Convert Figma logo to code with AI

slackhq logonebula

A scalable overlay networking tool with a focus on performance, simplicity and security

14,290
960
14,290
101
View on GitHub

Top Related Projects

tailscale's avatar

tailscale

18,532

The easiest, most secure way to use WireGuard and 2FA.

WireGuard's avatar

wireguard-go

3,028

Mirror only. Official repository is at https://git.zx2c4.com/wireguard-go

gravitational's avatar

teleport

17,295

The easiest, and most secure way to access and protect all of your infrastructure.

OpenVPN's avatar

openvpn

10,618

OpenVPN is an open source VPN daemon

pritunl's avatar

pritunl

4,404

Enterprise VPN server

zerotier's avatar

ZeroTierOne

14,173

A Smart Ethernet Switch for Earth

Quick Overview

Nebula is a scalable overlay networking tool designed to securely connect computers across different cloud providers, data centers, and regions. It creates a virtual network that allows devices to communicate as if they were on the same local network, regardless of their physical location or the complexity of the underlying network infrastructure.

Pros

  • Highly secure, using modern encryption and authentication methods
  • Scalable and performant, capable of handling large networks with minimal overhead
  • Platform-agnostic, supporting various operating systems and cloud providers
  • Easy to set up and manage, with a simple configuration process

Cons

  • Requires some networking knowledge to fully understand and implement
  • Limited documentation for advanced use cases and troubleshooting
  • May require additional firewall configuration in some network environments
  • Not as feature-rich as some commercial VPN solutions

Getting Started

To get started with Nebula, follow these steps:

  1. Download the latest release for your platform from the Nebula GitHub releases page.

  2. Generate certificates for your network:

./nebula-cert ca -name "My Nebula Network"
./nebula-cert sign -name "lighthouse" -ip "192.168.100.1/24"
./nebula-cert sign -name "host1" -ip "192.168.100.2/24"
./nebula-cert sign -name "host2" -ip "192.168.100.3/24"
  1. Create a configuration file (config.yml) for each node:
pki:
  ca: /path/to/ca.crt
  cert: /path/to/host.crt
  key: /path/to/host.key

static_host_map:
  "192.168.100.1": ["public_ip:4242"]

lighthouse:
  am_lighthouse: false
  hosts:
    - "192.168.100.1"

listen:
  host: 0.0.0.0
  port: 4242

tun:
  dev: nebula1
  drop_local_broadcast: false
  drop_multicast: false
  tx_queue: 500
  mtu: 1300

firewall:
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any
      proto: icmp
      host: any
  1. Run Nebula on each node:
./nebula -config /path/to/config.yml

For more detailed instructions and advanced configuration options, refer to the Nebula documentation.

Competitor Comparisons

tailscale logo

tailscale

18,532

The easiest, most secure way to use WireGuard and 2FA.

Pros of Tailscale

  • Easier setup and configuration, especially for non-technical users
  • Built-in NAT traversal and automatic key management
  • Integrates well with existing identity providers (e.g., Google, Microsoft)

Cons of Tailscale

  • Closed-source control server, limiting self-hosting options
  • Requires a central coordination server, which may introduce privacy concerns
  • Less flexible in terms of custom network configurations

Code Comparison

Tailscale configuration example:

tailscale up --authkey=tskey-auth-abcdef1234567890

Nebula configuration example:

static_host_map:
  "10.0.0.1": ["100.64.22.11:4242"]
lighthouse:
  am_lighthouse: true
  interval: 60

While both projects aim to create secure overlay networks, Tailscale focuses on ease of use and integration with existing systems, whereas Nebula provides more flexibility and control over network configuration. Tailscale's approach may be more suitable for small to medium-sized organizations, while Nebula's design caters to users who require fine-grained control over their network setup.

WireGuard logo

wireguard-go

3,028

Mirror only. Official repository is at https://git.zx2c4.com/wireguard-go

Pros of WireGuard

  • Simpler implementation and easier to audit due to smaller codebase
  • Generally faster performance and lower latency
  • Wider adoption and integration into various operating systems

Cons of WireGuard

  • Less flexible network topology options
  • Limited built-in features for access control and user management
  • Lacks native support for more complex networking scenarios

Code Comparison

WireGuard:

func (device *Device) RoutineHandshake() {
    for {
        select {
        case <-device.signals.stop:
            return
        default:
        }
        device.handshake()
        time.Sleep(time.Second)
    }
}

Nebula:

func (f *Interface) handshakeManager() {
    for {
        select {
        case <-f.stopHandshakeManager:
            return
        case <-f.handshakeTicker.C:
            f.handleHandshakeTimer()
        }
    }
}

Both projects implement handshake routines, but Nebula's approach appears more modular and event-driven. WireGuard's implementation is more straightforward, reflecting its simpler design philosophy. Nebula offers more flexibility in handling different events within the handshake process, which aligns with its focus on complex network topologies and advanced features.

gravitational logo

teleport

17,295

The easiest, and most secure way to access and protect all of your infrastructure.

