WireGuard is a VPN, and Nebula is an overlay network (also known as a service mesh). They are closely related concepts.
VPNs are primarily used for remote access, to get random machines access to closed IP networks. Service meshes synthesize a new network (sometimes IP, sometimes something else) to connect a bunch of related machines, almost always with policy controls for who can talk to what, usually cryptographic.
It would be weird (but not "wrong") to use a service mesh to get developer laptops access to staging Postgres.
It would be weird (but not "wrong") to use WireGuard to connect an application server to its Postgres instance.
WireGuard is a much tighter and more limited design, intended for integration directly into operating system kernels, with a strong emphasis on performance. Nebula is a much more ambitious design; it includes direct DNS support, certificates, and server infrastructure. WireGuard is a few thousand lines of very carefully written C code; Nebula is a typical Go project.
Why do you think it is "weird" to use WireGuard for connecting an application server with a DB instance?
(Backdrop: I have recently moved our various prod servers into a WireGuard-based VPN to encrypt the traffic between them. I found it was easier/more pragmatic to do this than:
* to set up SSL for my DB
* to figure out how to encrypt traffic between my application server and Redis or my application server and Nginx)
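An added example, not from the thread or its author, for the setup described above: once servers are "moved into" a WireGuard VPN, the encryption only covers services that are bound to the tunnel address, so this script audits `ss -tlnH` output for listeners on the given ports that are still reachable on other interfaces. The tunnel address 10.99.0.2 and the sample `ss` lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit which TCP listeners would still be reachable
# outside the WireGuard tunnel after "moving servers into the VPN". Reads `ss -tlnH`
# output (State Recv-Q Send-Q Local:Port Peer:Port) on stdin.

# Constructed sample of `ss -tlnH` output; the tunnel address 10.99.0.2 is assumed.
SAMPLE_SS='LISTEN 0 244 10.99.0.2:5432 0.0.0.0:*
LISTEN 0 244 0.0.0.0:6379 0.0.0.0:*
LISTEN 0 128 127.0.0.1:22 0.0.0.0:*
LISTEN 0 511 [::]:80 [::]:*'

# exposed_listeners TUNNEL_ADDR PORT...
# Prints Local:Port for each listener on one of the given ports whose bind address is
# neither the tunnel address nor loopback, i.e. a service the tunnel does not protect.
exposed_listeners() {
  tunnel=$1; shift
  awk -v tunnel="$tunnel" -v ports="$*" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
      lp = $4                          # Local Address:Port column
      port = lp; sub(/.*:/, "", port)  # text after the last colon
      addr = lp; sub(/:[^:]*$/, "", addr)
      if (!(port in want)) next
      # Bound to the tunnel or to loopback only: the tunnel covers it.
      if (addr == tunnel || addr == "127.0.0.1" || addr == "[::1]") next
      print lp
    }'
}

# Demo on the constructed sample: Postgres (5432) is pinned to the tunnel, but Redis (6379)
# and the web port (80) still listen on every interface.
printf '%s\n' "$SAMPLE_SS" | exposed_listeners 10.99.0.2 5432 6379 80
```

On a real host, replace the sample with `ss -tlnH | exposed_listeners <wg-address> <ports>` and fix any hit by binding the service to the tunnel address (for example Postgres `listen_addresses`).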
I like WireGuard and wouldn't blink at a client proposing to use it to create a secure network fabric for their deployment environment, but it is not the norm for people to do stuff like this; in K8s land, this is what service meshes like Istio do, and more generally this is what people use overlay networks for. WireGuard could form the basis of an overlay network, if you added the same bells and whistles Nebula has. But I don't think Jason has in his plans to add those bells and whistles himself, because that's not really WireGuard's charter.
Like WireGuard, Nebula is using the Noise Protocol Framework[1], but it seems that Nebula is using a CA cert authority to tie together the peers in the same Nebula network[2].
I get a certificate error for `www.noiseprotocol.org`. It turns out they're serving a certificate for `noiseprotocol.org` instead. The URL is still valid without `www.` [0].
It sounds like encryption was a necessary but not a sufficient requirement for Nebula.
In addition to VPN, Nebula added traffic filtering and spanning different clouds and data centers. I don't think WireGuard had those as goals.
They serve very different purposes. I use WireGuard to encrypt my mobile traffic but I wouldn't have picked it to connect the various hosts in my network at work. Nebula, however, might do the trick.