# Nebula — Scalable Overlay Networking for Distributed Teams

> Connect tens of thousands of hosts across any infrastructure with a peer-to-peer encrypted overlay network. Nebula, created at Slack, provides a portable mesh VPN that works across cloud providers, data centers, and edge devices.

## Quick Use

```bash
# Generate the CA. ca.key signs every host certificate: keep it off the mesh,
# only ca.crt is distributed to hosts.
nebula-cert ca -name "MyOrg"

# Sign a host certificate. The overlay IP and the groups are baked into the
# cert; the groups are what firewall rules match on.
nebula-cert sign -name "server1" -ip "192.168.100.1/24" -groups "servers"

# Start nebula with the host's config (pki paths, lighthouses, firewall rules)
nebula -config config.yml
```

## Introduction

Nebula is a scalable overlay networking tool developed at Slack for connecting hosts across heterogeneous infrastructure. It creates an encrypted peer-to-peer mesh network that allows direct communication between nodes regardless of their underlying network topology, NAT boundaries, or cloud provider.

## What Nebula Does

- Creates encrypted point-to-point tunnels between hosts using the Noise protocol framework (the same family of handshakes WireGuard uses)
- Punches through NATs and firewalls for direct peer-to-peer connectivity over UDP
- Manages certificate-based authentication with its own lightweight CA (`nebula-cert`)
- Enforces firewall rules at the overlay level, keyed on certificate groups, for microsegmentation
- Scales to tens of thousands of nodes with minimal lighthouse infrastructure

## Architecture Overview

Nebula operates with two node types: lighthouses (discovery nodes that help peers find each other) and regular nodes that form the mesh. Each node holds a certificate signed by the organization's CA; the certificate binds the node's name, its overlay IP, its groups, and any additional subnets it is allowed to route. Peers verify each other's certificate during the handshake, so identity is mutual and tied to the certificate rather than to the underlay address a packet happens to arrive from.

When a node wants to communicate with another, it queries a lighthouse for the peer's public endpoint, then attempts UDP hole-punching for a direct connection. Lighthouses broker discovery only; they do not terminate tunnels. All traffic is encrypted end-to-end using the Noise protocol framework with X25519 key exchange and AES-256-GCM or ChaCha20-Poly1305 (one cipher must be chosen for the whole mesh).
## Self-Hosting & Configuration

- Generate a certificate authority with `nebula-cert ca` and sign host certificates with assigned overlay IPs and groups using `nebula-cert sign`; give certificates a bounded lifetime with `-duration` and keep `ca.key` off the mesh
- Deploy the `nebula` binary to each host (available for Linux, macOS, Windows, iOS, Android)
- Configure lighthouses as publicly reachable nodes on a fixed UDP port (4242 by convention) that help with peer discovery
- Define firewall rules in `config.yml` to control which hosts and ports can communicate; inbound traffic is denied unless a rule allows it
- Use `unsafe_routes` (under `tun`) to route traffic for non-Nebula subnets through specific nodes; the gateway node's certificate must include that subnet

## Key Features

- Horizontal scalability to 10,000+ nodes without centralized routing
- Certificate-based identity with built-in lightweight CA tooling
- Cross-platform support including mobile devices
- Built-in overlay firewall for network segmentation by certificate groups
- No single point of failure for established tunnels: if every lighthouse is down, existing peer connections keep working and only discovery of new peers is affected

## Comparison with Similar Tools

- **WireGuard** — kernel-level VPN tunnel; Nebula adds mesh topology, NAT traversal, and certificate management on top
- **Tailscale** — managed mesh VPN built on WireGuard; Nebula is fully self-hosted with no external coordination server
- **ZeroTier** — similar overlay mesh; Nebula uses certificate-based auth instead of a central controller
- **Headscale** — self-hosted Tailscale control server; Nebula provides its own protocol rather than depending on WireGuard
- **NetBird** — WireGuard-based mesh with management UI; Nebula ships no management plane and limits itself to the data path, the CA tooling, and the overlay firewall

## FAQ

**Q: How does Nebula compare to WireGuard in performance?**

A: Both achieve near-line-rate encrypted throughput. Nebula runs entirely in userspace, which adds some overhead compared to WireGuard's kernel module, but the difference is negligible for most workloads.

**Q: Do I need a lighthouse for every site?**

A: No. A single lighthouse (or a few for redundancy) can serve the entire mesh. Lighthouses only assist with initial peer discovery; once connected, nodes communicate directly.
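The following pair of configs is an added example for the deployment described under Self-Hosting & Configuration and the lighthouse answer above; it is not taken from the Nebula repository or its documentation. It assumes the certificates were issued with `nebula-cert sign -name "lighthouse1" -ip "192.168.100.1/24"` and `nebula-cert sign -name "web1" -ip "192.168.100.10/24" -groups "servers"`, that the lighthouse is reachable at the assumed public address 203.0.113.10, that a third host at 192.168.100.20 was signed with `-subnets "10.50.0.0/16"`, and that the group names `servers`, `ops` and `linux` exist; all of those values are constructed for the example.

```yaml
# --- lighthouse1 (/etc/nebula/config.yml on the lighthouse) ---
# Publicly reachable, fixed UDP port, lists no lighthouses of its own.
pki:
  ca: /etc/nebula/ca.crt            # public CA cert only; ca.key stays offline
  cert: /etc/nebula/lighthouse1.crt
  key: /etc/nebula/lighthouse1.key
lighthouse:
  am_lighthouse: true
  hosts: []                         # a lighthouse must not list itself
listen:
  host: 0.0.0.0
  port: 4242                        # open this UDP port on the underlay firewall
punchy:
  punch: true                       # send keepalive punches so NAT mappings stay open
  respond: true
relay:
  am_relay: true                    # also forward traffic for peers that cannot punch through
  use_relays: false
cipher: aes                         # every node in the mesh must use the same cipher
firewall:
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any
      proto: icmp
      host: any                     # nothing but ping reaches the lighthouse over the overlay
---
# --- web1 (/etc/nebula/config.yml on a regular node, group "servers") ---
pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/web1.crt
  key: /etc/nebula/web1.key
static_host_map:
  # overlay IP of the lighthouse -> its public UDP endpoint (assumed address)
  "192.168.100.1": ["203.0.113.10:4242"]
lighthouse:
  am_lighthouse: false
  interval: 60                      # seconds between lighthouse updates
  hosts:
    - "192.168.100.1"               # overlay IPs, and each must appear in static_host_map
listen:
  host: 0.0.0.0
  port: 0                           # random source port; fine for nodes behind NAT
punchy:
  punch: true
  respond: true
relay:
  am_relay: false
  use_relays: true                  # fall back to a relay when direct punching fails
  relays:
    - "192.168.100.1"               # lighthouse1 doubles as relay (am_relay: true above)
cipher: aes                         # must match the lighthouse and every other node
tun:
  disabled: false
  dev: nebula1
  mtu: 1300
  unsafe_routes:
    # reach a non-Nebula subnet via the overlay host 192.168.100.20; that host's
    # certificate must have been signed with -subnets "10.50.0.0/16" or the route is rejected
    - route: 10.50.0.0/16
      via: 192.168.100.20
firewall:
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    # inbound is deny-by-default: only rules listed here admit traffic
    - port: any
      proto: icmp
      host: any
    - port: 443
      proto: tcp
      group: any                    # any host with a certificate from our CA
    - port: 22
      proto: tcp
      groups:                       # the peer's certificate must carry every listed group
        - ops
        - linux
```

Two things worth checking before rolling this out: the `firewall` section filters only tunnel payload, so the lighthouse's ICMP-only inbound list does not interfere with handshakes or discovery, and a group named in an `inbound` rule is only as trustworthy as your certificate issuance, since anyone who can sign a cert with `-groups "ops,linux"` can reach port 22 on every `servers` host.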
**Q: Can Nebula traverse corporate firewalls?**

A: Nebula uses UDP hole-punching and gets through most NATs. Where direct punching fails (for example, symmetric NAT on both sides), nodes can be configured to use relay nodes, which are ordinary Nebula hosts that forward the still-encrypted traffic between the two peers. Nebula has no TCP transport, so a network that blocks outbound UDP entirely also blocks Nebula's lighthouse and relay traffic; in that case the only fix is an allowed UDP path, not a relay.

**Q: Is there a management UI?**

A: Nebula itself is CLI-driven. Third-party tools like Nebula-Mesh-Admin provide web interfaces, and the Defined Networking company offers a commercial management layer.

## Sources

- https://github.com/slackhq/nebula
- https://nebula.defined.net/docs/

---

Source: https://tokrepo.com/en/workflows/asset-19806f5a
Author: Script Depot