Managed Nebula vs Netmaker


Managed Nebula and Netmaker are both mesh networking tools that create encrypted overlay networks between your hosts. Both are open source and both aim to simplify secure connectivity, but we built Nebula with a different protocol, a different architecture, and a different philosophy around infrastructure control.

Nebula is a fully open-source overlay networking tool that we originally built at Slack and continue to maintain at Defined Networking. It uses its own protocol built on the Noise framework to create peer-to-peer encrypted tunnels between hosts. Managed Nebula is our cloud-hosted management layer that handles certificate authorities, host configuration, and distribution, while you retain full control of your network’s data plane.

Netmaker is a WireGuard-based mesh networking platform. It uses WireGuard as its tunnel protocol and adds a server-based control plane to manage network configuration, access control, and peer distribution.

Below, we break down the key differences to help you decide which is right for your network.

At a glance

|                | Managed Nebula                 | Netmaker                         |
|----------------|--------------------------------|----------------------------------|
| Protocol       | Nebula (Noise IX)              | WireGuard (Noise IK)             |
| Architecture   | Fully peer-to-peer mesh        | WireGuard mesh via control plane |
| Authentication | Certificate-based (Nebula CA)  | Key management via server        |
| Firewall       | Stateful with security groups  | WireGuard + OS-level ACLs        |
| NAT traversal  | Lighthouses (you operate)      | TURN server for relay            |
| Open source    | Fully (MIT license)            | SSPL (source-available)          |
| Infrastructure | You run lighthouses and relays | Self-hosted or SaaS server       |
| Free tier      | Up to 100 hosts                | Community edition (self-hosted)  |
| Pricing        | $1/host/month                  | Per-network pricing              |

Architecture

Both Nebula and Netmaker create mesh networks, but they use different protocols and different approaches to coordination.

Nebula uses its own protocol built on the Noise IX handshake pattern. Every host holds a signed certificate from a Nebula Certificate Authority, and hosts establish direct peer-to-peer tunnels without needing a central server to broker connections. The data plane is fully decentralized. If our control plane goes offline, your existing network continues operating normally. Hosts already have their certificates and can establish new tunnels with each other.

Netmaker uses WireGuard as its tunnel protocol and adds a central server that manages peer configuration. The server distributes WireGuard configurations to all nodes, which then establish WireGuard tunnels between each other. The server must be available for configuration changes, new node enrollment, and access control updates.

Performance

We maintain an ongoing, public benchmarking effort that compares Nebula against other mesh networking tools including Netmaker, using dedicated hardware and rigorous methodology. Key findings from our benchmarking results:

  • Throughput: Nebula, Netmaker, and Tailscale can all saturate a 10 Gbps network in a single direction on modern CPUs. All three are competitive at the top end.
  • Memory: Nebula averages approximately 27 MB of memory with extremely consistent usage. Netmaker’s memory usage varies depending on network size and configuration.
  • Consistency: Nebula’s throughput and resource usage are extremely consistent and predictable across runs and configurations.

As we wrote in that post: “There is no single ‘best’ solution.” We publish the full benchmarking methodology, configurations, and raw data publicly.

Firewall and access control

Nebula has a stateful packet firewall built directly into the Nebula process. Because Nebula certificates include group membership information, firewall rules can reference groups rather than individual IP addresses. This works similarly to AWS Security Groups. Rules like “allow the WebApp group to access port 443” don’t need to be updated as hosts join or leave the network.
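
The rule quoted above, written out as an added example (not taken from the original page) in the firewall section of a self-managed, open-source Nebula host config. The group names other than WebApp and the CIDR are constructed for illustration, and the host is assumed to be the one serving HTTPS.

```yaml
# Added example: firewall section of a Nebula host config (config.yml)
# for a host that serves HTTPS on the overlay network.
firewall:
  # What happens to packets that match no rule below.
  outbound_action: drop
  inbound_action: drop

  outbound:
    # Let this host initiate any connection over the overlay.
    - port: any
      proto: any
      host: any

  inbound:
    # Group-based rule: any peer whose certificate carries the "WebApp"
    # group may reach TCP 443. Group membership is part of the signed
    # certificate (set when the CA signs it), so a newly enrolled WebApp
    # host is allowed without touching this file.
    - port: 443
      proto: tcp
      group: WebApp

    # `groups` (plural) requires the peer certificate to carry ALL of the
    # listed groups. "ops" and "prod" are constructed names.
    - port: 22
      proto: tcp
      groups:
        - ops
        - prod

    # IP-based form of the first rule, shown commented out for contrast:
    # it has to be edited every time a client is added, removed or
    # re-addressed. The CIDR is a constructed value.
    # - port: 443
    #   proto: tcp
    #   cidr: 192.168.100.10/32
```

Because the firewall is stateful, reply traffic for connections the outbound rule allowed is admitted without a matching inbound rule.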

Netmaker relies on WireGuard’s cryptokey routing for basic network segmentation and OS-level firewall rules for fine-grained access control. Access control lists are managed through the Netmaker server and distributed as WireGuard configuration updates.

Open source

Nebula is fully open-source under the MIT license. Every component, including the networking protocol, the firewall, and the certificate authority tooling, is available for inspection, modification, and self-hosting. You can run a complete Nebula network with zero dependency on us.

Netmaker changed its license from Apache 2.0 to the Server Side Public License (SSPL) in 2023. While the source code is available, the SSPL is not an OSI-approved open-source license and places restrictions on offering Netmaker as a managed service. This is an important distinction for organizations that value permissive open-source licensing.

Infrastructure control

With Managed Nebula, you run your own lighthouses and relays on infrastructure you control. Your network’s data plane is entirely yours. If our management service experiences downtime, your overlay network continues operating. Hosts communicate, tunnels form, and firewalls enforce rules. We handle the certificate authority and configuration distribution, but your operational network does not depend on us.

With Netmaker, you either self-host the Netmaker server or use their SaaS offering. The server is required for configuration changes and new node enrollment. The WireGuard data plane continues operating if the server goes down, but management operations require the server to be available.

Pricing

Managed Nebula offers simple per-host pricing:

  • Free: Up to 100 hosts, 2 routes, SSO, and a simple management UI. No credit card required.
  • Pro: $1/host/month with unlimited hosts, up to 100 routes, priority support, and guaranteed uptime
  • Enterprise: Custom pricing with a dedicated Slack support channel and network design assistance

See our pricing page for full details, or contact sales for Enterprise.

Netmaker offers a free community edition for self-hosting, with paid SaaS plans for managed infrastructure.

Which is right for you?

Choose Managed Nebula if you want:

  • Full control over your network infrastructure, including lighthouses and relays
  • A truly open-source foundation under the MIT license
  • Certificate-based authentication with group-based firewall rules
  • A network that keeps working even if the management plane goes down
  • Consistent, predictable performance with low memory overhead
  • Simple, transparent per-host pricing

Choose Netmaker if you want:

  • A WireGuard-based mesh with a management UI
  • A self-hosted control plane with community edition
  • Familiar WireGuard protocol and tooling underneath

Frequently asked questions

Is Nebula or Netmaker faster?

Both Nebula and Netmaker can saturate a 10 Gbps network on modern CPUs. Nebula averages approximately 27 MB of memory with extremely consistent usage across runs.

Is Netmaker open source?

Netmaker changed its license from Apache 2.0 to the Server Side Public License (SSPL) in 2023. While source-available, SSPL is not an OSI-approved open-source license. Nebula uses the permissive MIT license.

Do I need to run my own server for Nebula?

Managed Nebula handles the control plane for you. You run your own lighthouses and relays, but if the management service goes down, your network keeps working independently.

