# Nebula — Scalable Overlay Networking with Performance and Simplicity

> Nebula is an open-source overlay networking tool created at Slack. It builds encrypted mesh networks across hosts in any environment using a lightweight agent and a certificate-based identity model, enabling secure communication without complex firewall rules.

## Quick Use

```bash
# Download the latest release (the tarball contains both the nebula and nebula-cert binaries)
curl -LO https://github.com/slackhq/nebula/releases/latest/download/nebula-linux-amd64.tar.gz
tar xzf nebula-linux-amd64.tar.gz

# Generate a CA certificate and key (writes ca.crt and ca.key); keep ca.key offline
./nebula-cert ca -name "MyOrg"

# Sign a host certificate (reads ca.crt and ca.key from the current directory by default)
./nebula-cert sign -name "server1" -ip "192.168.100.1/24"

# Run nebula with your config
sudo ./nebula -config config.yml
```

## Introduction

Nebula was created at Slack to solve the problem of securely connecting hosts across data centers, cloud providers, and office networks. It creates a flat overlay network where every node can reach every other node directly, using encrypted tunnels and a certificate authority model for identity.

## What Nebula Does

- Creates encrypted mesh VPN tunnels between hosts across any network
- Uses a certificate-based identity model instead of pre-shared keys
- Enables direct host-to-host connectivity with UDP hole punching
- Provides built-in firewall rules based on the groups embedded in host certificates
- Supports lighthouses (discovery nodes) for NAT traversal coordination

## Architecture Overview

Nebula uses the Noise protocol framework to establish encrypted tunnels between hosts. Each host runs a nebula agent that maintains connections to its configured lighthouses for peer discovery. When two hosts need to communicate, they attempt direct UDP hole punching; if that fails, traffic can be routed through a relay host.
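As an added illustration of the pieces just described (not a file from the Nebula project), here is a config.yml for an ordinary mesh member that reports to one lighthouse, falls back to that lighthouse as a relay when hole punching fails, and restricts inbound traffic by certificate group. The overlay range 192.168.100.0/24, the lighthouse's public address 203.0.113.10, the /etc/nebula paths and the group names are assumptions.

```yaml
# config.yml for a regular (non-lighthouse) mesh member. Added example: every
# address, path and group name here is assumed, not taken from Nebula's own docs.
pki:
  ca: /etc/nebula/ca.crt       # CA public cert, distributed to every host
  cert: /etc/nebula/host.crt   # this host's cert: carries its overlay IP and groups
  key: /etc/nebula/host.key    # private key, generated and kept on this host only

# Overlay IP of the lighthouse -> its publicly reachable underlay address.
static_host_map:
  "192.168.100.1": ["203.0.113.10:4242"]

lighthouse:
  am_lighthouse: false         # only the designated discovery node sets this true
  interval: 60                 # seconds between updates sent to lighthouses
  hosts:
    - "192.168.100.1"

listen:
  host: 0.0.0.0
  port: 0                      # 0 = random UDP port; a lighthouse needs a fixed one

punchy:
  punch: true                  # keep NAT mappings alive and attempt hole punching

# Fallback when punching fails: relay via the lighthouse (which sets am_relay: true).
relay:
  relays:
    - 192.168.100.1
  am_relay: false
  use_relays: true

# Rules are evaluated against the peer's certificate; unmatched traffic is dropped.
firewall:
  outbound:
    - port: any
      proto: any
      host: any                # this host may initiate to any mesh peer
  inbound:
    - port: any
      proto: icmp
      host: any                # ping for diagnostics
    - port: 22
      proto: tcp
      group: ops               # SSH only from certs carrying group "ops"
    - port: 443
      proto: tcp
      groups:                  # peer cert must carry both groups
        - frontend
        - production
```

A peer whose certificate lacks the required group is dropped by the firewall even though its tunnel was authenticated by the CA, which is what lets the access policy live in the certificates rather than in per-host IP rules.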
The certificate authority signs host certificates with embedded IP addresses and group memberships, which the built-in firewall uses for access control decisions.

## Self-Hosting & Configuration

- Deploy the single nebula binary to each host (Linux, macOS, Windows, FreeBSD)
- Generate a CA certificate pair and sign individual host certificates offline
- Configure lighthouses as stable, publicly reachable nodes for discovery
- Define firewall rules in YAML based on certificate groups and ports
- Use systemd or similar to run nebula as a background service on each host

## Key Features

- Peer-to-peer encrypted tunnels using modern Noise protocol cryptography
- Certificate-based identity eliminates the need for centralized auth servers
- Built-in firewall with group-based rules defined in host certificates
- NAT traversal via UDP hole punching with lighthouse-assisted discovery
- Scales to tens of thousands of nodes in production at Slack

## Comparison with Similar Tools

- **WireGuard** — Kernel-level VPN; Nebula adds certificate identity and mesh discovery
- **Tailscale** — Managed WireGuard mesh; Nebula is fully self-hosted with no SaaS dependency
- **ZeroTier** — Peer-to-peer networking; uses a centralized controller, versus Nebula's CA model
- **Headscale** — Open-source Tailscale control server; different architecture and protocol
- **NetBird** — WireGuard-based mesh with SSO; Nebula uses certificate groups instead

## FAQ

**Q: How does Nebula differ from WireGuard?**

A: WireGuard provides point-to-point encrypted tunnels. Nebula adds a certificate authority for identity, automatic peer discovery via lighthouses, and a built-in firewall with group-based rules.

**Q: Can Nebula work behind strict NATs?**

A: Yes. Nebula uses UDP hole punching for direct connections. When that fails, traffic can relay through lighthouse nodes.

**Q: How many hosts can Nebula support?**

A: Nebula was designed for large-scale deployments. Slack runs it across tens of thousands of hosts in production.

**Q: Is Nebula suitable for a homelab?**

A: Yes. Nebula works well for connecting a small number of machines across different networks. The lightweight binary has minimal resource requirements.

## Sources

- https://github.com/slackhq/nebula
- https://nebula.defined.net/docs/

---

Source: https://tokrepo.com/en/workflows/asset-855dca14

Author: AI Open Source