I’ve been playing around with self hosting for file sharing, backups, and a handful of other ideas I might one day get round to. I like the idea of a mesh VPN and being able to, for example, connect a travelling laptop to a ‘host’ laptop nearby, though my only public ip is a VPS in another country.
Of all the options I found, I liked the look of Nebula most. Fiddly in some places, but it’s working nicely for me, and I appreciate some of the simplicity of design.
I’m wondering if people here have much experience of it, though? My biggest concern is over its future. With,
- The Defined Networking site focusing on making money off it, and
- The Android app doesn’t allow full configuration (including the firewall, so I can’t host a website from a phone) but - I heard - does if you use Defined Networking’s paid service for configuration,
makes me worry they might be essentially trying to deprecate viable FOSS Nebula in favour of a paid or controlled service.
Any thoughts? Insight?
I’m not sure what the point is? Here’s my setup:
- wireguard VPN on my edge VPS
- lots of services behind my router that connect to that VPN
- router DNS to resolve my domains to my internal services when on my LAN
This gets me like 95% of the benefit of something like Nebula or Tailscale. When connecting to my internal services, I get LAN speeds if I’m on my LAN and WAN speeds if not. I initially started with Tailscale, but realized that I really didn’t care about most of what it provided.
The benefits are obvious:
- No port forwarding needed
- Central Auth management
- Easy integration of new devices
Not saying you should do it or that it is better overall, but ignoring those is not fair.
Personally i would never go for Tailscale since i give away the access control to my kingdom to a company. Exactly what i want to get away from through selfhosting.
Exactly. I tried Tailscale to get things off the ground, but it didn’t do precisely what I wanted, so I abandoned it and built exactly what I needed, which for me was a VPN at the gateway that tunneled SSL traffic via HAProxy to my internal network.
If Nebula solves your problems, great! I find I don’t need its features, and prefer to keep things relatively simple, which for me is a WireGuard VPN and a handful of containers to run my things. My setup is basically HAProxy -> Wireguard VPN -> Caddy (TLS termination; docker container) -> Docker container on internal network. HAProxy routes to the appropriate machine, and Caddy renews TLS certs and routes to the appropriate container. I could probably accomplish the same w/ Nebula, but I understand my setup a bit more than Nebula.
Doesn’t selfhosting headscale prevent the keys to the kingdom thing you’re talking about?
Yes. But it removes some benefits. You again open some ports or use a VPS to host it. The benefit of not needing to have open ports on other servers and central auth and management still stands.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters DNS Domain Name Service/System IP Internet Protocol NAT Network Address Translation SSL Secure Sockets Layer, for transparent encryption SSO Single Sign-On TCP Transmission Control Protocol, most often over IP TLS Transport Layer Security, supersedes SSL UDP User Datagram Protocol, for real-time communications VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting)
10 acronyms in this thread; the most compressed thread commented on today has 18 acronyms.
[Thread #951 for this sub, first seen 5th Sep 2024, 10:35] [FAQ] [Full list] [Contact] [Source code]
If your not sure about Nebula, take a look at tinc. its a meshing VPN, simple to setup and even has an Android app
I’m using Headscale for work and Tailscale for personal use. I tried to use Nebula but it’s not easy as Tailscale.
Headscale server, open source, self hosted, with the open source tailscale clients are the way to go.
Netbird is easier to use although it is a little less developed
I’m interested in Tinc but there isn’t a lot of documentation
Tinc has weird limitations and Wireguard completely obsoletes it. There’s zero reasons to ever consider using Tinc when Wireguard exists.
Can Wireguard to NAT traversal? Let’s say I have a publicly facing server A and then two devices B and C behind two separate nats. Can B reach C directly via hole punching by A?
No, I don’t think so.
deleted by creator
What made you choose Nebula over Tailscale? I’m running it through a self-hosted Headscale server and it’s working well so far. I haven’t looked into Nebula too much.
the core bits of nebula are all open source. With tailscale, there is headscale, but that is made by a tailscale employee and it feels ripe for a rug pull whenever tailscale feels like it. with nebula, the lighthouse and user clients are open, so there is far less chance of that.
I see. That is a valid concern. Though it feels unfair to say that headscale is ‘made by a tailscale employee’. From what I understand, one of the main contributors of headscale was hired by tailscale, though he is not the only maintainer and does not own the repo from what I can tell. Still, Tailscale could decide to cede all support of headscale and that would likely hurt the project a lot. In the same way however nebula could decide to switch to proprietary licenses and discontinue their open source offerings.
In the same way however nebula could decide to switch to proprietary licenses and discontinue their open source offerings.
Sure but you’d still have whatever the last commit was to nebula under the MIT license. It can be forked etc etc.
I am sure headscale is great, but its a side project and if so inclined (not saying they are, tailscale seem quite generous), they could kill it a lot faster than Defined Networking could kill nebula. But its all a gamble.
I think nebula is really cool and am heavily considering it in production.
Having a paid-for service that makes things easier is a good way to keep money going into the project, I think. And it feels a lot safer in terms of rug pull than tailscale/headscale. The android apps not being in fdroid and have some other limitations sucks… but I feel like those are easier to solve than some other issues that could be there.
If you want tailscale, but not tailscale, check out netbird. You can self host the auth server and it isn’t some side project, the whole auth server is open.