
Nebula VPN

Overview

NebulaVPN is a managed VPN service that provides secure connectivity between remote sites and endpoints.

Purpose

NebulaVPN was built for connecting remote network elements to services transparently over the Internet. It enables south-bound API communication with devices at remote sites.

In the user interface, NebulaVPN is located at Networking > NebulaVPN.

This is not a WireGuard service — it is a VPN service that supports multiple tunnel technologies. WireGuard is the first supported instance type. Additional types including L2TP, IPSec, and OpenVPN are planned.

How It Works

NebulaVPN uses a two-tier architecture:

  1. A VPN defines the network — the shared address space that all peers belong to.

  2. Instances are created under a VPN to provide the actual tunnelling using a specific protocol (e.g., WireGuard, L2TP).

A single VPN can contain multiple instances of different types. All instances within a VPN share the same network, which means peers on different instance types can communicate with each other. For example, a site connected via WireGuard and a site connected via L2TP on the same VPN will be able to reach each other seamlessly.

VPN (my-network)
├── WireGuard Instance
│   ├── Peer A (10.0.0.2) ──── can reach Peer C
│   └── Peer B (10.0.0.3) ──── can reach Peer C
└── L2TP Instance (future)
    └── Peer C (10.0.0.4) ──── can reach Peer A and B

Connecting

To connect to a VPN instance from any peer, use either:

  • Hostname: za-gp-xnl-vpn.interstellio.io

  • IP address: 102.205.120.7

The service is fully redundant behind the scenes.

VPN

A VPN is the top-level entity that defines your network. All instances and peers within a VPN share the same address space regardless of which tunnel protocol they use.

WireGuard Instance

A WireGuard instance is a VPN tunnel created under a VPN using the WireGuard protocol. When created, a server keypair and listen port are generated automatically. You only need to provide the server IP address.

The server IP address is the internal IP address of the WireGuard instance within the VPN network. This is not the public address that clients connect to; it is the instance's own address inside the VPN address space.

WireGuard Peers

A peer (client) is a remote endpoint connected via a WireGuard instance.

  • Name — alphanumeric characters, underscores, and hyphens only.

  • IP address — the peer's IP within the VPN address range.

  • Public key — the client's WireGuard public key.

  • Hub (optional) — designate the peer as a hub node.

When viewing an individual peer, the system queries the active router and displays the peer's status: whether it is currently connected (last handshake within 3 minutes), its current endpoint address, the time of the last handshake, and traffic counters (bytes received and transmitted).
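How the status fields above can be derived from a router's WireGuard peer table, as an added example that is not NebulaVPN's own code. The page does not say how the router is queried; this example assumes the router is a WireGuard host whose peer table is read with `wg show <iface> dump`, and it applies the page's 3-minute handshake rule to a constructed sample of that output (the keys, endpoints and listen port in the sample are placeholders).

```python
from __future__ import annotations

import time
from dataclasses import dataclass

# Added example (not NebulaVPN code). Assumption: the router is a WireGuard host
# whose peer table can be read with "wg show <iface> dump". That command prints
# one interface line (private key, public key, listen port, fwmark) followed by
# one tab-separated line per peer: public key, preshared key, endpoint,
# allowed IPs, latest handshake (unix seconds, 0 = never), rx bytes, tx bytes,
# persistent keepalive.
HANDSHAKE_WINDOW = 3 * 60   # seconds: the page's "last handshake within 3 minutes"
NOW = 1_700_000_000         # constructed "current time" so the sample is deterministic

# Constructed sample dump; keys, endpoints and port are placeholders, not real values.
SAMPLE_DUMP = "\n".join([
    "SERVER_PRIVATE_KEY_PLACEHOLDER\tSERVER_PUBLIC_KEY_PLACEHOLDER\t51820\toff",
    f"PEER_A_PUBKEY_PLACEHOLDER\t(none)\t198.51.100.10:41641\t10.0.0.2/32\t{NOW - 45}\t8400\t12100\toff",
    "PEER_B_PUBKEY_PLACEHOLDER\t(none)\t(none)\t10.0.0.3/32\t0\t0\t0\toff",
    f"PEER_C_PUBKEY_PLACEHOLDER\t(none)\t203.0.113.7:51820\t10.0.0.4/32\t{NOW - 600}\t5000\t900\toff",
])


@dataclass
class PeerStatus:
    public_key: str
    endpoint: str | None          # current endpoint; None until the peer first connects
    allowed_ips: list[str]
    last_handshake: int           # unix seconds; 0 means no handshake yet
    rx_bytes: int
    tx_bytes: int

    def handshake_age(self, now: int | None = None) -> int | None:
        """Seconds since the last handshake, or None if there has never been one."""
        if self.last_handshake == 0:
            return None
        return int(now if now is not None else time.time()) - self.last_handshake

    def connected(self, now: int | None = None) -> bool:
        """The page's rule: connected means a handshake within the last 3 minutes."""
        age = self.handshake_age(now)
        return age is not None and 0 <= age <= HANDSHAKE_WINDOW


def parse_wg_dump(text: str) -> list[PeerStatus]:
    """Parse the peer lines of a "wg show <iface> dump"; the first line is the interface."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    peers = []
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        pub, _psk, endpoint, allowed, handshake, rx, tx, _keepalive = fields
        peers.append(PeerStatus(
            public_key=pub,
            endpoint=None if endpoint == "(none)" else endpoint,
            allowed_ips=allowed.split(","),
            last_handshake=int(handshake),
            rx_bytes=int(rx),
            tx_bytes=int(tx),
        ))
    return peers


def status_by_key(text: str, now: int | None = None) -> dict[str, dict]:
    """Map each peer's public key to the fields the page says the UI shows."""
    return {
        p.public_key: {
            "connected": p.connected(now),
            "endpoint": p.endpoint,
            "last_handshake": p.last_handshake or None,
            "rx_bytes": p.rx_bytes,
            "tx_bytes": p.tx_bytes,
        }
        for p in parse_wg_dump(text)
    }


if __name__ == "__main__":
    for key, st in status_by_key(SAMPLE_DUMP, NOW).items():
        print(key, "connected" if st["connected"] else "down", st)
```

In the sample, peer A handshook 45 seconds ago and counts as connected, peer B has never handshaken and has no endpoint, and peer C last handshook 10 minutes ago, so it is reported as down even though it still has an endpoint and traffic counters.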

Hub and Spoke

NebulaVPN uses a hub-spoke traffic model:

  • Hub peers can communicate with all other peers.

  • Spoke (non-hub) peers can only communicate with hub peers — not directly with other spoke peers.

This is useful for topologies where one or more central sites (hubs) need to reach all remote sites (spokes), while spoke-to-spoke traffic is not required.

WireGuard Routes

A route is a network prefix routed through a specific peer. This allows traffic destined for a remote network to be forwarded through the VPN to the appropriate peer.

  • Description — a label for the route.

  • Prefix — the CIDR network prefix (e.g., 192.168.1.0/24).

If the peer is a hub, the route prefix is also included in the hub's reachable address space.
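The two-tier model (VPN, instances, peers), the hub-spoke rule and the route rule above, worked through together as an added example that is not NebulaVPN's own code or API. The data classes, the `can_reach` and `reachable_prefixes` functions and the client-config renderer are hypothetical; the sample network follows the page's diagram with Peer C as the hub, and the public keys, listen port and private key are placeholders. The example models a route behind a hub as reachable from every peer (since every peer can reach a hub) and a route behind a spoke as reachable only from hubs, which is how this editor reads the page's route rule.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Added example (not NebulaVPN code): a hypothetical model of VPN -> instance -> peer/route.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # peer names: alphanumerics, '_' and '-' only


@dataclass
class Route:
    description: str
    prefix: ipaddress.IPv4Network            # CIDR prefix routed through the peer


@dataclass
class Peer:
    name: str
    address: ipaddress.IPv4Address           # the peer's IP inside the VPN address space
    public_key: str
    hub: bool = False
    routes: list[Route] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not NAME_RE.match(self.name):
            raise ValueError(f"invalid peer name {self.name!r}")


@dataclass
class Instance:
    kind: str                                # "wireguard" today; "l2tp" etc. are planned
    server_address: ipaddress.IPv4Address    # the instance's own address inside the VPN
    peers: list[Peer] = field(default_factory=list)


@dataclass
class VPN:
    name: str
    network: ipaddress.IPv4Network           # address space shared by every instance
    instances: list[Instance] = field(default_factory=list)

    def all_peers(self) -> list[Peer]:
        return [p for inst in self.instances for p in inst.peers]

    def add_peer(self, instance: Instance, peer: Peer) -> Peer:
        """Enforce the shared address space: in range and unique across all instances."""
        if peer.address not in self.network:
            raise ValueError(f"{peer.address} is outside {self.network}")
        taken = {p.address for p in self.all_peers()} | {i.server_address for i in self.instances}
        if peer.address in taken:
            raise ValueError(f"{peer.address} already in use in VPN {self.name!r}")
        instance.peers.append(peer)
        return peer


def can_reach(src: Peer, dst: Peer) -> bool:
    """Hub-spoke rule: a flow is allowed unless both ends are spokes."""
    return src.hub or dst.hub


def reachable_prefixes(vpn: VPN, peer: Peer) -> list[ipaddress.IPv4Network]:
    """Addresses of every peer this peer may reach, plus the routes behind those peers."""
    prefixes: set[ipaddress.IPv4Network] = set()
    for other in vpn.all_peers():
        if other is peer or not can_reach(peer, other):
            continue
        prefixes.add(ipaddress.ip_network(f"{other.address}/32"))
        prefixes.update(r.prefix for r in other.routes)
    return sorted(prefixes)


def client_allowed_ips(vpn: VPN, peer: Peer) -> str:
    """AllowedIPs value for the peer's WireGuard client config (no merging of prefixes)."""
    return ",".join(str(p) for p in reachable_prefixes(vpn, peer))


def render_client_config(vpn: VPN, peer: Peer, server_public_key: str, endpoint: str) -> str:
    """wg-quick style client config; the client's private key never leaves the client."""
    return "\n".join([
        "[Interface]",
        f"Address = {peer.address}/32",
        "PrivateKey = <client-private-key>",
        "",
        "[Peer]",
        f"PublicKey = {server_public_key}",
        f"Endpoint = {endpoint}",
        f"AllowedIPs = {client_allowed_ips(vpn, peer)}",
        "PersistentKeepalive = 25",
    ])


# Constructed sample following the page's diagram, with Peer C (HQ) as the hub.
VPN_EXAMPLE = VPN("my-network", ipaddress.ip_network("10.0.0.0/24"))
WG = Instance("wireguard", ipaddress.ip_address("10.0.0.1"))
L2TP = Instance("l2tp", ipaddress.ip_address("10.0.0.5"))   # planned type, modelled only
VPN_EXAMPLE.instances += [WG, L2TP]
PEER_A = VPN_EXAMPLE.add_peer(WG, Peer("site-a", ipaddress.ip_address("10.0.0.2"), "PEER_A_PUBKEY_PLACEHOLDER",
                                       routes=[Route("site A LAN", ipaddress.ip_network("192.168.1.0/24"))]))
PEER_B = VPN_EXAMPLE.add_peer(WG, Peer("site-b", ipaddress.ip_address("10.0.0.3"), "PEER_B_PUBKEY_PLACEHOLDER"))
PEER_C = VPN_EXAMPLE.add_peer(L2TP, Peer("hq", ipaddress.ip_address("10.0.0.4"), "PEER_C_PUBKEY_PLACEHOLDER", hub=True,
                                         routes=[Route("HQ LAN", ipaddress.ip_network("192.168.4.0/24"))]))

if __name__ == "__main__":
    print(render_client_config(VPN_EXAMPLE, PEER_A, "SERVER_PUBKEY_PLACEHOLDER",
                               "za-gp-xnl-vpn.interstellio.io:<listen-port>"))
```

Peer A (a spoke on the WireGuard instance) can reach the hub on the L2TP instance but not spoke B, so its AllowedIPs collapses to the hub address and the HQ LAN; the hub's AllowedIPs covers both spokes and the site A LAN. The `add_peer` check is what the shared address space implies in practice: an address used by any instance, or by an instance's own server address, cannot be reused by another peer.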

API Reference

See the NebulaVPN API for endpoint details.