by bclemens 494 days ago
Also consider Nebula: https://github.com/slackhq/nebula

ZeroTier does not use an OSI approved open-source license. It is under a freedom-restricting "Business Source License". Nebula is MIT licensed.

Nebula is much simpler and in most cases faster than ZeroTier.

7 comments

Unfortunately their mobile app isn't open source: https://github.com/DefinedNet/mobile_nebula/issues/19#issuec...
Last time I checked it did not support IPv6, and the issue is still open today https://github.com/slackhq/nebula/issues/6
I tried Nebula, but ended up with Yggdrasil instead. https://yggdrasil-network.github.io/

Unlike Nebula, it gives you an IPv6 address (actually, millions of them per node, if needed).

They now also have a userspace-only SOCKS 5 proxy server that can connect your app to the whole network without forcing the user to install drivers or to mess with their network configuration.

Adding +1 to the Nebula recommendation.

The last time I tried ZeroTier (years ago, I admit) it wasn't possible to self-host all of it, I think, and I couldn't make it reliably use my own relays for good performance of non-direct connections.

I've been happily using Nebula for a while now, pretty easy to configure and self-host.

Thanks for the recommendation! I wanted a VPN like this for a long time, to manage HA in a remote property, and this seems like a great option. Even the hosted service is very reasonably priced - https://www.defined.net/pricing/
Is nebula actually good to use now?

Do they route announcements over the network? Can I just set up two machines and expect them to just work by finding each other?

Does it support name resolution?

How does Nebula compare to Wireguard?
They are not directly comparable. Nebula is a mesh VPN. Wireguard can be used as a building block for a mesh VPN (as it is in Tailscale), but it does not have that function organically.

I have tried Tailscale / Headscale and did not find the overhead worth it. Both can saturate a 10Gbps link and that's all I need right now. Nebula's much simpler to administer. The configuration's spelled out in the client configs and in the certificates you provision. If you're already using some form of configuration management, it's quite easy to make changes. If you require a Web UI, Tailscale / Zerotier / etc may be better. There is a company that provides a Nebula-based service with a Web UI but I haven't tried it.

Which company provides a webUI for Nebula? Might be interested in checking that out :)
They're solutions to slightly different problems.

I'd characterize it as such: Wireguard is more of a plumbing solution that gives you a point-to-point connection, either it's enough for you or you can use this to build what you need.

Nebula is more of an end-user ready-to-use solution; it gives you features like NAT traversal, automatic selection of direct connections if possible, the nodes don't need to know other nodes' addresses ahead of time (x), etc.

(x) except for the lighthouse

Nebula does use WireGuard, as per their go.mod file.

EDIT: actually, they just use various I/O abstractions that WireGuard developed.

Looking at that file may make you reach misleading conclusions. Some tun/io code may be used, but that's it. As far as I understand, WireGuard the protocol is not used anywhere:

  nebula (master)> git rev-parse HEAD
  2b427a7e8934f0a436fea25eb40a6b979b34ee7a
  
  nebula (master)> rg --glob '*.go' -i wireguard
  wintun/tun.go
  6: * Copyright (C) 2018-2021 WireGuard LLC. All Rights Reserved.
  9://NOTE: This file was forked from https://git.zx2c4.com/wireguard-go/tree/tun/tun_windows.go?id=851efb1bb65555e0f765a3361c8eb5ac47435b19

  udp/udp_rio_windows.go
  4:// Inspired by https://git.zx2c4.com/wireguard-go/tree/conn/bind_windows.go
  25: "golang.zx2c4.com/wireguard/conn/winrio"

  overlay/tun_wintun_windows.go
  17: "golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"

  wintun/device.go
  6: * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
  9://NOTE: this file was forked from https://git.zx2c4.com/wireguard-go/tree/tun/tun.go?id=851efb1bb65555e0f765a3361c8eb5ac47435b19
I stand corrected then.
It is likely an option, but as per the ReadMe:

Nebula uses Elliptic-curve Diffie-Hellman (ECDH) key exchange and AES-256-GCM in its default configuration.
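The ECDH-then-AES-256-GCM pairing the README line above describes, as an added Go example that is not Nebula's own handshake code: it assumes X25519 as the curve and a plain SHA-256 of the shared secret as a stand-in for the real key derivation, and shows two sides agreeing on one session key and sealing a packet whose header is authenticated but sent in the clear.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Session runs X25519 ECDH (assumed curve) with the peer's public key, hashes
// the shared secret into a 32-byte key and returns an AES-256-GCM AEAD bound to
// it. SHA-256 stands in for a real KDF; never use raw ECDH output as a key.
func Session(priv *ecdh.PrivateKey, peerPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared) // 32 bytes selects AES-256
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one packet; a fresh random nonce is prepended to the output
// and header is authenticated (AAD) but sent in the clear.
func Seal(s cipher.AEAD, header, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.Seal(nonce, nonce, plaintext, header), nil
}

// Open verifies the GCM tag and decrypts; any change to header, nonce or
// ciphertext yields an error rather than plaintext.
func Open(s cipher.AEAD, header, sealed []byte) ([]byte, error) {
	n := s.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("packet too short")
	}
	return s.Open(nil, sealed[:n], sealed[n:], header)
}
```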