Deploy NetBird as a self-hosted WireGuard mesh VPN. Connect devices across networks with zero-config peer discovery, SSO authentication, access control lists, and a management dashboard.
Why NetBird?
Traditional VPNs route everything through one server. NetBird creates a peer-to-peer mesh using WireGuard:
- Peer-to-peer — Direct device-to-device tunnels, no central bottleneck.
- Zero config — No port forwarding, no static IPs, no manual key exchange.
- SSO login — OIDC authentication (Google, Azure AD, Okta, Keycloak).
- Access control — ACLs by device, user, or group.
- NAT traversal — STUN/TURN lets peers connect from behind NATs and firewalls; when no direct tunnel can be established, traffic is relayed through the TURN server.
- Fully self-hosted — Management, signal, and TURN servers.
- Multi-platform — Linux, macOS, Windows, iOS, Android.
Prerequisites
- Docker with docker-compose for self-hosting the management server.
- OIDC provider (Keycloak, Google, Azure AD) for authentication.
Architecture
| Component | Purpose | Self-Hosted? |
|---|---|---|
| Management server | Web UI, ACLs, peer registry | Yes |
| Signal server | Peer discovery and negotiation | Yes |
| STUN/TURN server | NAT traversal and relay | Yes (coturn) |
| NetBird agent | WireGuard tunnel on each device | Client install |
NetBird vs VPN Alternatives
| Feature | NetBird | Tailscale | WireGuard (raw) | OpenVPN |
|---|---|---|---|---|
| Topology | Mesh P2P | Mesh P2P | Point-to-point | Hub-and-spoke |
| Self-hosted control | Fully | Headscale only | Manual | Yes |
| NAT traversal | Built-in | Built-in | Manual | Needs port forward |
| SSO/OIDC | Built-in | Built-in | No | Plugin |
| ACLs | Built-in | Built-in | iptables | Server config |
| Management UI | Web dashboard | Web dashboard | CLI only | CLI / web |
| Open source | Fully | Client only | Fully | Fully |
| Cost | Free (self-hosted) | Free / $6/user | Free | Free |
Access Control Examples
| Rule | Effect |
|---|---|
| Developers → Staging | Devs can reach staging servers |
| Developers ⊘ Production-DB | Devs cannot reach production databases |
| All → DNS Server | Everyone can reach internal DNS |
| Mobile → Office-Printers | Mobile devices can print on office network |
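To make the evaluation order of these rules concrete, here is an added Python model (not NetBird's own policy engine) of the four rules above: group-based source/destination matching, an explicit deny (⊘) winning over any allow (→), and default deny for anything no rule matches. Peer and group memberships are constructed for the example.

```python
"""Toy model of group-based ACL evaluation for the rules in the table.
Added illustration only; not NetBird's implementation."""
from dataclasses import dataclass

# Constructed group membership: peer name -> set of groups.
# Every peer belongs to "All", which is what "All → DNS Server" relies on.
GROUPS = {
    "alice-laptop": {"Developers", "All"},
    "bob-phone": {"Mobile", "All"},
    "staging-web-1": {"Staging", "All"},
    "prod-db-1": {"Production-DB", "All"},
    "dns-1": {"DNS Server", "All"},
    "printer-2f": {"Office-Printers", "All"},
}


@dataclass(frozen=True)
class Rule:
    source: str       # source group
    destination: str  # destination group
    allow: bool       # True for "→" (accept), False for "⊘" (drop)


# The four rules from the table, in table order.
# The explicit deny on Production-DB is redundant under default deny today,
# but it keeps protecting the database if someone later adds a broad allow.
RULES = [
    Rule("Developers", "Staging", True),
    Rule("Developers", "Production-DB", False),
    Rule("All", "DNS Server", True),
    Rule("Mobile", "Office-Printers", True),
]


def matching_rules(src_peer, dst_peer, rules=RULES, groups=GROUPS):
    """All rules whose source group contains src_peer and whose
    destination group contains dst_peer (direction matters)."""
    src_groups = groups.get(src_peer, set())
    dst_groups = groups.get(dst_peer, set())
    return [r for r in rules
            if r.source in src_groups and r.destination in dst_groups]


def is_allowed(src_peer, dst_peer, rules=RULES, groups=GROUPS):
    """True if src_peer may open a connection to dst_peer.
    Any matching deny refuses the connection; otherwise at least one
    matching allow is required (default deny)."""
    matched = matching_rules(src_peer, dst_peer, rules, groups)
    if any(not r.allow for r in matched):
        return False
    return any(r.allow for r in matched)
```

Run `is_allowed("alice-laptop", "prod-db-1")` to see the deny rule take effect, and note that `is_allowed("staging-web-1", "alice-laptop")` is also refused because the rules are directional and nothing matches.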
Troubleshooting
| Problem | Solution |
|---|---|
| Peer not connecting | Check agent is running and authenticated; verify STUN/TURN server reachable |
| High latency | Connection may be relayed via TURN; check NAT type (symmetric NAT is hardest) |
| SSO login fails | Verify OIDC config in management server; check redirect URIs |
| Device not showing in dashboard | Re-authenticate agent: `netbird down && netbird up` |
Summary
- WireGuard mesh VPN — peer-to-peer tunnels, no central bottleneck.
- Fully self-hosted — management, signal, and TURN servers.
- SSO + ACLs — enterprise-grade access control.
- Zero-config — no port forwarding or manual key exchange.