NetBird

NetBird is an open source zero-trust network access (ZTNA) platform that uses WireGuard as its underlying tunneling protocol to create secure, mesh private networks between devices, services, and servers, without the need for traditional VPN concentrators, complex firewall rules, or centralized traffic bottlenecks.

The zero-trust architecture of NetBird fundamentally differs from traditional VPN approaches. In a conventional VPN, all traffic is routed through a central gateway, creating a single point of failure and a performance bottleneck. NetBird creates direct peer-to-peer WireGuard tunnels between devices whenever possible, with a management server that coordinates key exchange and peer discovery but does not route application traffic. This architecture delivers better performance, lower latency, and eliminates the gateway as a choke point.

WireGuard is the cryptographic foundation of NetBird. As a modern, high-performance VPN protocol, WireGuard provides state-of-the-art cryptography (Noise protocol framework, Curve25519, ChaCha20, and Poly1305) with minimal code complexity, fast connection establishment, and excellent performance on all platforms. NetBird builds its peer-to-peer mesh networking and access control layer on top of WireGuard's secure tunnel primitives.

The peer-to-peer tunneling model means that each device in a NetBird network establishes direct encrypted connections to other peers it needs to communicate with. NAT traversal techniques including STUN and TURN servers are used to establish connections even when devices are behind NAT gateways or restrictive firewalls. When a direct connection cannot be established, traffic is relayed through a TURN server, but always remains encrypted end-to-end.

Access control policies in NetBird define which peers can communicate with which other peers. Policies are expressed as rules that specify source and destination groups and the allowed traffic direction. Groups are logical collections of peers based on attributes such as user identity, device type, location, or function. Fine-grained policies replace the traditional "once inside the VPN, access everything" model with explicit least-privilege access rules.

The management server handles user authentication (via SSO providers), peer registration, policy evaluation, and peer discovery. It can be self-hosted using Docker or deployed through the NetBird Cloud managed service. The self-hosting option is particularly attractive for organizations with strict data sovereignty requirements or air-gapped environments.

NetBird works seamlessly across all major operating systems including Linux, macOS, Windows, iOS, and Android, making it practical for organizations with diverse device fleets. The Kubernetes operator enables deploying NetBird peers in Kubernetes clusters for secure access to cluster services.