
NetBird

NetBird is an open-source, WireGuard-based overlay network that establishes encrypted peer-to-peer connections between distributed sites and servers and can be run entirely self-hosted.


Secure networking across site boundaries without open ports

NetBird connects devices, servers, and sites into a single private network, regardless of the data centre, cloud, or type of connection they sit behind. Traffic flows directly between participants, encrypted end to end. Classic VPN concentrators, manually maintained firewall rules, and externally exposed ports become unnecessary. The result is a flat, consistently encrypted network that grows with the number of connected machines instead of growing more complex.

The data plane and the control plane are cleanly separated

The defining design decision in NetBird is the separation between the data plane and the control plane.

The data plane is WireGuard. WireGuard is a lean, modern VPN protocol implemented in the Linux kernel; it establishes the actual encrypted tunnels between participants. Payload traffic flows exclusively through these WireGuard tunnels, directly from peer to peer. The private key never leaves the machine.

The control plane is NetBird itself. It distributes the public keys, assigns addresses, holds the network state, and enforces the access policies. It therefore determines who may talk to whom, but it carries no payload data. Concretely, it consists of three services:

  • Management maintains the network state, assigns the participants' addresses, and distributes configuration and policies.
  • Signal brokers the initial contact between participants and exchanges the connection information they need to find each other.
  • Relay serves as a fallback path when a direct connection between two participants cannot be established.

In addition, an agent runs on every machine; it builds the local WireGuard configuration and reconciles it with the control plane.

architecture-beta
    group control(cloud)["NetBird control"]
    group siteA(cloud)["Site A"]
    group siteB(cloud)["Site B"]
    service management(server)["Management"] in control
    service signal(server)["Signal"] in control
    service relay(server)["Relay"] in control
    service peerA(server)["Peer A"] in siteA
    service peerB(server)["Peer B"] in siteB
    management:R -- L:peerA
    management:R -- L:peerB
    signal:R -- L:peerA
    signal:R -- L:peerB
    relay:B -- T:peerA
    relay:B -- T:peerB
    peerA:R -- L:peerB

The sketch shows the principle: the control plane coordinates and enforces policies, while the actual traffic runs directly between the agents through the WireGuard tunnel. Even when traffic falls back through the relay, it stays unreadable to the relay thanks to the WireGuard encryption.
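To make the split concrete, the following added example (not NetBird's own code, protocol, or data model) sketches a Management service that holds public keys, overlay addresses and a group-based policy, and an agent that turns only its permitted slice of that state into a WireGuard configuration; the peer names, group names, addresses and placeholder keys are constructed.

```python
# Constructed model of the control-plane / data-plane split, not NetBird's own code:
# Management holds public keys, addresses and policy; an agent renders its own slice.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Peer:
    name: str
    public_key: str     # only public keys ever travel over the control plane
    address: str        # overlay address assigned by Management
    endpoint: str = ""  # empty: no public address, reached via NAT traversal or relay

@dataclass
class NetworkState:
    peers: Dict[str, Peer]
    groups: Dict[str, Set[str]]   # group name -> member peer names
    rules: Set[Tuple[str, str]]   # (group, group) pairs allowed to talk, symmetric

    def allowed(self, a: str, b: str) -> bool:
        """Policy decision taken by the control plane: may a and b exchange traffic?"""
        ga = {g for g, m in self.groups.items() if a in m}
        gb = {g for g, m in self.groups.items() if b in m}
        return any((s, d) in self.rules or (d, s) in self.rules for s in ga for d in gb)

    def network_map(self, me: str) -> List[Peer]:
        """What Management pushes to `me`: only the peers the policy lets it reach."""
        return [p for n, p in self.peers.items() if n != me and self.allowed(me, n)]

def render_wg_config(me: Peer, private_key: str, peers: List[Peer], port: int = 51820) -> str:
    """Agent side: local private key (never part of NetworkState) + control-plane map -> wg config."""
    out = ["[Interface]", f"PrivateKey = {private_key}", f"Address = {me.address}/32",
           f"ListenPort = {port}", ""]
    for p in peers:
        out += ["[Peer]", f"# {p.name}", f"PublicKey = {p.public_key}",
                f"AllowedIPs = {p.address}/32"]
        if p.endpoint:  # no endpoint: the agent relies on Signal/Relay to reach p
            out.append(f"Endpoint = {p.endpoint}")
        out.append("")
    return "\n".join(out)

# Constructed sample state with placeholder keys: two server roles, an admin, a guest.
STATE = NetworkState(
    peers={"web": Peer("web", "WEB_PUBKEY_PLACEHOLDER", "100.64.0.1", "203.0.113.10:51820"),
           "db": Peer("db", "DB_PUBKEY_PLACEHOLDER", "100.64.0.2"),
           "laptop": Peer("laptop", "LAPTOP_PUBKEY_PLACEHOLDER", "100.64.0.3"),
           "guest": Peer("guest", "GUEST_PUBKEY_PLACEHOLDER", "100.64.0.4")},
    groups={"frontend": {"web"}, "backend": {"db"}, "servers": {"web", "db"},
            "admins": {"laptop"}, "guests": {"guest"}},
    rules={("admins", "servers"), ("frontend", "backend")},
)
```

The point to verify is that a peer's configuration contains `[Peer]` entries only for the participants the policy permits, and that the private key is supplied locally rather than coming from the network state.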

NAT traversal connects machines without a public address

Most servers and devices sit behind a router or a firewall and have no directly reachable public address. NetBird solves this with NAT traversal: the control plane helps participants negotiate a direct connection through methods such as ICE and STUN, even across nested NAT layers. When this succeeds, the machines talk to each other directly. Only when no direct path is possible, for example behind particularly restrictive networks, does the relay step in as an encrypted fallback path. No inbound ports need to be opened anywhere for this.

Self-hostable and open source

NetBird is open source and can be run entirely on the organisation's own infrastructure, which keeps both the network and its control plane under the organisation's own control. The source code is dual-licensed: the bulk of the code is under the permissive BSD-3-Clause licence, while the Management, Signal, and Relay components are under the AGPLv3. Alongside self-hosting, the vendor also offers a managed cloud service. Integration with existing identities is possible through common sign-in methods, which makes the approach compatible with Zero Trust and with an overarching Security Strategy. Self-hosting also supports Digital Sovereignty, because neither the network control nor the traffic has to pass through a third-party provider.

Related topics

  • Zero Trust, the security model behind identity- and policy-based connection instead of network trust.
  • Security Strategy, how overlay networks fit into a resilient overall architecture.
  • Digital Sovereignty, why an independent control plane and traffic paths matter.
  • Tailscale, the close comparison for WireGuard-based overlay networks.
  • authentik, the matching self-hosted identity provider for access control and SSO.