When companies originally started building network infrastructure, no one thought of the internet as a safe space to conduct business. Companies constructed their own private networks and built firewalls that could protect what was inside. If workers wanted to connect to internal machines or services on the company’s private network, they had to use a VPN. As modern companies migrate to cloud-based services, traditional VPNs create traffic bottlenecks and private networks are complex to maintain.
Peer-to-peer or mesh networks manifested as a solution to this problem: these services allow machines to connect to each other directly, with coordination provided and secured by a third-party vendor, saving companies a lot of time and pain.
Nebula is an open-source, peer-to-peer mesh network. Nebula was created by engineers at Slack and open sourced after several years of internal use. Defined Networking was founded by the creators of Nebula.
As a global overlay network, Nebula lets users connect to devices anywhere in the world. It currently runs on Linux, Mac OS X, Windows, iOS, and Android. It also has security controls built in, enabling encrypted communications between hosts, and incorporating identity-based security with user-defined groups and certificates for authentication and authorization. Given its peer-to-peer mesh network design, communications are also low latency and relatively fast.
Both Tailscale and Nebula can be thought of as “mesh VPNs”. Nebula and Tailscale are, in fact, very similar networking tools; here, we’ll do a head-to-head comparison so that you can decide for yourself which one suits your purposes.
|No (inspired by Tinc)
|Yes (clients but not coordination server)
|Yes, completely open source
|Role-based access control
|Yes (uses ACLs)
|Yes (uses user-defined groups)
|Integrates with identity providers for single sign-on
|Hosted control plane
|Yes (hosted by Tailscale)
|No (you must host it yourself)
|Need to open firewall ports in order for it to work
|Freemium model (free for individual users, costs for teams and enterprise)
Nebula allows you to set up a full overlay network for your own use. A user needs to create a certificate authority to act as the root of trust for their Nebula network, and use this to generate keys for each machine they plan on including. For each machine in the network, you need to download the Nebula binary for that platform, generate a certificate, distribute these certificates in a configuration file, and start running the service. If you need NAT traversal in your network, you need to host a discovery node, also known as a lighthouse, to enable UDP punching — this allows machines in your network to find each other. New machines need to be configured with certificates generated by the certificate authority as well as connectivity information for the lighthouse.
Tailscale makes connecting devices straightforward: you simply install and log into Tailscale on each device using your organization’s SSO identity provider. Tailscale manages key distribution, key rotation, machine certificates, and all configurations for users, which is very useful if any of the devices on the network belong to non-technical users.
Both Nebula and Tailscale allow machines to connect directly to each other, with encrypted peer-to-peer connections. Both Nebula and Tailscale allow individual machines to communicate with each other based on their identity, not just on their IP address.
In a Nebula network, a machine uses a discovery node, also known as a lighthouse, to find other machines in its network. Lighthouses facilitate communications between two nodes trying to find one another, and they help find the most direct path between the two, including using UDP hole punching to connect behind firewalls or NATs. You have to host your own lighthouses.
Tailscale has similar coordination servers, but they are hosted by Tailscale. These are closed source.
Both Nebula and Tailscale use well-regarded modern encryption protocols. Nebula and Tailscale’s underlying communication protocol WireGuard use the Noise Protocol Framework for secure communications, elliptic curve Diffie-Hellman for key exchange, and symmetric encryption for data. Nebula uses AES-256-GCM for symmetric encryption while WireGuard (and so Tailscale) uses ChaCha20.
Nebula doesn’t support user management such as single sign-on (SSO) yet, as of September 2021. Users must be provided with certificates to access the network separately. These are protobuf certificates and not X.509 certificates. User-defined groups are used to segment machines and users.
With Tailscale, users can authenticate with an identity provider to manage access to the network. Administrators can express rules in an RBAC ACL to restrict what users can access.
Both Nebula and Tailscale are mesh VPNs with peer-to-peer connectivity, and are limited by the performance of those connections. Both Nebula and Tailscale users would encounter latency issues if peer-to-peer connections were completely blocked, and traffic had to be relayed through external servers.
Nebula needs to be self-hosted in your network. You need to provision your own certificate authority, distribute keys to machines, and run a control plane of lighthouses in order for machines to be able to connect to each other.
Tailscale offers a managed service, including key distribution, key management and rotation, machine certificates, user configurations, a hosted control plane and a web-based administration panel.
The bottom line
Both Nebula and Tailscale offer mesh VPNs with encrypted peer-to-peer communications, based on modern and well-regarded encryption protocols.
If you’re a system administrator or technical person looking for a completely open source, free peer-to-peer mesh VPN, and you’re willing to run a certificate authority and the control plane yourself, try out Nebula.
If you’re looking for a polished, user-friendly peer-to-peer mesh VPN with a hosted control plane and integration with existing identity providers, give Tailscale a try.