NetBird
Replace your VPN with a zero-trust WireGuard overlay network that auto-connects devices, enforces SSO and posture checks, and deploys in under 5 minutes.
NetBird is an open-source Zero Trust Network Access (ZTNA) platform that replaces traditional VPNs with a peer-to-peer WireGuard-based overlay network. It automatically discovers and connects devices across cloud, on-prem, and remote environments without requiring firewall changes, port forwarding, or complex routing rules. Built for IT teams and DevOps engineers managing distributed infrastructure, NetBird unifies network connectivity, identity enforcement, and policy management into a single cohesive platform.
The platform integrates with major SSO providers including Okta, Microsoft Entra ID, and Google Workspace, enforcing MFA and periodic re-authentication for all network participants. Device posture checks can validate OS version, running processes, geo-location, and network range before granting access — enabling granular, compliance-friendly access control without a centralized proxy bottleneck.
NetBird’s self-hosted stack is deployed via a single Docker Compose script and includes management, signal, relay, and proxy services. Clients run natively on Linux, macOS, Windows, Android, iOS, FreeBSD, OpenWRT, Synology, Proxmox, and even serverless environments. Automation is first-class: a public REST API, Terraform provider, and Ansible collection allow teams to provision and manage network access as code. The latest releases have added a built-in reverse proxy with auto-TLS, IPv6 dual-stack support, browser-based SSH and RDP, and quantum-resistant key exchange via Rosenpass.
What You Get
- Kernel WireGuard connectivity - Uses the Linux kernel WireGuard implementation for high-performance, low-latency encrypted peer-to-peer tunnels with minimal CPU overhead compared to user-space alternatives.
- Automatic NAT traversal with relay fallback - Leverages WebRTC ICE, STUN, and QUIC-based relay servers to punch through restrictive NATs and carrier-grade NAT, ensuring connectivity even on mobile networks where direct P2P fails.
- SSO and MFA enforcement - Authenticates all network participants via Okta, Microsoft Entra ID, Google Workspace, Dex, Zitadel, or any OIDC-compatible provider, with periodic re-authentication policies and full MFA support.
- Granular access control policies - Define network access rules based on user groups, peer tags, IP ranges, and posture check results, enforcing least-privilege access without complex firewall rule management.
- Multi-dimensional device posture checks - Validate peer eligibility using OS version, NetBird client version, running process list, geo-location, and network range checks before granting network access, with allow/deny actions per check.
- Private DNS and custom zones - Route DNS queries to private resolvers, configure per-account custom DNS zones, and use domain-based DNS routes to reach internal services by hostname across the overlay network.
- Built-in reverse proxy with auto-TLS - Expose local services securely through the
netbird exposecommand with optional PIN, password, SSO group restrictions, and custom domains backed by managed TLS certificates. - Activity logging and SIEM integration - Record all peer connections, policy changes, and admin actions with structured audit logs that can stream to external SIEM platforms for compliance and forensic analysis.
- Quantum-resistant encryption via Rosenpass - Supplements WireGuard’s classical key exchange with post-quantum KEM using Rosenpass, making tunnels resistant to harvest-now-decrypt-later attacks.
- Terraform provider and public API - Automate peer registration, group management, policy assignment, and route configuration using the official Terraform provider or the RESTful management API.
- Exit nodes and network routing - Configure peers as exit nodes or subnet routers to route all traffic or specific CIDR ranges through the overlay, replacing site-to-site VPN gateways for multi-cloud and on-prem connectivity.
- Browser SSH and RDP - Access peers via in-browser SSH and RDP sessions directly from the NetBird admin dashboard without installing additional client software on the accessing machine.
Common Use Cases
- Secure remote access for distributed teams - A company with remote employees uses NetBird to give laptops encrypted access to internal databases, SSH servers, and dev environments without opening inbound firewall ports or managing VPN certificates.
- Multi-cloud private networking - An engineering team with workloads on AWS, GCP, and an on-prem data center deploys NetBird subnet routers in each environment, creating a unified private network without configuring BGP, Transit Gateway, or site-to-site IPSec tunnels.
- Zero-trust compliance enforcement - A fintech company enforces MFA, minimum OS patch level, and geo-fencing via posture checks to satisfy PCI DSS and SOC 2 requirements, blocking non-compliant devices from accessing payment infrastructure.
- CI/CD and ephemeral environment access - A DevOps team uses setup keys and the Terraform provider to automatically provision network access for ephemeral staging environments and CI runners, cleaning up access automatically when jobs complete.
- IoT and edge device management - An industrial IoT operator installs NetBird on OpenWRT routers and embedded Linux gateways to create authenticated encrypted tunnels for remote monitoring and firmware updates without exposing devices to the public internet.
- Replacing legacy SSL VPNs in SMBs - A 100-person company migrates off Cisco AnyConnect to NetBird, reducing VPN gateway costs, eliminating split-tunnel complexity, and giving non-technical staff a one-click SSO login experience on all platforms.
Under The Hood
Architecture NetBird is organized as a distributed system of loosely coupled services: a client agent, a management server, a signal server, a relay service, and an optional reverse proxy. Each service has a clearly scoped responsibility and communicates via protobuf-defined gRPC contracts, enforcing strong API boundaries throughout. The management server acts as the control plane, maintaining per-account network state, distributing policy-derived WireGuard peer configurations to agents, and streaming real-time updates through a controller layer backed by an update channel abstraction. The client agent’s internal engine drives connection lifecycle through a separation between ICE candidate negotiation (delegated to the signal service), WireGuard interface configuration (via the iface package), and posture enforcement (evaluated before network map updates are applied). The result is a modular, event-driven architecture where core networking logic is decoupled from platform-specific WireGuard implementations, allowing the same engine to target Linux kernel WireGuard, user-space WireGuard-go, and WASM for browser environments.
