# slackhq/nebula

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/slackhq-nebula).**

17,026 stars · 1,107 forks · Go · MIT

## Links

- GitHub: https://github.com/slackhq/nebula
- awesome-repositories: https://awesome-repositories.com/repository/slackhq-nebula.md

## Description

Nebula is a scalable, decentralized overlay networking tool designed to create secure, encrypted peer-to-peer connections between distributed hosts. By utilizing a certificate-based identity authority, it enables the construction of private communication fabrics across disparate physical infrastructures, such as multiple cloud providers or on-premises data centers, without requiring central authentication servers.

The project distinguishes itself through a zero-trust architecture that enforces granular, policy-driven firewall filtering based on certificate-derived group memberships. It facilitates direct connectivity between nodes located behind restrictive firewalls and network boundaries by employing a sophisticated discovery protocol, relay nodes, and persistent keep-alive signaling to maintain stable tunnels.

Beyond its core connectivity features, the software provides a comprehensive suite of operational tools for network management and observability. This includes built-in diagnostic utilities for troubleshooting, support for exporting performance metrics to external monitoring systems, and integrated hostname resolution. The system also manages the full lifecycle of cryptographic identities, allowing for secure credential issuance and rotation to maintain network trust.

## Tags

### DevOps & Infrastructure

- [Mesh Networking](https://awesome-repositories.com/f/devops-infrastructure/mesh-networking.md) — Creates a scalable, software-defined mesh network with encrypted tunnels and certificate-based authentication.
- [Virtual Private Clouds](https://awesome-repositories.com/f/devops-infrastructure/cloud-infrastructure/networking-connectivity/virtual-private-clouds.md) — Links servers and services across multiple cloud providers or on-premises data centers into a unified private communication fabric.

### Networking & Communication

- [Overlay Networks](https://awesome-repositories.com/f/networking-communication/overlay-networks.md) — Creates secure virtual private networks by encapsulating traffic within encrypted UDP packets across disparate physical infrastructures.
- [Peer-to-Peer Networking](https://awesome-repositories.com/f/networking-communication/peer-to-peer-networking.md) — Establishes decentralized, direct encrypted connections between nodes to bypass restrictive firewalls and NAT environments.
- [Peer Discovery](https://awesome-repositories.com/f/networking-communication/peer-discovery.md) — Operates a central directory service that helps distributed hosts locate and connect to each other across disparate networks without manual configuration. ([source](https://nebula.defined.net/docs/guides/quick-start/))
- [NAT Traversal Mechanisms](https://awesome-repositories.com/f/networking-communication/nat-traversal-mechanisms.md) — Coordinates peer connectivity through firewalls and NATs using relay nodes and persistent keep-alive signaling.
- [Virtual Network Interfaces](https://awesome-repositories.com/f/networking-communication/virtual-network-interfaces.md) — Configures the virtual network device and tunnel lifecycle to handle packet routing and state management for the overlay network. ([source](https://nebula.defined.net/docs/config/))
- [Connection Management](https://awesome-repositories.com/f/networking-communication/connection-management.md) — Establishes direct communication between devices by mapping host addresses and using discovery nodes to bridge connections across different network environments. ([source](https://nebula.defined.net/docs/config/))
- [Encrypted Relaying](https://awesome-repositories.com/f/networking-communication/network-infrastructure-routing/network-routing-traffic-management/network-traffic-management/encrypted-relaying.md) — Forwards packets through intermediary nodes to establish connectivity between hosts that cannot communicate directly due to network restrictions. ([source](https://nebula.defined.net/docs/config/))
- [Keep-Alive Signaling](https://awesome-repositories.com/f/networking-communication/nat-traversal-mechanisms/keep-alive-signaling.md) — Sends keep-alive packets to prevent firewall state expiration, ensuring persistent connectivity between peers located behind restrictive network boundaries. ([source](https://nebula.defined.net/docs/config/))
- [Source Validation](https://awesome-repositories.com/f/networking-communication/traffic-routing-controllers/source-validation.md) — Confirms that incoming packets originate from the source address authorized by the sender's certificate to prevent unauthorized traffic injection. ([source](https://nebula.defined.net/docs/security/))
- [Network Diagnostics](https://awesome-repositories.com/f/networking-communication/network-reliability-diagnostics/network-diagnostics.md) — Includes built-in diagnostic utilities to inspect and troubleshoot the status of network hosts. ([source](https://nebula.defined.net/docs/guides/))
- [Network Traffic Optimization](https://awesome-repositories.com/f/networking-communication/network-traffic-optimization.md) — Prioritizes specific network ranges to improve performance and reduce latency for traffic between connected hosts. ([source](https://nebula.defined.net/docs/config/))
- [Non-Overlay Routing](https://awesome-repositories.com/f/networking-communication/network-traffic-routing/non-overlay-routing.md) — Configures specific network paths to forward traffic through designated nodes, allowing communication with devices that do not run the networking software directly. ([source](https://nebula.defined.net/docs/guides/))

