
+			WithField("incomingCounter", i).
+			WithField("reason", "nonsense").
+			Debug("Receive window")
+	}
+	return false
+}
+
+func maxInt64(a, b int64) int64 {
+	if a > b {
+		return a
+	}
+
+	return b
+}