
A bit lower level than most things discussed here, but on the topic of overlay networks: I've used Nebula for years and can recommend it.

https://github.com/slackhq/nebula





+1 on Nebula. I don’t know why it doesn’t get mentioned more as an overlay network option.

I've used it for some time; it feels very much like it is in maintenance mode.

You manage a PKI and have to distribute the keys yourself, no auth/login etc.

It's much better than WireGuard, not requiring O(N) config changes to add a node, and allowing proxy nodes, etc.

IIRC, key revocation and so on are not easy.


Nebula just had a major release that added IPv6 support for overlay networks. Hardly maintenance mode.

The main company working on it now seems to be adding all the fancy easy-to-use features as a layer on top of Nebula that they are selling. I personally appreciate getting to use the simple core of Nebula as open source. It seems very Unix-y to me: a simple tool that does one thing and does it well.


Nebula does not require O(n) config changes for adding a node.

O(n) is only required for:

- active revocation of a certificate (requires adding the CA fingerprint to the config file)

- adding/removing a lighthouse (hub for publishing IPs for p2p) or relay (for going over p2p)

- CA rotation


AFAICT you and 'ysleepy are in agreement.

We are; WireGuard needs O(N) updates to add a node to every other node.

This problem has been brought up in the OpenZiti community many times. I like Nebula, but it's not 'truly open source'.

What do you mean?

Referring to the previous person's comment, that you need to manage a PKI and have to distribute the keys yourself, no auth/login etc.

How does that make it not "truly open source"?

I made a shell script that does most of that for my needs.
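The "shell script that does most of that" the comment above mentions, written out as an added example (it is not the commenter's script and not Nebula's own tooling). It drives `nebula-cert` from https://github.com/slackhq/nebula, assumed to be on PATH; the CA name, the file paths, the `192.168.100.0/24` overlay range and the hostnames are illustrative choices. It also shows the point made earlier in the thread about cost: issuing a host certificate touches one host, while revocation is a fingerprint blocklist that has to be pushed to every node.

```shell
#!/bin/sh
# Added example (not from the thread, not part of Nebula): a small "CA in a
# shell script" for a Nebula overlay. Assumes nebula-cert is on PATH. CA
# name, paths and the 192.168.100.0/24 range are placeholders.
set -eu

CA_DIR="${CA_DIR:-./nebula-ca}"

# Create the CA once. ca.key must stay off the network: nodes receive only
# ca.crt. Nebula's pki.ca file may hold several CA certs, which is how a CA
# rotation is staged (ship the new CA everywhere, re-sign, then drop the old).
make_ca() {
    mkdir -p "$CA_DIR"
    nebula-cert ca -name "home-overlay" -duration 87600h \
        -out-crt "$CA_DIR/ca.crt" -out-key "$CA_DIR/ca.key"
}

# Sign one host. Only this host's files are produced; no other node's
# config changes, which is the O(1) "add a node" property discussed above.
#   sign_host <name> <overlay-ip/prefix> [comma-separated groups]
sign_host() {
    name=$1; ip=$2; groups=${3:-}
    set -- -name "$name" -ip "$ip" \
        -ca-crt "$CA_DIR/ca.crt" -ca-key "$CA_DIR/ca.key" \
        -out-crt "$CA_DIR/$name.crt" -out-key "$CA_DIR/$name.key"
    [ -n "$groups" ] && set -- "$@" -groups "$groups"
    nebula-cert sign "$@"
}

# Fingerprint of a signed certificate. Assumption: the text output of
# `nebula-cert print` carries a "Fingerprint:" line; check it against your
# version (its -json output is the alternative if the text form differs).
cert_fingerprint() {
    nebula-cert print -path "$1" | awk '/Fingerprint:/ { print $2; exit }'
}

# Revoke a host: record its certificate fingerprint in the shared blocklist.
# This is the O(n) step: the rendered pki: section below must then be
# redeployed to every node, since each node checks its own blocklist.
revoke_host() {
    cert_fingerprint "$CA_DIR/$1.crt" >> "$CA_DIR/blocklist.txt"
}

# Render the pki: section of one node's config.yml (paths are placeholders).
# pki.blocklist is Nebula's revocation mechanism: a list of certificate
# fingerprints the node refuses to handshake with.
#   render_pki_config <host> <blocklist-file>
render_pki_config() {
    host=$1; blocklist=$2
    printf 'pki:\n'
    printf '  ca: /etc/nebula/ca.crt\n'
    printf '  cert: /etc/nebula/%s.crt\n' "$host"
    printf '  key: /etc/nebula/%s.key\n' "$host"
    if [ -s "$blocklist" ]; then
        printf '  blocklist:\n'
        sed 's/^/    - /' "$blocklist"
    fi
}

# Whole flow, as it would be typed:
#   make_ca
#   sign_host lighthouse1 192.168.100.1/24
#   sign_host media-server 192.168.100.10/24 servers
#   sign_host old-laptop 192.168.100.20/24 laptops
#   revoke_host old-laptop     # then redeploy pki: to ALL nodes and reload
#   render_pki_config media-server "$CA_DIR/blocklist.txt" > pki.yml
```

Only the certificate and key files are per-host; everything else (ca.crt, the blocklist, the lighthouse/relay list) is identical across nodes, which is exactly the set of things that cost O(n) to change.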


Fair, I was being loose with my language. What I should have said is that it does not come fully featured open source, that you need to do a certain amount of rolling your own.

The same could be said for a web server, a RADIUS server, etc. I mean, ssh "requires" a network to be remotely useful :)

Edit, since sadly I can't reply:

You're right, that was a bad example.

I can probably list at least a few dozen things that all require certificates though, which was really my point. Everything has dependencies.

Also, if you just... don't trust big tech, run your own CA.


Right, but if certificates are a fundamental part of your design, you should include the functional mechanisms to manage them, IMHO (i.e., key distribution, auth/login). The developers created it, but they keep it in the commercial product. Other overlays which use PKI include those functions in the FOSS.

Nah, I don't buy that. A network is not a functional requirement of SSH, etc., in your use case.

What about DNS integration? As far as I know, you can't resolve nodes by name (http://media-server), you have to use node's internal IP.

Nebula uses lighthouses instead of DNS for finding other nodes.

https://github.com/slackhq/nebula?tab=readme-ov-file#2-optio...


Yes, but when you connect your phone to a Nebula network and go to http://media-server in your browser, DNS won't resolve it to your desired node, because the phone client (same on desktop) didn't update the phone's DNS, so you'll have to use the node's IP address.

That's what I've read (when evaluating Nebula), at least.


It doesn't automatically update, that's true. But I think the typical way to deal with this is to have a nebula subdomain. www.nebula.example.com instead of www.example.com.

I haven't thought about it, thanks

When your nodes are not very numerous, and their IPs are statically assigned, you can just have them in a hosts file, or even served by your normal name server if you're using a split-horizon configuration.

Editing the hosts file seems unwieldy, and impossible on a phone without rooting it, AFAIK.

> split-horizon configuration

Is it when your local router redirects media-server.mydomain.com to a local IP, and, say, Cloudflare DNS redirects it to your Nebula IP?
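The two options discussed above (a hosts file on machines you control, and a resolver with a split-horizon view for everything else, under a dedicated Nebula subdomain) generated from one node list, as an added example that is not from the thread or from the Nebula project. Assumptions: `nebula.example.com` is a placeholder subdomain, the `192.168.100.x` addresses are placeholder static overlay IPs, and dnsmasq is the resolver; any resolver that takes per-name overrides works the same way.

```shell
#!/bin/sh
# Added example, not part of the thread or of Nebula: one node list, two
# rendered outputs. Placeholders: the nebula.example.com subdomain and the
# 192.168.100.0/24 overlay addresses.
set -eu

DOMAIN="${DOMAIN:-nebula.example.com}"

# Node list on stdin: "<name> <overlay-ip>" per line, '#' comments allowed.
# Output: an /etc/hosts fragment for desktops/servers (the phone cannot use
# this, as the thread notes). Fails on a duplicate name so two nodes cannot
# silently claim the same hostname.
render_hosts() {
    awk -v d="$DOMAIN" '
        /^[[:space:]]*(#|$)/ { next }
        $1 in seen { print "duplicate node name: " $1 > "/dev/stderr"; exit 1 }
        { seen[$1] = 1; print $2 "\t" $1 "." d "\t" $1 }'
}

# Same input, rendered as dnsmasq overrides. Run this on a resolver that is
# itself reachable over the overlay and point overlay clients (including
# the phone) at it: that resolver answers with overlay addresses while the
# public zone keeps public ones, which is the split-horizon arrangement.
# Using a dedicated subdomain keeps the two views from colliding.
render_dnsmasq() {
    awk -v d="$DOMAIN" '
        /^[[:space:]]*(#|$)/ { next }
        { print "address=/" $1 "." d "/" $2 }'
}

# Usage, as it would be typed:
#   render_hosts  < nodes.txt >> /etc/hosts
#   render_dnsmasq < nodes.txt > /etc/dnsmasq.d/nebula.conf
```

Because the addresses are static and issued by your own CA, the node list is the same file you already maintain when signing certificates, so the two renderings stay in step with the PKI rather than drifting on their own.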


Is it much more complex to set up than WireGuard-based ones?

It is really the easiest to set up and understand. There are no users, just hosts and their keys.

What it doesn't offer is a GUI or tool to handle copying/installing/revoking keys, so you trade super-easy setup for a handful of nodes for management overhead if you are scaling up and down regularly.