### Security & Cryptography

- [Certificate Authorities](https://awesome-repositories.com/f/security-cryptography/certificate-authorities.md) — Provides a decentralized certificate authority for managing cryptographic host identities without central authentication servers.
- [Traffic Encryption](https://awesome-repositories.com/f/security-cryptography/traffic-encryption.md) — Secures data transmission between network peers using authenticated encryption to ensure privacy and integrity across untrusted public network segments. ([source](https://nebula.defined.net/docs/config/))
- [Certificate Authority Management](https://awesome-repositories.com/f/security-cryptography/certificate-authority-management.md) — Generates cryptographic credentials to sign and validate host identities, ensuring only authorized nodes can join and communicate within the network. ([source](https://nebula.defined.net/docs/guides/quick-start/))
- [Encrypted Tunneling](https://awesome-repositories.com/f/security-cryptography/encrypted-tunneling.md) — Establishes secure, encrypted tunnels between network peers to ensure privacy across untrusted network segments.
- [Secure Node Networking](https://awesome-repositories.com/f/security-cryptography/secure-node-networking.md) — Verifies host identity using certificates and private keys to ensure secure peer-to-peer communication. ([source](https://nebula.defined.net/docs/config/))
- [Zero Trust Networking](https://awesome-repositories.com/f/security-cryptography/zero-trust-networking.md) — Enforces zero-trust security by requiring identity-based authentication for all communication between nodes.
- [Credential Rotators](https://awesome-repositories.com/f/security-cryptography/automated-secret-rotation/credential-rotators.md) — Updates or replaces security credentials and certificate authorities across the network infrastructure without interrupting active traffic or connectivity. ([source](https://nebula.defined.net/docs/guides/))
- [Firewall Policies](https://awesome-repositories.com/f/security-cryptography/firewall-policies.md) — Enforces granular, policy-driven firewall filtering based on certificate-derived group memberships at the host level.
- [Identity Providers](https://awesome-repositories.com/f/security-cryptography/identity-providers.md) — Manages cryptographic host identities and certificate signing to authorize devices within the network.
- [Network Access Control](https://awesome-repositories.com/f/security-cryptography/network-access-control.md) — Defines inbound and outbound firewall rules to control traffic flow and enforce security policies at the host level. ([source](https://nebula.defined.net/docs/config/))
- [Network and Infrastructure Security](https://awesome-repositories.com/f/security-cryptography/network-infrastructure-security.md) — Provides infrastructure for managing host identities and private certificate authorities to secure inter-node communication.
- [PKI Management](https://awesome-repositories.com/f/security-cryptography/pki-management.md) — Issues and validates host certificates to establish trust and authorize communication between nodes within a private network. ([source](https://nebula.defined.net/docs/))
- [Identity Issuance](https://awesome-repositories.com/f/security-cryptography/identity-based-access-control/identity-issuance.md) — Assigns unique identities and network addresses to individual nodes to prevent impersonation and enable granular access control. ([source](https://nebula.defined.net/docs/guides/quick-start/))
- [Remote Signing](https://awesome-repositories.com/f/security-cryptography/certificate-signing-request-managers/remote-signing.md) — Generates valid host certificates by exchanging public keys, eliminating the need to distribute or store sensitive private keys on multiple devices. ([source](https://nebula.defined.net/docs/guides/))

### Software Engineering & Architecture

- [Group-Based](https://awesome-repositories.com/f/software-engineering-architecture/access-rules/group-based.md) — Restricts communication between nodes using certificate-based security groups to enforce expressive and provider-agnostic access control policies. ([source](https://nebula.defined.net/docs/))
- [Overlay Resolution](https://awesome-repositories.com/f/software-engineering-architecture/resource-addressing-utilities/hostname-aliasing/overlay-resolution.md) — Provides a built-in domain name service to map network addresses to human-readable hostnames for easier connectivity between nodes. ([source](https://nebula.defined.net/docs/guides/))
