
listen

listen sets the UDP port Nebula will use for sending/receiving traffic and for handshakes.

listen:
  host: 0.0.0.0
  port: 4242
  batch: 64
  read_buffer: 10485760
  write_buffer: 10485760

listen.host

Default: 0.0.0.0

host is the IP address of the interface to bind the listener to. The default, 0.0.0.0, binds all IPv4 interfaces. To enable IPv6, use '[::]' instead. host may also be a hostname.

listen.port

port is the UDP port Nebula should use on a host. On a lighthouse node the port should be set explicitly (conventionally 4242). Using port 0, or leaving port unset, dynamically assigns a port and is recommended for roaming nodes. Using 0 on lighthouses and relay hosts will likely lead to connectivity issues.

listen.batch

Default: 64

Sets the maximum number of packets to pull from the kernel per syscall (on systems that support recvmmsg).

listen.read_buffer, listen.write_buffer

Configure socket buffers for the UDP side (outside); leave unset to use the system defaults. Values will be doubled by the kernel. The defaults are net.core.rmem_default and net.core.wmem_default (/proc/sys/net/core/rmem_default and /proc/sys/net/core/wmem_default). The maximum is limited by the memory in the system; SO_RCVBUFFORCE and SO_SNDBUFFORCE are used to avoid having to raise the system-wide maximums, net.core.rmem_max and net.core.wmem_max.

listen.send_recv_error

Reloadable. Default: always. Added in v1.6.0.

By default, Nebula replies to packets it has no tunnel for with a recv_error packet. This packet helps speed up reconnection in the case that Nebula on either side did not shut down cleanly. This response can be abused, however, as a way to discover whether Nebula is running on a host. send_recv_error lets you configure whether recv_error packets are sent always, never, or only to private network remotes.

Valid values: always, never, private

listen.so_mark

Added in v1.10.0

On Linux systems, Nebula can now mark packets using the SO_MARK socket option to enable advanced routing scenarios. This is particularly useful for full subnet routing (including 0.0.0.0/0) without the complexity of network namespaces, allowing administrators to route Nebula traffic through custom routing tables.

# Mark Nebula packets with firewall mark 4242 (choose a number to associate with Nebula)
listen:
  so_mark: 4242

Example setup for 0.0.0.0/0 routing through Nebula:

# Create routing rules to handle marked traffic (use the number you marked Nebula traffic with)
ip rule add not from all fwmark 4242 lookup 4242
ip rule add from all lookup main suppress_prefixlength 0
ip route add default dev nebula1 via <nebula_unsafe_route_gw> table 4242