Skills · Apr 10, 2026 · 3 min read

NetBird — Open Source WireGuard Mesh VPN with Zero Trust

NetBird connects devices into a secure WireGuard-based overlay network with SSO, MFA, and granular access controls. Modern zero-trust networking with a beautiful management UI.

Agent-ready

Review-first installation

This asset requires review. The copied prompt requests a dry run, shows the writes, then continues only after confirmation.

Needs Confirmation · 64/100 · Policy: confirm
Agent surface: Any MCP/CLI agent
Type: Skill
Installation: Single
Trust: Established
Entry point: step-1.md
Review-first command:
    npx -y tokrepo@latest install d3796427-3530-11f1-9bc6-00163e2b0d79 --target codex

Dry-run first, confirm the writes, then run this command.

TL;DR
NetBird builds secure WireGuard mesh VPNs with SSO, MFA, and zero-trust access controls.

§01

What it is

NetBird is an open-source, WireGuard-based mesh VPN and zero-trust networking platform. It connects devices (laptops, servers, mobile phones) into a secure overlay network with end-to-end encryption, SSO authentication, multi-factor authentication, and fine-grained access controls, all managed through a web dashboard.

NetBird targets teams and organizations that need secure peer-to-peer connectivity without the complexity of traditional VPN infrastructure. It is a modern alternative to Tailscale and ZeroTier, offering a fully open-source stack with enterprise features like posture checks and network routing.

§02

How it saves time or tokens

NetBird eliminates the need to manually configure WireGuard tunnels between each pair of devices. Traditional WireGuard setup requires generating keys, exchanging public keys, and maintaining configuration files on every node. NetBird automates all of this through its management plane. SSO integration means no separate VPN credentials to manage. Setup keys enable headless device registration for servers and CI runners, removing manual approval bottlenecks.

§03

How to use

  1. Install the NetBird client on any device:
       curl -fsSL https://pkgs.netbird.io/install.sh | sh
  2. Connect to your network using a setup key:
       netbird up --setup-key your-setup-key
  3. For self-hosted deployments, run the full stack with the provided bootstrap script:
       curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started-with-zitadel.sh | bash

§04

Example

A typical NetBird network configuration with access groups:

# NetBird network topology example
peers:
  - name: dev-laptop
    groups: [developers]
    os: macOS

  - name: staging-server
    groups: [servers, staging]
    os: Linux

  - name: prod-db
    groups: [servers, production, database]
    os: Linux

access_policies:
  - name: dev-to-staging
    sources: [developers]
    destinations: [staging]
    ports: [22, 443, 5432]

  - name: no-direct-prod
    sources: [developers]
    destinations: [production]
    action: deny
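
The topology above, run through a small reachability check. This is an added example, not NetBird's policy engine or code from the original page; the evaluation rules (default deny, an explicit deny overriding any allow, a policy without `ports` covering every port) and the names `PEERS`, `POLICIES`, `matching`, `is_allowed` and `reachability` are assumptions made for this illustrative schema.

```python
# Reachability audit for the page's illustrative topology.
# Assumed semantics (not NetBird's engine): default deny, explicit deny
# overrides allow, and a policy without `ports` applies to every port.

# Data transcribed from the page's YAML example.
PEERS = {
    "dev-laptop": {"developers"},
    "staging-server": {"servers", "staging"},
    "prod-db": {"servers", "production", "database"},
}
POLICIES = [
    {"name": "dev-to-staging", "sources": {"developers"},
     "destinations": {"staging"}, "ports": {22, 443, 5432}},
    {"name": "no-direct-prod", "sources": {"developers"},
     "destinations": {"production"}, "action": "deny"},
]


def matching(policy, src_groups, dst_groups, port):
    """True when the policy covers this source, destination and port."""
    ports = policy.get("ports")
    return (bool(policy["sources"] & src_groups)
            and bool(policy["destinations"] & dst_groups)
            and (ports is None or port in ports))


def is_allowed(src, dst, port, peers=PEERS, policies=POLICIES):
    """Return (allowed, name of the deciding policy or None)."""
    hits = [p for p in policies if matching(p, peers[src], peers[dst], port)]
    for p in hits:  # an explicit deny wins over any allow
        if p.get("action", "allow") == "deny":
            return False, p["name"]
    if hits:
        return True, hits[0]["name"]
    return False, None  # nothing matched: default deny


def reachability(ports, peers=PEERS, policies=POLICIES):
    """Every (src, dst, port) triple the policy set permits."""
    return sorted((s, d, port) for s in peers for d in peers if s != d
                  for port in ports if is_allowed(s, d, port, peers, policies)[0])


if __name__ == "__main__":
    for triple in reachability([22, 443, 5432, 3306]):
        print("ALLOW", *triple)
    # Constructed edge case: one host tagged both staging and production.
    mixed = {**PEERS, "hybrid-host": {"staging", "production"}}
    print(is_allowed("dev-laptop", "hybrid-host", 22, peers=mixed))
```

Under these assumed rules, `no-direct-prod` changes nothing for the three peers listed, because no allow policy reaches `production` in the first place. It only decides the outcome once a host carries both `staging` and `production`, which is the constructed `hybrid-host` case.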

§05

Related on TokRepo

  • Self-hosted tools — Browse more self-hostable infrastructure tools on TokRepo.
  • DevOps tools — Networking, deployment, and infrastructure automation resources.

§06

Common pitfalls

  • Forgetting to configure DNS resolution for NetBird peers causes hostname-based connections to fail. Use the built-in DNS feature or configure your resolver to forward the NetBird domain.
  • Running NetBird alongside another WireGuard instance on the same machine creates interface conflicts. Disable the standalone WireGuard interface before starting NetBird.
  • Posture checks that require specific OS versions will block legitimate devices from connecting if not updated. Test posture policies in audit mode before enforcing them.

Frequently asked questions

How does NetBird compare to Tailscale?

Both use WireGuard for encrypted tunnels and provide mesh networking with NAT traversal. NetBird is fully open-source (BSD-3-Clause) and can be entirely self-hosted, including the coordination server. Tailscale has a proprietary coordination layer. NetBird also includes built-in posture checks and network routing features.

Can I self-host NetBird completely?

Yes. NetBird provides a bootstrap script that deploys the management server, signal server, and Zitadel (for SSO) on your own infrastructure. All components are open-source and containerized.

What SSO providers does NetBird support?

NetBird integrates with Google, Microsoft, Auth0, Keycloak, Zitadel, and Authentik for single sign-on authentication. It supports OIDC-compatible identity providers.

Does NetBird work on mobile devices?

Yes. NetBird has clients for Android and iOS in addition to Linux, macOS, and Windows. All clients participate in the same mesh network with the same access policies.

What is the difference between access groups and setup keys?

Access groups organize devices into logical categories for policy enforcement (e.g., developers, servers, production). Setup keys are pre-shared tokens that let new devices join the network without manual approval, typically used for automated server provisioning.
