Connecting servers, laptops, and IoT devices across the internet as if they were on the same local network used to require complex VPN setups, port forwarding, and static IPs. In 2026, overlay network technologies make this trivial — but most people still rely on centralized, proprietary services that can see your network topology, throttle your bandwidth, or shut down without warning.
This guide covers the three leading open-source overlay network platforms you can self-host: ZeroTier (via the open-source controller), Nebula, and Netmaker. Each takes a fundamentally different architectural approach to solving the same problem — creating secure, encrypted, peer-to-peer virtual networks that span the globe.
Why Self-Host Your Overlay Network?
Overlay networks (also called SD-WAN, mesh VPN, or virtual LAN solutions) let you connect devices across the internet as if they share the same subnet. Commercial services like Tailscale and the hosted ZeroTier platform make this easy, but come with trade-offs:
- Centralized control plane — The service provider sees every device on your network, its IP, and when it connects
- Device and user limits — Free tiers cap at 25–100 devices; enterprise plans cost per-user
- Vendor lock-in — Your network identity and configuration live on someone else’s servers
- Potential downtime — If the control plane goes down, new connections can’t be established
- Data sovereignty — For regulated industries, routing metadata through third-party infrastructure is unacceptable
Self-hosting flips the model:
- Full control — You run the control plane. No one else sees your topology
- No limits — Connect thousands of nodes without per-device fees
- Resilience — Your control plane runs on infrastructure you choose and manage
- Compliance — Metadata never leaves your environment
- Customization — Integrate with existing identity providers, set custom routing rules, and build the topology you need
Whether you’re running a homelab across multiple locations, connecting branch offices, managing IoT sensors in the field, or building a zero-trust infrastructure, self-hosted overlay networks give you the connectivity without the compromise.
The Contenders at a Glance
| Feature | ZeroTier (OSS) | Nebula | Netmaker |
|---|---|---|---|
| Language / Stack | C++ core, Node.js controller | Go (single binary) | Go core, React UI, PostgreSQL |
| Architecture | SDN with centralized controller | P2P mesh, no central dependency after bootstrapping | WireGuard-based with centralized management UI |
| Transport Protocol | Custom (UDP port 9993) | Custom (UDP, configurable) | WireGuard (UDP) |
| Control Plane | Self-hostable zerotier-one controller | Distributed — lighthouse nodes are lightweight | Netmaker server with PostgreSQL + MQTT |
| NAT Traversal | Built-in (uses root servers as relays) | Built-in (hole punching via lighthouses) | Built-in (WireGuard handles NAT traversal) |
| Encryption | ChaCha20-Poly1305 (Curve25519 key exchange) | Curve25519 for key exchange, AES-GCM or ChaCha20-Poly1305 | WireGuard’s Noise protocol (ChaCha20-Poly1305) |
| Web UI | Basic API; third-party UIs available | CLI only (no official UI) | Full web management dashboard |
| Access Control | Network-level rules (flow rules in MOF language) | Firewall rules per node, group-based | ACLs, user management, SSO integration |
| DNS | Built-in DNS for network members | No built-in DNS | Built-in DNS resolution across networks |
| Subnet Routing | Yes (route declarations) | Yes (static routes via lighthouses) | Yes (ingressdockers gateways) |
| Docker Support | Official images | Official images | Official images with full compose stack |
| Maturity | 2014 — very mature, production-hardened | 2017 — mature, used at scale (Slack) | 2020 — actively developed, growing adoption |
| GitHub Stars | 20,000+ | 9,000+ | 7,000+ |
| License | BSL 1.1 (free for most uses) | MIT | MIT |
Architecture Deep Dive
ZeroTier: Software-Defined Networking
ZeroTier uses a centralized controller model. When a node joins a network, it authenticates with the controller, receives a virtual IP, and learns about other nodes. The controller facilitates the initial handshake, but data traffic flows directly peer-to-peer using NAT hole-punching. If a direct connection isn’t possible, traffic routes through relay nodes.
