What Is Nebula?
Nebula creates a fast, encrypted peer-to-peer mesh network across any number of nodes, regardless of where they physically live. Every node gets a private overlay IP, and traffic between them is encrypted with certificate-based mutual authentication using the Noise protocol.
Unlike a traditional VPN where all traffic routes through a central server, Nebula nodes communicate directly with each other whenever possible. The central server — called a lighthouse — only handles peer discovery. Once two nodes find each other, they talk directly.
Common Use Cases
- Connect a home server, cloud VPS, and laptop under one private network
- Give a distributed team secure access to internal services without exposing them publicly
- Build a self-hosted alternative to Tailscale or ZeroTier that you fully control
- Create isolated overlay networks for multi-node homelab or production deployments
Architecture Overview
A Nebula network has two node types:
- Lighthouse — a publicly reachable node with a static IP. Every other node registers with the lighthouse at startup so peers can find each other. The lighthouse does not route traffic; it only brokers discovery.
- Client nodes — all other nodes on the network. They register with the lighthouse, then communicate directly with each other over UDP. Client nodes can be behind NAT with no public IP.
[Laptop]──────────────────────────────[Home Server]
\ (direct P2P after discovery) /
\ /
└──────[RamNode Lighthouse 1.2.3.4]──────┘
(UDP 4242, discovery only)For this guide, your RamNode VPS is the lighthouse. Your laptops, home servers, other VPS instances, or containers are client nodes.
Prerequisites
- A RamNode KVM VPS running Ubuntu 22.04 or Debian 12
- Root or sudo access on the lighthouse
- Root or sudo access on at least one client node to test the setup
- UDP port 4242 open on your RamNode firewall
Tip: RamNode's $4/month plan (1 vCPU, 512 MB RAM) handles hundreds of connected nodes. The lighthouse is extremely lightweight since it only brokers peer discovery.
Open the Lighthouse Port
Nebula communicates over UDP. By default it uses port 4242.
sudo ufw allow 4242/udp comment "Nebula lighthouse"
sudo ufw statusIf managing iptables directly:
sudo iptables -A INPUT -p udp --dport 4242 -j ACCEPT
sudo iptables-save | sudo tee /etc/iptables/rules.v4Install Nebula on the Lighthouse
Nebula ships as a single static binary. Grab the latest release from GitHub:
# Check https://github.com/slackhq/nebula/releases for the latest version
NEBULA_VERSION="1.9.5"
wget https://github.com/slackhq/nebula/releases/download/v${NEBULA_VERSION}/nebula-linux-amd64.tar.gz
tar -xzf nebula-linux-amd64.tar.gz
sudo mv nebula nebula-cert /usr/local/bin/
sudo chmod +x /usr/local/bin/nebula /usr/local/bin/nebula-certnebula -version
nebula-cert -versionCreate the Certificate Authority
Nebula uses its own PKI. You generate a CA, then sign certificates for every node. The CA private key should live only on the lighthouse (or a secure offline machine).
sudo mkdir -p /etc/nebula
cd /etc/nebula
sudo nebula-cert ca -name "MyNet CA" -duration 8760hThis creates two files:
ca.crt— the CA certificate, distributed to every nodeca.key— the CA private key, kept only on the lighthouse
Important: Back up ca.key somewhere secure. If you lose it, you cannot issue new certificates and will need to rebuild the entire PKI.
Design Your IP Space
Nebula overlay IPs are independent of your real network. Choose a private subnet that does not overlap with your existing infrastructure. 10.42.0.0/24 is a clean choice.
| Node | Overlay IP | Role |
|---|---|---|
| RamNode VPS | 10.42.0.1 | Lighthouse |
| Laptop | 10.42.0.10 | Client |
| Home server | 10.42.0.20 | Client |
| Additional VPS | 10.42.0.30 | Client |
Issue Node Certificates
Lighthouse Certificate
cd /etc/nebula
sudo nebula-cert sign -name "lighthouse" -ip "10.42.0.1/24"This produces lighthouse.crt and lighthouse.key.
Client Certificates
Generate certificates for each client. You can do this on the lighthouse and then securely copy the files to each client.
sudo nebula-cert sign -name "laptop" -ip "10.42.0.10/24"
sudo nebula-cert sign -name "homeserver" -ip "10.42.0.20/24"Configure the Lighthouse
pki:
ca: /etc/nebula/ca.crt
cert: /etc/nebula/lighthouse.crt
key: /etc/nebula/lighthouse.key
static_host_map: {}
lighthouse:
am_lighthouse: true
interval: 60
listen:
host: 0.0.0.0
port: 4242
punchy:
punch: true
tun:
disabled: false
dev: nebula1
drop_local_broadcast: false
drop_multicast: false
tx_queue: 500
mtu: 1300
logging:
level: info
format: text
firewall:
outbound_action: drop
inbound_action: drop
outbound:
- port: any
proto: any
host: any
inbound:
- port: any
proto: icmp
host: any
- port: any
proto: any
group: trustedThe firewall section allows all outbound traffic and all ICMP inbound. The group: trusted rule allows nodes that present a certificate signed with the trusted group — assign groups when signing certs.
