
listen

listen sets the UDP port Nebula will use for sending/receiving traffic and for handshakes.

listen:
  host: 0.0.0.0
  port: 4242
  batch: 64
  read_buffer: 10485760
  write_buffer: 10485760

listen.host

Default: 0.0.0.0

host is the IP address of the interface to use when binding the listener. The default is 0.0.0.0 for all IPv4 interfaces. To enable IPv6, use '[::]' instead. host may also contain a hostname.

listen.port

port is the UDP port Nebula should use on a host. For a lighthouse node, the port should be defined, conventionally as 4242. Using port 0 or leaving port unset will dynamically assign a port and is recommended for roaming nodes. Using 0 on lighthouses and relay hosts will likely lead to connectivity issues.

listen.batch

Default: 64

Sets the maximum number of packets to pull from the kernel for each syscall (on systems that support recvmmsg).

listen.read_buffer, listen.write_buffer

Configure socket buffers for the UDP side (outside); leave unset to use the system defaults. Values will be doubled by the kernel. The defaults are net.core.rmem_default and net.core.wmem_default (/proc/sys/net/core/rmem_default and /proc/sys/net/core/wmem_default). The maximum is limited by memory in the system; SO_RCVBUFFORCE and SO_SNDBUFFORCE are used to avoid having to raise the system-wide maximums, net.core.rmem_max and net.core.wmem_max.

listen.send_recv_error

Reloadable. Default: always. Added in v1.6.0.

By default, Nebula replies to packets it has no tunnel for with a recv_error packet. This packet helps speed up reconnection in the case that Nebula on either side did not shut down cleanly. However, this response can be abused as a way to discover whether Nebula is running on a host. send_recv_error lets you configure whether to send recv_error packets always, never, or only to private network remotes.

Valid values: always, never, private
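To help choose a value for an internet-facing listener, the following added example (not Nebula's own code) models the three modes and shows which remotes would be answered with a recv_error. The function names and sample addresses are hypothetical, and "private" is assumed here to mean RFC 1918 and RFC 4193 ranges as defined by Go's netip.Addr.IsPrivate; Nebula's own classification may differ.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Constructed sample remotes: LAN, public (doc range), IPv4-mapped LAN, ULA, public IPv6 (doc range).
var sampleRemotes = []string{
	"10.1.2.3:4242", "203.0.113.7:51000", "[::ffff:192.168.1.9]:4242",
	"[fd00::1]:4242", "[2001:db8::1]:4242",
}

// shouldSendRecvError (hypothetical name) models the documented modes for a packet with no tunnel.
func shouldSendRecvError(mode string, remote netip.AddrPort) (bool, error) {
	switch mode {
	case "always":
		return true, nil
	case "never":
		return false, nil
	case "private":
		// Assumption: private = IsPrivate(); Unmap so ::ffff:192.168.1.9 counts as IPv4 on '[::]'.
		return remote.Addr().Unmap().IsPrivate(), nil
	}
	return false, fmt.Errorf("invalid send_recv_error value %q", mode)
}

// repliesFor lists which remotes would be answered with recv_error under mode.
func repliesFor(mode string, remotes []string) ([]string, error) {
	var out []string
	for _, r := range remotes {
		ap, err := netip.ParseAddrPort(r)
		if err != nil {
			return nil, err
		}
		if ok, err := shouldSendRecvError(mode, ap); err != nil {
			return nil, err
		} else if ok {
			out = append(out, r)
		}
	}
	return out, nil
}

func main() {
	for _, mode := range []string{"always", "never", "private"} {
		got, err := repliesFor(mode, sampleRemotes)
		fmt.Println(mode, got, err)
	}
}
```

Under this model, private keeps the fast-reconnect behaviour for LAN peers while leaving probes from public addresses unanswered.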

listen.so_mark

Added in v1.10.0

On Linux systems, Nebula can now mark packets using the SO_MARK socket option to enable advanced routing scenarios. This is particularly useful for full subnet routing (including 0.0.0.0/0) without the complexity of network namespaces, allowing administrators to route Nebula traffic through custom routing tables.

# Mark Nebula packets with firewall mark 4242
listen:
  so_mark: 4242

Example setup for 0.0.0.0/0 routing through Nebula:

# Create routing rules to handle marked traffic
ip rule add not from all fwmark 4242 lookup 4242
ip rule add from all lookup main suppress_prefixlength 0
ip route add default dev nebula1 via <nebula_unsafe_route_gw> table 4242