- I recommend it; the NetBird team is transparent and easy to reach. I switched from Tailscale a while ago (2y), went fully self-hosted, and upgrades across versions have been smooth, which tells me they care about the self-hosted, not just their cloud offering.
- Tailscale is the only non-self-hosted part of my setup now and this has bugged me since. I use a custom Nameserver rule to point all my subdomains to a Caddy container sitting on my Tailnet. Caddy handles the SSL and routes everything to the right containers. I skipped Tailscale Funnel on purpose; since these are just family services, I’d rather keep them locked behind the VPN than open them up to the web.
This project looks promising as a replacement for my current setup and for its digital sovereignty of self-hosting the server. I'm looking to manage several embedded devices remotely via Tailscale, but I've hit a major roadblock: the 90-day maximum expiration for Auth Keys. Constantly renewing these tokens is a significant maintenance burden, so I'm searching for a more permanent, 'set-and-forget' solution for my remote hardware.
- Long-time ZeroTier user here. Recently switched to NetBird (self-hosted on a Hetzner VPS) and it’s been seamless so far. DNS functionality is excellent (something ZeroTier lacked), and the access-control model is very well designed. It’s easy to understand what’s going on and to grant one-off access when needed. Only real and very minor gripe is the Android app: I wish it were on F-Droid and a bit more robust, as it sometimes drops when roaming. Nevertheless, congratulations on a fabulous piece of software! I hope it keeps improving :)
- I've been working for a while on https://github.com/connet-dev/connet. It gives a different twist on the same problem - instead of an overlay network at L4 (wireguard, etc) or publicly accessible endpoint at L7 (like ngrok) it "projects" a remote endpoint locally (e.g. as if you are running the service on your computer). Of course "locally" can always be a VPS that has caddy in front to give you ngrok-like experience.
The reason connet exists is that nothing (at the time I started, including netbird, tailscale/headscale, frp, rathole, etc) gave the same easy to understand, FOSS, self-hosted, direct peer-to-peer way of remote access to your resources. I believe it does accomplish this and it is self-hosted. And while a cloud deployment at https://connet.dev exists, it is nothing more than repackaging the FOSS project with user/token management.
- (Shameless plug) I am also working on a similar FOSS, self-hosted project called Octelium https://github.com/octelium/octelium that you might find interesting if you are interested in this space. Octelium is, however, more of a generic/unified zero trust secure access platform that can operate as a remote access VPN, a ZTNA platform, API/AI/MCP gateway, a PaaS, an ngrok-alternative and a homelab infrastructure. It provides unified client-based as well as clientless access for both humans and workloads; dynamic identity-based secretless access (e.g. access to HTTP/gRPC/k8s upstreams without sharing API keys and access tokens, SSH without distributing passwords/private keys, postgres/MySQL databases without sharing passwords, etc.); dynamic L7-aware, identity-based access control ABAC via CEL and OPA as well as dynamic routing to upstreams via policy-as-code; native Passkey login/WebAuthn/TOTP MFA and support for OIDC/SAML IdPs, OpenTelemetry-native L7-aware visibility and auditing; clientless access via OAuth2 for workloads, WireGuard and QUIC tunneling with dual-stack and automatic private DNS, including in rootless mode; passwordless SSH'ing into containers and IoT without SSH servers; deploying and securing access to containers; declarative k8s-like management with horizontal scalability among other features. You can read more in the README if you're interested.
by mittermayr
8 subcomments
- I can only recommend giving headscale a try. It's free, works extremely well, and can be used with the official Tailscale clients. Was super easy to set up.
https://headscale.net/stable/
- Looks good, congrats on progress.
Are OpenZiti, Headscale, Nebula the 3 closest?
