I recommend it; the NetBird team is transparent and easy to reach. I switched from Tailscale a while ago (2y), went fully self-hosted, and upgrades across versions have been smooth, which tells me they care about the self-hosted version, not just their cloud offering.
We tried netbird but could not get the client to register to a self hosted server. It ignored the setting or failed.
Good chance it was user error on our part.
Most of their documentation is very unclear about what is a cloud offering feature and what is possible using self-hosting. There are features not available on the community edition and you have to be very careful reading their doc.
Just putting it out there so people do not think it's an easy solution. It will require appropriate planning.
I do think it's a more promising solution than headscale if you want to self host as it is a complete package, unlike tailscale where you need to modify registry keys to change the cloud URL and headscale is a simplified, non-multi-tenant signaler.
Tailscale is the only non-self-hosted part of my setup now and this has bugged me since. I use a custom Nameserver rule to point all my subdomains to a Caddy container sitting on my Tailnet. Caddy handles the SSL and routes everything to the right containers. I skipped Tailscale Funnel on purpose; since these are just family services, I’d rather keep them locked behind the VPN than open them up to the web.
This project looks promising as a replacement for my current setup and for its digital sovereignty of self hosting the server. I'm looking to manage several embedded devices remotely via Tailscale, but I've hit a major roadblock: the 90-day maximum expiration for Auth Keys. Constantly renewing these tokens is a significant maintenance burden, so I'm searching for a more permanent, 'set-and-forget' solution for my remote hardware.
Use tag-based node authentication. Login as a user and then switch the device to use a tag. I just recently did that and retained the usual 6 months expiry. I can also disable key expiry completely.
Long-time ZeroTier user here. Recently switched to NetBird (self-hosted on a Hetzner VPS) and it’s been seamless so far. DNS functionality is excellent (something ZeroTier lacked), and the access-control model is very well designed. It’s easy to understand what’s going on and to grant one-off access when needed. Only real and very minor gripe is the Android app: I wish it were on F-Droid and a bit more robust, as it sometimes drops when roaming. Nevertheless, congratulations on a fabulous piece of software! I hope it keeps improving :)
But paid Tailscale is $5 a month right? So you gotta be paying more to self host and deal with all the problems yourself, not have derp servers all over the world, etc. Why?
Also long time zerotier user here, I run a controller for our company. I'm starting to experience infrequent but annoying drops in connection, and DNS is a headache.
I've been working for a while on https://github.com/connet-dev/connet. It gives a different twist at the same problem - instead of an overlay network at L4 (wireguard, etc) or publicly accessible endpoint at L7 (like ngrok) it "projects" a remote endpoint locally (e.g. as if you are running the service on your computer). Of course "locally" can always be a VPS that has caddy in front to give you ngrok-like experience.
The reason connet exists is that nothing (at the time I started, including netbird, tailscale/headscale, frp, rathole, etc) gave the same easy to understand, FOSS, self-hosted, direct peer-to-peer way of remote access to your resources. I believe it does accomplish this and it is self-hosted. And while a cloud deployment at https://connet.dev exists, it is nothing more than repackaging the FOSS project with user/token management.
This is meant just for computers, right? A quick check of the readme showed that devices must run this or that command, which seems difficult to do on a smartphone. I guess the ngrok-like setup would be the way to go for that case, given the increasing prevalence of phones and tablets as the single form of computing for lots of people.
A neat idea, but projecting all of these services onto localhost is a bit of a security nightmare. Have you considered looking at what something like Twingate does? Using the CGNAT IP space for the projection allows you to give every individual service its own IP address, which helps quite a bit in terms of allowing you to isolate the services from e.g. malicious web pages.
(Shameless plug) I am also working on a similar FOSS, self-hosted project called Octelium https://github.com/octelium/octelium that you might find interesting if you are interested in this space. Octelium is, however, more of a generic/unified zero trust secure access platform that can operate as a remote access VPN, a ZTNA platform, API/AI/MCP gateway, a PaaS, an ngrok-alternative and a homelab infrastructure. It provides unified client-based as well as clientless access for both humans and workloads; dynamic identity-based secretless access (e.g. access to HTTP/gRPC/k8s upstreams without sharing API keys and access tokens, SSH without distributing passwords/private keys, postgres/MySQL databases without sharing passwords, etc.); dynamic L7-aware, identity-based access control ABAC via CEL and OPA as well as dynamic routing to upstreams via policy-as-code; native Passkey login/WebAuthn/TOTP MFA and support for OIDC/SAML IdPs, OpenTelemetry-native L7-aware visibility and auditing; clientless access via OAuth2 for workloads, WireGuard and QUIC tunneling with dual-stack and automatic private DNS, including in rootless mode; passwordless SSH'ing into containers and IoT without SSH servers; deploying and securing access to containers; declarative k8s-like management with horizontal scalability among other features. You can read more in the README if you're interested.
It took me too long to understand the difference between the two so I'll leave it here for others. Octelium operates on OSI Layer 7 and Tailscale operates on OSI Layer 3 and 4.
I've been keeping my eye on this one, it's very interesting.
Feel free to ignore this, but, what's your long term plan here? I see you have Enterprise plans (especially that allow different licenses). From what I can tell you're the only contributor, but, I assume that if you accepted contributions there'd be a CLA?
I can only recommend giving headscale a try. It's free, works extremely well, and can be used with the official Tailscale clients. Was super easy to set up.
Could you give a brief description of your use case? I'm looking at all the tailscale buzzwords on their site, but am not really understanding what I would use this for in my home setup
Headscale is good. We're using it to manage two isolated networks of about 400 devices each. It just works. It's in China so official Tailscale DERPs do not work, but enabling built-in DERP was very easy.
headscale is an awesome project. And I love tailscale as a product.
But this is where netbird beats tailscale: coordinator server open sourced out/self hosted out the gate.
Headscale is currently maintained by a few tailscale employees on their spare time. Currently, Tailscale allows this to happen but clearly there’s some internal management of what gets downstreamed to headscale.
What I don’t like about headscale is that you can only host a single coordinator server as well. If I need to do maintenance on the server, it means an impact to the tailnet. It’s rare but annoying.
Headscale mostly works pretty well but it's pretty finicky to get set up in a way where the tailscale clients on linux and android aren't always complaining with warnings or having route or DNS issues. I'm considering investigating one of these non-commercial solutions where the entire stack was built to work together.
Apparently they've deprecated Postgres support and now only recommend sqlite as the storage backend. I have nothing against sqlite but to me this looks like Tailscale actively signaling what they think the expected use of headscale is.
So instead of opening a port on my firewall for WireGuard, I must have these ports public exposed:
* tcp/80
* tcp/443
* udp/3478
* tcp/50443
I don't know about you but that seems the most insane approach.
Even if HTTP-01 challenge is not used, you are still exposing 3 ports instead of 1 random-high port like 55555 for example.
Yeah yeah, you can use a reverse proxy but still, you are exposing way more ports and services to the internet than just one port for WireGuard itself.
I like Netbird, it's a better VPN, but it's not zero trust networking. Zero Trust requires identity to create connectivity itself, per service, per session, rather than granting network reachability and constraining it with routes and rules. I have had this conversation on Reddit many times... curious if anyone agrees/disagrees.
NetBird doesn't require network reachability (it uses relays for NAT traversal) and creates the keys itself. It doesn't do any routing. It uses wireguard underneath.
For someone who wants to set up a private network between hosts/devices, I feel the dilemma is always:
1. Trust a third party like Tailscale by giving them the key to your kingdom, but everything is incredibly easy and secure.
2. Self-host but need at least one host with a fixed IP address and an open port on the Internet, which requires a set of security skills and constant monitoring. That includes headscale, self-hosted netbird, zerotier or a private yggdrasil mesh.
You can conceal that open port with some form of port knocking. Though this does reinforce your "easy" point.
Also, if it's a UDP port, then using a protocol that expects the first client packet to be pre-authenticated and not emitting any response otherwise gets you pretty damn close to having this port closed.
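The "silent port" property described above, as an added illustration that is not code from the thread or from any of the projects mentioned: a toy UDP responder that answers a first datagram only if it carries a valid MAC under a pre-shared key, is fresh, and has not been replayed, and otherwise sends nothing at all. The packet format, the 30-second freshness window and the `DEMO_PSK` environment variable are assumptions of this example; WireGuard's real Noise handshake is different and stronger.

```python
import hashlib
import hmac
import os
import socket
import struct
import time

# Constructed packet layout for this example (not WireGuard's):
#   timestamp (8 bytes, big-endian) || nonce (8 bytes) || HMAC-SHA256 tag (16 bytes)
NONCE_LEN = 8
TAG_LEN = 16          # truncated HMAC-SHA256 tag
TS_WINDOW = 30        # seconds of clock skew tolerated (assumption)

def build_first_packet(psk, now=None, nonce=None):
    """Client side: timestamp || nonce || HMAC(psk, timestamp || nonce)."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    body = struct.pack("!Q", ts) + nonce
    tag = hmac.new(psk, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

def verify_first_packet(psk, packet, now=None, seen=None):
    """Server side: True only for a well-formed, authentic, fresh, unseen packet."""
    if len(packet) != 8 + NONCE_LEN + TAG_LEN:
        return False
    body, tag = packet[:8 + NONCE_LEN], packet[8 + NONCE_LEN:]
    expected = hmac.new(psk, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):    # constant-time comparison
        return False
    (ts,) = struct.unpack("!Q", body[:8])
    cur = int(time.time() if now is None else now)
    if abs(cur - ts) > TS_WINDOW:                 # stale or clock-skewed
        return False
    if seen is not None:                          # replay protection
        if body in seen:
            return False
        seen.add(body)
    return True

def handle_datagram(psk, packet, now=None, seen=None):
    """Return reply bytes for an authenticated packet, or None meaning 'stay silent'."""
    if not verify_first_packet(psk, packet, now, seen):
        return None
    return b"OK"

def serve(psk, host="127.0.0.1", port=55555):
    """Minimal UDP responder: unauthenticated probes get no response, so the
    port is indistinguishable from a closed one to anyone without the key."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    seen = set()
    while True:
        data, addr = sock.recvfrom(2048)
        reply = handle_datagram(psk, data, seen=seen)
        if reply is not None:
            sock.sendto(reply, addr)

if __name__ == "__main__":
    # Assumed: the shared key is supplied via DEMO_PSK; the fallback is for demo only.
    serve(os.environ.get("DEMO_PSK", "change-me-demo-key").encode())
```

The `seen` set grows without bound here; a real implementation would expire entries older than `TS_WINDOW`.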
When I look at these zero trust solutions, they need 80/443 for what seems like some type of bootstrapping.
Better it happens using the same approach wireguard takes (udp/stateless). Though I'm not sure if there's more than just bootstrap taking place, maybe constant routing updates etc
You could use a solution that allows you to have E2E with private sovereign keys on the endpoint, as well as bring your own IdP/PKI, so the provider does not have your keys. Would that be good enough?
Going to mention my own project which aims to be 100% open source, free, and relies almost only on public infrastructure: https://github.com/robertsdotpm/p2pd
Basically, I'm building a framework for building NAT traversal plugins. Software like ngrok and P2P VPNs can then be built on top of it. Examples of plugins for the library include direct connect, reverse connect (connect back to you), TCP hole punching, and UPnP-based port forwarding.
The underlying network stack for the project was also built from scratch to better support IPv6 and multiple interfaces. This allows plugins to fully utilise the underlying network paths and interfaces on the machine. This took considerable time because most software simply uses the default interface.
I'm still in the middle of building the software so it's not yet functional. But if anyone is interested throw me a star or an email at matthew@roberts.pm.
By the way I forgot to add: if anyone needs a list of public STUN, TURN, MQTT, or NTP servers I wrote a monitor for them last year and added a bunch of servers. This is basically the infrastructure I use for my P2P library. The public API is here: http://ovh1.p2pd.net:8000/servers or if you want to host it: https://github.com/robertsdotpm/dogdorm
Having it in F-droid, vetted by their policies is kind of my benchmark for "software that is guaranteed to be not crapware."
That being said I'm rooting for the devs, having an alternative for tailscale+headscale would be nice, because as it stands it's kind of dependent on the goodwill of a for-profit company (finite).
I recently brought my first app to F-Droid. It was not friction free, but I was able to do it within a few weeks. Seems they put not much effort into this, e.g. the basic check marks are not even checked...
I tried migrating our organization from Twingate to self-hosted Netbird for cost savings but couldn't get it working reliably for 10-15% of users. The client failed intermittently with no clear pattern to troubleshoot. It became very frustrating for our end users. My advice: if you're considering self-hosted Netbird, set clear expectations that it's best-effort QoS, not enterprise-grade reliability. There's no such thing as a cheap VPN.
Would you mind sharing more about the issue? We have enterprises running NetBird with thousands of users with near zero issues. Apparently it is usually the other way around: people migrating from Twingate to NetBird because of the former solution's instability. Well, that is from our experience.
I suggest trying NetBird cloud to eliminate a potential misconfiguration of the self-hosted instance.
I have been using Netbird for my small company of 10 people for about 2 years. Users on slow connections complained that they could not stay connected with services reliably. I could not reproduce the problem as I mostly connected from very fast connections. I thought that maybe the users or their ISPs were to blame. And then one time I was using the wifi on a plane. It was a slow connection and I was connected to an RDP server. I could not stay connected. I also had Cloudflare VPN connected to the same server. It worked really well over the same connection. I went back and forth many times as I had trouble believing how bad the Netbird connection was. Long story short, we are now completely switching over to Cloudflare VPN. It is free for the first 50 users and is very very reliable, in our experience.
Check out OpenZiti. It's open source, runs at production scale, and recently someone who used to work at Twingate said OpenZiti is many times more powerful than TG.
Please be aware that when you use tailscale funnel you announce to the whole world that your service exists (through certificate transparency), and you will get scanned immediately. If you don't believe me just put up a simple http server and watch the scanning request come in within seconds of running `tailscale funnel`.
Do not expose anything without authentication.
And absolutely do not expose a folder with something like `python -m http.server -b 0.0.0.0 8080` if you have .git in it, someone will help themselves to it immediately.
If you are aware of this, funnel works fine and is not insecure.
Tailscale IMHO is failing in educating people about this danger. They do mention it in the docs, but I think it should be a big red warning when you start it, because people clearly do not realise this.
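A hardened variant of that `python -m http.server` one-liner, added here as an illustration (not code from the thread): it refuses any path component beginning with a dot, so `.git`, `.env` and similar are never served, also after percent-encoding or `..` normalisation, and it disables directory listings so the hidden entries are not advertised either. The class and function names are this example's own.

```python
import functools
import posixpath
import sys
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import unquote, urlsplit

def is_hidden_path(url_path):
    """True if any path component starts with a dot (.git, .env, .ssh, ...).
    The query string is dropped and %2e-style encoding and ../ segments are
    normalised away before checking, so encoded or traversal variants are caught."""
    path = unquote(urlsplit(url_path).path)      # drop ?query, decode %2E etc.
    path = posixpath.normpath("/" + path)         # collapse ./ and ../
    return any(part.startswith(".") for part in path.split("/") if part)

class NoDotfilesHandler(SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler that refuses dotfiles and dot-directories.
    send_head() backs both GET and HEAD, so one override covers both verbs."""

    def send_head(self):
        if is_hidden_path(self.path):
            self.send_error(404, "Not Found")    # same answer as a missing file
            return None
        return super().send_head()

    def list_directory(self, path):
        # No auto-index: a listing would otherwise reveal the hidden entries' names.
        self.send_error(403, "Directory listing disabled")
        return None

def serve(directory, host="127.0.0.1", port=8080):
    """Serve `directory` on loopback by default; bind wider only on purpose."""
    handler = functools.partial(NoDotfilesHandler, directory=directory)
    with ThreadingHTTPServer((host, port), handler) as httpd:
        print(f"serving {directory} on http://{host}:{port}/ (dotfiles hidden)")
        httpd.serve_forever()

if __name__ == "__main__":
    serve(sys.argv[1] if len(sys.argv) > 1 else ".")
```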
I took a quick look a while ago and watching just part of the CT firehose, I found 35 .git folders in 30 minutes.
No idea if there was anything sensitive I just did a HEAD check against `.git/index` if I recall.
Out of curiosity, why? I use TS for all my homelab bits (including my HA instance), but connect to TS before opening the HA app. Is it just a case of making it easier/ possible to connect if you’re on another VPN? Are you not concerned with having something from your local network open to the internet?
We are developing a similar feature and it is scheduled to be available really soon. We've discussed some details in our public slack. Any feedback there will be helpful.
I was previously using headscale and was finding it a bit finicky. Recently switched to self hosted netbird and it's been great so far. However, if the Netbird team sees this, please implement a built-in updater for the client apps! Needing to download and install the package again is a bit annoying.
I wish they'd chill on the release schedule and keep it to once a week or less. I keep it maintained in my Gentoo overlay but oftentimes when I go to bump it, they push another release. Since this submission was posted they've had yet another new release.
I've looked without success for external audit reports of either Tailscale and Netbird, like Mullvad gets. While I don't approve of the sort of auditor box-ticking we get at work, it would be reassuring to see a report from a proper security consultancy.
Netbird has supposedly done a penetration test, but it is only supplied upon request [0]. I haven't bothered trying to get my hands on it since I don't use their product. I don't agree with gatekeeping the results instead of making them public.
NetBird should also consider publishing an SBOM, similar to what Defguard does.[1].
I can't tell if Netbird provides this feature but looking at their access control feature it doesn't seem to.
I just want a roaming access Wireguard terminating endpoint to restrict access to a user to initial subnets, and open / allow routing to further subnets based on multi factor authentication. That way a user can connect and only have access to say a wiki and internal chat, but then escalate access by MFA to access resources on other subnets that have stuff like internal gitlab and whatever other critical resources exist.
We just evaluated this the other day and we were pretty impressed by it. We were looking for something we could self host for wireguard config but tbh we might just pay for the managed solution.
Has anybody looked at whether Tailscale is subject to the US CLOUD Act? If so I can imagine we might be moving towards an open source solution like this in future.
Tailscales founders are Canadian, principled, and are very sensitive to Canadian needs. I very much trust Avery and team to do what’s necessary to keep US hands off the data.
edit: someone pointed out they’ve signed new users on to a US co. 15 months ago. I made the statement without knowing this. they aren’t as capable as I originally claimed.
I've had Netbird running for the last few months... In general it works quite well, but it would keep messing with my dns-resolving, and I couldn't find the setting to stop it inserting itself into my resolv.conf.
During the last few weeks I've removed netbird from all my systems (about 12), mostly because of issues on laptops where resolving or networking would break after they moved to a different network/location.
Just for future reference, you can disable DNS management for specific groups [0].
You can find the option under "DNS > DNS Settings > Disable DNS management for these groups". Netbird will stop modifying the resolv.conf on those groups.
Could be intentional:
German privacy advocates really like that the limited ipv4 pool forces reusing IPs and prevents accidentally imprinting a practically static address on a device.
If you're a homelab NixOS user, isn't it on you to try to answer these questions? A home lab is for learning, and if you don't want to do that, what's the point?
I have tried multiple different solutions of so called "zero trust networking". My personal favourite one is Netbird but.. it lacks one feature: switching between multiple setups (networks). I am helping to maintain some startups and it would be just nice to quickly change (or even better: have access to multiple at once!) networks.
> it would be just nice to quickly change (or even better: have access to multiple at once!) networks.
Accessing multiple corporate networks simultaneously from the same endpoint violates all sorts of access policies. If it doesn’t, the access policy is lacking. Even for startups.
And no, unless you build it and enforce it from the start, no one ever succeeds in bolting on a reasonable security posture after implementing all their other processes no one will dare touch.
I replaced Teleport by a bunch of various tools, and I had to choose between tailscale/headscale and netbird for the network connectivity. I'm pleased with netbird so far.
I had some weird bugs on a few old servers during the transition, and the support was helpful even though I am a small customer. We eventually switched to user space wireguard on those servers.
I'm really missing something like Cisco DMVPN. A VPN mesh between different routers where all routers have a connection to each other, so that all traffic doesn't have to pass through the hub. And that runs on a router, because all these solutions only run on a regular computer with a complete OS.
Most of the self-hosted zero trust solutions require opening 80/443. It would be nice if they could adopt WireGuard's approach of using UDP only, and only responding if the request is valid.
Maybe it's possible without modification to Netbird to setup a staging network.
What is the issue with one Wireguard port open? You vpn to home LAN and everything is there.
The issue with these VPN companies is that they log data, you have to run an agent as root, and there is reliance on several other companies too, like the IdP, etc. Very large attack surface.
Always my problem with Tailscale and similar solutions is that I already run VPNs in my personal devices and especially with android devices, I need to switch between two VPNs, which I find a friction that I do not want. Does anybody know a solution to this?
Tailscale has some integration with Mullvad. If you have a Mullvad subscription you can use their servers as exit nodes without dropping your Tailscale connection: https://tailscale.com/kb/1258/mullvad-exit-nodes
Outside of the particular combination of Mullvad and Tailscale I don't think there is any other way apart from switching between the two.
Maybe I don't understand, but the tailscale Linux clients definitely support multiple accounts. I use that to reach multiple headscale networks and a tailscale one. No issues for me using it this way.
I tried installing it and it was a pain, if you don’t use the very very default scripts.
Also their scripts regenerate secrets and the setup is weird in general (you need a complicated rp configuration and scripts to generate the config files)
All these higher level VPN/tunnel solutions are so popular but functionally I’ve only ever wanted layer 2 VPN. Inside the tunnel, I want the ability to reason about a remote network as if it’s local, not on a per-host basis.
I'm currently comparing it with pangolin and headscale for my small scale company infrastructure access. Been running headscale for my own setup for a while but maybe netbird or pangolin might be better for real production.
Pangolin recently added desktop clients for win/mac/linux[0] and the Private Resource feature (similar to Netbird's Network Routes/DNS), so it's starting to overlap with Netbird more and more.
That said, it seems focused on client-to-site (newt) connections, and I don't see support for client-to-client connections like Netbird’s SSH access. Also, their Private Resources don't seem to support TLS termination yet. (Correct me if I’m wrong!)
In my case, I have a k3s cluster running on Netbird with a Traefik ingress for TLS termination inside my home network. Thanks to netbird's P2P nature, traffic stays entirely local as long as I'm on my home WiFi. (I suppose one could achieve the same with a Netbird + Caddy + DNS-01 setup, too.)
I am in the same position but currently using Tailscale and realize how important and critical it has become for my whole family infrastructure. A self-hosted solution which allowed me to use Nameservers and TLS termination as I currently do would be awesome.
I'm aware of how old Tinc is, but I've yet to find anything compelling enough to get me to switch. Tinc is a little annoying to set up, but once it's going I literally forget about it.
Marginally relevant as I am looking into Netbird and Headscale: can anybody recommend a Europe-based VPS hosting provider that gives you an IPv4 range (4-5 IPs) that I can route over headscale?
Missing some technical bits to be a true contender for me but I bet they are getting there. That said I've seen so many shadcn based scam sites that my brain starts associating shadcn with scams.
Netbird's flexibility with IdPs is really nice. I recently switched mine to Pocket ID. Overall, it's perfectly sufficient and lightweight for homelab use.
I immediately looked at this and thought it was a tailscale clone.
I looked further into it and it’s essentially the same.
Implementation over ease of use of wireguard setup. Peer to peer modeling. Mesh networking. "Zero trust".
However, what I find interesting is netbird has open sourced their _coordinator server_. This allows for self hosting to be end to end.
Yes, with tailscale there exists "headscale", but it's clearly a side project that few people within the tailscale company maintain in their spare time.
One of the fears I have with headscale is a sudden change in leadership at tailscale, then the support from tailscale dies. Significant divergence occurs between the headscale coordinator server and the clients. Enshittification occurs and now forces those smaller use cases onto their SaaS.
I love tailscale/headscale but will definitely give this a try.
Defguard is a *Secure by Design* solution, which means security is as important (if not more) than functionality.
Lower latency or peer-to-peer communication does not automatically mean better security; often it means a larger attack surface.
Defguard is also *the only solution that enforces MFA on every connection*, aligning with true Zero Trust principles: never trust a user or device by default.
Why Peer-to-Peer Is Not Safer?
Peer-to-peer and mesh solutions can be faster because traffic flows directly between peers, but they almost always expose all components publicly and make it easier to hijack the network or inject unauthorized peers.
So what does Defguard’s Secure-by-Design Architecture mean?
1. Minimal gateway exposure
The Defguard gateway exposes only a WireGuard port. Compromising it would require a Linux kernel or WireGuard zero-day, and at that point, no solution is safe.
2. Isolated, stateless proxy
The only Internet-facing "application" component is a stateless proxy, deployed in a separate network segment. It has no access to the gateway, core, or internal resources.
3. Protected control plane
The core (control plane) runs strictly inside the intranet (local network that should not be exposed anywhere). No user data are exposed to the Internet or DMZ/other network segments. Also the MFA validation process is done in secure network segments (for example when doing MFA with Desktop + Mobile client biometry/faceID combined).
Why This Is Different from Mesh Solutions?
Most mesh VPN solutions expose their control and peer-discovery components publicly by design. This significantly increases the risk of compromise and peer injection.
Defguard, to my knowledge, is a traditional VPN with a central gateway. NetBird is an overlay network with full mesh capabilities. Though you can set it up in a gateway-like style with NetBird Networks but without opening ports and with HA out of the box: https://docs.netbird.io/manage/networks
Tailscale is great and headscale is an important step to gain trust. However, headscale is useless without the clients, and Tailscale geoblocks installing clients where they can. If the platform requires jailbreak for installing user-chosen software, as is the case with iOS, then it all becomes useless.
Open (preferably free software) clients without idiotic restrictions could be one of the main advantages for any competing solution. Does Netbird provide them?
The NetBird docs [1] talk about "Zero Trust" being defined by NIST SP 800-207 and NIST SP 1800-35. This is also one of the definitions Wikipedia describes, with only one (uncited) mention of BeyondCorp.
Anyway, I still have no idea how this stuff is supposed to be "zero trust". It seems to place almost complete trust in the external authentication provider and also in the agent software that's rummaging around on all the clients while, as Wikipedia puts it, "checking the identity and integrity of users" (perhaps by examining the purity of their precious bodily fluids).
If you are reading this thread and think that’s an interesting project to work on, shoot us a message. We are always looking for talented engineers that are passionate about open source :)
tass|29 days ago
My other simplifier is having everything at home get a .home dns name, and telling Tailscale to route all these via tailnet.
tecleandor|29 days ago
https://tailscale.com/kb/1028/key-expiry#disabling-key-expir...
chillfox|28 days ago
How easy is it to make it manage an already configured Wireguard mesh network?
benoliver999|28 days ago
How is netbird on iOS?
mittermayr|29 days ago
https://headscale.net/stable/
gz5|28 days ago
are OpenZiti, Headscale, Nebula the 3 closest?
great resource here (no affiliation) for HN community:
https://github.com/anderspitman/awesome-tunneling
smashed|28 days ago
If the user is forced to authenticate to start the VPN session, would that make it zero trust?
I think once the VPN is on, it's on, and the remote service cannot get identity info from the network layer.
Seems like what you want to achieve can only be built on the application layer?
junon|28 days ago
sunshine-o|29 days ago
1. Trust a third party like Tailscale by giving them the key to your kingdom, but everything is incredibly easy and secure.
2. Self-host but need at least one host with a fixed IP address and an open port on the Internet. What requires a set of security skills and constant monitoring. That includes headscale, selhosted netbird, zerotier or a private yggdrasil mesh.
abcd_f|29 days ago
Also, if it's a UDP port, then using a protocol that expects the first client packet to be pre-authenticated and does not emit any response otherwise gets you pretty damn close to having this port closed.
CommanderData|29 days ago
Better it happens using the same approach wireguard takes (udp/stateless). Though I'm not sure if there's more than just bootstrap taking place, maybe constant routing updates etc
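The "silent port" property the two comments above describe is what WireGuard gets from its `mac1` field: the initiator's first datagram carries a keyed BLAKE2s MAC whose key is derived from the responder's static public key, so a scanner that does not know that key can never provoke a reply. The toy below is an added illustration, not WireGuard's, NetBird's or any project's code. The `mac1` derivation (HASH("mac1----" || responder_pubkey) as the key, 16-byte keyed BLAKE2s over the message) follows the WireGuard paper; the message layout, the random stand-in for the Curve25519 public key, the absence of `mac2`/cookies and the loopback socket plumbing are simplifying assumptions.

```python
"""Toy model of a UDP endpoint that stays silent unless the first packet
authenticates (WireGuard's mac1 idea). Added example, not project code."""
import hashlib
import hmac
import os
import socket
import threading

LABEL_MAC1 = b"mac1----"   # label from the WireGuard paper
MAC_LEN = 16               # mac1 is a 16-byte keyed BLAKE2s output
MSG_INITIATION = 1         # assumed message type byte for this toy


def mac1_key(responder_pubkey: bytes) -> bytes:
    """HASH(LABEL_MAC1 || Spub_responder): 32-byte BLAKE2s, per the spec."""
    return hashlib.blake2s(LABEL_MAC1 + responder_pubkey).digest()


def compute_mac1(responder_pubkey: bytes, body: bytes) -> bytes:
    """MAC(key, body): keyed BLAKE2s with a 16-byte digest."""
    return hashlib.blake2s(body, digest_size=MAC_LEN,
                           key=mac1_key(responder_pubkey)).digest()


def build_initiation(responder_pubkey: bytes, payload: bytes) -> bytes:
    """Simplified handshake initiation: type byte || payload || mac1."""
    body = bytes([MSG_INITIATION]) + payload
    return body + compute_mac1(responder_pubkey, body)


def accept_initiation(responder_pubkey: bytes, datagram: bytes) -> bool:
    """True only if the datagram is an initiation with a valid mac1."""
    if len(datagram) < 1 + MAC_LEN or datagram[0] != MSG_INITIATION:
        return False
    body, mac = datagram[:-MAC_LEN], datagram[-MAC_LEN:]
    return hmac.compare_digest(mac, compute_mac1(responder_pubkey, body))


def serve(sock: socket.socket, responder_pubkey: bytes, n_datagrams: int) -> None:
    """Responder loop: answer valid initiations, drop everything else silently."""
    for _ in range(n_datagrams):
        data, peer = sock.recvfrom(2048)
        if accept_initiation(responder_pubkey, data):
            sock.sendto(b"\x02ok", peer)   # stand-in for a handshake response
        # else: no response at all, so the port looks closed to a scanner


def probe(server_addr, datagram: bytes, timeout: float = 0.5):
    """Send one datagram and return the reply, or None if the port stays silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(datagram, server_addr)
        try:
            return s.recvfrom(2048)[0]
        except socket.timeout:
            return None


def demo() -> dict:
    """Run the responder on loopback and probe it as a scanner and as a real peer."""
    responder_pubkey = os.urandom(32)   # constructed stand-in for the static public key
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    addr = srv.getsockname()
    t = threading.Thread(target=serve, args=(srv, responder_pubkey, 3), daemon=True)
    t.start()
    results = {
        "scanner_empty": probe(addr, b""),
        "scanner_garbage": probe(addr, os.urandom(64)),
        "peer_with_pubkey": probe(addr, build_initiation(responder_pubkey, b"client-ephemeral")),
    }
    t.join(timeout=2)
    srv.close()
    return results


if __name__ == "__main__":
    for name, reply in demo().items():
        print(f"{name}: {'silent' if reply is None else reply!r}")
```

The two scanner probes time out with no reply, while the peer that knows the responder's public key gets an answer. Note what this does and does not buy you: the port is indistinguishable from a closed one to an unauthenticated sender, but the responder still parses attacker-controlled bytes before deciding to stay quiet, which is why the real protocol keeps that pre-authentication path minimal.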
PLG88|28 days ago
aaronds|29 days ago
https://github.com/slackhq/nebula
eddyg|29 days ago
ysleepy|29 days ago
You manage a PKI and have to distribute the keys yourself, no auth/login etc.
It's much better than wireguard, not requiring O(N) config changes to add a node, and allowing proxy nodes etc.
iirc key revocation and so on are not easy.
blue_pants|28 days ago
sreekanth850|29 days ago
jsattler|28 days ago
Uptrenda|28 days ago
Basically, I'm building a framework for building NAT traversal plugins. Software like ngrok and P2P VPNs can then be built on top of it. Examples of plugins for the library include direct connect, reverse connect (connect back to you), TCP hole punching, and UPnP-based port forwarding.
The underlying network stack for the project was also built from scratch to better support IPv6 and multiple interfaces. This allows plugins to fully utilise the underlying network paths and interfaces on the machine. This took considerable time because most software simply uses the default interface.
I'm still in the middle of building the software, so it's not yet functional. But if anyone is interested throw me a star or an email at matthew@roberts.pm.
Uptrenda|28 days ago
braginini|29 days ago
no_time|29 days ago
Having it in F-droid, vetted by their policies is kind of my benchmark for "software that is guaranteed to be not crapware."
That being said, I'm rooting for the devs; having an alternative to tailscale+headscale would be nice, because as it stands it's kind of dependent on the goodwill of a for-profit company (finite).
Borealid|29 days ago
micw|29 days ago
binnacle|28 days ago
braginini|28 days ago
I suggest trying NetBird cloud to eliminate a potential misconfiguration of the self-hosted instance.
cheema33|28 days ago
PLG88|28 days ago
lwde|29 days ago
gnyman|29 days ago
Do not expose anything without authentication.
And absolutely do not expose a folder with something like `python -m http.server -b 0.0.0.0 8080` if you have .git in it, someone will help themselves to it immediately.
If you are aware of this, funnel works fine and is not insecure.
Tailscale IMHO is failing at educating people about this danger. They do mention it in the docs, but I think it should be a big red warning when you start it, because people clearly do not realise this.
I took a quick look a while ago and watching just part of the CT firehose, I found 35 .git folders in 30 minutes.
No idea if there was anything sensitive; I just did a HEAD check against `.git/index`, if I recall.
https://infosec.exchange/@gnyman/115571998182819369
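The exposure described in the comment above, and the `.git/index` check it mentions, as an added example that is not part of the original post or of Tailscale's or NetBird's code. The checker does a HEAD against `/.git/index` and then fetches `/.git/HEAD`, requiring the `ref: refs/` marker so that a catch-all page returning 200 for every path is not counted as a hit. The demo serves two constructed temp directories on loopback with the same handler `python -m http.server` uses, one with a stub `.git` and one without, so it runs offline; the URL scheme handling and the stub file contents are assumptions.

```python
"""Detect a web root that serves its .git directory. Added example, not
project code; the served directories are constructed stubs."""
import functools
import http.client
import os
import tempfile
import threading
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit


def _fetch(host: str, port: int, method: str, path: str, timeout: float):
    """One HTTP request on a fresh connection; returns (status, first 256 body bytes)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        return resp.status, resp.read(256)
    finally:
        conn.close()


def git_exposed(base_url: str, timeout: float = 3.0) -> dict:
    """Return a dict describing whether base_url leaks its .git directory."""
    u = urlsplit(base_url)
    host, port = u.hostname, u.port or 80
    index_status, _ = _fetch(host, port, "HEAD", "/.git/index", timeout)
    head_status, head_body = _fetch(host, port, "GET", "/.git/HEAD", timeout)
    head_ref = head_body.decode("ascii", "replace").strip() if head_status == 200 else None
    return {
        "index_head": index_status,
        "head_ref": head_ref,
        # both signals must agree: index reachable and HEAD looks like a git ref
        "exposed": index_status == 200 and bool(head_ref) and head_ref.startswith("ref: refs/"),
    }


class _QuietHandler(SimpleHTTPRequestHandler):
    """Same behaviour as `python -m http.server`, minus the stderr access log."""
    def log_message(self, *args):
        pass


def _serve(directory: str) -> ThreadingHTTPServer:
    handler = functools.partial(_QuietHandler, directory=directory)
    httpd = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def demo():
    """Serve a leaky and a clean directory on loopback and check both."""
    with tempfile.TemporaryDirectory() as leaky, tempfile.TemporaryDirectory() as clean:
        # constructed stub repo: a HEAD ref and a few bytes of index
        os.mkdir(os.path.join(leaky, ".git"))
        with open(os.path.join(leaky, ".git", "HEAD"), "w") as f:
            f.write("ref: refs/heads/main\n")
        with open(os.path.join(leaky, ".git", "index"), "wb") as f:
            f.write(b"DIRC" + b"\x00" * 8)
        with open(os.path.join(clean, "index.html"), "w") as f:
            f.write("<h1>family wiki</h1>")
        a, b = _serve(leaky), _serve(clean)
        try:
            leaky_result = git_exposed(f"http://127.0.0.1:{a.server_address[1]}")
            clean_result = git_exposed(f"http://127.0.0.1:{b.server_address[1]}")
        finally:
            for srv in (a, b):
                srv.shutdown()
                srv.server_close()
    return leaky_result, clean_result


if __name__ == "__main__":
    for label, result in zip(("leaky", "clean"), demo()):
        print(label, result)
```

Run this against your own funnel or reverse-proxy hostname before exposing a directory; a hit means the whole history is downloadable, not just the working tree. The fix is to keep `.git` out of the served root entirely, or to deny the path at the proxy (for nginx, a `location ~ /\.git` block returning 404), rather than to rely on the listing being hidden.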
ethangk|29 days ago
m_santos|29 days ago
Galanwe|29 days ago
nicolashenneaux|28 days ago
Factor1177|28 days ago
preisschild|28 days ago
joecool1029|28 days ago
gnufx|29 days ago
somepleb|28 days ago
NetBird should also consider publishing an SBOM, similar to what Defguard does.[1].
[0] https://trust.netbird.io/
[1] https://defguard.net/sbom/
sunshine-o|28 days ago
What could be used as an alternative to Tailscale, netbird, etc.
- [0] https://changelog.complete.org/archives/10478-easily-accessi...
- [1] https://github.com/threefoldtech/mycelium/blob/master/docs/p...
commandersaki|28 days ago
I just want a roaming access Wireguard terminating endpoint to restrict access to a user to initial subnets, and open / allow routing to further subnets based on multi factor authentication. That way a user can connect and only have access to say a wiki and internal chat, but then escalate access by MFA to access resources on other subnets that have stuff like internal gitlab and whatever other critical resources exist.
junon|29 days ago
Benedicht|29 days ago
braginini|29 days ago
cedws|28 days ago
nebezb|28 days ago
edit: someone pointed out they’ve signed new users on to a US co. 15 months ago. I made the statement without knowing this. they aren’t as capable as I originally claimed.
sigio|28 days ago
During the last few weeks I've removed netbird from all my systems (about 12), mostly because of issues on laptops where resolving or networking would break after they moved to a different network/location.
usagisushi|28 days ago
You can find the option under "DNS > DNS Settings > Disable DNS management for these groups". Netbird will stop modifying the resolv.conf on those groups.
[0] https://docs.netbird.io/manage/dns#4-dns-management-modes
shtrophic|29 days ago
niemandhier|29 days ago
moonlightbandit|29 days ago
gonzalohm|28 days ago
Tajnymag|28 days ago
mduett|27 days ago
woile|28 days ago
- Tailscale has one entry - Pangolin is getting one
I would like to see, even if brief:
1. Getting started
2. Hardware requirements
3. Security considerations
4. Recommended architecture, like running in a VPS if it makes sense
5. Configuring a server
6. Configuring devices
7. Resources (links to read more on netbird)
Thank you from the home lab community
patmorgan23|28 days ago
__float|28 days ago
If you're a homelab NixOS user, isn't it on you to try to answer these questions? A home lab is for learning, and if you don't want to do that, what's the point?
ErneX|28 days ago
flashu|28 days ago
bc569a80a344f9c|28 days ago
Accessing multiple corporate networks simultaneously from the same endpoint violates all sorts of access policies. If it doesn’t, the access policy is lacking. Even for startups.
And no, unless you build it and enforce it from the start, no one ever succeeds in bolting on a reasonable security posture after implementing all their other processes that no one will dare touch.
speedgoose|29 days ago
I had some weird bugs on a few old servers during the transition, and the support was helpful even though I am a small customer. We eventually switched to user space wireguard on those servers.
RedShift1|29 days ago
rwky|29 days ago
PLG88|28 days ago
CommanderData|29 days ago
Maybe it's possible without modification to Netbird to setup a staging network.
aborsy|28 days ago
The issue with these VPN companies is that they log data, you have to run an agent as root, there is reliance on several other companies too, like the IdP, etc. Very large attack surface.
k8sToGo|28 days ago
Second it's super easy to add a new device. Managing wireguard keys is annoying.
Third I don't have to open the port, worry about ddns etc.
Finally, for me it allows me to manage my DNS easily and I can leave tailscale running at all times. Also good luck implementing ACL on your own.
I don't see an issue with them logging when I connect to my stuff. The convenience for me is worth it more than the risk.
alturp|29 days ago
ksynwa|29 days ago
Outside of the particular combination of Mullvad and Tailscale I don't think there is any other way apart from switching between the two.
xrd|28 days ago
mlrtime|29 days ago
You could have an exit node that is set up only for that VPN and that advertises its routes. So connecting to tailscale gives you access to that network.
augunrik|28 days ago
user3939382|28 days ago
hollow-moe|29 days ago
usagisushi|29 days ago
That said, it seems focused on client-to-site (newt) connections, and I don't see support for client-to-client connections like Netbird’s SSH access. Also, their Private Resources don't seem to support TLS termination yet. (Correct me if I’m wrong!)
In my case, I have a k3s cluster running on Netbird with a Traefik ingress for TLS termination inside my home network. Thanks to netbird's P2P nature, traffic stays entirely local as long as I'm on my home WiFi. (I suppose one could achieve the same with a Netbird + Caddy + DNS-01 setup, too.)
[0] https://docs.pangolin.net/manage/clients/understanding-clien...
edentrey|29 days ago
jrm4|28 days ago
I'm aware of how old Tinc is, but I've yet to find anything compelling enough to get me to switch. Tinc is a little annoying to set up, but once it's going I literally forget about it.
littlecranky67|28 days ago
BoredPositron|29 days ago
braginini|29 days ago
FloatArtifact|29 days ago
Still haven't figured out how to do Termux on Android with netbird ssh yet.
edentrey|29 days ago
usagisushi|29 days ago
m_santos|29 days ago
neofrommatrix|28 days ago
PLG88|28 days ago
xyst|28 days ago
I looked further into it and it’s essentially the same.
Implementation over ease of use of wireguard setup. Peer to peer modeling. Mesh networking. "Zero trust".
However, what I find interesting is netbird has open sourced their _coordinator server_. This allows for self hosting to be end to end.
Yes, with tailscale there exists "headscale", but it’s clearly a side project that few people within the tailscale company maintain in their spare time.
One of the fears I have with headscale is a sudden change in leadership at tailscale; then the support from tailscale dies. Significant divergence occurs between the headscale coordinator server and clients. Enshittification occurs, forcing those smaller use cases onto their SaaS.
I love tailscale/headscale but will definitely give this a try.
throw20251220|27 days ago
oaiey|29 days ago
ktaf|28 days ago
OsamaJaber|28 days ago
thenaturalist|29 days ago
braginini|29 days ago
jonas_scholz|27 days ago
vlovich123|29 days ago
teon|27 days ago
Defguard is a *Secure by Design* solution, which means security is as important as (if not more than) functionality. Lower latency or peer-to-peer communication does not automatically mean better security; often it means a larger attack surface.
Defguard is also *the only solution that enforces MFA on every connection*, aligning with true Zero Trust principles: never trust a user or device by default.
Why Peer-to-Peer Is Not Safer?
Peer-to-peer and mesh solutions can be faster because traffic flows directly between peers, but they almost always expose all components publicly and make it easier to hijack the network or inject unauthorized peers.
So what does Defguard’s Secure-by-Design Architecture mean?
1. Minimal gateway exposure
The Defguard gateway exposes only a WireGuard port. Compromising it would require a Linux kernel or WireGuard zero-day; at that point, no solution is safe.
2. Isolated, stateless proxy
The only Internet-facing "application" component is a stateless proxy, deployed in a separate network segment. It has no access to the gateway, core, or internal resources.
3. Protected control plane
The core (control plane) runs strictly inside the intranet (a local network that should not be exposed anywhere). No user data are exposed to the Internet or to the DMZ/other network segments. Also, the MFA validation process is done in secure network segments (for example when doing MFA with Desktop + Mobile client biometry/FaceID combined).
Why This Is Different from Mesh Solutions?
Most mesh VPN solutions expose their control and peer-discovery components publicly by design. This significantly increases the risk of compromise and peer injection.
So that's about it.
braginini|29 days ago
analog8374|28 days ago
the_real_cher|23 days ago
catlifeonmars|28 days ago
sigmonsays|28 days ago
winrid|28 days ago
or network names literally overlapping in the "overlapping networks" tab
or maybe it's the need to toggle the network on and off a few times to get it to work
One of the few pieces of software I actually despise but have to use, and I use win11.
ZoomZoomZoom|29 days ago
Open (preferably free software) clients without idiotic restrictions could be one of the main advantages for any competing solution. Does Netbird provide them?
nixosbestos|29 days ago
The Android client, at least is FOSS. It's hardly Tailscale's fault that people buy iOS devices.
colesantiago|28 days ago
Glad it is open source so we can have "zero trust" in VC backed dev tools services.
newzino|28 days ago
[deleted]
systemf_omega|28 days ago
ptx|28 days ago
The NetBird docs [1] talk about "Zero Trust" being defined by NIST SP 800-207 and NIST SP 1800-35. This is also one of the definitions Wikipedia describes, with only one (uncited) mention of BeyondCorp.
Anyway, I still have no idea how this stuff is supposed to be "zero trust". It seems to place almost complete trust in the external authentication provider and also in the agent software that's rummaging around on all the clients while, as Wikipedia puts it, "checking the identity and integrity of users" (perhaps by examining the purity of their precious bodily fluids).
[1] https://docs.netbird.io/use-cases/implement-zero-trust
maximgeorge|28 days ago
[deleted]
nsadeghi97|28 days ago
cpach|28 days ago
glub103011|28 days ago
[deleted]
genie3io|29 days ago
[deleted]
RiceNBananas|28 days ago
[deleted]
sieabahlpark|28 days ago
[deleted]
estsauver|29 days ago
OtomotO|29 days ago
US citizens may not be aware, but due to POTUS "made and maintained in Europe" is becoming more and more important to EU.
braginini|29 days ago