The controller assigns virtual IPs from a private range and distributes a network configuration that includes routing rules, DNS settings, and flow rules (a declarative language for traffic filtering). Nodes maintain persistent connections to each other, and the controller only needs to be reachable during initial join and topology changes.
ZeroTier’s root servers (13 publicly operated servers) handle initial bootstrap and act as relays, but you can deploy your own root server or moon for complete independence.
Nebula: Decentralized Mesh with Lighthouses
Nebula takes a fundamentally different approach. There is no central authority. Instead, you define a certificate authority (CA) that signs node certificates. Each node has a certificate that identifies it and declares which groups it belongs to.
Lighthouse nodes are special Nebula nodes with public IP addresses. They act as directory services — nodes register their public IP with lighthouses, and lighthouses help peers discover each other. But lighthouses don’t relay traffic (unless configured to). Once two nodes know each other’s addresses, they communicate directly.
Nebula’s security model is certificate-based: every packet is authenticated against the sender’s certificate, and firewall rules can reference certificate groups rather than IP addresses. This means access control follows identity, not network position.
Slack uses Nebula internally for its global infrastructure, demonstrating its production readiness at scale.
Netmaker: WireGuard Orchestration
Netmaker builds on WireGuard — the modern, kernel-level VPN protocol — and adds a management layer on top. WireGuard itself is intentionally simple: you configure peers by exchanging public keys and endpoint addresses. There’s no built-in discovery, dynamic IP assignment, or user management.
Netmaker fills these gaps with:
- Automatic key and config generation — Nodes get WireGuard configs generated and pushed automatically
- User management with SSO — OAuth/OIDC integration for team-based access
- Web dashboard — Visual network management, monitoring, and troubleshooting
- DNS resolution — Nodes can resolve each other by name
- Ingress/Egress gateways — Route traffic between WireGuard networks and external networks
- Relay servers — Fallback routing when direct peering fails
The trade-off: Netmaker depends on WireGuard, which means it inherits WireGuard’s strengths (simplicity, performance, kernel integration) but also its limitations (static peer configs require regeneration when topology changes, no built-in roaming support without the management layer).
Docker Deployment: ZeroTier Controller
ZeroTier’s controller is straightforward to self-host. The official Docker image includes both the zerotier-one service and the HTTP API controller.
Prerequisites
- A server with a public IP and open UDP port 9993
- Docker and Docker Compose installed
Docker Compose Setup
| |
Creating Your First Network
| |
Joining a Node
On each client machine:
| |
Adding a Moon (Optional but Recommended)
A Moon is a ZeroTier root server you control. It accelerates peer discovery and provides a relay fallback without relying on ZeroTier’s public root servers.
| |
Docker Deployment: Nebula
Nebula’s simplicity is its greatest strength. A single binary handles everything — the CA, the lighthouse, and the client nodes.
Step 1: Generate Your CA
| |
This creates two files:
ca.crt— The public certificate (distribute to all nodes)ca.key— The private key (keep this secure — it signs all node certificates)
Step 2: Create Lighthouse and Node Certificates
| |
Step 3: Configure the Lighthouse (Docker)
| |
lighthouse-config/config.yml:
| |
Step 4: Configure a Client Node
node-config/config.yml:
| |
| |
Nebula Firewall Rules in Action
Nebula’s firewall is group-aware. A rule like this on the lighthouse:
| |
Allows SSH access only to nodes with the servers group, regardless of their IP address. This is identity-based access control that follows the node wherever it connects from.
Docker Deployment: Netmaker
Netmaker is the most feature-rich option but also the most complex to deploy. It includes a full web UI, user management, SSO, and DNS — all managed through a unified interface.
