
I've been using Nebula for personal use and it's really great. I have a free Oracle Cloud vm as my "lighthouse."

The advantage of Nebula is that it's dead simple. Generate a keypair, copy it over, copy the config file, and go. It can do mesh routing for the VPN and traverse NAT magically. You can delegate DNS to the lighthouse and name resolution just works too.

That simplicity is awesome for personal use, and maybe it's good enough for a small operation, but I'm guessing it doesn't have all the bells and whistles you'd want for medium or larger companies.




Nebula transits every EC2-to-EC2 packet at Slack, across lots of AWS regions and tens of thousands of hosts. It’s probably doing petabits of traffic per second. And it’s a safer, more expressive firewall than EC2 security groups.

So, yes, it works for personal use-cases but it works for truly gigantic applications, too.
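As an added illustration of the "generate a keypair, copy the config, and go" setup described earlier and of the group-based firewall mentioned in this comment (this is an example written for this page, not a commenter's or the Nebula project's own config), here is a minimal host config for a non-lighthouse node. The overlay addresses (192.168.100.0/24), the lighthouse's public endpoint (203.0.113.10), the file paths, and the group names `admins` and `webclients` are all assumed placeholders. The keys used are those documented in Nebula's example config; the certificate commands in the comments are the standard `nebula-cert` invocations.

```yaml
# Certificates produced once on the CA machine (example commands, placeholder names):
#   nebula-cert ca -name "Home Org"
#   nebula-cert sign -name "lighthouse1" -ip "192.168.100.1/24"
#   nebula-cert sign -name "laptop" -ip "192.168.100.5/24" -groups "admins"
# Each host only ever receives ca.crt plus its own host.crt/host.key.
pki:
  ca: /etc/nebula/ca.crt        # assumed path
  cert: /etc/nebula/host.crt    # assumed path
  key: /etc/nebula/host.key     # assumed path

# Map the lighthouse's overlay IP to its reachable public address (placeholder IPs).
static_host_map:
  "192.168.100.1": ["203.0.113.10:4242"]

lighthouse:
  am_lighthouse: false
  interval: 60
  hosts:
    - "192.168.100.1"

listen:
  host: 0.0.0.0
  port: 4242

# Keep NAT mappings alive so peers can reach this host directly.
punchy:
  punch: true

tun:
  dev: nebula1
  mtu: 1300

# Firewall rules are evaluated against groups embedded in the peer's certificate,
# so membership is cryptographically bound to the host rather than to an IP or
# subnet. Default is deny; only listed inbound flows are accepted.
firewall:
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: 22          # SSH only from hosts whose cert carries the "admins" group
      proto: tcp
      groups:
        - admins
    - port: 443         # HTTPS from hosts carrying the "webclients" group
      proto: tcp
      group: webclients
```

The point worth checking on any deployment is that the `inbound` list stays explicit: because groups travel in the signed certificate, a rule like the SSH one above cannot be widened by an attacker who merely obtains an overlay IP, only by someone able to get the CA to sign a cert with that group.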


The big thing I see missing is the management piece, which is what makes Tailscale compelling. If you're just running Nebula as an individual user, or for a small org, there wouldn't be much overhead. Otherwise, for larger deployments, you need to "roll your own" solution to manage configs outside of Nebula itself.

You'd also want this to be self-service in some way - so road warriors can rotate their own certs, with auth backed by some kind of central SSO system. The last I looked, Nebula didn't offer this stuff.


How well does it handle public WiFi? Some hotspots may block any non-HTTP traffic, or traffic on nonstandard ports. IIRC ZeroTier will use relays when UDP traffic is blocked.