Great resource here (no affiliation) for HN community:
https://github.com/anderspitman/awesome-tunneling
- I like Netbird, it's a better VPN, but it's not zero trust networking. Zero Trust requires identity to create connectivity itself—per service, per session—rather than granting network reachability and constraining it with routes and rules. I have had this conversation on Reddit many times... curious if anyone agrees/disagrees.
by sunshine-o
3 subcomments
- For someone who wants to set up a private network between hosts/devices, I feel the dilemma is always:
1. Trust a third party like Tailscale by giving them the key to your kingdom, but everything is incredibly easy and secure.
2. Self-host but need at least one host with a fixed IP address and an open port on the Internet. Which requires a set of security skills and constant monitoring. That includes headscale, self-hosted netbird, zerotier or a private yggdrasil mesh.
- A bit lower level than most things discussed here but on the topic of overlay networks, I’ve used nebula for years and can recommend it
https://github.com/slackhq/nebula
- Sounds interesting. How is it different to tailscale (or headscale)? I was planning to set up tailscale to replace my custom wireguard setup.
- Going to mention my own project which aims to be 100% open source, free, and relies almost only on public infrastructure: https://github.com/robertsdotpm/p2pd
Basically, I'm building a framework for building NAT traversal plugins. Software like ngrok and P2P VPNs can then be built on top of it. Examples of plugins for the library include direct connect, reverse connect (connect back to you), TCP hole punching, and UPnP-based port forwarding.
The underlying network stack for the project was also built from scratch to better support IPv6 and multiple interfaces. This allows plugins to fully utilise the underlying network paths and interfaces on the machine. This took considerable time because most software simply uses the default interface.
I'm still in the middle of building the software so it's not yet functional. But if anyone is interested throw me a star or an email at matthew@roberts.pm.
- https://github.com/netbirdio/netbird
- F-droid inclusion seems to be stalled https://gitlab.com/fdroid/rfp/-/issues/2688
Having it in F-droid, vetted by their policies is kind of my benchmark for "software that is guaranteed to be not crapware."
That being said I'm rooting for the devs, having an alternative for tailscale+headscale would be nice, because as it stands it's kind of dependent on the goodwill of a for profit company (finite).
- I tried migrating our organization from Twingate to self-hosted Netbird for cost savings but couldn't get it working reliably for 10-15% of users. The client failed intermittently with no clear pattern to troubleshoot. It became very frustrating for our end users. My advice: if you're considering self-hosted Netbird, set clear expectations that it's best-effort QoS, not enterprise-grade reliability. There's no such thing as a cheap VPN.
by nicolashenneaux
0 subcomment
- Working with it in a 1k active users setup, super efficient and stable! Clearly a revolution compared to historical vpn solutions!
- But it's missing a tailscale funnel like feature, right?
That's one of the main features that I use for some home assistant instances.
by Factor1177
1 subcomments
- I was previously using headscale and was finding it a bit finicky. Recently switched to self hosted netbird and it's been great so far. However, if the Netbird team sees this, please implement a built-in updater for the client apps! Needing to download and install the package again is a bit annoying
by joecool1029
0 subcomment
- I wish they'd chill on the release schedule and keep it to once a week or less. I keep it maintained in my Gentoo overlay but oftentimes when I go to bump it, they push another release. Since this submission was posted they've had yet another new release.
- I've looked without success for external audit reports of either Tailscale or Netbird, like Mullvad gets. While I don't approve of the sort of auditor box-ticking we get at work, it would be reassuring to see a report from a proper security consultancy.
by sunshine-o
0 subcomment
- For those interested, I just found out that mycelium can, like yggdrasil [0], be used to create private overlay networks [1].
Which could be used as an alternative to Tailscale, netbird, etc.
- [0] https://changelog.complete.org/archives/10478-easily-accessi...
- [1] https://github.com/threefoldtech/mycelium/blob/master/docs/p...
by commandersaki
0 subcomment
- I can't tell if Netbird provides this feature but looking at their access control feature it doesn't seem to.
