Nebula is such a great tool. If you haven't tried it yet, you should really give it a shot. It's easy to self-host and set up, and has been absolutely rock solid. I have it on all my devices, plus several Raspberry Pis at unattended remote sites that I rarely have access to, serving as gateways to internal LANs, and they all just work, all the time.
Tailscale gets most of the attention on HN, and I'm sure that it's a wonderful product too, but Nebula is a nice, simple, "do one thing well" product.
We have a section for overlay networks on the tunneling list [0] I maintain. This is a very interesting space with some excellent software.
I certainly have my gripes about the closed nature of Slack itself, in particular using a closed protocol when the model is clearly "federated" between multiple servers internally. That said, the contribution of something on the scale and quality of Nebula back to the open source community is hard to argue with.
[0]: https://github.com/anderspitman/awesome-tunneling#overlay-ne...
I am using Defined.net to manage my Nebula deployment in my datacenter rack and it has made operationalizing an overlay network a breeze. It's like having my own basic private VPC with security groups (roles) without a cloud provider.
They added tag support [1] a few months ago, which I have yet to try out, but it looks very promising. The defined.net API [2] is very easy to use for host management, and I am able to auto-enroll new hosts and remove them after I deprovision them.
I also made a GitHub Action [3] which I use to allow for my Actions to communicate with resources on my overlay network.
[1] https://docs.defined.net/guides/creating-firewalls-using-rol...
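To make the "security groups (roles)" comparison concrete, here is an added example of what that model looks like in a plain Nebula host config. It is not taken from the comment author, from Defined.net, or from the Nebula repository; the overlay addresses, lighthouse hostname, file paths and group names (admins, app, prod, db) are all placeholders chosen for illustration. Group membership is not set in this file: it is embedded in the host's certificate when the CA signs it, so a peer can only present a group the CA actually granted.

```yaml
# Added example config (hypothetical values), not the project's own file.
# A host gets its groups at signing time, e.g. with nebula-cert:
#   nebula-cert sign -name "db1" -ip "10.42.0.10/16" -groups "db,prod"
pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/host.crt
  key: /etc/nebula/host.key
  # Revoke a compromised host by fingerprint without re-issuing the CA.
  blocklist: []

# Overlay IP -> public address of the lighthouse (placeholder hostname).
static_host_map:
  "10.42.0.1": ["lighthouse.example.net:4242"]

lighthouse:
  am_lighthouse: false
  interval: 60
  hosts:
    - "10.42.0.1"

listen:
  host: 0.0.0.0
  port: 4242

punchy:
  punch: true

tun:
  dev: nebula1
  mtu: 1300

firewall:
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m

  # This host may initiate connections to any overlay peer.
  outbound:
    - port: any
      proto: any
      host: any

  # Inbound is default-deny: only rules listed here admit traffic. Each
  # rule is evaluated against the *peer's* certificate, so "group" here
  # is the role the CA signed into that peer's cert, not something the
  # peer can assert at runtime.
  inbound:
    # ICMP from anyone on the overlay, for reachability checks.
    - port: any
      proto: icmp
      host: any
    # SSH only from hosts whose cert carries the "admins" group.
    - port: 22
      proto: tcp
      group: admins
    # Postgres only from hosts carrying BOTH "app" AND "prod".
    - port: 5432
      proto: tcp
      groups:
        - app
        - prod
```

The practical consequence of this design is that changing a host's role means re-signing its certificate rather than editing a central policy, and removing a host from a role means either letting its cert expire or adding its fingerprint to `pki.blocklist` on the peers that should stop trusting it. That is the trade-off behind the "ACLs" comparison elsewhere in this thread: Nebula's policy is distributed across per-host configs and certificates, which is simple and hard to break globally, but less convenient to change in one place.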
(blog post author here)
Thanks for sharing this on HN! I'll keep an eye on the comments and try to answer questions that come up.
I really like a lot of Tailscale, but I just finished implementing it for my company using headscale (I couldn't get the funding to buy from Tailscale). This is across ~200 machines.
I'll be honest: If I could do it again, I'd use Nebula. The primary issue I have is that Tailscale has a lot of magic, which I can see being nice in some cases, but it does complicate some of the routing and firewalling I'm doing on machines; in particular, the way it sets up Tailscale routes to network routes at a higher priority than local interfaces leads to problems in my environment.
The other thing is just Headscale itself, it works quite well but does have some rough edges. It's entirely too easy to kill your whole mesh by flubbing an ACL, and currently restarting headscale to pick up ACL changes is taking 3-5 minutes.
I do, however, really prefer the Tailscale ACLs over Nebula's.
One thing that led me to Tailscale was its ability to relay around network routing problems, and it looks like Nebula has added that since I started. Around the time I was evaluating Nebula vs. Tailscale we had a ~1-day network routing issue where some of my users were blackhole-routed in Comcast, and Tailscale just worked around it.
Big fan of Nebula, especially Defined, which makes it really easy to set up/maintain.
Very interesting soft sell. They don't name any competitors, or specifically compare the alternate approaches taken by them, which is IMHO not the greatest SEO, but what do I know. Maybe they do that elsewhere on the site.
Aside from defined.net, what are the best frontend/management tools for nebula? Last I looked it was all manual config (which is fine for most of us, but limits adoption elsewhere)
Can Nebula work with VPN exit nodes (similar to Tailscale + Mullvad)?
In the self-hosted space, I've been really enjoying playing around with decentralized encrypted overlay mesh networks like Nebula. Here's the current list of my faves (all WireGuard-based).
Open-source projects not-quite-prod-ready:
- WebMesh: Golang, decentralized nodes https://github.com/webmeshproj
- InnerNet: Rust, with subnet ACLs https://github.com/tonarino/innernet
- Wesher: Golang, simple mesh with pre-shared key https://github.com/costela/wesher
- Wiresmith: Rust, auto-configs clients into a mesh https://github.com/svenstaro/wiresmith
Open source projects with company-backed SaaS offerings:
- Netbird: Golang, full-fledged solution (desktop clients, DNS, SSO, STUN/TURN, etc.) https://github.com/netbirdio/netbird
- Netmaker: Golang, full-fledged solution https://github.com/gravitl/netmaker
Honorable mention:
- SuperHighway84 - more of a Usenet-inspired darknet, but I love the concept + the author's personal website: https://github.com/mrusme/superhighway84 https://xn--gckvb8fzb.com/superhighway84