Docker Compose Setup
| |
Caddyfile for automatic TLS:
| |
Initial Setup
| |
Joining a Node
Netmaker uses netclient — a lightweight agent that handles WireGuard configuration automatically.
| |
Head-to-Head Comparison
Ease of Deployment
| Metric | ZeroTier | Nebula | Netmaker |
|---|---|---|---|
| Initial setup time | 10 minutes | 20 minutes | 30 minutes |
| Components required | Controller + Moon (optional) | CA + Lighthouse + Nodes | Server + Postgres + MQTT + Caddy |
| Learning curve | Low | Medium | Medium-High |
| Web UI | Third-party only | None | Full dashboard |
| Docker experience | network_mode: host | network_mode: host | Multi-container compose |
ZeroTier wins on simplicity. Nebula requires understanding certificates and groups. Netmaker has the most moving parts but rewards you with a polished management experience.
Performance and Resource Usage
| Metric | ZeroTier | Nebula | Netmaker (WireGuard) |
|---|---|---|---|
| Protocol overhead | ~44 bytes per packet | ~32 bytes per packet | ~32 bytes per packet |
| Throughput | ~400-600 Mbps | ~700-900 Mbps | ~1-2 Gbps (kernel) |
| Latency overhead | ~5-10ms | ~3-8ms | ~1-3ms |
| CPU usage (per node) | Low (userspace) | Low (userspace) | Very low (kernel) |
| Memory usage | ~50 MB | ~30 MB | ~10 MB (netclient) |
Netmaker’s WireGuard foundation gives it the performance edge — WireGuard runs in kernel space with minimal overhead. ZeroTier and Nebula run in userspace, adding a small penalty but offering more flexibility.
Security Model
| Aspect | ZeroTier | Nebula | Netmaker |
|---|---|---|---|
| Key exchange | Curve25519 | Curve25519 | Noise IK (Curve25519) |
| Encryption | ChaCha20-Poly1305 | AES-GCM or ChaCha20 | ChaCha20-Poly1305 |
| Authentication | Network membership + auth tokens | Certificate-based (PKI) | WireGuard key exchange + SSO |
| Access control | Flow rules (declarative) | Certificate groups + firewall | ACLs, user roles, SSO |
| Auditable | Controller logs | Certificate chain | Full audit trail in Postgres |
| Zero-trust ready | Partially | Yes (identity-based) | Yes (SSO + ACLs) |
Nebula has the strongest zero-trust story — every packet is authenticated against a certificate, and firewall rules follow identity, not IP address. Netmaker’s SSO integration and role-based access make it ideal for teams. ZeroTier’s flow rules are powerful but require learning a custom language.
Multi-Site and Subnet Routing
All three support subnet routing, but the approaches differ:
| |
ZeroTier: Declare routes in the network config. Nodes with --allow-default can advertise local subnets. The controller distributes routes to all members.
Nebula: Use lighthouse nodes as routers. Configure unsafe_routes in the client config to announce subnets. Firewall rules control which groups can access which subnets.
Netmaker: Designate nodes as “ingress” or “egress” gateways. The UI makes subnet routing a checkbox operation. DNS resolution works across subnets automatically.
Production Readiness
| Scenario | Recommended Tool |
|---|---|
| Simple homelab, 5-20 nodes | ZeroTier (easiest to set up) |
| Enterprise zero-trust, identity-based access | Nebula (certificate-based, proven at Slack scale) |
| Team collaboration, need UI and SSO | Netmaker (dashboard, user management, DNS) |
| **IoT devices, minimal resoukubernetesebula (smallest binary, ~30MB RAM) | |
| Kubernetes cluster networking | Nebula or Netmaker (better integration patterns) |
| Replacing Tailscale with self-hosted | Netmaker (closest feature parity) |
| Maximum performance | Netmaker/WireGuard (kernel-level, 1-2 Gbps) |
Common Pitfalls and Solutions
NAT Traversal Failures
All three tools use UDP hole-punching to establish direct connections. On symmetric NATs (common in corporate networks), this can fail.
ZeroTier: Deploy a Moon server with a public IP. Nodes will use it as a relay fallback.
| |
Nebula: Ensure at least one lighthouse has a public IP. Configure static_host_map with the lighthouse’s public address.
Netmaker: Configure a relay node with a public IP. Netmaker automatically routes through relays when direct peering fails.
