Netbird a German Tailscale alternative (P2P WireGuard-based overlay network)(netbird.io)

259 pointsby l1am03 hours ago25 comments

geoctl16 minutes ago
(Shamless plug) I am also working on a similar FOSS, self-hosted project called Octelium https://github.com/octelium/octelium that you might find interesting if you are interested in this space. Octelium is, however, more of a generic/unified zero trust secure access platform that can operate as a remote access VPN, a ZTNA platform, API/AI/MCP gateway, a PaaS, an ngrok-alternative and a homelab infrastructure. It provides unified client-based as well as clientless access for both humans and workloads; dynamic identity-based secretless access (e.g. HTTP/gRPC/k8s without sharing API keys and access tokens, SSH without distributing passwords/private keys, postgres/MySQL databases without sharing passwords, etc.); dynamic L7-aware, identity-based access control ABAC via CEL and OPA as well as dynamic routing to upstreams via policy-as-code; native Passkey login/WebAuthn/TOTP MFA and support for OIDC/SAML IdPs, OpenTelemetry-native L7-aware visibility and auditing; clientless access via OAuth2 for workloads, WireGuard and QUIC tunneling, including in rootless mode; SSH'ing into containers and IoT without SSH servers; deploying and securing access to containers; declarative k8s-like management with horizontal scalability among other features. You can read more in the README if you're interested.
mittermayran hour ago
I can only recommend giving headscale a try. It's free, works extremely well, and can be used with the official Tailscale clients. Was super easy to set up.
https://headscale.net/stable/
- db043 minutes ago
  [dead]
regisso28 minutes ago
I recommend it the NetBird team is transparent and easy to reach. I switched from Tailscale a while ago (2y), went fully self-hosted, and upgrades across versions have been smooth, which tells me they care about the self-hosted, not just their cloud offering.
aarondsan hour ago
A bit lower level than most things discussed here but on the topic of overlay networks, I’ve used nebula for years and can recommend it
https://github.com/slackhq/nebula
- ysleepya minute ago
  I've used it for some time, it feels very much like it is in maintenance mode.
  You manage a PKI and have to distribute the keys yourself, no auth/login etc.
  it's much better than wireguard, not requiring O(N) config changes to add a node, and allowing peoxy nodes etc.
  iirc key revocation and so on are not easy.
- sreekanth85018 minutes ago
  it his much complex to setup then wireguard based?
edentrey2 hours ago
Tailscale is the only non-self-hosted part of my setup now and this has bugged me since. I use a custom Nameserver rule to point all my subdomains to a Caddy container sitting on my Tailnet. Caddy handles the SSL and routes everything to the right containers. I skipped Tailscale Funnel on purpose; since these are just family services, I’d rather keep them locked behind the VPN than open them up to the web. This project looks promising as a replacement for my current setup and for its digital sovereignity of self hosting the server. I'm looking to manage several embedded devices remotely via Tailscale, but I've hit a major roadblock: the 90-day maximum expiration for Auth Keys. Constantly renewing these tokens is a significant maintenance burden, so I'm searching for a more permanent, 'set-and-forget' solution for my remote hardware.
- tass2 hours ago
  Tailscale allows you to disable the expiration time - I do this for my gateways.
  My other simplifier is having everything at home get a .home dns name, and telling Tailscale to route all these via tailnet.
  - edentrey2 hours ago
    can you please tell me how to disable expiration time? I see auth keys have an Expiration which says it "Must be between 1 and 90 days." I do use a custom domain name as well with a Nameservers rule to have all my services reachable as subdomains of my custom domain.
    aidosan hour ago
    You can create an oauth client that can generate keys as you need them.
    https://tailscale.com/kb/1215/oauth-clients#generating-long-...
    29 minutes ago
    undefined
    2 hours ago
    undefined
    matthewmacleodan hour ago
    There is some confusion here because while you can disable node key expiration, you can’t disable auth key expiration. But that’s less of a problem than it seems - auth keys are only useful for adding new nodes, so long expiry times are probably not necessary outside of some specific use-cases.
    Edit: in fact from your original post it sounds like you’re trying to avoid re-issuing auth keys to embedded devices. You don’t need to do this; auth keys should ideally be single-use and are only required to add the node to the network. Once the device is registered, it does not need them any more - there is a per-device key. You can then choose to disable key expiration for that device.
