Nebula: Open Source Overlay Networking
Nebula is an overlay networking tool designed to be fast, secure, and scalable. Connect any number of hosts with on-demand, encrypted tunnels that work across any IP networks and without opening firewall ports.
- Peer-to-peer, layer 3, virtual network (Technical Details)
- Supports TCP/UDP/ICMP traffic via TUN adapter with split-tunneling
- Host firewall with groups-based rules engine for overlay traffic
- Route discovery and NAT traversal assisted by simple "lookup" hosts
Identity and Authorization
Nebula uses a PKI model for establishing trust between hosts and networks.
- Host certificates are used to securely identify and authorize peers
- Hosts mutually authenticate by validating certificates and CAs
- Firewall rules enforced by evaluating certificate "security groups"
- nebula-cert executable to generate keys, certs, and CAs, and to sign host certificates
Nebula is written in Go and is designed for portability.
- Packaged for Linux, macOS, Windows, iOS, Android, and FreeBSD
- Efficiently runs on x86, ARM, MIPS, PPC, and RISC hardware (32 & 64-bit)
- A single nebula executable runs host firewall and service
- Host config file defines CA trust, host cert & key, and firewall rules
- At least one host in overlay network should be a Lighthouse, which helps hosts discover routes to one another and assists in NAT traversal.
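The list above names the three things a host config has to define: CA trust plus the host's own cert and key, a Lighthouse to learn routes and help with NAT traversal, and firewall rules keyed on certificate groups. The following minimal host config is an added illustration and is not taken from the page or from the Nebula project's own documentation; the file paths, the 192.168.100.0/24 overlay range, the 203.0.113.10 public address of the Lighthouse and the `servers` and `ssh` group names are constructed placeholders. The groups referenced in the firewall section are the ones embedded in each peer's certificate when it is signed with `nebula-cert sign ... -groups`.

```yaml
# Constructed example host config for a non-Lighthouse node.

pki:
  # CA trust and this host's identity. The cert carries the host's overlay IP,
  # name and groups; peers verify it against ca.crt before any traffic flows.
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/host.crt
  key: /etc/nebula/host.key

# Overlay IP of the Lighthouse -> its reachable underlay address (constructed).
static_host_map:
  "192.168.100.1": ["203.0.113.10:4242"]

lighthouse:
  am_lighthouse: false      # this node only queries a Lighthouse
  interval: 60              # seconds between reports to the Lighthouse
  hosts:
    - "192.168.100.1"

listen:
  host: 0.0.0.0
  port: 4242

punchy:
  punch: true               # send keepalive punches to traverse NATs

tun:
  dev: nebula1

firewall:
  # Rules are evaluated against the *peer's certificate*, not its IP alone.
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    # Allow ping from any peer that presents a valid certificate.
    - port: any
      proto: icmp
      host: any
    # Allow SSH only from peers whose certificate carries BOTH groups.
    - port: 22
      proto: tcp
      groups:
        - servers
        - ssh
```

Because the `inbound` rule matches on certificate groups, a peer that can reach this host's UDP port but presents a cert without the `servers` and `ssh` groups is dropped at the overlay firewall, regardless of where it connects from.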
How to create your first overlay network is a step-by-step guide that explains how to deploy Nebula. It's a great place to get started and learn how to connect a few hosts.
Watch a 90-minute deep-dive on Nebula presented by one of its creators, Ryan Huber, at the All Things Open conference in 2020.
What’s an overlay network?
Put simply, an overlay network is a virtual network that runs on top of another network. A Virtual Private Network (VPN) is an overlay network. An SSH tunnel can help create an overlay network. A Virtual Private Cloud (VPC) is an overlay network offered by cloud infrastructure providers.
Inspired by a number of existing tools and projects, Nebula was created to make it much easier to design, deploy, and manage overlay networks that were highly performant, portable, and secure.
Nebula is a mutually authenticated peer-to-peer software defined network based on the Noise Protocol Framework. Nebula uses certificates to assert a node's IP address, name, and membership within user-defined groups. Nebula's user-defined groups allow for provider-agnostic traffic filtering between nodes.
Discovery nodes allow individual peers to find each other and optionally use UDP hole punching to establish connections from behind most firewalls or NATs. Users can move data between nodes in any number of cloud service providers, datacenters, and endpoints, without needing to maintain a particular addressing scheme.
Nebula uses elliptic curve Diffie-Hellman key exchange, and AES-256-GCM in its default configuration.
Nebula was created to provide a mechanism for groups of hosts to communicate securely, even across the internet, while enabling expressive firewall definitions similar in style to cloud security groups.
News & Press
Listen to a discussion of Nebula on TechSNAP Episode 419.
Read "Nebula VPN routes between hosts privately, flexibly, and efficiently" at ArsTechnica
After several years of internal development, Nebula was open-sourced by Slack in 2019. Read the announcement posted on Slack's Engineering blog.
By early 2020, the project had over 4,000 stars on GitHub and it was being adopted by organizations of all sizes.
As of December 2021, Nebula continues to power Slack's global overlay network of over 50,000 production hosts.
Read Nebula's Release Notes on GitHub to learn about additions and changes to the project.
About Defined Networking
Nebula's creators, Ryan Huber and Nate Brown, founded Defined Networking in 2020 to focus on Nebula development and to broaden the adoption of overlay networking in organizations.
As of early 2021, Slack continues to be a primary sponsor of the Nebula open source project. Defined Networking is publishing this official documentation with their support.