I’m posting here not for the first time, as we are continuously developing NetBird, an open-source and self-hostable network security platform. It is point-to-point, based on WireGuard, and has quite a few features on top of it (see the screenshot above).
The reason I’m posting it now is that we started adding Zero Trust related features (like device posture checks) to our platform that might trigger the interest of some community members here. I remember that there were a few Redditors asking about Zero Trust, here and here, for instance.
It is likely that NetBird’s Zero Trust features might be of more interest to organizations than to private use cases like a homelab. But maybe someone with a NAS at home would want to limit access by location? xD
We also don’t claim that by using NetBird your infra will be 100% Zero Trust (as many proprietary providers do). What is 100% Zero Trust even? It is a vague term. But we are collecting the most demanded network security features and adding them on top of our point-to-point WireGuard network.
If you had a way to do tunneling (like hosting a tunnel endpoint in DO, but the UI handles the tunnel config and the individual endpoints provide the actual service), similar-ish to how Cloudflare Tunnels work, I would be 100% sold on this. But at the moment I use Cloudflare Tunnels, and because of that I also just use their Zero Trust offerings because it’s easy to use.
I switched from ZeroTier w/self-hosted controller to Netbird a few weeks ago.
The Windows client needs to be updated to allow the users to “self-update” from within the app itself. Getting tired of downloading and installing the app over and over again.
Linux clients are updated with a simple apt update && apt upgrade.
Other than that, the “killer app” in Netbird for me is the baked-in DNS lookup of DEVICENAME.netbird.cloud.
As long as one remembers their server/device name they can easily hit it from any other Netbird-enabled server/device without having to memorize a bunch of random IP addresses.
I’m not having any real issues with Netbird itself.
Thanks for this. The part I am not understanding with NetBird is which DNS is used. Whatever is in my self-hosted setup? Say I want to use NextDNS or ControlD for DNS?
When I log in to https://app.netbird.io/peers with a new account, I see the dialog to add peers. But the entire browser tab gets extremely unresponsive (it seems to use a lot of CPU power); the UI hangs and responds to clicks after about 2 seconds. When I close the “add new peer” dialog, the behavior stops and comes back when I open it again.
Edit: hmm, nevermind I guess. After a reboot of my system, I cannot reproduce…
I’m sure you have plenty of ideas, but an option on the client to lock down servers and devices so they only accept inbound connections via Netbird would be very cool.
And of course another great ZT-relevant feature would be a posture check whether the user is authenticated against the auth system.
Finally, as the ACLs and partial mesh start getting complicated, some sort of topology visualisation would be super helpful.
Hey, nice platform. I’ve read this name several times, but only after a YouTube video did I actually decide to try it, and I really liked what I saw so far. Do you have a list of the locations you offer relays in?
I have another question: if I wanted to access a Jellyfin server hosted on my home network from my parents’ TV at a remote location (I have devices there that can have NetBird installed), would it be possible?
Also, because using both this and Tailscale is not possible, in order to test it more I will need to disable Tailscale on several remote machines, and this is something I would like to understand first. Sometimes Tailscale rewrites resolv.conf, as explained here, and this breaks the setup of some of my servers; in turn, I need to disable their MagicDNS feature, which is a neat feature for avoiding the use of IP addresses. Would I have a similar issue with NetBird?
Hi there, noob question. Can I use NetBird to expose a localhost app to the internet like Cloudflare Tunnels? I don’t see any docs on that. If it’s possible, then I’d like some steps to take.
Zero Trust is more interesting in connection with a reverse proxy tunnel like Cloudflare Tunnel. The pain point is that many US users don’t get an IPv4 address anymore, and when they want to self-host something and expose it to the outside world, it gets tricky.
Zero Trust is the security mechanism to protect the tunnel.
If somebody already uses WireGuard, they already have a secure connection to a public IPv4 address.
Zero Trust adds only a marginal benefit.
If you add your own tunnel, now that would make it a real contender for Cloudflare, and I think a lot of people would switch.
Does this use anything like Tunneling where you do not need to port forward, instead allowing you to make direct communication to the server in the home network?
and the install went fine, but it’s verrrrrrry slow. I get frequent crashes/errors from CockroachDB about slow disk (* WARNING: disk slowness detected: unable to sync log files within 10s).
After installing, there was an issue with Next.js, but I restarted the container and that seems to have fixed itself. But now, just hitting the index, it times out about 90% of the time.
Any advice?
Edited to add: looking at top on the VM, it looks like CockroachDB is using 99% of the CPU and kswapd0 is using about 44%. Maybe the 1 GB of RAM is insufficient? The docs said 1 GB was the minimum required. I guess I could buy more and see if that helps…
Thank you for the feedback, I DMed you for more details.
EDIT. The advantage of NetBird is that there is a direct tunnel between your machines. No need to open ports, and you can hide your infra from the outside world by blocking inbound connections.
On top of that, the NetBird traffic is peer-to-peer encrypted and we, as a provider (talking about our cloud service here), can’t decrypt it. Not sure if this is true for the Cloudflare tunnel.
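The “block inbound connections” idea above, and the earlier wish for a client option that only accepts inbound traffic via NetBird, can be done today with the host firewall. The following is an added example written for this thread, not NetBird project code and not a NetBird feature. It assumes (these are not stated in the thread) that the NetBird tunnel interface is named wt0 (the client’s default), that the client listens for WireGuard on UDP 51820 (also the default, and adjustable), and that SSH is the only service to expose. The ruleset lets WireGuard handshakes reach the physical NIC so direct peer connections still work, but every application port is reachable only through the tunnel:

```sh
#!/bin/sh
# Added example (not NetBird project code): an nftables ruleset that accepts
# inbound connections only over the NetBird tunnel interface, so the host's
# public address shows nothing but closed ports.
# Assumptions, not taken from the thread: the tunnel interface is wt0
# (NetBird's default), NetBird listens for WireGuard on UDP 51820 (its
# default, adjustable on the client), and SSH is the only service exposed.

# gen_ruleset IFACE WG_PORT: print a complete nftables ruleset to stdout.
gen_ruleset() {
    iface="${1:-wt0}"
    wg_port="${2:-51820}"
    cat <<EOF
flush ruleset
table inet netbird_lockdown {
  chain input {
    type filter hook input priority 0; policy drop;

    # Replies to connections this host opened (NetBird's management, STUN,
    # TURN and relay sessions are all outbound) and loopback traffic.
    ct state established,related accept
    ct state invalid drop
    iif "lo" accept

    # DHCP lease renewals and IPv6 neighbour discovery must survive a
    # drop policy, or the box loses its address.
    udp sport 67 dport 68 accept
    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } accept

    # Direct WireGuard connections from other peers arrive on the physical NIC.
    udp dport $wg_port accept

    # Services are reachable only through the tunnel interface.
    iifname "$iface" tcp dport 22 accept
    iifname "$iface" icmp type echo-request accept
    iifname "$iface" icmpv6 type echo-request accept

    # Everything else, on any interface, is dropped by the chain policy.
  }
}
EOF
}

# check_ruleset IFACE WG_PORT: have nft parse the ruleset without loading it.
# Returns non-zero on a syntax error; skips if nft is not installed here.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        gen_ruleset "$1" "$2" | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}

# apply_ruleset IFACE WG_PORT: load the ruleset, with a guard that flushes it
# again after 5 minutes so a mistake cannot lock you out. Confirm you can
# still reach the host over the tunnel, then kill the printed guard PID.
apply_ruleset() {
    check_ruleset "$1" "$2" || return 1
    ( sleep 300 && nft flush ruleset ) &
    echo "lock-out guard PID $! (kill it once access over $1 is confirmed)"
    gen_ruleset "$1" "$2" | nft -f -
}
```

Run `gen_ruleset wt0 51820` to inspect the generated rules, `check_ruleset wt0 51820` to let nft parse them, and `apply_ruleset wt0 51820` as root from a session that already runs over NetBird. If the client was started with a different `--wireguard-port` or interface name, pass those values instead; a peer whose WireGuard port is blocked will still connect, but only through a relay. The guard timer is the practitioner’s safety net: if the tunnel session dies after loading, the rules flush themselves and the host is reachable again.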