The Nebula 1.5 release is available, offering tools for building secure overlay networks. Such a network can combine anywhere from a few to tens of thousands of geographically separated hosts placed at different providers, forming a separate isolated network on top of the global network. The project is written in Go and distributed under the MIT license. It was created at Slack, the developer of the corporate messenger of the same name. Linux, FreeBSD, macOS, Windows, iOS and Android are supported.
Nebula nodes interact with each other directly in P2P mode: as the need to transmit data between nodes arises, direct VPN connections are created dynamically. The identity of each host on the network is confirmed by a digital certificate, and joining the network requires authentication: each user receives a certificate confirming their IP address on the Nebula network, their name and their membership in host groups. Certificates are signed by an internal certification authority that the network creator deploys on their own infrastructure and uses to certify the rights of hosts allowed to connect to the overlay network.
To create an authenticated, protected communication channel, Nebula uses its own tunnel protocol based on Diffie-Hellman key exchange and the AES-256-GCM cipher. The protocol implementation is built on the ready-made, proven primitives provided by the Noise framework, which is also used in projects such as WireGuard, Lightning and I2P. The project is stated to have passed an independent security audit.
To discover other nodes and coordinate connections within the network, special lighthouse nodes are created whose global IP addresses are fixed and known to the network participants. The participating nodes are not bound to an external IP address; they are identified by their certificates. Host owners cannot independently modify signed certificates and, unlike in traditional IP networks, cannot impersonate another host simply by changing their IP address. When a tunnel is created, the host's identity is confirmed by its own private key.
The overlay network is allocated a specific range of intranet addresses (for example, 192.168.10.0/24), and these internal addresses are bound to the host certificates. Participants of the overlay network can be organized into groups, for example to separate servers from workstations, so that separate traffic-filtering rules can be applied to each. Various mechanisms are provided for traversing address translators (NAT) and firewalls. It is also possible to route traffic destined for hosts outside the Nebula network through the overlay (unsafe routes).
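The group-based filtering, lighthouse discovery, NAT traversal and unsafe-route mechanisms described above, shown as a host configuration for a workstation node. This is an added example, not code from the announcement or the Nebula project; it assumes a lighthouse at overlay address 192.168.10.1 reachable at the placeholder public address 203.0.113.10, host certificates issued with the groups "servers", "workstations" and "admins", and an overlay host 192.168.10.20 acting as gateway to 10.50.0.0/24.

```yaml
# Added example config for a workstation node (not from the announcement or
# the Nebula project); all addresses and group names below are constructed.
pki:
  ca: /etc/nebula/ca.crt      # internal CA that signed every host certificate
  cert: /etc/nebula/host.crt  # this host's certificate: overlay IP, name, groups
  key: /etc/nebula/host.key   # private key proving the host's identity
# Only lighthouses need a fixed public address; other hosts are found via them.
static_host_map:
  "192.168.10.1": ["203.0.113.10:4242"]
lighthouse:
  am_lighthouse: false
  interval: 60
  hosts:
    - "192.168.10.1"
listen:
  host: 0.0.0.0
  port: 4242
punchy:            # UDP hole punching for hosts behind NAT
  punch: true
  respond: true
cipher: aes        # AES-256-GCM as in the text; chachapoly is the alternative
tun:
  dev: nebula1
  unsafe_routes:   # reach a non-Nebula subnet via an overlay host acting as gateway
    - route: 10.50.0.0/24
      via: 192.168.10.20
firewall:
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any    # every overlay host may ping this one
      proto: icmp
      host: any
    - port: 22     # SSH only from certificates carrying the "servers" group
      proto: tcp
      group: servers
    - port: 443    # web UI only from hosts that are both workstations and admins
      proto: tcp
      groups:
        - workstations
        - admins
```

Inbound rules are an allow-list: a peer whose certificate does not carry a matching group is dropped regardless of which overlay IP it holds, because group membership is read from the CA-signed certificate, not from the packet.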