sudo nebula -config /etc/nebula/config.yml -testRun Nebula as a systemd Service
sudo tee /etc/systemd/system/nebula.service > /dev/null <<'EOF'
[Unit]
Description=Nebula overlay network
After=network.target
Wants=network-online.target
[Service]
Type=simple
ExecStart=/usr/local/bin/nebula -config /etc/nebula/config.yml
Restart=on-failure
RestartSec=5s
LimitNOFILE=65536
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
[Install]
WantedBy=multi-user.target
EOFsudo systemctl daemon-reload
sudo systemctl enable --now nebula
sudo systemctl status nebulaip addr show nebula1You should see 10.42.0.1/24 assigned to the interface.
Set Up a Client Node
Repeat the Nebula binary installation from Step 5 on each client machine. Then copy the required certificate files:
# From the lighthouse
scp /etc/nebula/ca.crt user@client-host:/tmp/
scp /etc/nebula/laptop.crt user@client-host:/tmp/
scp /etc/nebula/laptop.key user@client-host:/tmp/sudo mkdir -p /etc/nebula
sudo mv /tmp/ca.crt /tmp/laptop.crt /tmp/laptop.key /etc/nebula/
sudo chmod 600 /etc/nebula/laptop.keyClient Configuration
Create /etc/nebula/config.yml on the client, replacing 1.2.3.4 with your RamNode VPS public IP:
pki:
ca: /etc/nebula/ca.crt
cert: /etc/nebula/laptop.crt
key: /etc/nebula/laptop.key
static_host_map:
"10.42.0.1": ["1.2.3.4:4242"]
lighthouse:
am_lighthouse: false
interval: 60
hosts:
- "10.42.0.1"
listen:
host: 0.0.0.0
port: 0
punchy:
punch: true
tun:
disabled: false
dev: nebula1
mtu: 1300
logging:
level: info
format: text
firewall:
outbound_action: drop
inbound_action: drop
outbound:
- port: any
proto: any
host: any
inbound:
- port: any
proto: icmp
host: any
- port: any
proto: any
group: trustedInstall and start the service using the same systemd unit from Step 10, then verify connectivity:
ping 10.42.0.1Verify Direct P2P Connectivity
Once two client nodes are registered with the lighthouse, they should communicate directly without routing through the lighthouse.
# From the laptop, ping the home server
ping 10.42.0.20sudo journalctl -u nebula -fAfter the initial handshake (which touches the lighthouse), further traffic between clients should appear as direct peer messages — not on the lighthouse interface.
Certificate Groups & Firewall Rules
Nebula's real power is its certificate-based firewall. When you sign a certificate, you can embed groups:
sudo nebula-cert sign -name "webserver" -ip "10.42.0.50/24" -groups "trusted,web"
sudo nebula-cert sign -name "database" -ip "10.42.0.60/24" -groups "trusted,db"Granular Firewall Rules
firewall:
inbound:
- port: any
proto: icmp
host: any
# Only web nodes can reach port 3306 on the db group
- port: 3306
proto: tcp
group: web
# Laptops can SSH to everything in the trusted group
- port: 22
proto: tcp
group: trustedThese rules are evaluated locally on each node using the groups embedded in the peer's certificate — no central policy server needed.
Maintenance & Operations
Renewing Certificates
Nebula certificates have a default duration. Check expiry:
nebula-cert print -path /etc/nebula/laptop.crtTo renew, reissue with nebula-cert sign and distribute the new cert. The node picks up the new cert on restart.
Adding a New Node
- Run
nebula-cert signon the lighthouse for the new node's name and overlay IP - Copy
ca.crt, the new.crt, and the new.keyto the new node - Deploy
config.ymlpointing at your lighthouse public IP - Start the Nebula service — no changes to existing nodes needed
Upgrading Nebula
sudo systemctl stop nebula
sudo mv nebula-new /usr/local/bin/nebula
sudo systemctl start nebulaTroubleshooting
| Issue | Solution |
|---|---|
| Nodes not finding each other | Verify UDP 4242 is reachable: nc -u 1.2.3.4 4242 from a client |
| nebula1 interface missing | Load the tun module: sudo modprobe tun |
| High latency between clients | Nodes may be routing through lighthouse — enable punchy on both nodes and check NAT type |
| Certificate validation errors | Check clock sync: timedatectl status — Nebula certs are time-bounded |
Nebula Overlay Network Deployed!
You now have an encrypted peer-to-peer mesh network running with your RamNode VPS as the lighthouse. With a working Nebula network in place, consider these next steps:
- Expose internal services — run Nginx on a client node and reverse proxy over the overlay network
- Multi-region setup — deploy additional RamNode VPS nodes as secondary lighthouses
- Container networking — assign Nebula IPs to Docker containers with bridge networking