nebula
A scalable overlay networking tool with a focus on performance, simplicity and security
Open-source overlay network that builds an encrypted mesh between machines so they talk directly, with a lighthouse helping peers find each other.
Nebula is an open-source networking tool that creates a private, encrypted network spanning any number of computers across the internet. Think of it as building your own private network — like a VPN (Virtual Private Network) — but designed so that all participating machines communicate directly with each other rather than routing everything through a single central server.
The way it works: you set up a "certificate authority" (a trusted source that issues digital identity cards to each machine), sign a certificate for each computer, and run the Nebula software on each one. One or more "lighthouse" nodes (servers with stable public IP addresses) help machines find each other on the network. After that, the machines communicate directly and securely, even if they are behind firewalls or home routers. The encryption uses elliptic-curve Diffie-Hellman key exchange and AES-256-GCM, both industry-standard cryptographic methods.
You can define traffic rules between groups of machines, controlling which machines can reach which others — similar to firewall or cloud security group rules.
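As an added illustration of the setup and the group rules described above (this is example configuration written for this page, not a file from the Nebula project), here is a minimal config.yml for an ordinary, non-lighthouse host, with the certificate-signing commands it assumes shown in the comments. The overlay range 192.168.100.0/24, the lighthouse's public address, the file paths under /etc/nebula and the group names are all assumptions chosen for the example.

```yaml
# Added example: config.yml for an ordinary (non-lighthouse) Nebula host.
# Assumed setup, run once on the machine that holds the CA key:
#   nebula-cert ca -name "Example Org"                                   # -> ca.crt, ca.key
#   nebula-cert sign -name "lighthouse1" -ip "192.168.100.1/24"           # lighthouse identity
#   nebula-cert sign -name "web1" -ip "192.168.100.10/24" -groups "web"   # this host
#   nebula-cert sign -name "laptop" -ip "192.168.100.20/24" -groups "laptop,home"
# Each certificate carries the host's overlay IP and its groups, signed by the CA,
# so the group names used in the firewall rules below are verified against the
# peer's certificate rather than anything the peer can claim at runtime.

pki:
  ca: /etc/nebula/ca.crt      # CA public cert only; ca.key never leaves the signing machine
  cert: /etc/nebula/web1.crt
  key: /etc/nebula/web1.key

# Overlay IP of the lighthouse -> its real, publicly reachable address (assumed value)
static_host_map:
  "192.168.100.1": ["203.0.113.10:4242"]

lighthouse:
  am_lighthouse: false
  interval: 60
  hosts:
    - "192.168.100.1"

listen:
  host: 0.0.0.0
  port: 4242                  # 0 lets the OS pick a port, handy behind home NAT

punchy:
  punch: true                 # keep NAT mappings open so peers can reach this host directly

tun:
  disabled: false
  dev: nebula1
  mtu: 1300

firewall:
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m

  # Anything not matched by a rule is dropped.
  outbound:
    - port: any
      proto: any
      host: any

  inbound:
    - port: any               # allow ping from any node in the overlay
      proto: icmp
      host: any

    - port: 443               # HTTPS only from hosts whose cert carries BOTH groups
      proto: tcp
      groups:
        - laptop
        - home

    - port: 22                # SSH only from hosts in the "ops" group (single-group form)
      proto: tcp
      group: ops
```

Each host starts with `nebula -config /etc/nebula/config.yml`; the lighthouse uses the same layout with `am_lighthouse: true` and an empty `hosts` list. Because a host's groups live in its signed certificate, changing who may reach port 443 means re-signing that host's certificate with the CA, not editing anything on the host itself.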
Nebula runs on Linux, Windows, macOS, FreeBSD, iOS, and Android. It is written in Go and can be installed from distribution packages on most Linux systems or via Homebrew on macOS. A managed hosted version called Defined Networking handles the infrastructure for you if you don't want to run your own lighthouses.
You would use Nebula to securely connect remote workers, servers in different data centers, or personal devices into a single private network without relying on a commercial VPN service.
Where it fits
- Connect remote workers and servers into one private encrypted network
- Mesh servers across multiple data centers without a central VPN concentrator
- Define firewall-style group rules controlling which hosts can reach which
- Self-host a VPN replacement instead of paying for Tailscale or a commercial VPN