Nebula

Nebula is the overlay networking tool Slack built to connect their global infrastructure — then open-sourced it for everyone. It creates encrypted mesh networks across machines anywhere, using a certificate-based identity system that's more secure than most VPN setups. Think WireGuard but with built-in service discovery and fine-grained firewall rules per host.

If you're connecting servers across cloud providers or offices and want full control, Nebula is the power tool. Tailscale is the managed alternative — dramatically easier to set up, with SSO and a web dashboard, but you're trusting their coordination servers. WireGuard is the lower-level primitive Tailscale builds on. ZeroTier is another mesh option with a free tier.

The catch: Nebula is self-hosted everything. You run your own certificate authority, distribute keys to machines, and manage lighthouse nodes for discovery. There's no web UI, no SSO integration, no user management. For a team of two, Tailscale's free tier saves you hours. Nebula makes sense when you need Tailscale's capabilities but can't send coordination data through a third party.