by aborsy 1569 days ago
They don’t need private keys. The company is responsible for distribution of public keys. So, they can inject a public key to your network, and you happily encrypt your traffic with that public key, to be decrypted on the other side by their private key.

It’s the same old key distribution problem; for instance, when you SSH you need to verify the authenticity of the key that is presented to you the first time. You approve the wrong public key and it’s over.

This is not to say Tailscale does that. The service is by far my favorite (Nebula is not as user friendly, and ZeroTier uses nonstandard tunneling). Tailscale is dead simple, uses WireGuard, has integration with SSO, provides ACLs, relays, good NAT traversal, a good management interface and lately a lot of DERPs around the world. Just be aware of limitations (in the US, they can even be forced to share the networks, even if they don’t want to).

Two other comments. These mesh networking products could use pre-shared keys to address this concern. For example, Tailscale could use Wireguard preshared keys, as an optional feature for those concerned with key distribution. I don’t know why they don’t offer this option. Also, these services are not zero trust, contrary to what they often claim on their websites (usually they twist the meaning of the term zero trust).
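A defender-side check for the key-distribution concern raised above, as an added example that is not part of this thread or of any of the products named: it pins peer public keys recorded out of band, flags a pushed key that disagrees with the pin (the SSH first-connection problem from the comment), and renders a WireGuard peer stanza that carries a preshared key. All peer names and keys are constructed, and the coordination server's pushed key set is simulated as a plain dict.

```python
import base64
import secrets

KEY_LEN = 32  # WireGuard public keys and preshared keys are both 32 raw bytes


def decode_key(b64):
    """Decode a base64 WireGuard key and reject anything that is not 32 bytes."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != KEY_LEN:
        raise ValueError("key must decode to 32 bytes")
    return raw


def check_peer(pins, name, pushed_b64):
    """Compare a key the coordination server pushed for `name` with the pin
    recorded out of band. Returns 'ok', 'unpinned' (no pin yet; treat it like a
    first-time SSH host key and verify before trusting) or 'MISMATCH' (refuse
    to configure the peer)."""
    pushed = decode_key(pushed_b64)
    if name not in pins:
        return "unpinned"
    same = secrets.compare_digest(decode_key(pins[name]), pushed)
    return "ok" if same else "MISMATCH"


def audit(pins, pushed_keys):
    """Verdict for every peer in a pushed key set."""
    return {name: check_peer(pins, name, key) for name, key in pushed_keys.items()}


def generate_psk():
    """Fresh 32-byte preshared key, the same thing `wg genpsk` produces."""
    return base64.b64encode(secrets.token_bytes(KEY_LEN)).decode()


def peer_block(pubkey_b64, psk_b64, allowed_ips):
    """Render a wg-quick [Peer] stanza; PresharedKey is mixed into the handshake,
    so a substituted public key alone is not enough to read the tunnel."""
    decode_key(pubkey_b64)
    decode_key(psk_b64)
    return "\n".join(["[Peer]", f"PublicKey = {pubkey_b64}",
                      f"PresharedKey = {psk_b64}", f"AllowedIPs = {allowed_ips}"])


def _k(b):  # constructed sample key: 32 repeated bytes, not a real key
    return base64.b64encode(bytes([b]) * KEY_LEN).decode()


PINS = {"laptop": _k(1), "server": _k(2)}            # exchanged out of band
PUSHED = {"laptop": _k(1), "server": _k(3), "phone": _k(4)}  # simulated push

if __name__ == "__main__":
    for name, verdict in audit(PINS, PUSHED).items():
        print(f"{name}: {verdict}")
    print(peer_block(PINS["laptop"], generate_psk(), "100.64.0.2/32"))
```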


I'm afraid you don't understand how nebula works. A nebula cluster is fully self-contained, you are responsible for distribution of your own certs and hosting of your own lighthouse instances, there is no phoning home to any outside parties.

Under the hood nebula uses the noise protocol, the same used by wireguard.

Obviously, in that case. See my response to jbotz.

This is fixed with headscale.