I just want a roaming access Wireguard terminating endpoint to restrict access to a user to initial subnets, and open / allow routing to further subnets based on multi factor authentication. That way a user can connect and only have access to say a wiki and internal chat, but then escalate access by MFA to access resources on other subnets that have stuff like internal gitlab and whatever other critical resources exist.
- Met the founders in Berlin and was quite convinced of technical depth and vision. Great to have a European alternative to tailscale.
- We just evaluated this the other day and we were pretty impressed by it. We were looking for something we could self host for wireguard config but tbh we might just pay for the managed solution.
by Benedicht
1 subcomments
- Using it self hosted for almost a year now, no issues, just works for me.
- Has anybody looked at whether Tailscale is subject to the US CLOUD Act? If so I can imagine we might be moving towards an open source solution like this in future.
- I've had Netbird running for the last few months... In general it works quite well, but it would keep messing with my dns-resolving, and I couldn't find the setting to stop it inserting itself into my resolv.conf.
During the last few weeks I've removed netbird from all my systems (about 12), mostly because of issues on laptops where resolving or networking would break after they moved to a different network/location.
by gonzalohm
1 subcomments
- What's the advantage over running plain wireguard?
by shtrophic
2 subcomments
- Last time I checked it couldn't do ipv6... in 2026?
- For the guys at Netbird, please create an entry in the https://wiki.nixos.org explaining how to use it with nixos.
- Tailscale has one entry
- Pangolin is getting one
I would like to see, even if brief:
1. Getting started
2. Hardware requirements
3. Security considerations
4. Recommended architecture, like running in a VPS if it makes sense
5. Configuring a server
6. Configuring devices
7. Resources (links to read more on netbird)
Thank you from the home lab community
- I use Headscale with Tailscale clients, and the Apple TV is very nice to have. Netbird seems to be working on one but it’s not out yet?
- I have tried multiple different solutions of so called "zero trust networking". My personal favourite one is Netbird but.. it lacks one feature: switching between multiple setups (networks). I am helping to maintain some startups and it would be just nice to quickly change (or even better: have access to multiple at once!) networks.
by speedgoose
0 subcomment
- I replaced Teleport by a bunch of various tools, and I had to choose between tailscale/headscale and netbird for the network connectivity. I’m pleased with netbird so far.
I had some weird bugs on a few old servers during the transition, and the support was helpful even though I am a small customer. We eventually switched to user space wireguard on those servers.
by RedShift1
2 subcomments
- I'm really missing something like Cisco DMVPN. A VPN mesh between different routers where all routers have a connection to each other, so that all traffic doesn't have to pass through the hub. And that runs on a router, because all these solutions only run on a regular computer with a complete OS.
- What is the issue with one Wireguard port open? You vpn to home LAN and everything is there.
The issue with these VPN companies is that they log data, you have to run an agent running as root, reliance on several other companies too like IdP, etc. Very large attack surface.
by littlecranky67
0 subcomment
- Marginally relevant as I am looking into Netbird and Headscale: Anybody can recommend a Europe-based VPS hosting provider that gives you an IPv4 range (4-5 IPs) that I can route over headscale?
by CommanderData
0 subcomment
- Most of the self-hosted zero trust solutions require opening 80/443. It would be nice if they could adopt WireGuard's approach of using UDP only, and only responding if the request is valid.
Maybe it's possible without modification to Netbird to set up a staging network.
- I tried installing it and it was a pain, if you don’t use the very very default scripts.
Also their scripts regenerate secrets and the setup is weird in general (you need a complicated rp configuration and scripts to generate the config files)
- Always my problem with Tailscale and similar solutions is that I already run VPNs in my personal devices and especially with android devices, I need to switch between two VPNs, which I find a friction that I do not want. Does anybody know a solution to this?
- How does this compare to Tinc?
