NEBULA 1.9 RELEASED FOR OVERLAY P2P NETWORKS

Nebula 1.9 has been released, providing tools for building secure overlay networks that connect geographically dispersed hosts into a separate, isolated network on top of the global network. The project, developed by Slack, lets users create customized overlay networks for various purposes, such as connecting corporate computers across different locations, servers in various data centers, or virtual environments in different cloud providers. The code base is written in Go and is open source under the MIT license. Nebula supports Linux, FreeBSD, macOS, Windows, iOS, and Android.

In the Nebula network, nodes communicate with each other directly in peer-to-peer mode, establishing dynamic VPN connections for data transmission. Each host in the network is authenticated by a digital certificate, and network connections require authentication through certificates signed by an internal certificate authority (CA). Users receive certificates confirming their IP address within the Nebula network, as well as their identity and membership in specific host groups.

Nebula uses its own tunnel protocol for secure communication, incorporating the Diffie-Hellman key exchange protocol and the AES-256-GCM cipher. The protocol implementation is based on proven primitives from the Noise framework, which is also used in projects like WireGuard, Lightning, and I2P. The project claims to have undergone an independent security audit.

To facilitate network discovery and node coordination, Nebula deploys special nodes known as “Lighthouses” with fixed global IP addresses. Nodes are not bound to external IP addresses and are identified by their certificates, which prevents a host from impersonating another simply by changing its IP address. Host identities are verified using individual private keys when establishing tunnels.
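The certificate model described above (a CA-signed binding of overlay IP, identity and groups, plus proof of the host's private key at tunnel setup) can be sketched as follows. This is an added example, not Nebula's code or its certificate format: the `HostCert` type, the `Issue` and `Admit` functions, the JSON encoding, the use of Ed25519 and all sample values are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// HostCert is a simplified stand-in for a host certificate, not Nebula's real format.
type HostCert struct {
	Name, IP string            // identity and the overlay address assigned to it
	Groups   []string          // group membership asserted by the CA
	Pub      ed25519.PublicKey // host key; the private half stays on the host
	Sig      []byte            `json:"-"` // CA signature over the fields above
}
func (c HostCert) payload() []byte {
	b, _ := json.Marshal(c) // Sig is skipped via the json:"-" tag
	return b
}

// Issue has the CA bind name, overlay IP, groups and host public key together.
func Issue(ca ed25519.PrivateKey, name, ip string, groups []string, pub ed25519.PublicKey) HostCert {
	c := HostCert{Name: name, IP: ip, Groups: groups, Pub: pub}
	c.Sig = ed25519.Sign(ca, c.payload())
	return c
}

// Admit checks the CA signature, proof of key possession over a nonce, and the claimed IP.
func Admit(caPub ed25519.PublicKey, c HostCert, claimedIP string, nonce, proof []byte) error {
	if !ed25519.Verify(caPub, c.payload(), c.Sig) {
		return fmt.Errorf("certificate not signed by the network CA")
	}
	if len(c.Pub) != ed25519.PublicKeySize || !ed25519.Verify(c.Pub, nonce, proof) {
		return fmt.Errorf("peer does not hold the certificate's private key")
	}
	if c.IP != claimedIP {
		return fmt.Errorf("claimed IP %s is not the certificate's IP %s", claimedIP, c.IP)
	}
	return nil
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(nil)
	hostPub, hostPriv, _ := ed25519.GenerateKey(nil)
	cert := Issue(caPriv, "web1", "192.168.100.10", []string{"web"}, hostPub) // constructed values
	nonce := []byte("constructed-nonce")
	fmt.Println(Admit(caPub, cert, "192.168.100.10", nonce, ed25519.Sign(hostPriv, nonce)))
	fmt.Println(Admit(caPub, cert, "192.168.100.99", nonce, ed25519.Sign(hostPriv, nonce)))
}
```

Editing the IP or group list inside an issued certificate also fails, because the CA signature covers those fields.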
