NetBird is an open-source Zero Trust Network Access (ZTNA) platform that replaces traditional VPNs with a peer-to-peer WireGuard® overlay network. It automatically connects devices across cloud, on-prem, and remote environments without requiring firewall changes or port forwarding. Designed for IT teams and DevOps engineers managing distributed infrastructure, NetBird solves the complexity of secure remote access by unifying network connectivity, identity enforcement, and policy management in a single platform.
Built with Go and leveraging WireGuard®, Pion ICE, Coturn, and Rosenpass, NetBird supports self-hosting via Docker or Kubernetes, integrates with SSO providers like Okta and Google, and offers a public API and Terraform provider for automation. It runs on Linux, macOS, Windows, Android, iOS, and OpenWRT, with optional relay fallback for strict NAT environments.
What You Get
- Kernel WireGuard® connectivity - Uses the Linux kernel’s WireGuard implementation for high-performance, encrypted peer-to-peer tunnels without user-space overhead.
- Automatic peer discovery and NAT traversal - Uses ICE (via Pion) with STUN/TURN to establish direct connections between devices, even behind restrictive NATs, and falls back to relay servers when a direct path cannot be negotiated.
- SSO & MFA integration - Supports authentication via Okta, Microsoft Entra ID, Google Workspace, and other Identity Providers with full MFA enforcement and session-based login.
- Granular access control policies - Define rules based on user groups, device posture, IP ranges, and network segments to enforce least-privilege access across your infrastructure.
- Dynamic device posture checks - Enforce security policies such as firewall status, antivirus presence, managed device status, geo-location, and network context before granting network access.
- Centralized Admin Web UI and API - Manage users, devices, routes, DNS, and policies through a visual dashboard and programmatically via a RESTful public API for automation and integration.
- Private DNS and routing - Configure custom DNS servers and route traffic to private networks (VPCs, on-prem) without exposing them to the public internet.
- Activity logging and SIEM integration - Log all network configuration changes, connection events, and user actions; stream audit logs to external SIEM platforms in real time.
- Self-hosting with Docker and setup keys - Deploy and manage your own NetBird management server using a single bash script, with bulk device provisioning via setup keys for scalable deployments.
- Quantum-resistant encryption with Rosenpass - Adds a post-quantum key exchange via Rosenpass alongside the WireGuard handshake, protecting tunnel keys against future quantum attacks and enhancing the long-term security of encrypted tunnels.
- Multiplatform support - Native clients for Linux, macOS, Windows, Android, iOS, and OpenWRT routers, plus serverless and Docker deployments for containerized environments.
- Terraform provider - Automate network provisioning, user assignments, and policy enforcement using Infrastructure-as-Code via the official NetBird Terraform provider.
Common Use Cases
- Securing remote access for distributed teams - A company with employees working from home uses NetBird to securely connect their laptops to internal services (SSH, RDP, databases) without opening firewall ports or managing complex VPN configurations.
- Connecting multi-cloud and on-prem networks - An enterprise with VPCs in AWS, Azure, and on-prem data centers uses NetBird to create a unified private network, enabling secure cross-environment communication without site-to-site VPNs.
- Enforcing Zero Trust for compliance - A financial services firm enforces MFA, device posture checks, and periodic re-authentication to meet PCI DSS and ISO 27001 requirements, using NetBird to ensure only compliant devices access sensitive systems.
- Automating network provisioning for DevOps - A DevOps team uses the NetBird API and Terraform provider to automatically provision secure network access for CI/CD runners, staging environments, and ephemeral test instances.
- Managing IoT and edge devices securely - An industrial IoT provider uses NetBird on OpenWRT routers and embedded Linux devices to create encrypted, authenticated tunnels for remote monitoring and management without public IP exposure.
- Replacing legacy VPNs in SMBs - A small business with 50+ employees replaces its outdated Cisco AnyConnect or OpenVPN setup with NetBird to reduce costs, improve performance, and enable SSO-based access for non-technical staff.
Under The Hood
Architecture
- Clear separation of concerns through distinct modules for management server, client agent, and UI, with minimal cross-dependencies
- Service-layer design using Go interfaces and composition to decouple networking logic from platform-specific implementations
- Modular build pipeline with environment-aware flags and post-install scripts ensuring consistent cross-platform packaging
- Centralized versioning and build metadata injection for full traceability of binaries to source commits
Tech Stack
- Go (1.20+) backend organized as a modular microservice architecture spanning client, management, signal, relay, and proxy components
- WireGuard as the foundational peer-to-peer networking layer, extended with custom Go-based orchestration logic
- Goreleaser for automated multi-platform binary generation, including DEB/RPM packages and cross-compilation
- golangci-lint with comprehensive security and style checks, including gosec and staticcheck
- WASM compilation for browser-based client components
- Git Town with pre-push hooks for disciplined development workflows
Code Quality
- Extensive test coverage across unit, integration, and end-to-end scenarios with robust mocking and assertion frameworks
- Strong type safety and structured error handling via protobuf contracts and comprehensive validation in both client and server layers
- Clean, domain-driven code organization with well-defined packages for management, proxy, client, and infrastructure concerns
- Consistent idiomatic Go practices throughout, including descriptive naming, proper logging, and clear test structure
- Build tags and CI/CD integration ensure platform-specific code remains isolated and reliably tested
What Makes It Unique
- Dynamic, policy-driven network map system that auto-generates WireGuard peer configurations based on identity and posture checks
- Built-in DNS forwarding with per-account name server isolation, eliminating external dependencies for multi-tenant routing
- Real-time peer connection streaming and context-aware topology updates for instant network-wide consistency
- Ephemeral peer tracking with automatic cleanup and posture validation, enabling a secure, transient device model