If you have a server or system at home that you want to have secure remote access to without the need for a VPN, Nebula could be the solution to your problem. The reason to use Nebula over just port forwarding another protocol, such as RDP, is that Nebula will build a VPN tunnel and encrypt all traffic between your devices. You can then write firewall rules like in my last post on Nebula.
In this post I will be covering how to configure your home firewall or router to forward traffic to the system you want access to. You can set this up for multiple systems by using different ports in the forwarding rules.
First create a Nebula certificate for your systems(The one you want to access, and the one you want to access from) and download both the certificates and Nebula binaries onto the systems. You can see my first post on Nebula for instructions on how to accomplish this.
After all of the Nebula files are on their respective systems, edit the configuration for the device you want to access. Remove all entries from the “hosts” portion of the “Lighthouses” section. Also change the listening port to whatever you like, I used 4343.
Next set up the port forwarding rule to the device you want to access on the firewall or router. Below are instructions for port forwarding rules on the Check Point SMB 1550 and a normal AT&T internet router. If you have a basic internet router skip to the explanation for that below.
Check Point SMB 1550
Create a service object for the Nebula port running on your system and the port you want to connect to from the outside. I used port 33333 as the outside port and since I set Nebula to run on port 4343 that’s the other object I created. You can just use a single service object if you want the inside and outside port to be the same.
Next create a NAT rule where the original destination is the gateway itself and the original service is the outside service object you created. The translated destination should be the IP of the device you want to connect to and the translated service should be the inside service object.
Now when an outside Nebula node tries to connect to {Public IP}:33333 it will be forwarded to {system IP}:4343.
AT&T Router
Log into the configuration web interface of your router. The information for this is usually on the router itself. Once there go to the NAT/port forwarding configuration section. On an AT&T router it looks like below.
Create a custom service. Name it Nebula, set the global port and base port as 4343, and set the protocol as UDP.
Assign this new service to the device you want to be able to access.
Now when an outside Nebula node tries to connect to {Public IP}:4343 it will be forwarded to {system IP}:4343.
Now that the NAT rules are in place, configure the outside node. The port on the outside node can be 0 so that it assigns a random port. Also set a static host mapping for the device we want to have remote access to. This requires mapping the node IP to the public IP of the network. The port to the right of the public IP should either be the outside service port or the global port depending on what router or firewall you’re using.
Note: If you use dynamic DNS, you can put your hostname in place of the public IP.
Now run Nebula on both of our systems. My laptop is connected to the hotspot on my phone for testing, and I can ping the system on my home network via its Nebula IP meaning its able to build a tunnel.
Note on setup reasoning:
I chose to use forwarding rules instead of a Nebula lighthouse because I use a Check Point SMB 1550 firewall, and when a port is assigned during NAT, it is only used for a single connection. So when a Nebula node connects out to the lighthouse, the port that is assigned is during NAT is the port that the lighthouse sends to the other nodes. But when a new Nebula connection comes into my Check Point device, it sees that its a new connection and doesn't forward it along as a NAT translation. This is true for many different devices and I wanted a solution that would work for as many networks as possible.
Also, for devices that aren’t going to be moving around, you can easily have a port forwarding rule and a static mapping in Nebula so that you don't have to worry about hosting a lighthouse with a cloud provider.