Slack Nebula Secure Mesh on Docker

**Warning: this post isn't finished!** There's also another project to consider now at https://github.com/elestio/nebula-rest-api

From a look at the GitHub issues, it seems there are problems getting Slack's Nebula open source project to run in an Alpine Docker image. But just recently someone has packaged it up, apparently with a new base image, so I downloaded it and deployed it on a Synology device:

Download the image from:

https://github.com/chrisx8/docker-nebula

The Docker run command is:

docker run -v <NEBULA_DIR>:/nebula -d -p 4242:4242/udp --cap-add=NET_ADMIN ghcr.io/chrisx8/nebula

Let's unpack that.
The command is saying: using Docker, run the Nebula image with the host folder <NEBULA_DIR> mounted into the container at /nebula (where it reads config.yml and the certs). Run it in detached mode, publish UDP port 4242 (Nebula's default listen port) on the host, and grant the container the NET_ADMIN capability so it can create and configure the tun interface Nebula uses in the host's kernel.

Create a folder on your Synology for storage; mine is on volume 2 at /docker/nebula.
You'll already have the certs and config.yml created if you've been following the previous write-up.

So you'll have a folder structure like this:

/volume2/docker/nebula/nebula
    ca.crt
    config.yml
    company.crt
    company.key
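Before pointing the run command at that folder it is worth checking it the way the container will see it. The script below is an added example, not code from the original post or from the docker-nebula project; it assumes the layout above (ca.crt, config.yml and a host cert/key pair named company.crt / company.key inside <NEBULA_DIR>). The function names and the NEBULA_DIR / NEBULA_HOST variables are this example's own.

```shell
#!/bin/sh
# Added pre-flight check for the Nebula volume (not from the post or the
# docker-nebula project). Assumes <NEBULA_DIR> holds ca.crt, config.yml and
# <host>.crt / <host>.key, with <host> defaulting to "company" as in the post.

# nebula_preflight DIR [HOST_NAME]
# Returns 0 when DIR is ready to be bind-mounted at /nebula, 1 otherwise.
nebula_preflight() {
    dir=$(cd "$1" 2>/dev/null && pwd) || { echo "no such directory: $1" >&2; return 1; }
    name="${2:-company}"
    rc=0

    # 1. Every file the container expects must be present.
    for f in ca.crt config.yml "$name.crt" "$name.key"; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            rc=1
        fi
    done

    # 2. The host's private key must not be readable by group/other users on
    #    the NAS: anyone who can read it can join the mesh as this host.
    #    (If the image runs Nebula as a non-root user, chown the folder to it.)
    if [ -f "$dir/$name.key" ]; then
        mode=$(stat -c '%a' "$dir/$name.key" 2>/dev/null || stat -f '%Lp' "$dir/$name.key")
        case "$mode" in
            *00) ;;   # 600 / 700: owner-only, fine
            *) echo "$name.key is mode $mode; run: chmod 600 $dir/$name.key" >&2; rc=1 ;;
        esac
    fi

    # 3. Inside the container the volume appears as /nebula, so config.yml must
    #    not point at the host path, which does not exist in the container.
    if [ -f "$dir/config.yml" ] && grep -qF -- "$dir" "$dir/config.yml"; then
        echo "config.yml references host path $dir; use /nebula/... instead" >&2
        rc=1
    fi

    return $rc
}

# nebula_host_has_tun
# Nebula brings up a tun interface, so the host kernel must provide the tun
# device; NET_ADMIN on its own does not create it.
nebula_host_has_tun() { [ -c /dev/net/tun ]; }

# nebula_run_cmd DIR
# Builds the run command from the post for the checked folder.
nebula_run_cmd() {
    printf 'docker run -d --name=nebula --restart=always -p 4242:4242/udp --cap-add=NET_ADMIN -v %s:/nebula ghcr.io/chrisx8/nebula' "$1"
}

# Usage on the NAS: NEBULA_DIR=/volume2/docker/nebula/nebula sh nebula-preflight.sh
if [ -n "${NEBULA_DIR:-}" ]; then
    nebula_preflight "$NEBULA_DIR" "${NEBULA_HOST:-company}" || exit 1
    nebula_host_has_tun || echo "warning: /dev/net/tun not found on this host" >&2
    echo "ready to run:"
    nebula_run_cmd "$NEBULA_DIR"
    echo
fi
```

The permission check is the one that matters most on a shared NAS: the host key is the node's identity on the mesh, and a 644 key in a shared folder is readable by every account on the device.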

You can make a script in Synology / Control Panel / Task Scheduler with the following details (the --cap-add=NET_ADMIN line matches the run command above and the Portainer capability setting; without it Nebula can't configure its tun interface):

docker run -d --name=nebula \
-p 4242:4242/udp \
-v /volume2/docker/nebula/nebula:/nebula \
--cap-add=NET_ADMIN \
--restart=always \
ghcr.io/chrisx8/nebula

Or in Portainer

Alternatively, to do this with Portainer you need the Portainer Agent running. Note the -v /volume2/@docker syntax, which is the actual location of Docker's data on Synology, slightly different from most Linux distros. Mounting /var/run/docker.sock gives the agent full control of the Docker daemon (effectively root on the NAS), so keep port 9001 reachable only from the Portainer server.

docker run -d -p 9001:9001 --name portainer_agent --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v /volume2/@docker/volumes:/var/lib/docker/volumes portainer/agent:latest

There's a Portainer video showing how 'easy' it is to migrate from Portainer Server to adding the Agent. This didn't work for me; I had to manually add the agent connection. However, the instructions are in the Portainer docs and are relatively straightforward.

Portainer settings:
    Check 'Advanced'
    Manual port publishing: host 4242 >> container 4242 (UDP)
    Add the host volume: /nebula : /docker/nebula/nebula
    Capabilities / NET_ADMIN: turn on

At this point you should be able to ping your Nebula container from the other nodes in the mesh. But you can't do anything else, because by default Docker puts the container on its own bridge network, isolated from the host's network, so the Nebula node can only reach what is inside the container.

Can we get around this with an 'unsafe route'?