N
Story
Netbird a German Tailscale alternative (P2P WireGuard-based overlay network)
  • geoctl
  • ·
  • 2 minutes ago
  • ·
  • [ - ]
(Shamless plug) I am also working on a similar FOSS, self-hosted project called Octelium https://github.com/octelium/octelium that you might find interesting if you are interested in this space. Octelium is, however, more of a generic/unified zero trust secure access platform that can operate as a remote access VPN, a ZTNA platform, API/AI/MCP gateway, a PaaS, an ngrok-alternative and a homelab infrastructure. It provides unified client-based as well as clientless access for both humans and workloads; dynamic identity-based secretless access (e.g. HTTP/gRPC/k8s without sharing API keys and access tokens, SSH without distributing passwords/private keys, postgres/MySQL databases without sharing passwords, etc.); dynamic L7-aware, identity-based access control ABAC via CEL and OPA as well as dynamic routing to upstreams via policy-as-code; native Passkey login/WebAuthn/TOTP MFA and support for OIDC/SAML IdPs, OpenTelemetry L7-aware visibility and auditing; clietless access via OAuth2 for workloads, WireGuard and QUIC tunneling; declarative k8s-like management with horizontal scalability among other features. You can read more in the README if you're interested.
I can only recommend giving headscale a try. It's free, works extremely well, and can be used with the official Tailscale clients. Was super easy to set up.

https://headscale.net/stable/

Long-time ZeroTier user here. Recently switched to NetBird (self-hosted on a Hetzner VPS) and it’s been seamless so far. DNS functionality is excellent (something ZeroTier lacked), and the access-control model is very well designed. It’s easy to understand what’s going on and to grant one-off access when needed. Only real and very minor gripe is the Android app: I wish it were on F-Droid and a bit more robust, as it sometimes drops when roaming. Nevertheless, congratulations on a fabulous piece of software! I hope it keeps improving :)
A bit lower level than most things discussed here but on the topic of overlay networks, I’ve used nebula for years and can recommend it

https://github.com/slackhq/nebula

it his much complex to setup then wireguard based?
I recommend it the NetBird team is transparent and easy to reach. I switched from Tailscale a while ago (2y), went fully self-hosted, and upgrades across versions have been smooth, which tells me they care about the self-hosted, not just their cloud offering.
  • junon
  • ·
  • 17 minutes ago
  • ·
  • [ - ]
We just evaluated this the other day and we were pretty impressed by it. We were looking for something we could self host for wireguard config but tbh we might just pay for the managed solution.
Tailscale is the only non-self-hosted part of my setup now and this has bugged me since. I use a custom Nameserver rule to point all my subdomains to a Caddy container sitting on my Tailnet. Caddy handles the SSL and routes everything to the right containers. I skipped Tailscale Funnel on purpose; since these are just family services, I’d rather keep them locked behind the VPN than open them up to the web. This project looks promising as a replacement for my current setup and for its digital sovereignity of self hosting the server. I'm looking to manage several embedded devices remotely via Tailscale, but I've hit a major roadblock: the 90-day maximum expiration for Auth Keys. Constantly renewing these tokens is a significant maintenance burden, so I'm searching for a more permanent, 'set-and-forget' solution for my remote hardware.
  • tass
  • ·
  • 1 hour ago
  • ·
  • [ - ]
Tailscale allows you to disable the expiration time - I do this for my gateways.

My other simplifier is having everything at home get a .home dns name, and telling Tailscale to route all these via tailnet.

can you please tell me how to disable expiration time? I see auth keys have an Expiration which says it "Must be between 1 and 90 days." I do use a custom domain name as well with a Nameservers rule to have all my services reachable as subdomains of my custom domain.
  • ·
  • 15 minutes ago
  • ·
  • [ - ]
  • aidos
  • ·
  • 1 hour ago
  • ·
  • [ - ]
You can create an oauth client that can generate keys as you need them.

https://tailscale.com/kb/1215/oauth-clients#generating-long-...

  • ·
  • 1 hour ago
  • ·
  • [ - ]
There is some confusion here because while you can disable node key expiration, you can’t disable auth key expiration. But that’s less of a problem than it seems - auth keys are only useful for adding new nodes, so long expiry times are probably not necessary outside of some specific use-cases.

Edit: in fact from your original post it sounds like you’re trying to avoid re-issuing auth keys to embedded devices. You don’t need to do this; auth keys should ideally be single-use and are only required to add the node to the network. Once the device is registered, it does not need them any more - there is a per-device key. You can then choose to disable key expiration for that device.

You can manually disable key expiration for hosts in Tailscale, and I think you can do it with tags too...

https://tailscale.com/kb/1028/key-expiry#disabling-key-expir...

The word "auth keys" meant nothing to you, I guess: https://tailscale.com/kb/1085/auth-keys
What would be your use-case for auth keys with long expiry times? Auth keys are only required for registering new nodes.
When managing your infrastructure as code, it’s quite common to deploy new instances for upgrades etc. Having these keys expire after 3 months is a big pain. Eg doing a routine update by rebuilding an AMI.

