Last week, we covered the launch of Slack Engineering's open source mesh VPN system, Nebula. Today, we're going to dive a little deeper into how you can set up your own Nebula private mesh network, along with a little more detail about why you might (or might not) want to.

The biggest selling point of Nebula is that it's not "just" a VPN, it's a distributed VPN mesh. A conventional VPN is much simpler than a mesh and uses a simple star topology: all clients connect to a server, and any additional routing is done manually on top of that. All VPN traffic has to flow through that central server, whether that makes sense in the grander scheme of things or not.

In sharp contrast, a mesh network understands the layout of all its member nodes and routes packets between them intelligently. If node A is right next to node Z, the mesh won't arbitrarily route all of its traffic through node M in the middle; it'll just send packets from A to Z directly, without middlemen or unnecessary overhead. We can examine the differences with a network flow diagram demonstrating traffic patterns in a small virtual private network.

All VPNs work in part by exploiting the bidirectional nature of network tunnels. Once a tunnel has been established, even through Network Address Translation (NAT), it's bidirectional regardless of which side initially reached out. This is true for both mesh and conventional VPNs: if two machines on different networks punch tunnels outbound to a cloud server, the cloud server can then tie those two tunnels together, providing a link with two hops. As long as you've got that one public IP answering VPN connection requests, you can get files from one network to another, even if both endpoints are behind NAT with no port forwarding configured.

Where Nebula becomes more efficient is when two Nebula-connected machines are closer to each other than they are to the central cloud server. When a Nebula node wants to connect to another Nebula node, it queries a central server, what Nebula calls a lighthouse, to ask where that node can be found. Once it has that location from the lighthouse, the two nodes work out between themselves the best route to one another. Typically, they'll be able to communicate directly rather than relaying through the lighthouse, even if they're behind NAT on two different networks, neither of which has port forwarding enabled.

By contrast, connections between any two PCs on a traditional VPN must pass through its central server, consuming bandwidth from that server's monthly allotment and potentially degrading both throughput and latency from peer to peer.

Direct connection through UDP skullduggery
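The lighthouse rendezvous and the NAT behaviour described above, worked through in a small Python simulation. This is an added illustration, not Nebula's code or its wire protocol: the NAT model (one public port per inside socket, inbound accepted only from an IP the inside host has already sent to), the message types (register, query, reply, punch_request) and every address are assumptions made for the example. It shows three things the prose asserts: A's first packet straight to Z is dropped because Z's NAT has only ever seen the lighthouse; one outbound packet from Z toward A is enough to open that hole, since the mapping created by Z's earlier outbound traffic is bidirectional; and once both holes exist, data flows node to node without ever touching the lighthouse.

```python
"""Toy model of a Nebula-style lighthouse rendezvous between two NATed hosts.
Added illustration, not Nebula's code. The NAT model (one public port per
internal socket; inbound accepted only from an IP the inside host already sent
to) is an assumption chosen to show why a lighthouse and a "punch" packet are
needed. All addresses are constructed sample values."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Nat:
    public_ip: str
    next_port: int = 40000
    mapping: dict = field(default_factory=dict)  # internal (ip, port) -> public port
    reverse: dict = field(default_factory=dict)  # public port -> internal (ip, port)
    allowed: set = field(default_factory=set)    # (public port, remote ip) seen outbound

    def outbound(self, src, dst):
        # The first packet out of an internal socket creates its public mapping,
        # which is what lets the tunnel carry traffic back in afterwards.
        if src not in self.mapping:
            self.mapping[src], self.reverse[self.next_port] = self.next_port, src
            self.next_port += 1
        self.allowed.add((self.mapping[src], dst[0]))
        return (self.public_ip, self.mapping[src])

    def inbound(self, src, dst):
        # Dropped unless the inside host has already sent to the sender's IP.
        return self.reverse.get(dst[1]) if (dst[1], src[0]) in self.allowed else None


@dataclass
class Node:
    name: str
    ip: str                      # private address if behind a NAT, public otherwise
    port: int
    nat: Optional[Nat] = None
    inbox: list = field(default_factory=list)     # (source endpoint, message)
    registry: dict = field(default_factory=dict)  # lighthouse only: name -> endpoint


class Network:
    def __init__(self, nodes):
        self.nodes = nodes
        self.public = {n.ip: n for n in nodes if n.nat is None}
        self.nats = {n.nat.public_ip: n.nat for n in nodes if n.nat is not None}

    def send(self, sender, dst, msg):
        """Deliver one packet through the sender's and receiver's NAT; False if dropped."""
        src = (sender.ip, sender.port)
        if sender.nat is not None:
            src = sender.nat.outbound(src, dst)
        target = self.public.get(dst[0])
        if target is None:  # destination is some NAT's public address
            nat = self.nats[dst[0]]
            inside = nat.inbound(src, dst)
            target = next((n for n in self.nodes if n.nat is nat and (n.ip, n.port) == inside), None)
        if target is not None:
            target.inbox.append((src, msg))
        return target is not None


def lighthouse_handle(net, lh):
    """Learn each node's NAT-mapped endpoint from its own packets; answer queries."""
    while lh.inbox:
        src, msg = lh.inbox.pop(0)
        if msg["type"] == "register":
            lh.registry[msg["name"]] = src  # endpoint as seen from outside the NAT
        elif msg["type"] == "query" and msg["target"] in lh.registry:
            target = lh.registry[msg["target"]]
            net.send(lh, src, {"type": "reply", "endpoint": target})
            net.send(lh, target, {"type": "punch_request", "endpoint": src})


def run_scenario():
    lighthouse = Node("lighthouse", "203.0.113.10", 4242)
    a = Node("A", "10.0.0.2", 4242, nat=Nat("198.51.100.5"))
    z = Node("Z", "192.168.1.7", 4242, nat=Nat("192.0.2.9"))
    net = Network([lighthouse, a, z])
    lh_ep = (lighthouse.ip, lighthouse.port)
    # 1. Both NATed nodes reach out to the lighthouse, opening mappings on their NATs.
    for n in (a, z):
        net.send(n, lh_ep, {"type": "register", "name": n.name})
    lighthouse_handle(net, lighthouse)
    # 2. A asks where Z is; the lighthouse answers A and asks Z to punch toward A.
    net.send(a, lh_ep, {"type": "query", "target": "Z"})
    lighthouse_handle(net, lighthouse)
    z_ep = a.inbox.pop()[1]["endpoint"]
    # 3. A's first direct packet is dropped: Z's NAT has never seen A's public IP.
    first_direct = net.send(a, z_ep, {"type": "data", "body": "hello Z"})
    # 4. Z's outbound punch toward A opens Z's NAT to A (A's NAT already admits Z).
    a_ep = z.inbox.pop()[1]["endpoint"]
    punch = net.send(z, a_ep, {"type": "punch"})
    # 5. Retry: both NATs now have matching holes, so traffic flows node to node.
    a_to_z = net.send(a, z_ep, {"type": "data", "body": "hello Z"})
    z_to_a = net.send(z, a_ep, {"type": "data", "body": "hello A"})
    return {
        "first_direct_delivered": first_direct,
        "punch_delivered": punch,
        "direct_after_punch": a_to_z and z_to_a,
        "z_saw_a_from": z.inbox[-1][0],  # A's NAT-mapped public endpoint, not the lighthouse
    }
```

Calling run_scenario() returns first_direct_delivered False, punch_delivered True and direct_after_punch True, and Z sees A's traffic arriving from A's NAT-mapped public endpoint rather than from the lighthouse. The caveat a practitioner should keep in mind is that the model assumes the NAT reuses one public port for a given inside socket regardless of destination; a symmetric NAT that picks a fresh port per destination would hand the lighthouse an endpoint that is useless to the peer, and the direct path would fail.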