What does HackerNews think of nebula?
A scalable overlay networking tool with a focus on performance, simplicity and security
If you already know how to run the desired workloads on the laptops, then most of what remains is a way to make it accessible to the rest of your infrastructure. Cloudflared, nebula, or wireguard tunnels are a few options.
I use nebula (https://github.com/slackhq/nebula) to network all the machines of my homelab, regardless of how they're connected to the internet, including my laptops. I do think there's space for more lightweight and batteries-included options to take advantage of connected resources in this model.
I will say however that development appears to have fizzled out. I was really looking forward to some of the changes in 1.1, but it's been in pre-release for years now and doesn't seem like it's closer to being officially released.
I've largely replaced tinc with Nebula [0], but I still think fondly of it.
Also with no ill intent looks like tailscale has the far more effective marketing organization :)
Reminds me of the intended use case of Nebula, which seems very similar to this. If you're interested in a bare-bones and totally self-hosted option, it could be a good choice here. https://github.com/slackhq/nebula
The main painful thing I've found has been cert management. PKI, as usual, is not a solved problem.
I've managed to do some fun stuff using salt + nebula on the hobby side.
First, yes a search phrase like that should get you the right terms, though there isn't anything inherently special about it. If multiple systems are connected to one system with wireguard giving them all access to a given subnet is straight forward. As far as the VPS, it can indeed access that subnet too, since it's acting as part of the subnet, but you can use normal firewall rules on the far side internally to control what can talk to what and how. And in this kind of specific instance the WG is more about controller public facing surface area, the Bitwarden/Vaultwarden traffic in flight is itself encrypted.
Second though, having said all that I think if you worried about the VPS bit (or even if not) you should take a look at the Nebula SDN [0, 1] instead. It's built on the Noise encryption framework as well. There, the fixed IP node (the "Lighthouse") primarily acts to let other nodes know their mutual addresses, and they then attempt to form a direct link with no bouncing through a bastion, it's a real mesh. This generally works even if both are NAT'd, and if not it's transparent fallback and still encrypted between them. Depending on distance between nodes this can be a lot lower latency as well. With Nebula you establish an internal CA (super easy built-in tool for it) and that doesn't (and absolutely shouldn't) live on the lighthouse.
I'm fortunate enough to have fixed IPs available to me at home and office and have tended to use WG a lot just because it's had more advanced support and performance in constrained environments for me (kernel support in Linux and now BSDs). Nebula has been super slick though and I've been using it more and more. It makes all this really easy.
Anyway, hope this helps a bit. It's really exciting to me how much open source networking power is now available to everyone. It's a bit of a counter decentralization force IMO to the last few decades push towards central service providers.
----
0: https://github.com/slackhq/nebula
1: https://arstechnica.com/gadgets/2019/12/how-to-set-up-your-o... (note 3 years old, there are now Android/iOS clients as well and things are further refined)
It's also very much not a "Tailscale Alternative" – it explicitly describes itself as not being "a tool for creating mesh networks", which is the exact thing that Tailscale is all about.
Nebula (https://github.com/slackhq/nebula) is much closer to actually being a fully open-source and self-hostable Tailscale alternative as I understand it, though I've never used it myself.
There also exists an open source implementation of the tailscale control server [1] that you could self host.
Once the clients talk to the lighthouse to build the tunnel they communicate directly
https://github.com/slackhq/nebula
Disclosure: I wrote and founded ZeroTier. Listed Nebula too for neutrality and completeness.
It's really cool because you have out of the box a private network across all cloud providers and also works for on-premise deployments
> Nebula is a mutually authenticated peer-to-peer software defined network based on the Noise Protocol Framework.
It's self-hosted and I think it's a great alternative to ZeroTier, or Tailscale.
I believe its been powering Slack's overlay network for ~5+ years.
Really happy to see this being worked on by a dedicated team. Combined with a tool like https://github.com/slackhq/nebula this could help form the foundation of a fully autonomous, durable, online community.
----
Although for my home lab, using X509 is more of a minus than a plus due to complexity involved.
You can bolt-on SSO fairly easily - just create a certificate signing service. I created https://github.com/unreality/nebula-mesh-admin in a weekend, so its fairly easy to add a SSO flow in.