I don’t understand how they can have such a strategy, and then not having any decent way to programmatically allocate new keys.

  • inapis
  • ·
  • 45 minutes ago
  • ·
  • [ - ]
Use tag-based node authentication. Login as a user and then switch the device to use a tag. I just recently did that and retained the usual 6 months expiry. I can also disable key expiry completely.
Headscale is a self hosted drop-in control plane replacement that has been pretty stable for us.
F-droid inclusion seems to be stalled https://gitlab.com/fdroid/rfp/-/issues/2688

Having it in F-droid, vetted by their policies is kind of my benchmark for "software that is guaranteed to be not crapware."

That being said I'm rooting for the devs, having an alternative for tailscale+headscale would be nice, because as it stands it's kind of dependant on the goodwill of a for profit company (finite).

https://codeberg.org/bg443/JetBird appears to use the same core library (and is just a different Android frontend wrapper).
I replaced Teleport by a bunch of various tools, and I had to chose between tailscale/headscale and netbird for the network connectivity. I’m pleased with netbird so far.

I had some weird bugs on a few old servers during the transition, and the support was helpful even though I am a small customer. We eventually switched to user space wireguard on those servers.

Tailscale is great and headscale is an important step to gain trust. However, headscale is useless without the clients, and Tailscale geoblock installing clients where they can. If the platform requires jailbreak for installing user-chosen software, as is the case with iOS, then it all becomes useless.

Open (preferably free software) clients without idiotic restrictions could be one of the main advantages for any competing solution. Does Netbird provide them?

Netbird's flexibility with IdPs is really nice. I recently switched mine to Pocket ID. Overall, it's perfectly sufficient and lightweight for homelab use.
Thanks for your feedback. I have a question: What do you think about the number of containers in our quick start deployment? Was that a concern?
I'm really missing something like Cisco DMVPN. A VPN mesh between different routers where all routers have a connection to each other, so that all traffic doesn't have to pass through the hub. And that runs on a router, because all these solutions only run on a regular computer with a complete OS.
  • rwky
  • ·
  • 1 hour ago
  • ·
  • [ - ]
Check https://tinc-vpn.org/ it may run on your router if you're running openwrt or similar
Last time I checked it couldn't do ipv6... in 2026?
Could be intentional: German privacy advocates really like that the limited ipv4 pool forces reusing IPs and prevents accidental imprinting a practically static address on a device.
Can't do IPv6 internally or externally? Internally there should be zero need for ~infinite addresses. Externally though I certainly hope all software is capable of operating via IPv6 at this point because otherwise it will only be increasingly broken.
Makes a lot of sense.

But self-hosting still require at least a public domain name [0], so here goes your privacy right?

- [0] https://docs.netbird.io/selfhosted/selfhosted-quickstart#inf...

> The VM must be publicly accessible on TCP ports 80 and 443, and UDP port 3478.

> A public domain name that resolves to the VM’s public IP address.

Since it already uses DNS it's disappointing that it hardcodes ports instead of using SRV records. IMO anything that can use SRV records should. It makes for a more robust internet.

IPv6 is coming soon to NetBird.
  • lwde
  • ·
  • 2 hours ago
  • ·
  • [ - ]
But it's missing a tailscale funnel like feature, right? That's one of the main features that I use for some home assistant instances.
  • gnyman
  • ·
  • 26 minutes ago
  • ·
  • [ - ]
Please be aware that when you use tailscale funnel you announce to the whole world that your service exists (through certificate transparency), and you will get scanned immediately. If you don't believe me just put up a simple http server and watch the scanning request come in within seconds of running `tailscale funnel`.

Do not expose anything without authentication.

And absolutely do not expose a folder with something like `python -m http.server -b 0.0.0.0 8080` if you have .git in it, someone will help themselves to it immediately.

If you are aware of this, funnel works fine and is not insecure.

Tailscale IMHO failing in educating people about this danger. They do mention in on the docs, but I think it should be a big red warning when you start it, because people clearly does not realise this.

I took a quick look a while ago and watching just part of the CT firehose, I found 35 .git folders in 30 minutes.

No idea if there was anything sensitive I just did a HEAD check against `.git/index` if I recall.

https://infosec.exchange/@gnyman/115571998182819369

We are developing a similar feature and is scheduled to be available really soon. We've discussed some details in our public slack. Any feedback there will be helpful.
Out of curiosity, why? I use TS for all my homelab bits (including my HA instance), but connect to TS before opening the HA app. Is it just a case of making it easier/ possible to connect if you’re on another VPN? Are you not concerned with having something from your local network open to the internet?
Besides the use cases listed, we see this as an opportunity for homelabers and organizations to add authentication with access control to already exposed services.
  • ·
  • 1 hour ago
  • ·
  • [ - ]
I use funnels for things like Vaultwarden, that are secure enough to be exposed on internet, and would be cumbersome if behind the tailnet.

