I’ve been playing around with self hosting for file sharing, backups, and a handful of other ideas I might one day get round to. I like the idea of a mesh VPN and being able to, for example, connect a travelling laptop to a ‘host’ laptop nearby, though my only public IP is a VPS in another country.

Of all the options I found, I liked the look of Nebula most. Fiddly in some places, but it’s working nicely for me, and I appreciate some of the simplicity of design.

I’m wondering if people here have much experience of it, though? My biggest concern is over its future. With,

  1. The Defined Networking site focusing on making money off it, and
  2. The Android app doesn’t allow full configuration (including the firewall, so I can’t host a website from a phone) but - I heard - does if you use Defined Networking’s paid service for configuration,

makes me worry they might be essentially trying to deprecate viable FOSS Nebula in favour of a paid or controlled service.

Any thoughts? Insight?

  • sugar_in_your_tea@sh.itjust.works
    2 months ago

    I’m not sure what the point is? Here’s my setup:

    1. wireguard VPN on my edge VPS
    2. lots of services behind my router that connect to that VPN
    3. router DNS to resolve my domains to my internal services when on my LAN

    This gets me like 95% of the benefit of something like Nebula or Tailscale. When connecting to my internal services, I get LAN speeds if I’m on my LAN and WAN speeds if not. I initially started with Tailscale, but realized that I really didn’t care about most of what it provided.

    • ShortN0te@lemmy.ml
      2 months ago

      The benefits are obvious:

      • No port forwarding needed
      • Central Auth management
      • Easy integration of new devices

      Not saying you should do it or that it is better overall, but ignoring those is not fair.

      Personally I would never go for Tailscale since I give away the access control to my kingdom to a company. Exactly what I want to get away from through selfhosting.

      • sugar_in_your_tea@sh.itjust.works
        2 months ago

        Exactly. I tried Tailscale to get things off the ground, but it didn’t do precisely what I wanted, so I abandoned it and built exactly what I needed, which for me was a VPN at the gateway that tunneled SSL traffic via HAProxy to my internal network.

        If Nebula solves your problems, great! I find I don’t need its features, and prefer to keep things relatively simple, which for me is a WireGuard VPN and a handful of containers to run my things. My setup is basically HAProxy -> Wireguard VPN -> Caddy (TLS termination; docker container) -> Docker container on internal network. HAProxy routes to the appropriate machine, and Caddy renews TLS certs and routes to the appropriate container. I could probably accomplish the same w/ Nebula, but I understand my setup a bit more than Nebula.
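
The edge half of the chain described in the comment above (HAProxy -> WireGuard -> Caddy), sketched as an added example that is not the commenter's own configuration: HAProxy on the VPS runs in TCP mode and routes on the TLS SNI field, so certificates and private keys stay on the internal hosts where Caddy terminates TLS. The hostnames and the 10.8.0.0/24 tunnel addresses are assumptions.

```haproxy
# haproxy.cfg on the edge VPS (added example; names and addresses are placeholders)
global
    log /dev/log local0
    maxconn 2000

defaults
    mode tcp                 # layer 4 only: TLS is passed through, never terminated here
    log global
    option tcplog
    timeout connect 5s
    timeout client  1m
    timeout server  1m

frontend tls_in
    bind :443
    # Hold the connection until the TLS ClientHello arrives so the SNI can be read.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    # Route by requested hostname. There is no default_backend on purpose:
    # a connection whose SNI matches nothing is not forwarded into the tunnel.
    use_backend host_a if { req_ssl_sni -i files.example.org }
    use_backend host_b if { req_ssl_sni -i backup.example.org }

backend host_a
    # WireGuard address of the first internal machine; Caddy listens on 443 there.
    server caddy_a 10.8.0.2:443 check

backend host_b
    # WireGuard address of the second internal machine.
    server caddy_b 10.8.0.3:443 check
```

With this layout the VPS sees the SNI hostname and connection metadata but not the decrypted traffic, and the only inbound path to the internal hosts is the WireGuard interface.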

      • y0kai@lemmy.dbzer0.com
        2 months ago

        Doesn’t selfhosting headscale prevent the keys to the kingdom thing you’re talking about?

        • ShortN0te@lemmy.ml
          2 months ago

          Yes. But it removes some benefits. You again open some ports or use a VPS to host it. The benefit of not needing to have open ports on other servers and central auth and management still stands.

  • Decronym@lemmy.decronym.xyz
    2 months ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters   More Letters
    DNS             Domain Name Service/System
    IP              Internet Protocol
    NAT             Network Address Translation
    SSL             Secure Sockets Layer, for transparent encryption
    SSO             Single Sign-On
    TCP             Transmission Control Protocol, most often over IP
    TLS             Transport Layer Security, supersedes SSL
    UDP             User Datagram Protocol, for real-time communications
    VPN             Virtual Private Network
    VPS             Virtual Private Server (opposed to shared hosting)

    10 acronyms in this thread; the most compressed thread commented on today has 18 acronyms.

    [Thread #951 for this sub, first seen 5th Sep 2024, 10:35]

  • iso@lemy.lol
    2 months ago

    I’m using Headscale for work and Tailscale for personal use. I tried to use Nebula but it’s not as easy as Tailscale.

    • GameGod@lemmy.ca
      2 months ago

      Tinc has weird limitations and Wireguard completely obsoletes it. There’s zero reasons to ever consider using Tinc when Wireguard exists.

      • Possibly linux@lemmy.zip
        2 months ago

        Can Wireguard do NAT traversal? Let’s say I have a publicly facing server A and then two devices B and C behind two separate NATs. Can B reach C directly via hole punching by A?

  • uzay@infosec.pub
    2 months ago

    What made you choose Nebula over Tailscale? I’m running it through a self-hosted Headscale server and it’s working well so far. I haven’t looked into Nebula too much.

    • paperd@lemmy.zip
      2 months ago

      The core bits of nebula are all open source. With tailscale, there is headscale, but that is made by a tailscale employee and it feels ripe for a rug pull whenever tailscale feels like it. With nebula, the lighthouse and user clients are open, so there is far less chance of that.

      • uzay@infosec.pub
        2 months ago

        I see. That is a valid concern. Though it feels unfair to say that headscale is ‘made by a tailscale employee’. From what I understand, one of the main contributors of headscale was hired by tailscale, though he is not the only maintainer and does not own the repo from what I can tell. Still, Tailscale could decide to cede all support of headscale and that would likely hurt the project a lot. In the same way however nebula could decide to switch to proprietary licenses and discontinue their open source offerings.

        • paperd@lemmy.zip
          2 months ago

          > In the same way however nebula could decide to switch to proprietary licenses and discontinue their open source offerings.

          Sure but you’d still have whatever the last commit was to nebula under the MIT license. It can be forked etc etc.

          I am sure headscale is great, but it’s a side project and if so inclined (not saying they are, tailscale seem quite generous), they could kill it a lot faster than Defined Networking could kill nebula. But it’s all a gamble.

  • paperd@lemmy.zip
    2 months ago

    I think nebula is really cool and am heavily considering it in production.

    Having a paid-for service that makes things easier is a good way to keep money going into the project, I think. And it feels a lot safer in terms of rug pull than tailscale/headscale. The android apps not being in fdroid and having some other limitations sucks… but I feel like those are easier to solve than some other issues that could be there.

    If you want tailscale, but not tailscale, check out netbird. You can self host the auth server and it isn’t some side project, the whole auth server is open.