Experiment Nebula Mesh – Part 2 (barim.us)
2 points by hamdouni on Nov 6, 2022 | 5 comments



Part 1 is here:

https://barim.us/post/2022-07-13-experimenter-nebula-mesh-pa...

Submitted 30 days ago: https://news.ycombinator.com/item?id=33123953 (sadly, no discussion)

This is a nice write-up covering getting going with Nebula in real life!

There was a mega discussion of Slack's Nebula 3 years ago after it was initially open sourced:

https://news.ycombinator.com/item?id=21575614 (213 points, 66 comments)

WireGuard was discussed in the context of Nebula:

https://news.ycombinator.com/item?id=21577344

My takeaway then and now remains the same; I'm not clear on which circumstances Nebula would be preferable to WireGuard.

All the SSL certificate management with Nebula seems like a potential operational pain in the neck.


> Dealing with SSL certificate management could be an operational pain in the neck.

I don't know about WireGuard, but generating the certificate for a new host to join the mesh in Nebula is one command:

  nebula-cert sign -name "newHost" -ip "192.168.100.1/24"


Do the certs expire? What does the rotation process involve?


Yes certs expire (expiration is configurable). Large deployments will run an online CA that has some external means of verifying the identity of a host.

Rotation is straightforward. Add the new cert and reload the process (no restart required). Large deployments automate this process (which is easy with an online CA).
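
An added example, not part of the thread or of the Nebula project: a renewal check of the kind an automated rotation job could run before re-signing a host certificate. The JSON field names are assumed to match `nebula-cert print -json` output for v1 certificates; the sample certificate, file names, 25% renewal threshold and 720h duration are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like `nebula-cert print -json -path host.crt`
# output (assumed v1 field layout; all values are made up).
SAMPLE_CERT_JSON = """{"details": {"name": "newHost",
  "ips": ["192.168.100.1/24"], "isCa": false,
  "notBefore": "2022-11-06T10:00:00Z",
  "notAfter": "2023-11-06T10:00:00Z"}}"""


def parse_ts(value):
    """Parse an RFC 3339 timestamp into an aware UTC datetime."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts.astimezone(timezone.utc)


def rotation_due(cert_json, now, renew_fraction=0.25):
    """True once less than renew_fraction of the cert lifetime remains."""
    details = json.loads(cert_json)["details"]
    not_before = parse_ts(details["notBefore"])
    not_after = parse_ts(details["notAfter"])
    if now >= not_after:
        return True  # already expired
    lifetime = not_after - not_before
    return (not_after - now) < lifetime * renew_fraction


def sign_command(name, ip, pub_path, out_crt, duration="720h"):
    """CA-side command that re-signs the host's existing public key, so the
    private key never leaves the host. ca.crt/ca.key are read from the
    current directory by default."""
    return ["nebula-cert", "sign", "-name", name, "-ip", ip,
            "-in-pub", pub_path, "-out-crt", out_crt, "-duration", duration]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    if rotation_due(SAMPLE_CERT_JSON, now):
        # Hypothetical file names; run on the CA, then ship the new cert.
        print(" ".join(sign_command("newHost", "192.168.100.1/24",
                                    "newHost.pub", "newHost.crt")))
```

Once the new certificate is in place on the host, sending SIGHUP to the running `nebula` process makes it reload its configuration without a restart.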


Nope, no expiration, no rotation needed: this is all about mutually authenticated peer-to-peer nodes.