- tecleandor2 hours ago
  You can manually disable key expiration for hosts in Tailscale, and I think you can do it with tags too...
  https://tailscale.com/kb/1028/key-expiry#disabling-key-expir...
  - katdorkan hour ago
    The word "auth keys" meant nothing to you, I guess: https://tailscale.com/kb/1085/auth-keys
    matthewmacleodan hour ago
    What would be your use-case for auth keys with long expiry times? Auth keys are only required for registering new nodes.
    stingraycharles40 minutes ago
    When managing your infrastructure as code, it’s quite common to deploy new instances for upgrades etc. Having these keys expire after 3 months is a big pain. Eg doing a routine update by rebuilding an AMI.
    I don’t understand how they can have such a strategy, and then not having any decent way to programmatically allocate new keys.
- inapisan hour ago
  Use tag-based node authentication. Login as a user and then switch the device to use a tag. I just recently did that and retained the usual 6 months expiry. I can also disable key expiry completely.
- atmosx2 hours ago
  Headscale is a self hosted drop-in control plane replacement that has been pretty stable for us.
pranaysy24 minutes ago
Long-time ZeroTier user here. Recently switched to NetBird (self-hosted on a Hetzner VPS) and it’s been seamless so far. DNS functionality is excellent (something ZeroTier lacked), and the access-control model is very well designed. It’s easy to understand what’s going on and to grant one-off access when needed. Only real and very minor gripe is the Android app: I wish it were on F-Droid and a bit more robust, as it sometimes drops when roaming. Nevertheless, congratulations on a fabulous piece of software! I hope it keeps improving :)
junon31 minutes ago
We just evaluated this the other day and we were pretty impressed by it. We were looking for something we could self host for wireguard config but tbh we might just pay for the managed solution.
no_timean hour ago
F-droid inclusion seems to be stalled https://gitlab.com/fdroid/rfp/-/issues/2688
Having it in F-droid, vetted by their policies is kind of my benchmark for "software that is guaranteed to be not crapware."
That being said I'm rooting for the devs, having an alternative for tailscale+headscale would be nice, because as it stands it's kind of dependant on the goodwill of a for profit company (finite).
- Borealid23 minutes ago
  https://codeberg.org/bg443/JetBird appears to use the same core library (and is just a different Android frontend wrapper).
speedgoosean hour ago
I replaced Teleport by a bunch of various tools, and I had to chose between tailscale/headscale and netbird for the network connectivity. I’m pleased with netbird so far.
I had some weird bugs on a few old servers during the transition, and the support was helpful even though I am a small customer. We eventually switched to user space wireguard on those servers.
bragininian hour ago
https://github.com/netbirdio/netbird
usagisushian hour ago
Netbird's flexibility with IdPs is really nice. I recently switched mine to Pocket ID. Overall, it's perfectly sufficient and lightweight for homelab use.
- m_santos15 minutes ago
  Thanks for your feedback. I have a question: What do you think about the number of containers in our quick start deployment? Was that a concern?
RedShift12 hours ago
I'm really missing something like Cisco DMVPN. A VPN mesh between different routers where all routers have a connection to each other, so that all traffic doesn't have to pass through the hub. And that runs on a router, because all these solutions only run on a regular computer with a complete OS.
- rwkyan hour ago
  Check https://tinc-vpn.org/ it may run on your router if you're running openwrt or similar
lwde2 hours ago
But it's missing a tailscale funnel like feature, right? That's one of the main features that I use for some home assistant instances.
- gnyman39 minutes ago
  Please be aware that when you use tailscale funnel you announce to the whole world that your service exists (through certificate transparency), and you will get scanned immediately. If you don't believe me just put up a simple http server and watch the scanning request come in within seconds of running `tailscale funnel`.
  Do not expose anything without authentication.
  And absolutely do not expose a folder with something like `python -m http.server -b 0.0.0.0 8080` if you have .git in it, someone will help themselves to it immediately.
  If you are aware of this, funnel works fine and is not insecure.
  Tailscale IMHO failing in educating people about this danger. They do mention in on the docs, but I think it should be a big red warning when you start it, because people clearly does not realise this.
  I took a quick look a while ago and watching just part of the CT firehose, I found 35 .git folders in 30 minutes.
  No idea if there was anything sensitive I just did a HEAD check against `.git/index` if I recall.
  https://infosec.exchange/@gnyman/115571998182819369
- m_santosan hour ago
  We are developing a similar feature and is scheduled to be available really soon. We've discussed some details in our public slack. Any feedback there will be helpful.
