I’m looking to use Nebula to set up the overlay network for my home and cloud setup, as well as managing ingress into Home Assistant and other devices on my network under my control.
It exists somewhere on the spectrum between ZeroTier and WireGuard, in that it’s fully “on-prem” managed, but has all the dynamic endpoint discoverability advantages of ZeroTier, and is well supported across a variety of OSes and architectures.
Looking at the source of the WireGuard and ZeroTier add-ons, it seems feasible to adapt the same/similar approach to get Nebula support and management as well.
There is also Tailscale that has been added to HA, by Frenck, I believe. It is super simple, and works well. HOWEVER, it does rely on a central server, and is not open source, like Nebula. I would also be interested in Nebula integration.
It’s incredibly rudimentary and not tested yet, but with some iteration I think it will end up working pretty smoothly as a substitute for wireguard, zerotier, or other alternatives for an encrypted overlay network.
For anyone following along, I came back to it today and this is functional enough (though still a pain to configure) that I’m considering swapping to using it to manage my network access full time into my house and not using supervised HA anymore, since this was the last thing keeping me from switching to HassOS. Now that it works I can start making it configurable and automated in earnest which should be much faster progress than before, if nothing else because it’s more rewarding than ‘Did that fix it? No. Still broken…’
Another update: I finally came back this week and rewrote the configuration layer for this so now it’s click-button/UI-configurable to set up the nebula add-on in HassOS, and it will optionally generate all your certs, act as a CA, and operate as either a lighthouse or a regular node, as you need.
There are still various TODOs in the code and the docs need polishing, but by and large it should be totally configurable from the UI, or if you want power-user status, you can always override the config directly and it will run with whatever you give it.
Next burst of motivation will go towards getting it installable via the store without having to do it as a local addon.
Another big benefit of overlay networks (such as Nebula), and my use case, is that if you run it on your servers in the cloud, it’s very, very easy to set up a reverse proxy in a datacenter for TLS termination, and just specify the homeassistant node as the backend directly, with no port forwarding or dyndns or anything required. The connection is also mTLS between the TLS terminator in the datacenter and the HA node, too, so it’s very secure.
Saves a ton of hassle with hole punching and forwarding and dns ttls and dyndns and whatever else; my nebula network is just a big /24 that everything I have is on.
For now I’ve got my LAN router on it and I’m running a socat container on there to simply forward a port from its nebula IP to my HA node, but that sucks. Native nebula on the HA is ideal. I’m going to check out @mr_ransel’s addon. Looking forward to it.
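As an added illustration of the lighthouse/regular-node split and the datacenter-proxy-to-HA setup discussed above (this is an example config written for this thread, not the add-on's own code), here is a Nebula config.yml for the Home Assistant node. Assumed values: a 10.0.0.0/24 overlay, a lighthouse at overlay IP 10.0.0.1 reachable at the hypothetical lighthouse.example.com:4242, the HA node at 10.0.0.10, the reverse proxy's certificate carrying the group "proxy", and certificate files under /config/nebula.

```yaml
# Constructed example: Nebula config.yml for the Home Assistant node.
# Assumed addresses: overlay 10.0.0.0/24, lighthouse 10.0.0.1 (public
# lighthouse.example.com:4242, hypothetical), this node 10.0.0.10.
pki:
  ca: /config/nebula/ca.crt      # CA created with: nebula-cert ca -name "home"
  cert: /config/nebula/host.crt  # nebula-cert sign -name ha -ip 10.0.0.10/24 -groups ha
  key: /config/nebula/host.key

# Overlay IP of each lighthouse mapped to its reachable underlay address(es).
static_host_map:
  "10.0.0.1": ["lighthouse.example.com:4242"]

lighthouse:
  am_lighthouse: false   # true on the lighthouse itself (which then has no hosts list)
  interval: 60
  hosts:
    - "10.0.0.1"

listen:
  host: 0.0.0.0
  port: 0                # regular node: any free port; the lighthouse pins 4242

punchy:
  punch: true            # keep NAT mappings alive so peers can reach this node directly

tun:
  dev: nebula1
  mtu: 1300

firewall:
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    # Only the TLS terminator (group "proxy" in its signed cert) may reach HA on 8123,
    # so the overlay itself enforces who can be a backend client of Home Assistant.
    - port: 8123
      proto: tcp
      group: proxy
    # ICMP from any overlay peer, for troubleshooting reachability.
    - port: any
      proto: icmp
      host: any
```

Because the group check is done against the peer's Nebula certificate, a host that is on the overlay but not signed into the "proxy" group is dropped before it ever reaches port 8123.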