Self-hosted tooling for secure overlay networks — built around Slack's Nebula and the certificate authority that anchors it.

nebula-mesh — a self-hosted control plane for the Nebula mesh VPN.

Nebula gives you a fast, mTLS-authenticated overlay network, but leaves certificate issuance, rotation, distribution and revocation to the operator — usually shell scripts and a CA on a laptop. nebula-mesh fills that gap: issue and rotate CAs and certificates, enroll hosts (including iOS / Android via QR), distribute config, and roll out changes from one place — a single Go binary plus an enrollment agent, running on one VM.

MIT-licensed. Runs entirely on your own infrastructure.