I use serve for everything else, just for the clean SSL termination for things that should stay within the telnet, like *arr stacks, immich, etc.

Ah neat, that makes sense. Thanks.

Do you have anything that’ll trigger a notification if there’s suspicious traffic on your local network? I may be overly paranoid about exposing things on my local network to the internet.

Not really, but these stuff are in an isolated DMZ vlan, so theres not much to escalate to.

I fancy a bit upgrading to a smarter router like unify's with integrated firewall and stuff like like though.

After a decade with KeePass, I’ve finally moved to Vaultwarden. I’ll admit, self-hosting such a critical service still feels a bit scary, but the seamless syncing across all my devices is a huge upgrade. To balance the risk, I keep it tucked safely behind Tailscale for that extra peace of mind.
Agree, I use funnels and serves a lot as well. Very useful for homelabers.
I'm currently comparing it with pangolin and headscale for my small scale company infrastructure access. Been running headscale for my own setup for a while but maybe netbird or pangolin might be better for real production.
Pangolin recently added desktop clients for win/mac/linux[0] and the Private Resource feature (similar to Netbird's Network Routes/DNS), so it's starting to overlap with Netbird more and more.

That said, it seems focused on client-to-site (newt) connections, and I don't see support for client-to-client connections like Netbird’s SSH access. Also, their Private Resources don't seem to support TLS termination yet. (Correct me if I’m wrong!)

In my case, I have a k3s cluster running on Netbird with a Traefik ingress for TLS termination inside my home network. Thanks to netbird's P2P nature, traffic stays entirely local as long as I'm on my home WiFi. (I suppose one could achieve the same with a Netbird + Caddy + DNS-01 setup, too.)

[0] https://docs.pangolin.net/manage/clients/understanding-clien...

I am in the same position but currently using Tailscale and realize how important and critical it has become for my whole family infrastructure. A self-hosted solution which allowed me to use Nameservers and TLS termination as I currently do would be awesome.
If the VPN connection would stay connected despite having it set up that way in the web UI.. It would be a good product.

Still haven't figured out how to do Termux on Android with netbird ssh yet.

can you please elaborate on this? I use termux on android with tailscale and it works flawless, is it not possible on Netbird?
Using it self hosted for almost a year now, no issues, just works for me.
That is awesome!
How does this compare with Defguard? Also European but seems more featureful maybe?
Defguard as of my knowledge is a traditional VPN with a central gateway. NetBird is an overlay network with a full mesh capabilities. Though you can set it up in a gateway-like style with NetBird Networks but without opening ports and with HA out of the box: https://docs.netbird.io/manage/networks
  • oaiey
  • ·
  • 2 hours ago
  • ·
  • [ - ]
Sweet. Alternatives are always something good.
For someone who want to setup a private network between host/devices, I feel the dilemma is always:

1. Trust a third party like Tailscale by giving them the key to your kingdom, but everything is incredibly easy and secure.

2. Self-host but need at least one host with a fixed IP address and an open port on the Internet. What requires a set of security skills and constant monitoring. That includes headscale, selhosted netbird, zerotier or a private yggdrasil mesh.

  • abcd_f
  • ·
  • 14 minutes ago
  • ·
  • [ - ]
You can conceal that open port with some form of port knocking. Though this does reinforce your "easy" point.

Also, if it's an UDP port, then using a protocol that expects first client packet to be pre-authenticated and not emitting any response otherwise gets you pretty damn close to having this port closed.

Missing some technical bits to be a true contender for me but I bet they are getting there. That said I've seen so many shadcn based scam sites that my brain starts associating shadcn with scams.
For example? Curious what is missing
It funnels and lets encrypt certs for me and I am really not a fan of the android client.
Got you. We are on it. One feature that is coming very soon is a reverse proxy .Similar to cloudflare tunnels. With auth, TLs, etc. Would it suffice?
Would love to learn more around your android experience
Besides the solid product, Misha & Maycon are just great and friendly people to work with.
love it! :)
[dead]
There's also https://pangolin.net/ which is kind of similar, and I believe a YC company.
Not quite similar tho. Pangolin is a reverse proxy, NetBird is p2p mesh for internal resources remote access
Does that have ties to the US? If so it's not playing in the same ballpark.

US citizens may not be aware, but due to POTUS "made and maintained in Europe" is becoming more and more important to EU.

I see Pangolin has a Self-Host Community Edition, doesn't that already give something over digital sovereignity for EU users? I am considering both for a migration from Tailscale, any suggestion on their differences?
They solve different problems.

For a Tailscale migration, NetBird is the direct swap. Pangolin won't give you device-to-device connectivity.

On EU sovereignty: NetBird is Germany-based and explicitly positions itself as a European alternative. Self-hosted gives full control with no callbacks to their servers. Pangolin is US/YC-backed, so while self-hosting gives you control of the data plane, the project itself is American.

Also, NetBird has a reverse proxy feature coming this quarter, which would cover the Pangolin use case within the same platform.