Nebula VS yggdrasil-go

(I am a Nebula maintainer.) We recently merged support for gVisor-based services, although it's very new, and I don't know of much experimentation that's been done with it yet: https://github.com/slackhq/nebula/pull/965

Nebula, originally from Slack[0].

Wireguard rightly gets a lot of attention, but Nebula is a really simple and easy to deploy mesh network that is often overlooked.

It does lack a management GUI and that stuff is very much DIY.

[0] https://github.com/slackhq/nebula

Fair enough about the android mobile client... My use case only involves meshing linux appliances across various networks so we only need the nebula core binaries which are under MIT license

https://github.com/slackhq/nebula/blob/master/LICENSE

That's not at all confusing with Slack's Nebula. https://github.com/slackhq/nebula

Sounds like a bunch of your pain points are just related to needing an online CA or ICA. But, looking through the Nebula docs I don't know that it supports things like CRL addresses where you could host the CRL, or OCSP responders. Someone got support for an OCSP responder but never submitted a PR with completed code: https://github.com/slackhq/nebula/issues/72

Nebula is a scalable, cross-platform overlay networking tool focused on performance, simplicity, and security. This portable tool is equally adapted for linking a small number of computers or scaling to connect tens of thousands. It integrates encryption, security groups, certificates, and tunneling into a powerful, cohesive connectivity solution. Thanks for the recommendation go to jmeador42.

Replying to my own comment as I can no longer edit it:

The folks over at Slack had an interesting discussion regarding the the "battle of the VPNs" article published by Netmaker I sourced in my parent comment:

https://github.com/slackhq/nebula/discussions/911

Interesting. I thought recognized the logo, apparently seems to be a commercial support offering of https://github.com/slackhq/nebula and they support the "nebula" iOS app. I had been using for nebula/defined in the past.

Nebula: Is super easy to get running. It uses an interesting angle, working on the service and not just the device level. Unfortunately their NAT support seems to be still quite problematic and I am not going to maintain all those forwarded ports manually. There is a PR to support PCP but even if that ever gets applied I am not sure how well that will play with older routers. While it should be battle proven at slack, the community seems to be not that active. It still has the in-house tool that just got released.

The catch is that I want this to be reliable and fault tolerant, so if some of the game servers in the network go down, the remaining online servers should still always be able to receive broadcasts from any other online server. The servers can also be in multiple geographic locations and I am planning on using a mesh overlay network like Nebula to connect them. Essentially each pair of online servers will likely have a secure link between them that goes directly through the underlying network.

> The next version will make it much simpler to deploy isolated networks by using TLS roots to prevent accidental peerings.

Is that PR #1038 [1]? Any info on how to use that feature and whether it works over multicast as well?

I noticed this PR uses SHA-1 for matching fingerprints. SHA-1 has been broken for 13 years now. Is it possible to use something more secure?

> It's also worth noting that Yggdrasil doesn't have the equivalent of "peer exchange" — only directly connected peers would ever find out your public IP address. Yggdrasil will not form new peerings automatically, with the single exception being multicast-discovered nodes on the same LAN.

Right, my worry is that by having a server with a public IPv4 address and Yggdrasil running on an open port (so that my other nodes can connect to it) will allow someone to connect to it (either on purpose or accidentally) and cause my traffic to route over their node(s) and/or the public mesh.

Thanks!

[1] https://github.com/yggdrasil-network/yggdrasil-go/pull/1038

From a purely networking perspective, there are far better solutions than tailscale.

Have a look at full mesh VPNs like:

https://github.com/cjdelisle/cjdns

https://github.com/yggdrasil-network/yggdrasil-go

https://github.com/gsliepen/tinc

https://github.com/costela/wesher

These build actual mesh networks where every node is equal and can serve as a router for other nodes to resolve difficult network topologies (where some nodes might not be connected to the internet, but do have connections to other nodes with an internet connection).

Sending data through multiple routers is also possible. They also deal with nodes disappearing and change routes accordingly.

tailscale (and similar solutions like netbird) still use a bunch of "proxy servers" for that. You can set them up on intermediate nodes, but that have to be dealt with manually (and you get two kinds of nodes).

The only real solution long-term is completely peer-to-peer ad-hoc networking that doesn't depend on BGP.

A few projects are in similar territory but none I've seen are working at the layer of bypassing BGP. Many are just acting as an overlay; which works to an extent. https://github.com/yggdrasil-network/yggdrasil-go

It's probably begging for a different model of the "internet" and where data lives.

My requirements:

1. Offline-first applications that sync via a pub/sub DHT of trusted peers. More details here but basically allows bypassing BGP.

It seems like you can limit connections to your node with AllowedPublicKeys (ref).

at least on the official discord the recommended way if you don’t want to play on a public server is using yggdrasil