- ethangk2 hours ago
  Out of curiosity, why? I use TS for all my homelab bits (including my HA instance), but connect to TS before opening the HA app. Is it just a case of making it easier/ possible to connect if you’re on another VPN? Are you not concerned with having something from your local network open to the internet?
  - m_santos30 minutes ago
    Besides the use cases listed, we see this as an opportunity for homelabers and organizations to add authentication with access control to already exposed services.
  - an hour ago
    undefined
  - Galanwe2 hours ago
    I use funnels for things like Vaultwarden, that are secure enough to be exposed on internet, and would be cumbersome if behind the tailnet.
    I use serve for everything else, just for the clean SSL termination for things that should stay within the telnet, like *arr stacks, immich, etc.
    ethangk2 hours ago
    Ah neat, that makes sense. Thanks.
    Do you have anything that’ll trigger a notification if there’s suspicious traffic on your local network? I may be overly paranoid about exposing things on my local network to the internet.
    Galanwe2 hours ago
    Not really, but these stuff are in an isolated DMZ vlan, so theres not much to escalate to.
    I fancy a bit upgrading to a smarter router like unify's with integrated firewall and stuff like like though.
    edentrey2 hours ago
    After a decade with KeePass, I’ve finally moved to Vaultwarden. I’ll admit, self-hosting such a critical service still feels a bit scary, but the seamless syncing across all my devices is a huge upgrade. To balance the risk, I keep it tucked safely behind Tailscale for that extra peace of mind.
- Galanwe2 hours ago
  Agree, I use funnels and serves a lot as well. Very useful for homelabers.
ZoomZoomZoom23 minutes ago
Tailscale is great and headscale is an important step to gain trust. However, headscale is useless without the clients, and Tailscale geoblock installing clients where they can. If the platform requires jailbreak for installing user-chosen software, as is the case with iOS, then it all becomes useless.
Open (preferably free software) clients without idiotic restrictions could be one of the main advantages for any competing solution. Does Netbird provide them?
- nixosbestos13 minutes ago
  Why would Tailscale seek to limit access to their clients, other than where required by law?
  The Android client, at least is FOSS. It's hardly Tailscale's fault that people buy iOS devices.
  - ZoomZoomZoom7 minutes ago
    I don't care why. They do nothing to circumvent this so they are not a reliable solution for those who have network participants using the restricted platforms.
    There could be a million reasons, but not a technical one — "headscale client", for example, could exist in current hostile app stores, but there isn't one.
hollow-moe2 hours ago
I'm currently comparing it with pangolin and headscale for my small scale company infrastructure access. Been running headscale for my own setup for a while but maybe netbird or pangolin might be better for real production.
- usagisushi14 minutes ago
  Pangolin recently added desktop clients for win/mac/linux[0] and the Private Resource feature (similar to Netbird's Network Routes/DNS), so it's starting to overlap with Netbird more and more.
  That said, it seems focused on client-to-site (newt) connections, and I don't see support for client-to-client connections like Netbird’s SSH access. Also, their Private Resources don't seem to support TLS termination yet. (Correct me if I’m wrong!)
  In my case, I have a k3s cluster running on Netbird with a Traefik ingress for TLS termination inside my home network. Thanks to netbird's P2P nature, traffic stays entirely local as long as I'm on my home WiFi. (I suppose one could achieve the same with a Netbird + Caddy + DNS-01 setup, too.)
  [0] https://docs.pangolin.net/manage/clients/understanding-clien...
- edentrey2 hours ago
  I am in the same position but currently using Tailscale and realize how important and critical it has become for my whole family infrastructure. A self-hosted solution which allowed me to use Nameservers and TLS termination as I currently do would be awesome.
shtrophic41 minutes ago
Last time I checked it couldn't do ipv6... in 2026?
- niemandhier39 minutes ago
  Could be intentional: German privacy advocates really like that the limited ipv4 pool forces reusing IPs and prevents accidental imprinting a practically static address on a device.
  - fc417fc80231 minutes ago
    Can't do IPv6 internally or externally? Internally there should be zero need for ~infinite addresses. Externally though I certainly hope all software is capable of operating via IPv6 at this point because otherwise it will only be increasingly broken.
  - sunshine-o33 minutes ago
    Makes a lot of sense.
    But self-hosting still require at least a public domain name [0], so here goes your privacy right?
