Managed Nebula vs ZeroTier

Managed Nebula and ZeroTier are both overlay networking tools that create encrypted connections between your hosts. They share the goal of making networking simpler, but we designed Nebula with a different philosophy around control, transparency, and open source.
Nebula is a fully open-source overlay networking tool that we originally built at Slack and continue to maintain at Defined Networking. It uses its own protocol built on the Noise framework to create peer-to-peer encrypted tunnels between hosts. Managed Nebula is our cloud-hosted management layer that handles certificate authorities, host configuration, and distribution, while you retain full control of your network’s data plane.
ZeroTier is a software-defined networking platform that creates virtual Ethernet networks. It uses a centralized root server infrastructure (called “planets” and “moons”) operated by ZeroTier to coordinate connectivity between nodes.
Below, we break down the key differences to help you decide which is right for your network.
At a glance
| | Managed Nebula | ZeroTier |
|---|---|---|
| Protocol | Nebula (Noise IX) | Custom (Salsa20/Poly1305) |
| Architecture | Fully peer-to-peer mesh | Peer-to-peer with root servers |
| Authentication | Certificate-based (Nebula CA) | Network membership via controller |
| Firewall | Stateful with security groups | Flow rules via controller |
| NAT traversal | Lighthouses (you operate) | Root servers (ZeroTier operates) |
| Open source | Fully (MIT license) | BSL 1.1 (source-available) |
| Infrastructure | You run lighthouses and relays | ZeroTier-operated root servers |
| Free tier | Up to 100 hosts | Up to 25 nodes |
| Pricing | $1/host/month | Per-node pricing |
Architecture
Both Nebula and ZeroTier create mesh networks, but they take very different approaches to coordination and control.
Nebula uses its own protocol built on the Noise IX handshake pattern. Every host holds a signed certificate from a Nebula Certificate Authority, and hosts establish direct peer-to-peer tunnels without needing a central server to broker connections. The data plane is fully decentralized. If our control plane goes offline, your existing network continues operating normally.
ZeroTier creates virtual Layer 2 Ethernet networks. Nodes connect through a hierarchy of root servers (“planets”) operated by ZeroTier, with optional self-hosted relay points (“moons”). The network controller manages membership and configuration. While data flows peer-to-peer when possible, the root server infrastructure is involved in peer discovery and relay.
Authentication
Nebula uses certificate-based authentication with its own simplified certificate format. Each host receives a certificate signed by a Nebula Certificate Authority that contains the host’s public key, Nebula IP address, name, and group memberships. When two hosts connect, they mutually validate each other’s certificates. Managed Nebula handles the CA and certificate lifecycle for you, and we support single sign-on (SSO) on all plans, including the free tier.
ZeroTier uses a network controller to manage membership. Nodes request access to a network and must be authorized through the controller (either manually or via API). The controller distributes network configuration and membership credentials to authorized nodes.
Firewall and access control
Nebula has a stateful packet firewall built directly into the Nebula process. Because Nebula certificates include group membership information, firewall rules can reference groups rather than individual IP addresses. This works similarly to AWS Security Groups. Rules like “allow the WebApp group to access port 443” don’t need to be updated as hosts join or leave the network.
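As an added illustration (not taken from this page), here is how the group rule described above looks in the `firewall` section of an open-source Nebula host `config.yml`, next to the address-pinned rule it replaces. The group names (`webapp`, `ops`, `prod`) and the `10.42.0.0/24` range are constructed placeholders.

```yaml
# Constructed example: inbound policy for a host that serves HTTPS.
firewall:
  outbound:
    # Let this host open connections to any peer on the overlay.
    - port: any
      proto: any
      host: any

  inbound:
    # Address-pinned alternative, shown commented out for contrast.
    # It is keyed to overlay IPs, so it has to be edited whenever a
    # client outside the listed range joins the network.
    # - port: 443
    #   proto: tcp
    #   cidr: 10.42.0.0/24

    # Group rule: any peer whose CA-signed certificate lists the
    # "webapp" group may reach tcp/443. Adding or removing webapp
    # hosts requires no change to this file.
    - port: 443
      proto: tcp
      group: webapp

    # "groups" requires ALL listed groups to be present in the peer's
    # certificate: SSH only from hosts that are in both ops and prod.
    - port: 22
      proto: tcp
      groups:
        - ops
        - prod

    # Inbound traffic that matches no rule above is dropped
    # (the Nebula firewall is default deny).
```

Because the groups are read from the peer's signed certificate rather than from anything the peer asserts at connection time, group assignment at signing time is the control to audit.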
ZeroTier manages access control through flow rules defined in the network controller. Rules are written in a custom rule language and distributed to all nodes via the controller. This provides flexible traffic filtering but requires the controller to be available for rule updates.
NAT traversal
Nebula uses Lighthouses, special hosts that you deploy and operate, to coordinate peer discovery. Since you operate the Lighthouses, you control this infrastructure entirely. For difficult NAT situations, Nebula also supports relays that you run yourself.
ZeroTier uses its root server infrastructure for peer discovery and relay. ZeroTier operates a global network of root servers that help nodes find each other and relay traffic when direct connections fail. You can supplement this with self-hosted “moons,” but the primary infrastructure is ZeroTier-operated.
Open source
Nebula is fully open-source under the MIT license. Every component, including the networking protocol, the firewall, and the certificate authority tooling, is available for inspection, modification, and self-hosting. You can run a complete Nebula network with zero dependency on us.
ZeroTier is released under the Business Source License 1.1 (BSL). While the source code is available for inspection, the BSL restricts commercial use beyond certain thresholds. This is not an OSI-approved open-source license. After four years, each version converts to the Apache 2.0 license.
With Nebula, you have full access to and control over every component of your network under a permissive open-source license. There are no proprietary dependencies and no usage restrictions.
Infrastructure control
With Managed Nebula, you run your own lighthouses and relays on infrastructure you control. Your network’s data plane is entirely yours. If our management service experiences downtime, your overlay network continues operating. Hosts communicate, tunnels form, and firewalls enforce rules. We handle the certificate authority and configuration distribution, but your operational network does not depend on us.
With ZeroTier, the root server infrastructure is operated by ZeroTier. While you can run supplementary “moon” nodes, the core peer discovery and relay infrastructure depends on ZeroTier’s global root servers being available.
Pricing
Managed Nebula offers simple per-host pricing:
- Free: Up to 100 hosts, 2 routes, SSO, and a simple management UI. No credit card required.
- Pro: $1/host/month with unlimited hosts, up to 100 routes, priority support, and guaranteed uptime
- Enterprise: Custom pricing with a dedicated Slack support channel and network design assistance
See our pricing page for full details, or contact sales for Enterprise.
ZeroTier offers a free tier for up to 25 nodes, with paid plans for larger networks. Pricing is per-node.
Which is right for you?
Choose Managed Nebula if you want:
- Full control over your network infrastructure, including lighthouses and relays
- A truly open-source foundation under the MIT license with no usage restrictions
- Certificate-based authentication that scales without constant reconfiguration
- Built-in, group-based firewall rules that work like AWS Security Groups
- A generous free tier supporting up to 100 hosts
- Simple, transparent per-host pricing
Choose ZeroTier if you want:
- Virtual Layer 2 Ethernet networking between nodes
- A managed root server infrastructure you don’t need to operate
- A network controller with a web-based management UI
Frequently asked questions
Is Nebula open source like ZeroTier?
Nebula is fully open-source under the MIT license with no usage restrictions. ZeroTier uses the Business Source License (BSL 1.1), which is source-available but not an OSI-approved open-source license and restricts commercial use beyond certain thresholds.
How does Nebula's free tier compare to ZeroTier's?
Managed Nebula supports up to 100 hosts for free with SSO included. ZeroTier's free tier supports up to 25 nodes.
Can I self-host Nebula without Defined Networking?
Yes. Nebula is fully self-hostable with zero dependency on Defined Networking. Managed Nebula is an optional management layer on top of the open-source project.