by Arkanosis 1568 days ago
I've barely scratched the surface of Nebula lately, but how could a vendor add nodes to your Nebula network if they don't have your CA's private key?
2 comments

Agreed, hard to see how that could happen with Nebula, since there is no vendor that has your CA key.

The Defined Networks version, however, completely controls your CA key and could generate their own nodes. The config files they generate are plain text and can be inspected for "mirror traffic" configs (I don't remember if Nebula has that feature; ZeroTier does). Defined Networks has a pretty slick setup, which I can go into a bit further if there is interest. I've done an eval and ended up deciding it wasn't quite ready for our use.

Being mesh networks, one could do some examination of traffic to ensure that they aren't shipping traffic externally.

With ZeroTier, there are also some "self-hosted" options. I haven't dug too deeply into them. I really like ZeroTier, and wanted to use it for our work overlay network, but I'm a bit skeptical about the reliability. It's been good for my test use case, but last year they had some sort of controller outage, and when I asked their salespeople about it and how we might be able to run a backup controller, he said that sort of outage wasn't possible. When I asked what was meant by the specific tweet that ZeroTier sent out saying it had happened, I got no reply. :-(

ZeroTier is super slick, but I can't move our entire infrastructure over to something that could have an outage that would take out our infrastructure until some third party resolved it.

I am highly interested in your review of these three software-defined network products, including slickness.

I also evaluated them, and decided I need a “zero trust” solution (well, or “less trusted” at least).

I thought ZeroTier doesn’t use a standard VPN tunneling protocol, and that’s not a best practice.

They don’t need private keys. The company is responsible for distribution of public keys. So, they can inject a public key to your network, and you happily encrypt your traffic with that public key, to be decrypted on the other side by their private key.

It’s the same old key distribution problem; for instance, when you SSH you need to verify the authenticity of the key that is presented to you first time. You approve the wrong public key and it’s over.

This is not to say Tailscale does that. The service is by far my favorite (Nebula is not as user friendly, and ZeroTier uses nonstandard tunneling). Tailscale is dead simple, uses Wireguard, has integration with SSO, provides ACLs, relays, good NAT traversal, a good management interface and lately a lot of DERPs around the world. Just be aware of limitations (in the US, they can even be forced to share the networks, even if they don’t want to).

Two other comments. These mesh networking products could use pre-shared keys to address this concern. For example, Tailscale could use Wireguard preshared keys, as an optional feature for those concerned with key distribution. I don’t know why they don’t offer this option. Also, these services are not zero trust, contrary to what they often claim on their websites (usually they twist the meaning of the term zero trust).
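As an added illustration of the key-distribution point made above (example code written for this page, not code from Nebula, ZeroTier or Tailscale): a constructed control plane hands out peer public keys, and three client policies react differently when it substitutes one. The control plane, the node names and the HMAC "CA signature" are all constructed stand-ins.

```python
import hashlib
import hmac
import secrets

def fingerprint(pubkey: bytes) -> str:
    """SHA-256 fingerprint of a public key, as SSH prints for host keys."""
    return hashlib.sha256(pubkey).hexdigest()[:16]

class ControlPlane:
    """Constructed stand-in for a vendor-run coordination server (no real product's API)."""
    def __init__(self):
        self.directory = {}
    def publish(self, name: str, pubkey: bytes, ca_sig: bytes = b"") -> None:
        self.directory[name] = (pubkey, ca_sig)
    def lookup(self, name: str):
        return self.directory[name]

def naive_peer_key(cp: ControlPlane, name: str) -> bytes:
    """Trusts whatever the control plane says: a substituted key goes unnoticed."""
    return cp.lookup(name)[0]

def pinned_peer_key(cp: ControlPlane, known: dict, name: str) -> bytes:
    """Trust on first use, like SSH known_hosts: pin the fingerprint, refuse a changed one."""
    pubkey = cp.lookup(name)[0]
    fp = fingerprint(pubkey)
    if known.setdefault(name, fp) != fp:
        raise ValueError(f"{name}: pinned {known[name]}, control plane offered {fp}")
    return pubkey

def ca_signed_peer_key(cp: ControlPlane, ca_secret: bytes, name: str) -> bytes:
    """Nebula-style: only keys endorsed by the network owner's own CA are accepted.
    HMAC-SHA256 stands in for an asymmetric CA signature (stdlib has no Ed25519)."""
    pubkey, ca_sig = cp.lookup(name)
    expected = hmac.new(ca_secret, name.encode() + pubkey, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, ca_sig):
        raise ValueError(f"{name}: key not signed by our CA")
    return pubkey

def run_scenario() -> dict:
    """A legitimate node publishes its key, then the control plane swaps in another one."""
    ca_secret = secrets.token_bytes(32)   # held by the network owner, never by the vendor
    real_key, injected_key = secrets.token_bytes(32), secrets.token_bytes(32)
    cp = ControlPlane()
    sign = lambda n, k: hmac.new(ca_secret, n.encode() + k, hashlib.sha256).digest()
    cp.publish("node-a", real_key, sign("node-a", real_key))
    known = {}
    pinned_peer_key(cp, known, "node-a")  # first contact: the real key gets pinned
    cp.publish("node-a", injected_key)    # substitution by whoever runs the control plane
    results = {"naive": naive_peer_key(cp, "node-a") == injected_key}
    for label, fn in (("pinned", lambda: pinned_peer_key(cp, known, "node-a")),
                      ("ca", lambda: ca_signed_peer_key(cp, ca_secret, "node-a"))):
        try:
            fn(); results[label] = "accepted"
        except ValueError:
            results[label] = "rejected"
    return results
```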

I'm afraid you don't understand how Nebula works. A Nebula cluster is fully self-contained; you are responsible for distribution of your own certs and hosting of your own lighthouse instances. There is no phoning home to any outside parties.

Under the hood, Nebula uses the Noise protocol, the same one used by WireGuard.

Obviously, in that case. See my response to jbotz.

This is fixed with headscale.