Pros of Teleport

  • More comprehensive access management solution, including SSH, Kubernetes, databases, and web applications
  • Built-in auditing and session recording capabilities
  • Supports role-based access control (RBAC) and single sign-on (SSO)

Cons of Teleport

  • More complex setup and configuration compared to Nebula
  • Requires a central authority (Teleport Auth Server) for operation
  • May have higher resource requirements due to its broader feature set

Code Comparison

Nebula configuration example:

pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/host.crt
  key: /etc/nebula/host.key

Teleport configuration example:

teleport:
  nodename: example-node
  data_dir: /var/lib/teleport
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025

Both projects use YAML for configuration, but Teleport's configuration is more extensive due to its broader feature set. Nebula focuses on network connectivity, while Teleport provides a more comprehensive access management solution.

Nebula is ideal for simple, lightweight VPN-like connectivity, while Teleport is better suited for organizations requiring advanced access management, auditing, and multi-protocol support across various infrastructure components.

OpenVPN logo

openvpn

10,618

OpenVPN is an open source VPN daemon

Pros of OpenVPN

  • Widely adopted and well-established, with extensive documentation and community support
  • Supports a broader range of platforms and devices
  • Offers more advanced authentication options and integration with external systems

Cons of OpenVPN

  • More complex setup and configuration process
  • Generally slower performance due to its SSL/TLS-based encryption
  • Requires root/admin privileges for installation and operation

Code Comparison

OpenVPN configuration example:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

Nebula configuration example:

pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/host.crt
  key: /etc/nebula/host.key
static_host_map:
  "10.0.0.1": ["100.100.100.100:4242"]

While OpenVPN uses a more traditional configuration format, Nebula employs a YAML-based configuration, which can be easier to read and maintain. Nebula's configuration is generally simpler and more straightforward, reflecting its focus on ease of use and modern design principles. OpenVPN's configuration offers more granular control but can be more complex to set up and manage.

pritunl logo

pritunl

4,404

Enterprise VPN server

Pros of Pritunl

  • User-friendly web interface for easy management and configuration
  • Supports multiple VPN protocols (OpenVPN, WireGuard, IPsec)
  • Built-in user management and authentication system

Cons of Pritunl

  • Requires more server resources compared to Nebula
  • Less focus on mesh networking capabilities
  • May have a steeper learning curve for advanced configurations

Code Comparison

Nebula configuration example:

static_host_map:
  "10.0.0.1": ["100.64.22.11:4242"]
lighthouse:
  am_lighthouse: true
  interval: 60

Pritunl configuration example:

{
  "bind_addr": "0.0.0.0",
  "port": 9700,
  "debug": false,
  "ssl": true,
  "static_cache": true
}

While both projects aim to provide VPN solutions, they have different approaches. Nebula focuses on a lightweight, peer-to-peer mesh network, while Pritunl offers a more traditional client-server VPN model with a web-based management interface. Nebula's configuration is typically done through YAML files, emphasizing simplicity and ease of deployment. Pritunl, on the other hand, uses JSON for configuration and provides more extensive options through its web interface, catering to users who prefer graphical management tools.

zerotier logo

ZeroTierOne

14,173

A Smart Ethernet Switch for Earth

Pros of ZeroTierOne

  • Easier setup and configuration for non-technical users
  • Built-in NAT traversal capabilities
  • Supports a wider range of platforms, including mobile devices

Cons of ZeroTierOne

  • Closed-source central controller, which may raise privacy concerns
  • Less customizable and flexible compared to Nebula
  • Potential scalability limitations in large enterprise environments

Code Comparison

ZeroTierOne (C++):

void Node::processVirtualNetworkFrame(...)
{
    // ... (packet processing logic)
    _r->sw->onRemotePacket(tPtr,len,path,vl);
}

Nebula (Go):

func (f *Interface) readPacket(...) {
    // ... (packet reading logic)
    f.decryptPacket(data)
    f.firewall.AddTraffic(packet)
}

Both projects implement packet processing and encryption, but ZeroTierOne uses C++ while Nebula uses Go. Nebula's code appears more modular and easier to read, potentially making it more maintainable for developers familiar with Go.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

What is Nebula?

Nebula is a scalable overlay networking tool with a focus on performance, simplicity and security. It lets you seamlessly connect computers anywhere in the world. Nebula is portable, and runs on Linux, OSX, Windows, iOS, and Android. It can be used to connect a small number of computers, but is also able to connect tens of thousands of computers.

