Configs · Apr 10, 2026 · 3 min read

NetBird — Open Source WireGuard Mesh VPN with Zero Trust

NetBird connects devices into a secure WireGuard-based overlay network with SSO, MFA, and granular access controls. Modern zero-trust networking with a beautiful management UI.

TL;DR
NetBird builds secure WireGuard mesh VPNs with SSO, MFA, and zero-trust access controls.
§01

What it is

NetBird is an open-source, WireGuard-based mesh VPN and zero-trust networking platform. It connects devices (laptops, servers, mobile phones) into a secure overlay network with end-to-end encryption, SSO authentication, multi-factor authentication, and fine-grained access controls, all managed through a web dashboard.

NetBird targets teams and organizations that need secure peer-to-peer connectivity without the complexity of traditional VPN infrastructure. It is a modern alternative to Tailscale and ZeroTier, offering a fully open-source stack with enterprise features like posture checks and network routing.

§02

How it saves time or tokens

NetBird eliminates the need to manually configure WireGuard tunnels between each pair of devices. Traditional WireGuard setup requires generating keys, exchanging public keys, and maintaining configuration files on every node. NetBird automates all of this through its management plane. SSO integration means no separate VPN credentials to manage. Setup keys enable headless device registration for servers and CI runners, removing manual approval bottlenecks.

§03

How to use

  1. Install the NetBird client on any device:
     curl -fsSL https://pkgs.netbird.io/install.sh | sh
  2. Connect to your network using a setup key:
     netbird up --setup-key your-setup-key
  3. For self-hosted deployments, run the full stack with the provided bootstrap script:
     curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started-with-zitadel.sh | bash
§04

Example

A typical NetBird network configuration with access groups:

# NetBird network topology example
peers:
  - name: dev-laptop
    groups: [developers]
    os: macOS

  - name: staging-server
    groups: [servers, staging]
    os: Linux

  - name: prod-db
    groups: [servers, production, database]
    os: Linux

access_policies:
  - name: dev-to-staging
    sources: [developers]
    destinations: [staging]
    ports: [22, 443, 5432]

  - name: no-direct-prod
    sources: [developers]
    destinations: [production]
    action: deny
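
The group-to-peer resolution implied by the topology above, as an added example (not code from this page or from NetBird). It assumes default deny with deny taking precedence over allow, treats a policy without an `action` key as an allow, and uses a constructed `staging-replica` peer to show how overlapping group membership surfaces as a policy conflict.

```python
# Added example: resolves the page's group-based policies into peer-to-peer access.
# Assumed semantics (not NetBird's engine): default deny, explicit deny beats allow,
# and a policy with no "action" key is an allow.
PEERS = {  # peer -> groups, copied from the topology example
    "dev-laptop": {"developers"},
    "staging-server": {"servers", "staging"},
    "prod-db": {"servers", "production", "database"},
}
POLICIES = [
    {"name": "dev-to-staging", "sources": {"developers"},
     "destinations": {"staging"}, "ports": {22, 443, 5432}},
    {"name": "no-direct-prod", "sources": {"developers"},
     "destinations": {"production"}, "action": "deny"},
]

def matching(policies, src_groups, dst_groups):
    """Policies whose source and destination groups both intersect the pair."""
    return [p for p in policies
            if p["sources"] & src_groups and p["destinations"] & dst_groups]

def allowed_ports(peers, policies, src, dst):
    """Ports src may reach on dst; an empty set means no access."""
    hits = matching(policies, peers[src], peers[dst])
    if any(p.get("action") == "deny" for p in hits):
        return set()
    ports = set()
    for p in hits:
        ports |= p.get("ports", set())
    return ports

def conflicts(peers, policies):
    """(src, dst, policy names) for pairs matched by both an allow and a deny."""
    found = []
    for src in sorted(peers):
        for dst in sorted(peers):
            hits = matching(policies, peers[src], peers[dst])
            actions = {p.get("action", "allow") for p in hits}
            if src != dst and {"allow", "deny"} <= actions:
                found.append((src, dst, sorted(p["name"] for p in hits)))
    return found

if __name__ == "__main__":
    # Constructed case: a hypothetical peer tagged with both staging and production.
    peers = dict(PEERS, **{"staging-replica": {"servers", "staging", "production"}})
    for src, dst in [("dev-laptop", "staging-server"), ("dev-laptop", "prod-db")]:
        print(src, "->", dst, sorted(allowed_ports(peers, POLICIES, src, dst)))
    print("conflicts:", conflicts(peers, POLICIES))
```

Running a check like `conflicts` over an exported peer and policy list before changing group membership shows which pairs depend on rule precedence rather than on a single unambiguous policy.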
§06

Common pitfalls

  • Forgetting to configure DNS resolution for NetBird peers causes hostname-based connections to fail. Use the built-in DNS feature or configure your resolver to forward the NetBird domain.
  • Running NetBird alongside another WireGuard instance on the same machine creates interface conflicts. Disable the standalone WireGuard interface before starting NetBird.
  • Posture checks that require specific OS versions will block legitimate devices that have not been updated to those versions. Test posture policies in audit mode before enforcing them.

Frequently Asked Questions

How does NetBird compare to Tailscale?

Both use WireGuard for encrypted tunnels and provide mesh networking with NAT traversal. NetBird is fully open-source (BSD-3-Clause) and can be entirely self-hosted, including the coordination server. Tailscale has a proprietary coordination layer. NetBird also includes built-in posture checks and network routing features.

Can I self-host NetBird completely?

Yes. NetBird provides a bootstrap script that deploys the management server, signal server, and Zitadel (for SSO) on your own infrastructure. All components are open-source and containerized.

What SSO providers does NetBird support?

NetBird integrates with Google, Microsoft, Auth0, Keycloak, Zitadel, and Authentik for single sign-on authentication. It supports OIDC-compatible identity providers.

Does NetBird work on mobile devices?

Yes. NetBird has clients for Android and iOS in addition to Linux, macOS, and Windows. All clients participate in the same mesh network with the same access policies.

What is the difference between access groups and setup keys?

Access groups organize devices into logical categories for policy enforcement (e.g., developers, servers, production). Setup keys are pre-shared tokens that let new devices join the network without manual approval, typically used for automated server provisioning.
