Nebula, a network tool for building secure overlay networks

The launch of the new version of Nebula 1.5 which is positioned as a collection of tools to build secure overlay networks They can link from several to tens of thousands of geographically separated hosts, forming a separate isolated network on top of the global network.

The project is designed to create your own overlay networks for any need, for example, to combine corporate computers in different offices, servers in different data centers, or virtual environments from different cloud providers.

About Nebula

The nodes of the Nebula network communicate directly with each other in P2P mode, since the need to transfer data between nodess creates direct VPN connections dynamically. The identity of each host on the network is confirmed by a digital certificate, and connection to the network requires authentication; each user receives a certificate confirming the IP address in the Nebula network, the name and the membership of the host groups.

Certificates are signed by an internal certificate authority, implemented by the creator of each individual network at their own facilities, and used to certify the authority of hosts that have the right to connect to a specific overlay network linked to the certificate authority.

To create an authenticated secure communication channel, Nebula uses its own tunneling protocol based on the Diffie-Hellman key exchange protocol and AES-256-GCM encryption. The implementation of the protocol is based on ready-to-use and tested primitives provided by the Noise framework, which is also used in projects like WireGuard, Lightning and I2P. The project is said to have passed an independent safety audit.

To discover other nodes and coordinate the connection to the network, "beacon" nodes are created specials, whose global IP addresses are fixed and known to network participants. The participating nodes do not have a link to an external IP address, they are identified by certificates. Host owners cannot make changes to self-signed certificates, and unlike traditional IP networks, they cannot pretend to be another host simply by changing the IP address. When a tunnel is created, the identity of the host is validated against an individual private key.

The created network is assigned a certain range of intranet addresses (for example, and internal addresses are bound with host certificates. Groups can be formed from participants in the overlay network, for example to separate servers and workstations, to which separate traffic filtering rules are applied. Various mechanisms are provided for traversing address translators (NAT) and firewalls. It is possible to organize routing through the overlay network of traffic from third-party hosts that are not included in the Nebula network (insecure route).

Also, supports the creation of Firewalls to separate access and filter traffic between the nodes of the overlay Nebula network. Tag-bound ACLs are used for filtering. Each host on the network can define its own filter rules for network hosts, groups, protocols, and ports. At the same time, hosts are not filtered by IP addresses, but by digitally signed host identifiers, which cannot be forged without compromising the certification center that coordinates the network.

The code is written in Go and is licensed by MIT. The project was founded by Slack, which develops the corporate messenger of the same name. It supports Linux, FreeBSD, macOS, Windows, iOS and Android.

As for the the changes that were implemented in the new version are the following:

  • Added the "-raw" flag to the print-cert command to print the PEM representation of the certificate.
  • Added support for the new Linux riscv64 architecture.
  • Added experimental remote_allow_ranges setting to bind allowed host lists to specific subnets.
  • Added pki.disconnect_invalid option to reset tunnels after trust termination or certificate expiration.
  • Added unsafe_routes option. .metric to set the weight for a specific external path.

Finally, if you are interested in being able to know more about it, you can consult its details and / or documentation in the following link.

The content of the article adheres to our principles of editorial ethics. To report an error click here!.

Be the first to comment

Leave a Comment

Your email address will not be published.



  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.