Nebula incorporates a number of existing concepts like encryption, security groups, certificates, and tunneling, and each of those individual pieces existed before Nebula in various forms. What makes Nebula different to existing offerings is that it brings all of these ideas together, resulting in a sum that is greater than its individual parts.

Further documentation can be found here.

You can read more about Nebula here.

You can also join the NebulaOSS Slack group here.

Supported Platforms

Desktop and Server

Check the releases page for downloads or see the Distribution Packages section.

  • Linux - 64 and 32 bit, arm, and others
  • Windows
  • MacOS
  • Freebsd

Distribution Packages

Mobile

Technical Overview

Nebula is a mutually authenticated peer-to-peer software defined network based on the Noise Protocol Framework. Nebula uses certificates to assert a node's IP address, name, and membership within user-defined groups. Nebula's user-defined groups allow for provider agnostic traffic filtering between nodes. Discovery nodes allow individual peers to find each other and optionally use UDP hole punching to establish connections from behind most firewalls or NATs. Users can move data between nodes in any number of cloud service providers, datacenters, and endpoints, without needing to maintain a particular addressing scheme.

Nebula uses Elliptic-curve Diffie-Hellman (ECDH) key exchange and AES-256-GCM in its default configuration.

Nebula was created to provide a mechanism for groups of hosts to communicate securely, even across the internet, while enabling expressive firewall definitions similar in style to cloud security groups.

Getting started (quickly)

To set up a Nebula network, you'll need:

1. The Nebula binaries or Distribution Packages for your specific platform. Specifically you'll need nebula-cert and the specific nebula binary for each platform you use.

2. (Optional, but you really should..) At least one discovery node with a routable IP address, which we call a lighthouse.

Nebula lighthouses allow nodes to find each other, anywhere in the world. A lighthouse is the only node in a Nebula network whose IP should not change. Running a lighthouse requires very few compute resources, and you can easily use the least expensive option from a cloud hosting provider. If you're not sure which provider to use, a number of us have used $5/mo DigitalOcean droplets as lighthouses.

Once you have launched an instance, ensure that Nebula udp traffic (default port udp/4242) can reach it over the internet.

3. A Nebula certificate authority, which will be the root of trust for a particular Nebula network.

./nebula-cert ca -name "Myorganization, Inc"

This will create files named ca.key and ca.cert in the current directory. The ca.key file is the most sensitive file you'll create, because it is the key used to sign the certificates for individual nebula nodes/hosts. Please store this file somewhere safe, preferably with strong encryption.

4. Nebula host keys and certificates generated from that certificate authority

This assumes you have four nodes, named lighthouse1, laptop, server1, host3. You can name the nodes any way you'd like, including FQDN. You'll also need to choose IP addresses and the associated subnet. In this example, we are creating a nebula network that will use 192.168.100.x/24 as its network range. This example also demonstrates nebula groups, which can later be used to define traffic rules in a nebula network.

./nebula-cert sign -name "lighthouse1" -ip "192.168.100.1/24"
./nebula-cert sign -name "laptop" -ip "192.168.100.2/24" -groups "laptop,home,ssh"
./nebula-cert sign -name "server1" -ip "192.168.100.9/24" -groups "servers"
./nebula-cert sign -name "host3" -ip "192.168.100.10/24"

5. Configuration files for each host

Download a copy of the nebula example configuration.

  • On the lighthouse node, you'll need to ensure am_lighthouse: true is set.

  • On the individual hosts, ensure the lighthouse is defined properly in the static_host_map section, and is added to the lighthouse hosts section.

6. Copy nebula credentials, configuration, and binaries to each host

For each host, copy the nebula binary to the host, along with config.yml from step 5, and the files ca.crt, {host}.crt, and {host}.key from step 4.

DO NOT COPY ca.key TO INDIVIDUAL NODES.

7. Run nebula on each host

./nebula -config /path/to/config.yml

Building Nebula from source

Make sure you have go installed and clone this repo. Change to the nebula directory.

To build nebula for all platforms: make all

To build nebula for a specific platform (ex, Windows): make bin-windows

See the Makefile for more details on build targets

Curve P256 and BoringCrypto

The default curve used for cryptographic handshakes and signatures is Curve25519. This is the recommended setting for most users. If your deployment has certain compliance requirements, you have the option of creating your CA using nebula-cert ca -curve P256 to use NIST Curve P256. The CA will then sign certificates using ECDSA P256, and any hosts using these certificates will use P256 for ECDH handshakes.

In addition, Nebula can be built using the BoringCrypto GOEXPERIMENT by running either of the following make targets:

make bin-boringcrypto
make release-boringcrypto

This is not the recommended default deployment, but may be useful based on your compliance requirements.

Credits

Nebula was created at Slack Technologies, Inc by Nate Brown and Ryan Huber, with contributions from Oliver Fross, Alan Lam, Wade Simmons, and Lining Wang.