
@jasikpark
Created March 17, 2025 18:57
Setting up an IPv6 nebula network

Building an IPv6 network with the nebula nightly builds:

nebula-cert ca -name "Nebula IPv6 Tutorial CA" -encrypt
Enter passphrase:
# typed in my password and pressed enter.

Using nebula-cert print, we can see that this is a v2 certificate authority, which supports IPv6 addresses.

nebula-cert print -path ./ca.crt
{
        "curve": "CURVE25519",
        "details": {
                "groups": null,
                "isCa": true,
                "issuer": "",
                "name": "Nebula IPv6 Tutorial CA",
                "networks": null,
                "notAfter": "2026-03-11T12:26:19-05:00",
                "notBefore": "2025-03-11T12:26:19-05:00",
                "unsafeNetworks": null
        },
        "fingerprint": "a95ed86f7754fc5b0fcaf38473504403748d6dc422b16bc3e29fcae32af9a73c",
        "publicKey": "4f1200baedc57f39adfc71e1b5409a3a7dc60fab4e1a2c4decaeb347a2ad4d75",
        "signature": "e46d1f31e4b677fc4bbef9ebcf941261cd49e00fd4bf124e26b9fb7716d23e7588b0b6b87d276e625b30ef6fa32ced0aa46abee7b61d150907007586cd6e2203",
        "version": 2
}

To create an IPv6 lighthouse, you must pass -version 2 so that only a v2 certificate is generated. We'll use the range fd00:1:1::1/64 for our network.

nebula-cert sign -name "lighthouse1" -ip "fd00:1:1::1/64" -version 2
Enter passphrase:
# typed in my password and pressed enter.

Next we can see the new cert for our first lighthouse, using an IPv6 overlay address:

nebula-cert print -path ./lighthouse1.crt
{
        "curve": "CURVE25519",
        "details": {
                "groups": null,
                "isCa": false,
                "issuer": "a95ed86f7754fc5b0fcaf38473504403748d6dc422b16bc3e29fcae32af9a73c",
                "name": "lighthouse1",
                "networks": [
                        "fd00:1:1::1/64"
                ],
                "notAfter": "2026-03-11T12:26:18-05:00",
                "notBefore": "2025-03-11T12:31:48-05:00",
                "unsafeNetworks": null
        },
        "fingerprint": "31a53856199b98e6c1815ab1f23e28af8022e1098bbc55a27fc75f259126d14f",
        "publicKey": "c141277b24fe8f0abd38c84018a59defd808a390898bc471e868dc4419bac407",
        "signature": "78d3a423bbed7df53377945c0de5d7c119bd0580cf4624d173af0e52b3a3359e2b1aca04a29a787f663bc080283fc149cc9303599773073c339d8264a5a78a06",
        "version": 2
}

Next let's make a cert for our laptop and our server:

nebula-cert sign -name "laptop" -ip "fd00:1:1::2/64" -groups "laptop,ssh" -version 2
nebula-cert sign -name "server" -ip "fd00:1:1::3/64" -groups "servers" -version 2

Now we have 3 hosts in our network, fd00:1:1::1 for the lighthouse, fd00:1:1::2 for the laptop, and fd00:1:1::3 for the server.

We'll download the example config and make a lighthouse and host variant of it:

curl -o config.yml https://raw.githubusercontent.com/slackhq/nebula/master/examples/config.yml
cp config.yml config-lighthouse.yaml
cp config.yml config.yaml

In config-lighthouse.yaml, set am_lighthouse: true and remove the entries from hosts and static_hosts.

In config.yaml, set the static IP of the lighthouse in hosts and static_hosts.

Then you can copy the configs to the proper boxes and test your new network out.
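As an added example (not the gist's own files), here are the two variants the steps above describe, trimmed to the sections that differ. The key names follow the upstream examples/config.yml, where the lookup map is called static_host_map and the lighthouse list lives under lighthouse.hosts. The /etc/nebula paths and the lighthouse's underlay address 203.0.113.10 are constructed placeholders; the overlay addresses and groups are the ones signed into the certificates above.

```yaml
# --- config-lighthouse.yaml (runs on the lighthouse, overlay fd00:1:1::1) ---
pki:
  ca: /etc/nebula/ca.crt            # placeholder paths
  cert: /etc/nebula/lighthouse1.crt
  key: /etc/nebula/lighthouse1.key

# The lighthouse has nobody to look up, so the map stays empty.
static_host_map: {}

lighthouse:
  am_lighthouse: true
  interval: 60
  # Empty list: a lighthouse must not list itself.
  hosts: []

listen:
  host: "::"      # dual-stack underlay listener
  port: 4242      # must be reachable from the other hosts' networks

punchy:
  punch: true

tun:
  dev: nebula1

firewall:
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any
      proto: icmp
      host: any
---
# --- config.yaml (laptop and server; only the pki section differs per host) ---
pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/server.crt     # laptop.crt on the laptop
  key: /etc/nebula/server.key

# Overlay address of the lighthouse -> its underlay address:port
# (203.0.113.10 is a constructed placeholder for the lighthouse's public IP).
static_host_map:
  "fd00:1:1::1": ["203.0.113.10:4242"]

lighthouse:
  am_lighthouse: false
  interval: 60
  hosts:
    - "fd00:1:1::1"

listen:
  host: "::"
  port: 4242

punchy:
  punch: true

tun:
  dev: nebula1

firewall:
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any
      proto: icmp
      host: any
    # Only certificates carrying the "ssh" group (the laptop above) may reach
    # sshd on this host; the group is signed into the cert by the CA, so a
    # peer cannot grant itself access by editing its own config.
    - port: 22
      proto: tcp
      group: ssh
```

The firewall section is where the groups chosen at signing time pay off: the server admits port 22 only from peers whose certificate the CA signed with the ssh group, and everything else inbound except ICMP is dropped. Keep the ICMP rule while testing so you can ping fd00:1:1::1 from the laptop to confirm the overlay is up.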
