from Hacker News

Would we still create Nebula today?

by carride on 10/13/23, 3:12 PM with 39 comments

  • by lenova on 10/13/23, 9:38 PM

    In the self-hosted space, I've been really enjoying playing around with decentralized encrypted overlay mesh networks like Nebula. Here's the current list of my faves (all Wireguard based).

    Open-source projects not-quite-prod-ready:

    - WebMesh: Golang, decentralized nodes https://github.com/webmeshproj

    - InnerNet: Rust, with subnet ACLs https://github.com/tonarino/innernet

    - Wesher: Golang, simple mesh with pre-shared key https://github.com/costela/wesher

    - Wiresmith: Rust, auto-configs clients into a mesh https://github.com/svenstaro/wiresmith

    Open source projects with company-backed SaaS offerings:

    - Netbird: Golang, full-fledged solution (desktop clients, DNS, SSO, STUN/TURN, etc) https://github.com/netbirdio/netbird

    - Netmaker: Golang, full-fledged solution https://github.com/gravitl/netmaker

    Honorable mention:

    - SuperHighway84 - more of a Usenet-inspired darknet, but I love the concept + the author's personal website: https://github.com/mrusme/superhighway84 https://xn--gckvb8fzb.com/superhighway84

  • by dave78 on 10/13/23, 3:59 PM

    Nebula is such a great tool. If you haven't tried it yet, you should really give it a shot. It's easy to self host and to set up, and has been absolutely rock solid. I have it on all my devices, plus several Raspberry Pis set up at unattended remote sites that I rarely have access to, serving as gateways to internal LANs, and they all just work, all the time.

    Tailscale gets most of the attention on HN, and I'm sure that it's a wonderful product too, but Nebula is a nice, simple, "do one thing well" product.

  • by apitman on 10/13/23, 7:51 PM

    We have a section for overlay networks on the tunneling list[0] I maintain. This is a very interesting space with some excellent software.

    I certainly have my gripes about the closed nature of Slack itself, in particular using a closed protocol when the model is clearly "federated" between multiple servers internally. That said, the contribution of something on the scale and quality of Nebula back to the open source community is hard to argue with.

    [0]: https://github.com/anderspitman/awesome-tunneling#overlay-ne...

  • by jdoss on 10/13/23, 7:13 PM

    I am using Defined.net to manage my Nebula deployment in my datacenter rack and it has made operationalizing an overlay network a breeze. It's like having my own basic private VPC with security groups (roles) without a cloud provider.

    They added in tag support [1] a few months ago which I have yet to try out but it looks very promising. The defined.net API [2] is very easy to use for host management and I am able to auto enroll new hosts and remove them after I deprovision them.

    I also made a GitHub Action [3] which I use to allow for my Actions to communicate with resources on my overlay network.

    [1] https://docs.defined.net/guides/creating-firewalls-using-rol...

    [2] https://docs.defined.net/api/host-create/

    [3] https://github.com/quickvm/action-dnclient

  • by rhuber on 10/13/23, 3:58 PM

    (*blog post author here)

    Thanks for sharing this on HN! I'll keep an eye on the comments and try to answer questions that come up.

  • by linsomniac on 10/14/23, 1:07 AM

    I really like a lot of Tailscale, but I just finished implementing it for my company using headscale (I couldn't get the funding to buy from Tailscale). This is across ~200 machines.

    I'll be honest: If I could do it again, I'd use Nebula. The primary issues I have are that Tailscale has a lot of magic, which I can see being nice in some cases, but it does make some of the routing and firewalling I'm doing on machines, and in particular the thing where it sets up Tailscale routes to network routes as higher priority than local interfaces leads to problems in my environment.

    The other thing is just Headscale itself, it works quite well but does have some rough edges. It's entirely too easy to kill your whole mesh by flubbing an ACL, and currently restarting headscale to pick up ACL changes is taking 3-5 minutes.

    I do, however, really prefer the Tailscale ACLs over Nebula's.

    One thing that led me to Tailscale was the ability for it to relay around network routing problems, and it looks like Nebula has added that since I started. Around the time I was evaluating Nebula vs. Tailscale we had a ~1 day network routing issue where some of my users were blackhole routed in Comcast, and Tailscale just worked around it.
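    Two comments above touch the same point from different sides: jdoss describes Nebula's group-based firewall as "security groups (roles)", and linsomniac notes how easy it is to "kill your whole mesh by flubbing an ACL". The following is an added example, written for this thread and not code from Nebula, Defined.net or any commenter. It lints a Nebula-style firewall section before it is pushed to hosts, flagging rules that are malformed or that silently remove segmentation. It assumes the rule shape of Nebula's `config.yml` (`firewall.inbound` / `firewall.outbound` entries with `port`, `proto`, and exactly one selector among `host`, `group`, `groups`, `cidr`); the config itself is built inline as a Python dict so it runs without a YAML library, and the sample rules are constructed for illustration.

```python
"""Lint a Nebula-style firewall config for malformed or over-permissive rules.

Added example for the discussion above; not code from Nebula or Defined.net.
Rule shape mirrors Nebula's config.yml: each inbound/outbound entry carries
`port`, `proto` and exactly one selector (`host`, `group`, `groups`, `cidr`).
"""
import re
from typing import Any, Dict, List

SELECTORS = ("host", "group", "groups", "cidr")
PROTOS = {"any", "tcp", "udp", "icmp"}
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def _port_ok(port: Any) -> bool:
    """Accept 'any', a single port, or an 'a-b' range within 1..65535."""
    if port == "any":
        return True
    m = PORT_RE.match(str(port))
    if not m:
        return False
    lo = int(m.group(1))
    hi = int(m.group(2) or lo)
    return 1 <= lo <= hi <= 65535


def lint_rule(direction: str, idx: int, rule: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for one firewall rule."""
    tag = f"{direction}[{idx}]"
    findings: List[str] = []
    proto = rule.get("proto")
    port = rule.get("port")

    if proto not in PROTOS:
        findings.append(f"{tag}: proto must be one of {sorted(PROTOS)}, got {proto!r}")
    if not _port_ok(port):
        findings.append(f"{tag}: port must be 'any', a port, or 'a-b' in 1..65535, got {port!r}")

    present = [k for k in SELECTORS if k in rule]
    if len(present) != 1:
        findings.append(f"{tag}: exactly one of {SELECTORS} is required, got {present or 'none'}")

    # Inbound any/any from any host is the classic flubbed ACL: every node on
    # the mesh can reach every port on this host, so the roles do nothing.
    if direction == "inbound" and rule.get("host") == "any" and port == "any" and proto == "any":
        findings.append(f"{tag}: admits any host on any port/proto; scope it to group(s) or a port")
    return findings


def lint_firewall(config: Dict[str, Any]) -> List[str]:
    """Lint both directions of the `firewall` section; empty list means clean."""
    fw = config.get("firewall", {})
    out: List[str] = []
    for direction in ("inbound", "outbound"):
        for i, rule in enumerate(fw.get(direction) or []):
            out.extend(lint_rule(direction, i, rule))
    return out


# Constructed sample mirroring the YAML a Nebula host would load (not a real deployment).
SAMPLE_CONFIG: Dict[str, Any] = {
    "firewall": {
        "outbound": [{"port": "any", "proto": "any", "host": "any"}],
        "inbound": [
            {"port": 22, "proto": "tcp", "groups": ["admin"]},                  # fine
            {"port": "8000-8999", "proto": "tcp", "group": "web"},               # fine
            {"port": "any", "proto": "any", "host": "any"},                       # kills segmentation
            {"port": 443, "proto": "tcp", "group": "web", "cidr": "10.0.0.0/8"},  # two selectors
            {"port": "70000", "proto": "gre"},                                    # bad port, proto, no selector
        ],
    }
}

if __name__ == "__main__":
    for finding in lint_firewall(SAMPLE_CONFIG):
        print(finding)
```

Running the file prints five findings for the sample: one for the any/any/any inbound rule, one for the rule with two selectors, and three for the last rule. Wiring a check like this into the same pipeline that enrolls hosts (the API-driven flow jdoss describes) gives a cheap guard against the "whole mesh down" failure mode before a rule reaches a single node.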

  • by FL410 on 10/13/23, 4:21 PM

    Big fan of Nebula, especially Defined, which makes it real easy to set up/maintain.

  • by jiveturkey on 10/14/23, 1:05 AM

    Very interesting soft sell. They don't name any competitors, or specifically compare the alternate approaches taken by them, which is IMHO not the greatest SEO, but what do I know. Maybe they do that elsewhere on the site.

  • by woleium on 10/13/23, 7:02 PM

    Aside from defined.net, what are the best frontend/management tools for Nebula? Last I looked it was all manual config (which is fine for most of us, but limits adoption elsewhere).

  • by BatgnomeDwarf on 10/14/23, 1:52 AM

    Can Nebula work with VPN exit nodes (similar to Tailscale + Mullvad)?