5 comments

[ 5.1 ms ] story [ 27.0 ms ] thread
Part 1 is here:

https://barim.us/post/2022-07-13-experimenter-nebula-mesh-pa...

Submitted 30 days ago: https://news.ycombinator.com/item?id=33123953 (sadly, no discussion)

This is a nice write-up covering getting going with Nebula in real life!

There was a mega discussion of Slack's Nebula 3 years ago after it was initially open sourced:

https://news.ycombinator.com/item?id=21575614 (213 points, 66 comments)

WireGuard was discussed in the context of Nebula:

https://news.ycombinator.com/item?id=21577344

My takeaway then and now remains the same; I'm not clear on which circumstances Nebula would be preferable to WireGuard.

All the SSL certificate management with Nebula seems like a potential operational pain in the neck.

> Dealing with SSL certificate management could be an operational pain in the neck.

I don't know for WireGuard but generating the certificate for a new host to join the mesh in Nebula is one command

  nebula-cert sign -name "newHost" -ip "192.168.100.1/24"
Do the certs expire? What does the rotation process involve?
nope - no expiration, no rotation needed : this is all about mutually authenticated peer-to-peer nodes
Yes certs expire (expiration is configurable). Large deployments will run an online CA that has some external means of verifying the identity of a host.

Rotation is straight forward. Add the new cert and reload the process (no restart required). Large deployments automate this process (which is easy with an online CA).