Zero-Trust Mesh VPN with Nebula


Neil Hanlon


For this project, I designed and deployed a modern mesh VPN using Nebula, enabling secure, low-latency access across a globally distributed infrastructure — without punching holes in firewalls or juggling SSH bastions.
The client had a mix of dev laptops, production servers, and internal services spread across cloud providers and home labs. They needed internal service access without exposing anything to the public internet, while also segmenting access by role and environment.
I stood up a central Lighthouse node, generated short-lived certificates with embedded metadata (e.g., environment, team), and enforced group-based access policies using Nebula’s built-in firewall engine.
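As an added illustration of that layout (not the client's actual configuration), here is a Nebula config for a single production host with group-based inbound rules; the hostnames, addresses, ports, group names and certificate lifetimes are assumptions chosen for the example.

```yaml
# Added example config for an assumed host "prod-db-01"; not the project's own files.
# Certs carry group metadata and a short lifetime, issued with commands like
# (names, IPs and durations are assumptions):
#   nebula-cert sign -name prod-db-01 -ip 10.42.1.10/16 -groups prod,db -duration 168h
#   nebula-cert sign -name alice-laptop -ip 10.42.9.5/16 -groups dev -duration 24h
#   nebula-cert sign -name prometheus-01 -ip 10.42.2.20/16 -groups observability -duration 168h

pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/prod-db-01.crt
  key: /etc/nebula/prod-db-01.key

# The Lighthouse is the only node that needs a publicly reachable address.
static_host_map:
  "10.42.0.1": ["lighthouse.example.net:4242"]

lighthouse:
  am_lighthouse: false
  interval: 60
  hosts:
    - "10.42.0.1"

listen:
  host: 0.0.0.0
  port: 4242

# UDP hole punching lets NATed nodes reach each other directly after the
# Lighthouse brokers the introduction, so no inbound firewall ports are opened.
punchy:
  punch: true
  respond: true

tun:
  dev: nebula1
  mtu: 1300

firewall:
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    # Only peers whose cert carries the "prod" group may SSH in.
    - port: 22
      proto: tcp
      group: prod
    # Observability tooling may scrape the node exporter and nothing else.
    - port: 9100
      proto: tcp
      group: observability
    # No rule matches the "dev" group, so dev laptops are dropped by default.
```

Because the groups live in the signed certificate rather than in per-node config, revoking or re-issuing a cert is the access-control change; the firewall rules themselves stay static.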
Key results:

- Full end-to-end encrypted access between nodes, without NAT headaches.
- No public IPs required on production systems.
- Isolated traffic between dev, prod, and internal observability tooling.
- Onboarding a new machine takes ~30 seconds with the right key and config.
The client can now SSH, proxy, and monitor systems securely from anywhere — no VPN appliance, no split-tunnel drama, no OpenVPN legacy stack to maintain.

Posted Jul 27, 2025

Built a secure Nebula mesh VPN with role-based access, eliminating public exposure, simplifying onboarding, and segmenting dev/prod environments.