Certificate Rotation (Nebula)
Nebula certificates don’t expire by default. When you need to rotate them:
| |
Network Recovery After Controller Downtime
ZeroTier: Nodes maintain peer connections even if the controller goes down. New nodes can’t join, and IP assignments won’t update, but existing connections persist.
Nebula: Fully decentralized after bootstrapping. Lighthouse downtime means new nodes can’t discover peers, but existing connections continue uninterrupted.
Netmaker: If the Netmaker server goes down, existing WireGuard connections persist. The netclient agent caches its configuration locally. New enrollments and config updates are blocked until the server recovers.
Migration Paths
From Tailscale to Self-Hosted
If you’re currently using Tailscale and want to self-host:
- Netmaker is the closest drop-in replacement — same WireGuard foundation, similar feature set (DNS, subnet routing, user management)
- Install
netclienton each node alongside the Tailscale client - Create equivalent networks and subnets in Netmaker
- Update DNS and routing configurations
- Decommission Tailscale clients once migration is verified
From OpenVPN/WireGuard Manual Setup
If you’re managing individual WireGuard configs:
- Netmaker will automate your existing WireGuard setup — import existing keys, let it manage peer discovery and DNS
- ZeroTier requires a fresh network — you’ll need to reassign IPs and reconfigure services to use the new virtual network
- Nebula is ideal if you want certificate-based identity — migrate one node at a time, verify connectivity, then switch over
Cost Comparison
Assuming 50 nodes across 3 sites:
| Tool | Infrastructure Cost | Operational Effort | Total 1-Year Cost |
|---|---|---|---|
| ZeroTier (self-hosted) | $5/mo VPS (controller) | Low | ~$60/yr |
| Nebula | $5/mo VPS (lighthouse) | Low-Medium | ~$60/yr |
| Netmaker | $10/mo VPS (server + Postgres) | Medium | ~$120/yr |
| Tailscale (hosted) | Free (25 nodes) / $720/yr (50 nodes) | Very Low | $720/yr |
| ZeroTier (hosted) | Free (25 nodes) / $600/yr (50 nodes) | Very Low | $600/yr |
Self-hosting saves $480–660 per year for 50 nodes, with the added benefit of full control and no vendor lock-in.
Verdict: Which Should You Choose?
Choose ZeroTier if you want the simplest path to a working overlay network. The controller is easy to deploy, the client is available for every platform, and NAT traversal just works. It’s the best choice for homelab users and small teams who need connectivity without complexity.
Choose Nebula if you need zero-trust, certificate-based security with minimal infrastructure. Nebula’s group-based firewall rules and decentralized architecture make it ideal for security-conscious deployments. The lack of a web UI is its biggest drawback, but the CLI is straightforward and automation-friendly.
Choose Netmaker if you’re replacing Tailscale or need a team-friendly platform with a web dashboard, SSO, DNS, and the performance of WireGuard. It has the steepest initial setup but the most complete feature set for production environments.
All three are production-ready, open-source, and free to run. The best choice depends on your team size, security requirements, and tolerance for operational complexity. For most homelab users starting out, ZeroTier offers the fastest path to a working network. For enterprise deployments, Nebula’s identity-based security or Netmaker’s management features will serve you better.
Frequently Asked Questions (FAQ)
Which one should I choose in 2026?
The best choice depends on your specific requirements:
- For beginners: Start with the simplest option that covers your core use case
- For production: Choose the solution with the most active community and documentation
- For teams: Look for collaboration features and user management
- For privacy: Prefer fully open-source, self-hosted options with no telemetry
Refer to the comparison table above for detailed feature breakdowns.
Can I migrate between these tools?
Most tools support data import/export. Always:
- Backup your current data
- Test the migration on a staging environment
- Check official migration guides in the documentation
Are there free versions available?
All tools in this guide offer free, open-source editions. Some also provide paid plans with additional features, priority support, or managed hosting.
How do I get started?
- Review the comparison table to identify your requirements
- Visit the official documentation (links provided above)
- Start with a Docker Compose setup for easy testing
- Join the community forums for troubleshooting