WireGuard has been the "hot new thing" when it comes to VPNs, but it's not always the best suited for every workload. Nebula is a mesh network originally created by Slack, but now owned by a separate company.

Linux Unplugged 329 - Flat Network Truthers

A conventional VPN, such as WireGuard or OpenVPN, works in a hub-spoke pattern, such that all traffic flows through the central "hub", regardless of where the other devices are. This is simple to maintain for small deployments, and is generally what you want when using a VPN to allow access to a private corporate network. This is also the model you want when thinking of commercial VPN solutions like Mullvad and PIA, where you don't want peers to connect to each other, just to route their traffic via the VPN server. This architecture doesn't work very well when nodes are trying to talk to each other, as traffic has to go via the host. Nodes could be single devices, or entire networks in themselves in a site-to-site deployment.

A mesh network is very similar to this; however, rather than flowing through a single server, traffic flows directly from client to client without ever touching the server.

As you'll notice, there's still a central node. This is the "introducer", or "lighthouse" in Nebula's lingo, and it's responsible for ensuring all nodes on the network can communicate with each other effectively. The lighthouse is also the only node which requires a static IP.

Because traffic is no longer routed via a single node, the resource requirements for that node drop drastically, and traffic bottlenecks are reduced. Traffic can take whatever path it likes, limited only by the networks directly between it and the target device, which would be a bottleneck in any network setup. In some situations, this means traffic won't leave the LAN, and thus will run at full LAN speeds.

Nebula is constantly polling and updating the IPs usable for communicating with a node, meaning devices can easily roam between networks and always be accessible through the same VPN IP. If the destination node is on the LAN, traffic will be sent through a LAN interface; if not, it'll be sent over the internet, still directly to the device, using UDP hole punching.

# What about WireGuard

Everyone loves WireGuard, and for good reason! It's relatively simple, fast and built into the Linux kernel. Unfortunately, however, it doesn't natively support meshing. It's possible to make WireGuard pretend it's a mesh, but it's not really designed for it. wg-dynamic is planning on changing that, but it's still under development (however inactive it may be). There is Tailscale, a mesh VPN which uses WireGuard under the hood. If you really want to use WireGuard, that's the closest you're going to get. However, it's missing the firewalling features of Nebula, not to mention that the server component (introducer) isn't open-source.

Nebula is written in Go, and as such is available as a single binary. There are versions available for Windows, macOS and Linux. You'll be hard pushed to find it in any Linux distro's package repositories (besides Arch, of course), so downloading the binaries directly is the easiest way to get started.

On clients, you'll just need the nebula binary, but to provision the network, you'll also need nebula-cert.

Additionally, there are mobile clients. They're not feature-complete quite yet, nor are they fully polished, but they're definitely functional.

For my setup when writing this, I'll be running the lighthouse on an Ubuntu VPS, 1 client on my Arch desktop and 1 on my Android 10 phone.

Nebula uses good ol' PKI for authentication in the form of Certificate Authorities (CAs).
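As an added example (not from the original post) of how the pieces above fit together in Nebula's configuration, here is a lighthouse config alongside a roaming client config: the lighthouse's fixed public address, hole punching so NAT'd clients still talk to each other directly, and a firewall that grants access by certificate group rather than by IP. The 192.168.100.0/24 overlay range, the hostname lighthouse.example.com, the /etc/nebula paths and the group name admin are assumed placeholders.

```yaml
# Lighthouse (static public IP, listens on a fixed UDP port).
# Assumed overlay range 192.168.100.0/24; paths and names are placeholders.
pki:
  ca: /etc/nebula/ca.crt        # the CA that signed every node's cert
  cert: /etc/nebula/lighthouse.crt
  key: /etc/nebula/lighthouse.key
lighthouse:
  am_lighthouse: true
listen:
  host: 0.0.0.0
  port: 4242                    # the only fixed address:port in the mesh
firewall:
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any
      proto: icmp               # lighthouse only needs to answer pings
      host: any
---
# Roaming client (laptop/phone; may sit behind NAT on any network).
pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/host.crt
  key: /etc/nebula/host.key
static_host_map:
  # overlay IP of the lighthouse -> its real public address
  "192.168.100.1": ["lighthouse.example.com:4242"]
lighthouse:
  am_lighthouse: false
  interval: 60                  # seconds between reporting our reachable IPs
  hosts:
    - "192.168.100.1"
listen:
  host: 0.0.0.0
  port: 0                       # random UDP port; no static IP required
punchy:
  punch: true                   # keep NAT mappings open so peers connect directly
firewall:
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: 22
      proto: tcp
      groups:                   # allowed by the group in the peer's certificate,
        - admin                 # not by IP, so roaming peers keep their access
```

Because the inbound rule matches on the group embedded in the peer's signed certificate, a client's access survives moving between networks, and revoking it is a matter of the CA, not of firewall IP lists.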