Tech Stack The entire codebase is written in Go, organized across a monorepo with versioned modules for client, management, signal, relay, proxy, DNS, and shared packages. WireGuard is the foundational transport layer, wrapped by the wgctrl library for kernel interface management and wireguard-go for user-space and WASM targets. Peer negotiation uses the pion/ice library for WebRTC ICE candidate gathering, while STUN is used for reflexive address discovery and QUIC-based relay servers handle fallback connectivity. The management server uses gRPC for peer streaming, a Gorilla Mux HTTP router for the REST API, SQLite or PostgreSQL for persistent state via a store abstraction, and Redis for distributed caching in multi-node deployments. Post-quantum key exchange is implemented using the go-rosenpass library. The reverse proxy component uses CertMagic for automated TLS, coder/websocket for WebSocket bridging, and CrowdSec for optional bot protection. Build tooling includes GoReleaser for multi-platform binary packaging including DEB and RPM, golangci-lint with gosec and staticcheck for security-focused linting, and GitHub Actions for CI across all supported platforms.
Code Quality NetBird has extensive test coverage with hundreds of Go test files spanning unit, integration, and end-to-end scenarios across client, management, posture, relay, and proxy packages. The test suite employs gomock for interface mocking, testify for assertions, and ginkgo/gomega for BDD-style end-to-end tests, reflecting a mature and disciplined testing culture. Error handling is explicit throughout, using typed errors, structured logrus logging with contextual fields, and careful propagation through gRPC status codes. The protobuf-defined API contracts enforce type safety at service boundaries, while Go interfaces in critical packages like the WireGuard iface layer and network map controller enable clean dependency injection and testability. The CI pipeline runs linting, security checks, and integration tests on every pull request, and the codebase shows consistent idiomatic Go conventions with well-named packages and descriptive function signatures.
What Makes It Unique
NetBird’s most distinctive capability is its policy-driven network map: rather than statically configuring WireGuard peers, the management server continuously evaluates access policies, group memberships, and posture check results to compute the exact set of allowed peer connections for each device, then streams WireGuard configuration diffs to agents in real time. This makes the network topology dynamic and identity-aware by design, not by convention. The built-in device posture system evaluates five independent check types including running process detection and geo-location without relying on external MDM integration, covering use cases typically reserved for enterprise NAC platforms. The netbird expose reverse proxy command turns any local port into a TLS-secured, SSO-authenticated public endpoint in one command, a capability not found in traditional WireGuard managers. Combined with Rosenpass post-quantum key exchange running as a standard feature rather than an experimental add-on, NetBird occupies a rare position as a self-hosted ZTNA platform with genuine security depth rather than marketing terminology.
Self-Hosting
NetBird uses a split licensing model that self-hosters must understand before deployment. The client agent and several supporting packages are released under the BSD 3-Clause license, which permits commercial use, modification, and redistribution with minimal restrictions and no copyleft obligations. However, the management server, signal server, relay service, and combined deployment package are licensed under the GNU Affero General Public License version 3 (AGPLv3). This is a strong copyleft license: if you modify these components and make them available over a network, you are legally required to provide the corresponding source code to your users. For most enterprises running NetBird internally for their own employees or infrastructure, this does not impose a practical burden, but any organization building a managed service or white-labeled product on top of NetBird’s server-side components must either release their modifications as AGPLv3 or obtain a commercial license from NetBird GmbH.
Operationally, self-hosting NetBird requires a Linux VM with at least 1 CPU and 2 GB of RAM, a public domain name with DNS control, and Docker with Compose v2. The quickstart bash script handles certificate provisioning via Let’s Encrypt and launches management, signal, relay, and Coturn TURN services in a single Compose stack. Beyond initial setup, operators are responsible for SSL certificate renewal, database backups (SQLite or PostgreSQL), security patching of the host OS and Docker images, and keeping the management server updated to stay compatible with client agents. The project releases frequently — averaging multiple releases per week — so staying current requires operational discipline. The self-hosted stack also lacks built-in high availability out of the box; scaling to multi-region or HA configurations requires additional infrastructure work not covered by the quickstart.
NetBird’s managed cloud offering at netbird.io handles all of the above automatically, including HA relay infrastructure, managed upgrades, and 24/7 support SLAs. The cloud tier adds features not available or not yet fully documented in self-hosted deployments, such as hosted relay nodes for the netbird expose reverse proxy, advanced observability dashboards, and enterprise support contracts. Self-hosters gain full data sovereignty and can operate air-gapped or within private network boundaries, but accept the trade-off of managing infrastructure reliability, update cadence, and the operational overhead that the NetBird team absorbs for cloud customers.
Related Apps
Caddy
Devops · Security
The only web server that obtains and renews TLS certificates automatically, with HTTP/1-2-3 support and zero dependency on external runtimes.
Caddy
Apache 2.0Traefik
Devops · Automation · Security
A cloud-native reverse proxy and load balancer that auto-configures itself from Docker, Kubernetes, and other orchestrators — zero manual routing required.
Traefik
MITVaultwarden
Password Manager · Security
Unofficial Bitwarden-compatible server in Rust — run the full Bitwarden ecosystem on a Raspberry Pi using every official client you already have, without the multi-container overhead.