I'm aware of how old Tinc is, but I've yet to find anything compelling enough to get me to switch. Tinc is a little annoying to set up, but once it's going I literally forget about it.
by user3939382
0 subcomment
- All these higher level VPN/tunnel solutions are so popular but functionally I’ve only ever wanted layer 2 VPN. Inside the tunnel, I want the ability to reason about a remote network as if it’s local, not on a per-host basis.
by hollow-moe
2 subcomments
- I'm currently comparing it with pangolin and headscale for my small scale company infrastructure access. Been running headscale for my own setup for a while but maybe netbird or pangolin might be better for real production.
by BoredPositron
1 subcomments
- Missing some technical bits to be a true contender for me but I bet they are getting there. That said I've seen so many shadcn based scam sites that my brain starts associating shadcn with scams.
by throw20251220
0 subcomment
- The cofounder is a Russian national, studied in Moscow. Possibly worth massaging that into your threat model.
by FloatArtifact
1 subcomments
- If the VPN connection would stay connected despite having it set up that way in the web UI.. It would be a good product.
Still haven't figured out how to do Termux on Android with netbird ssh yet.
- We've deployed self-hosted NetBird on AWS ECS and we're quite happy with the setup and the outcome.
by usagisushi
1 subcomments
- Netbird's flexibility with IdPs is really nice. I recently switched mine to Pocket ID. Overall, it's perfectly sufficient and lightweight for homelab use.
by neofrommatrix
1 subcomments
- What is the industry opinion on ngrok? They seem to be in a market where their product is considered a commodity and there are many alternatives.
- I immediately looked at this and thought it was a tailscale clone.
I looked further into it and it’s essentially the same.
Implementation over ease of use of wireguard setup. Peer to peer modeling. Mesh networking. "Zero trust".
However, what I find interesting is netbird has open sourced their _coordinator server_. This allows for self hosting to be end to end.
Yes, with tailscale there exists "headscale", but it’s clearly a side project that few people within the tailscale company maintain on spare time.
One of the fears I have with headscale is a sudden change in leadership at tailscale, then the support from tailscale dies. Significant divergence occurs between headscale coordinator server and clients. Enshittification occurs and now forcing those smaller use cases onto their SaaS.
I love tailscale/headscale but will definitely give this a try.
by jonas_scholz
0 subcomment
- we love and support netbird at sliplane <3 https://docs.sliplane.io/private-networking/netbird
- Sweet. Alternatives are always something good.
by OsamaJaber
0 subcomment
- Finally
Debugging slow queries without seeing what's happening inside the plan is just guessing
by thenaturalist
1 subcomments
- Besides the solid product, Misha & Maycon are just great and friendly people to work with.
by catlifeonmars
0 subcomment
- Anyone know who the board members are and/or major stakeholders?
by analog8374
0 subcomment
- In the old days we'd just trade a few family members to keep as hostages.
by vlovich123
2 subcomments
- How does this compare with Defguard? Also European but seems more featureful maybe?
by sigmonsays
0 subcomment
- what is the difference between netbird and tailscale?
- My favorite feature of netbird might be no search in the client
or network names literally overlapping in the "overlapping networks" tab
or maybe it's the need to toggle the network on and off a few times to get it to work
One of the few pieces of software I actually despise but have to use, and I use win11.
by ZoomZoomZoom
1 subcomments
- Tailscale is great and headscale is an important step to gain trust. However, headscale is useless without the clients, and Tailscale geoblocks installing clients where they can. If the platform requires jailbreak for installing user-chosen software, as is the case with iOS, then it all becomes useless.
Open (preferably free software) clients without idiotic restrictions could be one of the main advantages for any competing solution. Does Netbird provide them?
by colesantiago
0 subcomment
- Unfortunately Netbird is VC backed. :( So the service will enshittify very soon.
Glad it is open source so we can have "zero trust" in VC backed dev tools services.
by nsadeghi97
1 subcomments
- If you are reading this thread and think that’s an interesting project to work on, shoot us a message. We are always looking for talented engineers that are passionate about open source :)
by estsauver
2 subcomments
- There's also https://pangolin.net/ which is kind of similar, and I believe a YC company.