NetBird — Open Source WireGuard Mesh VPN with Zero Trust
NetBird connects devices into a secure WireGuard-based overlay network with SSO, MFA, and granular access controls. Modern zero-trust networking with beautiful management UI.
Review before installing
This asset requires review before installation. The copied command asks the agent to do a dry run and list what it will write; it continues only after you confirm.
npx -y tokrepo@latest install d3796427-3530-11f1-9bc6-00163e2b0d79 --target codex
Dry-run first; confirm the write set, then run this command.
What it is
NetBird is an open-source, WireGuard-based mesh VPN and zero-trust networking platform. It connects devices (laptops, servers, mobile phones) into a secure overlay network with end-to-end encryption, SSO authentication, multi-factor authentication, and fine-grained access controls, all managed through a web dashboard.
NetBird targets teams and organizations that need secure peer-to-peer connectivity without the complexity of traditional VPN infrastructure. It is a modern alternative to Tailscale and ZeroTier, offering a fully open-source stack with enterprise features like posture checks and network routing.
How it saves time or tokens
NetBird eliminates the need to manually configure WireGuard tunnels between each pair of devices. Traditional WireGuard setup requires generating keys, exchanging public keys, and maintaining configuration files on every node. NetBird automates all of this through its management plane. SSO integration means no separate VPN credentials to manage. Setup keys enable headless device registration for servers and CI runners, removing manual approval bottlenecks.
How to use
- Install the NetBird client on any device. The one-liner below pipes a remote script into a shell; on anything you care about, download the script first, read it, and only then execute it:
curl -fsSL https://pkgs.netbird.io/install.sh | sh
- Connect to your network using a setup key. The key is a credential, so pass it from an environment variable or a secret store rather than typing it on the command line where it lands in shell history:
netbird up --setup-key your-setup-key
- For self-hosted deployments, run the full stack (management server, signal server and Zitadel for SSO) with the provided bootstrap script, again after inspecting what it does to the host:
curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started-with-zitadel.sh | bash
Example
An illustrative network topology with access groups. This is not a file format NetBird reads (peers, groups and policies are managed through the dashboard or the management API); it shows the shape of a group-based, default-deny policy set:
# Illustrative NetBird topology (not a configuration file NetBird consumes)
peers:
  - name: dev-laptop
    groups: [developers]
    os: macOS
  - name: staging-server
    groups: [servers, staging]
    os: Linux
  - name: prod-db
    groups: [servers, production, database]
    os: Linux
access_policies:
  # Traffic not matched by an allow policy is dropped (default deny).
  - name: dev-to-staging
    sources: [developers]
    destinations: [staging]
    ports: [22, 443, 5432]
    action: allow
  - name: no-direct-prod
    sources: [developers]
    destinations: [production]
    action: deny
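To make the semantics of that policy set concrete, here is an added example that evaluates it the way a group-based, default-deny engine would. It is not NetBird's code, and the data structures are not a format NetBird reads; peers and policies are constructed to mirror the listing above. One rule is this example's own assumption rather than documented NetBird behaviour: when an allow and a deny both match a flow, the deny wins, which is what makes the explicit `no-direct-prod` rule worth having even though unmatched traffic is already dropped.

```python
"""Group-based, default-deny access policy evaluation.

Added example for this page; not NetBird's code, and the structures below are
not a format NetBird consumes. Peers and policies mirror the illustrative
topology above and are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    name: str
    groups: frozenset  # group names this peer belongs to


@dataclass(frozen=True)
class Policy:
    name: str
    sources: frozenset            # source groups
    destinations: frozenset       # destination groups
    ports: frozenset = frozenset()  # empty means any port
    action: str = "allow"         # "allow" or "deny"


# Constructed peers, mirroring the listing above.
PEERS = {
    "dev-laptop": Peer("dev-laptop", frozenset({"developers"})),
    "staging-server": Peer("staging-server", frozenset({"servers", "staging"})),
    "prod-db": Peer("prod-db", frozenset({"servers", "production", "database"})),
}

# Constructed policies, mirroring the listing above.
POLICIES = [
    Policy("dev-to-staging", frozenset({"developers"}), frozenset({"staging"}),
           ports=frozenset({22, 443, 5432})),
    Policy("no-direct-prod", frozenset({"developers"}), frozenset({"production"}),
           action="deny"),
]


def matching_policies(src, dst, port, policies):
    """Policies whose source groups, destination groups and port selector all
    match the flow src -> dst:port. Group matching is set intersection, so a
    peer in several groups can hit several policies."""
    hits = []
    for pol in policies:
        if not (pol.sources & src.groups):
            continue
        if not (pol.destinations & dst.groups):
            continue
        if pol.ports and port not in pol.ports:
            continue
        hits.append(pol)
    return hits


def is_allowed(src_name, dst_name, port, peers=PEERS, policies=POLICIES):
    """Default deny: allowed only if some allow policy matches and no deny
    policy matches. Deny-over-allow precedence is this example's assumption,
    not a documented property of NetBird's engine."""
    hits = matching_policies(peers[src_name], peers[dst_name], port, policies)
    if any(p.action == "deny" for p in hits):
        return False
    return any(p.action == "allow" for p in hits)


def reachability(port, peers=PEERS, policies=POLICIES):
    """(src, dst) -> allowed, for every ordered pair of distinct peers on one
    port. Policies are directional: dev -> staging says nothing about
    staging -> dev."""
    return {(s, d): is_allowed(s, d, port, peers, policies)
            for s in peers for d in peers if s != d}


if __name__ == "__main__":
    for (s, d), ok in sorted(reachability(5432).items()):
        print(f"{s:15} -> {d:15}:5432  {'ALLOW' if ok else 'DENY'}")
    # A later, broader allow (developers -> all servers) opens staging on any
    # port but does not reopen production: the explicit deny still matches.
    broad = POLICIES + [Policy("dev-to-all-servers",
                               frozenset({"developers"}), frozenset({"servers"}))]
    print("dev-laptop -> prod-db:5432 with broad allow:",
          is_allowed("dev-laptop", "prod-db", 5432, policies=broad))
```

Run it and every pair except dev-laptop to staging-server comes out DENY on port 5432, and dev-laptop to staging-server on a port the policy does not list (8080, say) is also denied; that is the default-deny posture the page describes. The last line shows why an explicit deny is still useful in such a model: it survives a later, over-broad allow added by someone who forgot prod-db is also in `servers`.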
Related on TokRepo
- Self-hosted tools — Browse more self-hostable infrastructure tools on TokRepo.
- DevOps tools — Networking, deployment, and infrastructure automation resources.
Common pitfalls
- Forgetting to configure DNS resolution for NetBird peers causes hostname-based connections to fail. Use the built-in DNS feature or configure your resolver to forward the NetBird domain.
- Running NetBird alongside a standalone WireGuard configuration on the same machine can conflict: overlapping address ranges or routes, or a clash on the interface name, break connectivity for one or both. Bring the standalone interface down, or make sure its addresses, routes and interface name do not overlap with NetBird's, before starting NetBird.
- Posture checks that require specific OS or client versions block every device that has not been updated, legitimate ones included. Roll a new posture policy out to a small pilot group first and confirm those peers still connect before applying it broadly.
FAQ
How does NetBird compare to Tailscale?
Both use WireGuard for encrypted tunnels and provide mesh networking with NAT traversal. NetBird is fully open-source (BSD-3-Clause) and can be entirely self-hosted, including the coordination server. Tailscale's coordination layer is proprietary. NetBird also includes built-in posture checks and network routing features.
Can NetBird be self-hosted?
Yes. NetBird provides a bootstrap script that deploys the management server, signal server, and Zitadel (for SSO) on your own infrastructure. All components are open-source and containerized.
Which identity providers does NetBird support?
NetBird integrates with Google, Microsoft, Auth0, Keycloak, Zitadel, and Authentik for single sign-on, and works with OIDC-compatible identity providers in general.
Are there mobile clients?
Yes. NetBird has clients for Android and iOS in addition to Linux, macOS, and Windows. All clients participate in the same mesh network under the same access policies.
What are access groups and setup keys?
Access groups organize devices into logical categories for policy enforcement (e.g., developers, servers, production). Setup keys are pre-shared tokens that let new devices join the network without manual approval, typically used for automated server provisioning. Treat them as credentials: anyone holding a valid key can enroll a peer, so prefer one-off or short-lived keys and revoke any key that may have leaked.
Related assets
Headscale — Open Source Self-Hosted Tailscale Control Server
Headscale is an open-source implementation of the Tailscale control server. Run your own private mesh VPN with WireGuard, no Tailscale subscription needed.
Pomerium — Identity-Aware Zero Trust Access Proxy
Pomerium is an open source reverse proxy that provides secure, identity-aware access to internal applications without a VPN, implementing BeyondCorp-style zero trust networking with SSO integration.
Istio — Open Source Service Mesh for Microservices
Istio is the leading open-source service mesh. Connect, secure, control, and observe services with mTLS encryption, traffic management, and observability — all without changing application code.
Innernet — Simplified WireGuard Mesh Networking
Innernet is a tool for managing private WireGuard-based mesh networks with a central coordination server, CIDR-based access control, and automatic peer discovery for teams and infrastructure.