by ysleepy 137 days ago
I've used it for some time, it feels very much like it is in maintenance mode.

You manage a PKI and have to distribute the keys yourself, no auth/login etc.

It's much better than WireGuard, not requiring O(N) config changes to add a node, and allowing proxy nodes etc.

IIRC key revocation and so on are not easy.


Nebula just had a major release that added IPv6 support for overlay networks. Hardly maintenance mode.

The main company working on it now seems to be adding all the fancy easy-to-use features as a layer on top of Nebula that they are selling. I personally appreciate getting to use the simple core of Nebula as open source. It seems very Unix-y to me: a simple tool that does one thing and does it well.

Nebula does not require O(n) config changes for adding a node.

O(n) is only required for:

- active revocation of a certificate (requires adding the CA fingerprint to the config file)

- adding/removing a lighthouse (hub for publishing IPs for p2p) or relay (for going over p2p)

- CA rotation
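To make the list above concrete, here is an added example host configuration (not from the thread or the Nebula project) showing where each of those fleet-wide settings lives in a Nebula host config: the trusted CA in `pki.ca`, a revoked certificate's fingerprint in `pki.blocklist`, and the lighthouse/relay addresses in `static_host_map`, `lighthouse.hosts` and `relay.relays`. Everything below `pki.cert`/`pki.key` is per host and is all that changes when a new node is added; the overlay address 192.168.100.1, the hostname lighthouse.example.com, the file paths and the fingerprint value are constructed placeholders.

```yaml
# Added example Nebula host config (constructed; paths, addresses and
# fingerprint are placeholders, not values from the thread).
pki:
  # Fleet-wide: every host must trust the same CA. Rotating the CA
  # means touching this file on every node (O(n)).
  ca: /etc/nebula/ca.crt
  # Per host: only this node's own certificate and key (O(1) on join).
  cert: /etc/nebula/host.crt
  key: /etc/nebula/host.key
  # Fleet-wide: actively revoking a certificate means adding its SHA-256
  # fingerprint here on every node; a cert simply expiring needs nothing.
  blocklist:
    - "<sha256-fingerprint-of-revoked-host-cert>"

# Fleet-wide: overlay IP -> public address of each lighthouse.
# Adding or removing a lighthouse means updating this on every node.
static_host_map:
  "192.168.100.1": ["lighthouse.example.com:4242"]

lighthouse:
  am_lighthouse: false   # true only on the lighthouse itself
  interval: 60
  hosts:
    - "192.168.100.1"    # fleet-wide, same reason as static_host_map

listen:
  host: 0.0.0.0
  port: 4242             # lighthouses usually pin 4242; clients may use 0

punchy:
  punch: true

relay:
  am_relay: false
  use_relays: true
  relays:
    - 192.168.100.1      # fleet-wide: relay list is copied to every node

tun:
  dev: nebula1

firewall:
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any
      proto: icmp
      host: any
```

Read this way, a new node needs only a freshly signed `host.crt`/`host.key` and a copy of this template; the O(n) cost appears only when the CA, the blocklist, or the lighthouse/relay set changes, which is exactly the list above.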

AFAICT you and 'ysleepy are in agreement.

We are, WireGuard needs O(N) updates to add a node to every other node.

This problem has been brought up in the OpenZiti community many times. I like Nebula, but it's not 'truly open source'.

What do you mean?

Referring to the previous person's comment, that you need to manage a PKI and have to distribute the keys yourself, no auth/login etc.

How does that make it not "truly open source"?

I made a shell script that does most of that for my needs.

Fair, I was being loose with my language. What I should have said is that it does not come fully featured open source, that you need to do a certain amount of rolling your own.
The same could be said for a webserver, a radius server, etc. I mean ssh "requires" a network to be remotely useful :)

Edit, since I can't reply sadly:

You're right, that was a bad example.

I can probably list at least a few dozen things that all require certificates though, which was really my point. Everything has dependencies.

Also if you just... Don't trust big tech, run your own CA.