Skip to main content

tun

tun:
  disabled: false
  dev: nebula1
  drop_local_broadcast: false
  drop_multicast: false
  tx_queue: 500
  mtu: 1300
  routes:
    - mtu: 8800
      route: 10.0.0.0/16
  unsafe_routes:
    - route: 172.16.1.0/24
      via: 192.168.100.99
      mtu: 1300 # mtu will default to tun mtu if this option is not specified
      install: true # controls whether this route is installed in the systems routing table.

tun.disabled

Default: False

Allows the nebula interface (tun) to be disabled, which lets you run a lighthouse without a nebula interface (and therefore without root). You will not be able to communiate over IP with a nebula node that uses this setting.

tun.dev

dev sets the interface name for your nebula interface. If not set, a default will be chosen by the OS. For macOS: Not required. If set, must be in the form utun[0-9]+. For FreeBSD: Required to be set, must be in the form tun[0-9]+.

tun.drop_local_broadcast

Default: False

Toggles forwarding of local broadcast packets, the address of which depends on the ip/mask encoded in pki.cert

tun.drop_multicast

Default: False

Toggles forwarding of multicast packets

tun.tx_queue

Default: 500

Sets the transmit queue length, if you notice lots of transmit drops on the tun it may help to raise this number. Default is 500.

tun.mtu

Default: 1300 Reloadable: Linux

Default MTU for every packet, safe setting is (and the default) 1300 for internet routed packets.

tun.routes

Reloadable

Route based MTU overrides. If you have known VPN IP paths that can support larger MTUs you can increase/decrease them here.

tun:
  routes:
    - mtu: 8800
      route: 10.0.0.0/16

tun.unsafe_routes

Reloadable
warning

The nebula certificate of the via node MUST have the route defined in the subnets list in its certificate or it will silently refuse to route traffic.

Unsafe routes allows you to route traffic over nebula to non-nebula nodes. Unsafe routes should be avoided unless you have hosts/services that cannot run nebula.

tun:
  unsafe_routes:
    - route: 172.16.1.0/24
      via: 192.168.100.99
      mtu: 1300
      metric: 100
      install: true # controls whether this route is installed in the systems routing table.

For more information, see the Extend network access beyond overlay hosts guide.

tun.use_system_route_table

Default: False

On Linux only, set to true to manage unsafe routes directly on the system route table with gateway routes instead of in nebula configuration files.