🐛 BUG: Routing non‑Nebula source traffic through Nebula interface fails #1735

@maj0rmil4d

Description

What version of nebula are you using? (nebula -version)

1.6.1

What operating system are you using?

Linux

Describe the Bug

I’m trying to use a Nebula node as an internet gateway for traffic that originates outside the Nebula overlay (from the host system or other routed networks). The goal is to route specific destinations (e.g. adobe.com) through a Nebula peer.

However, Nebula appears to drop this traffic because the source IP is not part of the Nebula certificate, and the internal firewall rejects it.

Environment:

node-edge (client machine)
node-1 (gateway / exit node)
node-2 (gateway / exit node)
Goal:

Route selected external traffic from node-edge through node-1 or node-2 using the Nebula tunnel.

What I tried:

Routing traffic to a specific destination through the Nebula interface, for example:

```shell
ip route add <destination_ip>/32 dev nebula1
```

Enabling IP forwarding and NAT on the gateway node:

```shell
sysctl -w net.ipv4.ip_forward=1
```

Firewall rules allowing traffic between hosts.

Observed behavior:

Nebula drops the packets maybe because the source IP is not a Nebula IP present in the certificate. From what I can tell, Nebula’s internal firewall requires that packet sources match the Nebula network identities defined in certificates.

This prevents using Nebula as a generic routed tunnel or exit gateway for system traffic.

Expected behavior:

Ideally it would be possible to allow routing of non‑Nebula source traffic through the overlay when explicitly configured, for example:

allowing forwarded packets with non‑Nebula source IPs
or an option to bypass the Nebula firewall for routed traffic
or a documented method for implementing an exit node / internet gateway
Questions:

Is routing non‑Nebula source traffic through a Nebula interface supported?
Is there a recommended configuration for implementing an exit node / gateway?
If not supported, is there a design reason the firewall strictly enforces certificate source IPs for forwarded traffic?
If helpful I can provide additional configs and packet captures.

Thanks!

Logs from affected hosts

tcpdump shows ICMP, but it doesn't show any of the traffic that I routed to my exit node.

Config files from affected hosts


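One way to set up the "selected destination via a Nebula peer" scenario, as an added example that is not part of the issue and not code from the Nebula maintainers: it uses Nebula's documented `tun.unsafe_routes` mechanism (the edge node lists the external prefix with `via:` pointing at the gateway's overlay address, and the gateway's certificate carries that prefix in its `-subnets`) together with forwarding and NAT on the gateway. Whether this covers every case the reporter hit is an assumption; the script only renders the configuration and checks two conditions such a route must satisfy (the `via` address lies inside the overlay, and the routed prefix does not overlap the overlay). The overlay `192.168.100.0/24`, gateway `192.168.100.1`, destination `203.0.113.10/32`, uplink `eth0`, and the `ca.crt`/`ca.key` paths are constructed values for the example.

```shell
#!/bin/sh
# Added example (not from the issue or the Nebula project). Renders the
# edge-side unsafe_routes stanza and the gateway-side commands for steering
# one external destination through a Nebula peer, after sanity-checking the
# addresses. All addresses below are assumptions chosen for the example.

# dotted quad -> 32-bit integer (subshell so the IFS change does not leak)
ip_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# prefix length (0..32) -> netmask as an integer
plen_mask() {
  [ "$1" -eq 0 ] && { echo 0; return; }
  echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# cidr_contains NET/LEN IP -> true when IP lies inside NET/LEN
cidr_contains() {
  mask=$(plen_mask "${1#*/}")
  [ $(( $(ip_to_int "${1%/*}") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# cidr_overlaps A/LEN B/LEN -> true when the two prefixes share any address
cidr_overlaps() {
  cidr_contains "$1" "${2%/*}" || cidr_contains "$2" "${1%/*}"
}

# validate_unsafe_route OVERLAY ROUTE VIA -> 0 if usable, 1 with a reason on stderr
validate_unsafe_route() {
  overlay=$1 route=$2 via=$3
  if ! cidr_contains "$overlay" "$via"; then
    echo "via $via is not an address inside overlay $overlay" >&2
    return 1
  fi
  if cidr_overlaps "$overlay" "$route"; then
    echo "route $route overlaps overlay $overlay; use the overlay itself instead" >&2
    return 1
  fi
  return 0
}

# render_edge_config ROUTE VIA -> tun stanza for node-edge's Nebula config
render_edge_config() {
  cat <<EOF
tun:
  dev: nebula1
  unsafe_routes:
    - route: $1
      via: $2
EOF
}

# render_gateway_setup ROUTE UPLINK -> commands node-1 runs (assumed paths/ifaces)
render_gateway_setup() {
  cat <<EOF
# node-1's certificate must advertise the routed prefix: re-sign with -subnets
nebula-cert sign -name node-1 -ip 192.168.100.1/24 -subnets "$1" -ca-crt ca.crt -ca-key ca.key
# forward and source-NAT overlay traffic for the routed prefix out of the uplink
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -d $1 -o $2 -j MASQUERADE
iptables -A FORWARD -i nebula1 -o $2 -d $1 -j ACCEPT
iptables -A FORWARD -i $2 -o nebula1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

main() {
  validate_unsafe_route 192.168.100.0/24 203.0.113.10/32 192.168.100.1 || return 1
  render_edge_config 203.0.113.10/32 192.168.100.1
  render_gateway_setup 203.0.113.10/32 eth0
}

main
```

The edge node's own traffic to the routed prefix then leaves with its overlay address as source, so both Nebula firewalls evaluate it against node-edge's certificate as usual; the gateway's `firewall.inbound` still has to permit that host or group, and the `-subnets` re-sign is what lets the gateway accept packets for the prefix at all.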