    - [0] https://docs.netbird.io/selfhosted/selfhosted-quickstart#inf...
    fc417fc80229 minutes ago
    > The VM must be publicly accessible on TCP ports 80 and 443, and UDP port 3478.
    > A public domain name that resolves to the VM’s public IP address.
    Since it already uses DNS it's disappointing that it hardcodes ports instead of using SRV records. IMO anything that can use SRV records should. It makes for a more robust internet.
- moonlightbandit30 minutes ago
  IPv6 is coming soon to NetBird.
Benedicht2 hours ago
Using it self hosted for almost a year now, no issues, just works for me.
- bragininian hour ago
  That is awesome!
FloatArtifact2 hours ago
If the VPN connection would stay connected despite having it set up that way in the web UI.. It would be a good product.
Still haven't figured out how to do Termux on Android with netbird ssh yet.
- edentrey2 hours ago
  can you please elaborate on this? I use termux on android with tailscale and it works flawless, is it not possible on Netbird?
vlovich1232 hours ago
How does this compare with Defguard? Also European but seems more featureful maybe?
- bragininian hour ago
  Defguard as of my knowledge is a traditional VPN with a central gateway. NetBird is an overlay network with a full mesh capabilities. Though you can set it up in a gateway-like style with NetBird Networks but without opening ports and with HA out of the box: https://docs.netbird.io/manage/networks
oaiey3 hours ago
Sweet. Alternatives are always something good.
sunshine-o39 minutes ago
For someone who want to setup a private network between host/devices, I feel the dilemma is always:
1. Trust a third party like Tailscale by giving them the key to your kingdom, but everything is incredibly easy and secure.
2. Self-host but need at least one host with a fixed IP address and an open port on the Internet. What requires a set of security skills and constant monitoring. That includes headscale, selhosted netbird, zerotier or a private yggdrasil mesh.
- abcd_f28 minutes ago
  You can conceal that open port with some form of port knocking. Though this does reinforce your "easy" point.
  Also, if it's an UDP port, then using a protocol that expects first client packet to be pre-authenticated and not emitting any response otherwise gets you pretty damn close to having this port closed.
BoredPositron2 hours ago
Missing some technical bits to be a true contender for me but I bet they are getting there. That said I've seen so many shadcn based scam sites that my brain starts associating shadcn with scams.
- bragininian hour ago
  For example? Curious what is missing
  - BoredPositronan hour ago
    It funnels and lets encrypt certs for me and I am really not a fan of the android client.
    bragininian hour ago
    Got you. We are on it. One feature that is coming very soon is a reverse proxy .Similar to cloudflare tunnels. With auth, TLs, etc. Would it suffice?
    oriettaxx12 minutes ago
    +1 from me.
    In general I would keep an eye on the path CF is following with warp: which is great, but since they are so big and in fast evolution, it is a bit of a mess (their doc is outdated and changes too frequently) not to count (literally) their support (free version, and our company's opinion only, of course) since on warp it is totally useless.
    m_santosan hour ago
    Would love to learn more around your android experience
thenaturalist2 hours ago
Besides the solid product, Misha & Maycon are just great and friendly people to work with.
- bragininian hour ago
  love it! :)
genie3io2 hours ago
[dead]
estsauver2 hours ago
There's also https://pangolin.net/ which is kind of similar, and I believe a YC company.
- bragininian hour ago
  Not quite similar tho. Pangolin is a reverse proxy, NetBird is p2p mesh for internal resources remote access
- OtomotO2 hours ago
  Does that have ties to the US? If so it's not playing in the same ballpark.
  US citizens may not be aware, but due to POTUS "made and maintained in Europe" is becoming more and more important to EU.
  - edentrey2 hours ago
    I see Pangolin has a Self-Host Community Edition, doesn't that already give something over digital sovereignity for EU users? I am considering both for a migration from Tailscale, any suggestion on their differences?
    moonlightbandit20 minutes ago
    They solve different problems.
    For a Tailscale migration, NetBird is the direct swap. Pangolin won't give you device-to-device connectivity.
    On EU sovereignty: NetBird is Germany-based and explicitly positions itself as a European alternative. Self-hosted gives full control with no callbacks to their servers. Pangolin is US/YC-backed, so while self-hosting gives you control of the data plane, the project itself is American.
    Also, NetBird has a reverse proxy feature coming this quarter, which would cover the Pangolin use case within the same platform.