Configs · May 28, 2026 · 3 min read

Nebula — Scalable Overlay Networking with Performance and Simplicity

Nebula is an open-source overlay networking tool created at Slack. It builds encrypted mesh networks across hosts in any environment using a lightweight agent and a certificate-based identity model, so hosts can authenticate and reach one another without relying on network-level firewall rules for access control.

Agent-ready

Installation with prior review

This asset requires review. The copied prompt asks for a dry run, shows the writes, then continues only after confirmation.

Needs Confirmation · 64/100 · Policy: confirm
Agent surface: Any MCP/CLI agent
Type: Skill
Installation: Single
Trust: Established
Entry point: Nebula Overview
Command with prior review:
npx -y tokrepo@latest install 855dca14-5a4e-11f1-9bc6-00163e2b0d79 --target codex

Dry-run first, confirm the writes, then run this command.

Introduction

Nebula was created at Slack to solve the problem of securely connecting hosts across data centers, cloud providers, and office networks. It creates a flat overlay network where every node can reach every other node directly, using encrypted tunnels and a certificate authority model for identity.

What Nebula Does

  • Creates encrypted mesh VPN tunnels between hosts across any network
  • Uses a certificate-based identity model instead of pre-shared keys
  • Enables direct host-to-host connectivity with UDP hole punching
  • Provides built-in firewall rules based on certificate metadata groups
  • Supports lighthouses (discovery nodes) for NAT traversal coordination

Architecture Overview

Nebula uses the Noise protocol framework to establish an encrypted tunnel between each pair of hosts. Each host runs a nebula agent that reports its reachable addresses to the configured lighthouses, which answer peer-discovery queries. When two hosts need to communicate they attempt direct UDP hole punching; if that fails, traffic can be forwarded through a node that has been configured as a relay. The certificate authority signs host certificates that embed the host's overlay IP address and its group memberships, and the built-in firewall makes access-control decisions on those signed fields rather than on an unauthenticated source address.

Self-Hosting & Configuration

  • Deploy the single nebula binary to each host (Linux, macOS, Windows, FreeBSD)
  • Generate a CA key pair and sign individual host certificates offline; the CA private key stays on the signing machine and only the CA certificate is distributed to hosts
  • Configure lighthouses as stable, publicly reachable nodes for discovery
  • Define firewall rules in YAML based on certificate groups and ports
  • Use systemd or similar to run nebula as a background service on each host
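The certificate-and-groups model described under Architecture Overview and the self-hosting steps above, carried through end to end as an added example (this is not a script from the Nebula project or from the original page): one CA signs a lighthouse, a web host and an admin host with different groups, and the rendered config's firewall admits SSH only from certificates carrying the "admin" group. The overlay range 192.168.100.0/24, the lighthouse's public address 203.0.113.10:4242, the host names and the output directory are hypothetical values chosen for the example; the `nebula-cert` flags and config keys are those of the tool.

```shell
#!/bin/sh
# Added example, not code from the Nebula project or this page: build a
# three-host overlay (lighthouse, web host, admin host) from one CA and render
# configs whose firewall admits SSH only from certs carrying the "admin" group.
# Hypothetical values: overlay 192.168.100.0/24, lighthouse public address
# 203.0.113.10:4242 (TEST-NET-3), the host names below, a mktemp output dir.
set -eu

CA_NAME="example-overlay"
OVERLAY_PREFIX=24
LIGHTHOUSE_OVERLAY_IP=192.168.100.1
LIGHTHOUSE_PUBLIC_ADDR="203.0.113.10:4242"

# Create the CA. ca.key stays on the signing machine; only ca.crt is copied
# to hosts. The CA lifetime caps the lifetime of every cert it signs.
make_ca() {
  nebula-cert ca -name "$CA_NAME" -duration 8760h
}

# Sign one host cert: $1 name, $2 overlay IP, $3 comma-separated groups.
# IP and groups are signed into the cert, so a host cannot claim an address
# or group the CA did not grant; the firewall trusts these signed fields.
sign_host() {
  nebula-cert sign -name "$1" -ip "$2/$OVERLAY_PREFIX" -groups "$3" -duration 2160h
}

# Render config.yml on stdout: $1 host name (selects $1.crt/$1.key),
# $2 "true" on the lighthouse, "false" on every other host.
write_config() {
  host=$1; is_lighthouse=$2
  if [ "$is_lighthouse" = "true" ]; then
    peers="[]"                        # a lighthouse must not list itself
    static_map="static_host_map: {}"
  else
    peers="[\"$LIGHTHOUSE_OVERLAY_IP\"]"
    static_map="static_host_map:
  \"$LIGHTHOUSE_OVERLAY_IP\": [\"$LIGHTHOUSE_PUBLIC_ADDR\"]"
  fi
  cat <<EOF
pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/$host.crt
  key: /etc/nebula/$host.key

$static_map

lighthouse:
  am_lighthouse: $is_lighthouse
  hosts: $peers

listen:
  port: 4242

punchy:
  punch: true

# Fallback when hole punching fails: the lighthouse relays, others use it.
relay:
  am_relay: $is_lighthouse
  use_relays: true
  relays: $peers

tun:
  dev: nebula1

firewall:
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    # HTTPS from any host holding a cert from our CA.
    - port: 443
      proto: tcp
      host: any
    # SSH only from certs in the "admin" group ("groups:" would require all listed).
    - port: 22
      proto: tcp
      group: admin
EOF
}

main() {
  out_dir=${OUT_DIR:-$(mktemp -d)}
  if command -v nebula-cert >/dev/null 2>&1; then
    ( cd "$out_dir" && make_ca \
        && sign_host lighthouse1 "$LIGHTHOUSE_OVERLAY_IP" lighthouse \
        && sign_host web1 192.168.100.10 web \
        && sign_host admin1 192.168.100.20 admin )
  else
    echo "nebula-cert not on PATH; rendering configs only into $out_dir" >&2
  fi
  write_config lighthouse1 true > "$out_dir/lighthouse1.yml"
  write_config web1 false > "$out_dir/web1.yml"
  write_config admin1 false > "$out_dir/admin1.yml"
}
main
```

Copy `ca.crt`, each host's `.crt`/`.key` and its rendered `.yml` (as `config.yml`) into `/etc/nebula/` on that host and start `nebula -config /etc/nebula/config.yml` under systemd or your service manager. Before distributing a certificate, check what was actually signed into it with `nebula-cert print -path web1.crt`: the groups and IP shown there are exactly what the firewall on every other host will enforce, so an extra group granted by mistake is an authorization bug, not a cosmetic one.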

Key Features

  • Peer-to-peer encrypted tunnels using modern Noise protocol cryptography
  • Certificate-based identity eliminates the need for centralized auth servers
  • Built-in firewall with group-based rules defined in host certificates
  • NAT traversal via UDP hole punching with lighthouse-assisted discovery
  • Scales to tens of thousands of nodes in production at Slack

Comparison with Similar Tools

  • WireGuard — Kernel-level VPN; Nebula adds certificate identity and mesh discovery
  • Tailscale — Managed WireGuard mesh; Nebula is fully self-hosted with no SaaS dependency
  • ZeroTier — Peer-to-peer networking; uses a centralized controller vs Nebula's CA model
  • Headscale — Open-source Tailscale control server; different architecture and protocol
  • NetBird — WireGuard-based mesh with SSO; Nebula uses certificate groups instead

FAQ

Q: How does Nebula differ from WireGuard? A: WireGuard provides point-to-point encrypted tunnels. Nebula adds a certificate authority for identity, automatic peer discovery via lighthouses, and a built-in firewall with group-based rules.

Q: Can Nebula work behind strict NATs? A: Yes. Nebula uses UDP hole punching for direct connections. When that fails, traffic can be relayed through a node that has been configured as a relay, typically a lighthouse.

Q: How many hosts can Nebula support? A: Nebula was designed for large-scale deployments. Slack runs it across tens of thousands of hosts in production.

Q: Is Nebula suitable for a homelab? A: Yes. Nebula works well for connecting a small number of machines across different networks. The lightweight binary has minimal resource requirements.
