Skip to content
Nebula Docs Nebula Docs Nebula

tun

tun:
  disabled: false
  dev: nebula1
  drop_local_broadcast: false
  drop_multicast: false
  tx_queue: 500
  mtu: 1300
  routes:
    - mtu: 8800
      route: 10.0.0.0/16
  unsafe_routes:
    - route: 172.16.1.0/24
      via: 192.168.100.99
      mtu: 1300 # mtu will default to tun mtu if this option is not specified
      install: true # controls whether this route is installed in the systems routing table.

tun.disabled

Section titled “tun.disabled”
Default: False

Allows the nebula interface (tun) to be disabled, which lets you run a lighthouse without a nebula interface (and therefore without root). You will not be able to communicate over IP with a nebula node that uses this setting.

tun.dev

Section titled “tun.dev”

dev sets the interface name for your nebula interface. If not set, a default will be chosen by the OS. For macOS: Not required. If set, must be in the form utun[0-9]+. For FreeBSD: Required to be set, must be in the form tun[0-9]+.

tun.drop_local_broadcast

Section titled “tun.drop_local_broadcast”
Default: False

Toggles forwarding of local broadcast packets, the address of which depends on the ip/mask encoded in pki.cert

tun.drop_multicast

Section titled “tun.drop_multicast”
Default: False

Toggles forwarding of multicast packets

tun.tx_queue

Section titled “tun.tx_queue”
Default: 500

Sets the transmit queue length, if you notice lots of transmit drops on the tun it may help to raise this number. Default is 500.

tun.mtu

Section titled “tun.mtu”
Default: 1300 Reloadable: Linux

Default MTU for every packet, safe setting is (and the default) 1300 for internet routed packets.

tun.routes

Section titled “tun.routes”
Reloadable

Route based MTU overrides. If you have known VPN IP paths that can support larger MTUs you can increase/decrease them here.

tun:
  routes:
    - mtu: 8800
      route: 10.0.0.0/16

tun.unsafe_routes

Section titled “tun.unsafe_routes”
Reloadable

Unsafe routes allows you to route traffic over nebula to non-nebula nodes. Unsafe routes should be avoided unless you have hosts/services that cannot run nebula.

tun:
  unsafe_routes:
    - route: 172.16.1.0/24
      via: 192.168.100.99
      mtu: 1300
      metric: 100
      install: true # controls whether this route is installed in the systems routing table.

For more information, see the Extend network access beyond overlay hosts guide.

tun.use_system_route_table

Section titled “tun.use_system_route_table”
Default: False

This option is only supported on Linux.

Set to true to manage unsafe routes directly on the system route table with gateway routes instead of in nebula configuration files.