跪拜 Guibai

NetBird: A WireGuard Overlay That Ditches the Control-Plane Middleman


Still using public IPs, port mapping, FRP, ZeroTier, or Tailscale? NetBird is built on WireGuard, supporting P2P direct connections, TCP relay, fully private deployment, and a built-in web management console.

I wonder if you've ever run into the following problems.

A server deployed in the cloud, and a NAS at home.

Kubernetes clusters scattered across multiple cloud providers, hoping to form a unified network.

Development, testing, and production environments distributed in different regions, hoping to communicate with each other as if on a local network.

To meet these needs, we usually think of the following solutions:

Each of these solutions has its advantages, but after long-term use, you'll find various limitations.

For example:

If you share these frustrations, then the project recommended today is well worth bookmarking.

It is — NetBird.

It has already gained 26K+ Stars on GitHub and is one of the fastest-growing open-source networking projects in recent years.

Many people call it:

The open-source Tailscale + enterprise-grade ZeroTier.

It not only supports high-performance encrypted communication via WireGuard, but also includes a complete control plane, management dashboard, identity authentication, and relay service, enabling truly fully private deployment.

It is well suited to operations teams, developers, and enterprises alike.

What is NetBird

NetBird is a modern, secure, open-source Overlay Network platform.

Simply put, it connects any device on the internet into a single virtual local area network.

Regardless of whether your device is located in:

They can all access each other as if connected to the same switch.

The entire process does not require:

After installing the client, the entire network can be set up in just a few minutes.

NetBird Core Features

Based on WireGuard, very high performance

NetBird's underlying layer directly uses WireGuard.

Compared to traditional VPNs:

The biggest advantages of WireGuard are:

For heavy SSH, database access, and file synchronization, you barely feel the VPN's presence.

Because the underlying layer is WireGuard, network performance is very close to native network speed.

Prioritizes P2P Direct Connection

This is one of NetBird's biggest highlights.

Under normal circumstances, when two devices establish a connection, they automatically attempt:

Device A
    ↓
NAT Traversal
    ↓
Device B

Once successful, it's a peer-to-peer direct connection.

Data does not pass through a central server.

The advantages this brings are very clear:

For remote development, SSH, RDP, and file synchronization, the experience is excellent.

TCP Relay as a Fallback

In real-world environments, not all networks can complete P2P hole-punching.

For example:

Many VPNs fail completely in these situations.

NetBird provides a Relay mechanism.

When a P2P connection cannot be established:

A
↓
Relay
↓
B

It automatically switches to TCP relay.

The user barely notices.

Although the speed might be slightly slower than a direct connection, the network remains available at all times.

For enterprises, this is very important.

Because:

Being able to connect is more important than connecting quickly.

Built-in Web Management Dashboard

The biggest problem with many open-source VPNs is:

They rely entirely on the command line.

Maintenance is very painful.

NetBird comes with a complete web console.

The dashboard allows you to:

The entire experience is very modern.

Operations staff no longer need to log into servers to modify configuration files.

For teams, the improvement in management efficiency is very noticeable.

Truly Fully Private Deployment

This is also a key concern for many enterprises.

Many people like Tailscale.

But they also worry about:

Although Tailscale offers an alternative self-hosted control plane, the overall ecosystem and maintenance complexity are not low.

NetBird supports from the very beginning:

Self-deployment of all components.

Including:

All can be placed on your own servers.

Truly achieving:

Complete control over data, users, and the network in your own hands.

This is very attractive for scenarios in finance, government, healthcare, and manufacturing.

Supports SSO Identity Authentication

NetBird has rich built-in authentication capabilities.

For example:

Enterprises can fully integrate their own unified identity authentication platform.

When an employee leaves, you only need to disable their account.

There is no need to delete devices one by one.

ACL Permission Control

Not all devices should communicate with each other.

For example:

Development Server
↓
Test Server
↓
Database

The database cannot be directly exposed to everyone.

NetBird provides fine-grained ACLs.

You can control:

The entire permission system is very suitable for enterprises.

NetBird Architecture Introduction

NetBird is not just a simple VPN software, but a complete networking platform.

The overall architecture can be understood as four layers:


The entire process is as follows:

  1. The client logs into the control plane.
  2. It retrieves network configuration and policies.
  3. It attempts NAT traversal to establish a WireGuard tunnel.
  4. If successful, it communicates directly via P2P.
  5. If the direct connection fails, it automatically switches to a Relay.

The separation of the control flow and data flow ensures the control plane does not become a performance bottleneck, while data prioritizes the peer-to-peer path.

Deployment

NetBird officially provides a very mature deployment solution.

Docker Compose is the recommended method; see the reference documentation.

The entire deployment process is roughly as follows:

Step 1: Deploy the Management Service

It is recommended to prepare a Linux host and open the necessary ports 80, 443, and 3478.

Run the official one-click installation script:

curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started.sh | bash

Follow the prompts to configure the domain name, certificates and so on (see the Nginx proxy configuration reference). Once the basic information is configured, the services start automatically via docker compose.

Step 2: Install the Client

The supported platforms are very extensive:

After the client logs in, it automatically joins the network without the need to manually exchange keys.

The whole process usually takes a few tens of minutes. Adding new devices later simply requires installing the client and logging in.
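Before running the one-click installer from Step 1, it helps to confirm the host is actually ready for it. The pre-flight script below is an added example, not NetBird's own code: it assumes bash, the iproute2 `ss` tool and docker on PATH, takes the port list 80/443/3478 and the installer URL from the steps above, and saves the installer to a file so it can be read before it is executed instead of being piped straight into bash.

```shell
#!/usr/bin/env bash
# Pre-flight check for a self-hosted NetBird management host (added example,
# not NetBird's own script). Assumes bash, iproute2 `ss` and docker on PATH; the
# port list 80/443/3478 and the installer URL are the ones given in the article.
set -u

NETBIRD_PORTS="80 443 3478"
INSTALLER_URL="https://github.com/netbirdio/netbird/releases/latest/download/getting-started.sh"

# ports_in_use LISTENERS PORT...
# LISTENERS is `ss -Hltnu` output (Netid State Recv-Q Send-Q Local:Port Peer:Port).
# Prints each PORT that already has a TCP or UDP listener on any local address
# (0.0.0.0, *, [::] or a specific IP). Pure function: testable on captured output.
ports_in_use() {
  local listeners="$1"; shift
  local p hits=""
  for p in "$@"; do
    # Column 5 is the local socket; anchor ":PORT" at the end so 80 does not match 8080.
    if printf '%s\n' "$listeners" |
       awk -v port="$p" '$5 ~ (":" port "$") { found = 1 } END { exit !found }'; then
      hits="${hits:+$hits }$p"
    fi
  done
  printf '%s' "$hits"
}

# preflight: fail early if docker is missing or a NetBird port is already taken,
# since the compose stack would otherwise start and crash-loop on bind errors.
preflight() {
  command -v docker >/dev/null 2>&1 || { echo "docker not found on PATH" >&2; return 1; }
  local conflicts
  conflicts=$(ports_in_use "$(ss -Hltnu 2>/dev/null)" $NETBIRD_PORTS)
  if [ -n "$conflicts" ]; then
    echo "ports already in use on this host: $conflicts" >&2
    return 1
  fi
}

# fetch_installer DEST: save the script to DEST so it can be read before it is
# executed, rather than piping curl straight into bash as the one-liner does.
fetch_installer() {
  curl -fsSL "$INSTALLER_URL" -o "$1" && chmod u+x "$1"
}

# Only act when explicitly asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--run" ]; then
  preflight && fetch_installer ./getting-started.sh &&
    echo "review ./getting-started.sh, then run it"
fi
```

Run it as `bash preflight.sh --run`; a non-zero exit names the conflicting port or the missing dependency before anything is downloaded.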


Final Thoughts

Over the past few years, more and more enterprises have begun to rethink their network architecture.

On one hand, they want the high performance and low latency brought by WireGuard; on the other hand, they hope to break free from dependence on third-party control planes and achieve true data autonomy and control.

NetBird has stood out precisely under these demands.

It not only provides the stable communication capability of P2P direct connection + TCP relay fallback, but also integrates enterprise-grade capabilities such as web management, identity authentication, permission control, and private deployment into a complete platform. For individual developers, a secure private network can be set up in minutes; for enterprises, it can also meet the requirements for security, compliance, and unified operations management.