{"id":50455129,"url":"https://github.com/cr0me1ve/anonbird","last_synced_at":"2026-06-01T02:00:57.918Z","repository":{"id":361686727,"uuid":"1254687809","full_name":"Cr0me1ve/anonbird","owner":"Cr0me1ve","description":"AnonBird: anonymous self-hosted mesh VPN fork with Tor/I2P transport hardening.","archived":false,"fork":false,"pushed_at":"2026-06-01T01:44:46.000Z","size":136610,"stargazers_count":0,"open_issues_count":16,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-01T02:00:48.387Z","etag":null,"topics":["anonbird","i2p","mesh-vpn","privacy","self-hosted","tor","wireguard"],"latest_commit_sha":null,"homepage":"https://github.com/Cr0me1ve/anonbird","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Cr0me1ve.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":"CONTRIBUTOR_LICENSE_AGREEMENT.md"},"funding":{"github":["netbirdio"]}},"created_at":"2026-05-30T22:11:07.000Z","updated_at":"2026-06-01T01:44:49.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/Cr0me1ve/anonbird","commit_stats":null,"previous_names":["cr0me1ve/anonbird"],"tags_count":336,"template":false,"template_full_name":null,"purl":"pkg:github/Cr0me1ve/anonbird","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cr0me1ve%2Fanonbird","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cr0me1ve%2Fanonbird/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cr0me1ve%2Fanonbird/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cr0me1ve%2Fanonbird/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Cr0me1ve","download_url":"https://codeload.github.com/Cr0me1ve/anonbird/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cr0me1ve%2Fanonbird/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33756581,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-01T02:00:06.963Z","response_time":115,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anonbird","i2p","mesh-vpn","privacy","self-hosted","tor","wireguard"],"created_at":"2026-06-01T02:00:47.124Z","updated_at":"2026-06-01T02:00:57.906Z","avatar_url":"https://github.com/Cr0me1ve.png","language":"Go","funding_links":["https://github.com/sponsors/netbirdio"],"categories":[],"sub_categories":[],"readme":"\n\u003cdiv align=\"center\"\u003e\n  \u003cp align=\"center\"\u003e\n    \u003cimg width=\"234\" src=\"docs/media/logo-full.png\" alt=\"AnonBird logo\"/\u003e\n  \u003c/p\u003e\n  \u003cp align=\"center\"\u003e\n    \u003ca href=\"https://github.com/Cr0me1ve/anonbird/blob/main/LICENSE\"\u003e\n      \u003cimg src=\"https://img.shields.io/badge/license-BSD--3-blue\" alt=\"BSD-3 License\"/\u003e\n    \u003c/a\u003e\n    \u003ca href=\"docs/leak-map.md\"\u003e\n      \u003cimg src=\"https://img.shields.io/badge/privacy-leak%20map-orange\" alt=\"AnonBird leak map\"/\u003e\n    \u003c/a\u003e\n  \u003c/p\u003e\n\u003c/div\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cstrong\u003e\n    AnonBird is a NetBird fork focused on anonymous private mesh networking over Tor and I2P.\n    \u003cbr/\u003e\n    Start with the \u003ca href=\"docs/leak-map.md\"\u003eleak map\u003c/a\u003e, \u003ca href=\"docs/anonbird-i2p-operations.md\"\u003eI2P operations guide\u003c/a\u003e, and \u003ca href=\"docs/anonbird-release-hardening.md\"\u003erelease hardening notes\u003c/a\u003e.\n  \u003c/strong\u003e\n\u003c/p\u003e\n\n**AnonBird keeps the familiar WireGuard mesh, management, signal, relay, ACL and dashboard model, but adds anonymous transports and hardens the fork so anonymous deployments do not silently call upstream package, metrics, update, debug-upload, geolocation or cloud endpoints.**\n\n**Tor mode.** `tor-relay-only` forces management, signal and relay traffic through a SOCKS5 Tor path, disables STUN/ICE/direct UDP, and uses userspace WireGuard over relay streams.\n\n**I2P mode.** `i2p-datagram` uses I2P SAM for control and peer data transport, exchanges public I2P destinations through management, and keeps private destination keys local to the client profile.\n\n**AnonBird UX.** The CLI command is `anonbird`, the dashboard uses anonymous-aware install flows, and release packages install into AnonBird paths such as `/etc/anonbird`, `/var/lib/anonbird`, `/var/log/anonbird` and `/var/run/anonbird`.\n\n**Brand assets.** Current raster assets are checked in for the README, proxy web, dashboard, favicon and desktop UI. Visual identity can be replaced without changing the anonymous transport design.\n\n### Key features\n\n| Anonymous transport | Management | Security | Operations | Platforms |\n|---|---|---|---|---|\n| ✓ Tor SOCKS5 control plane | ✓ Anonymous-aware dashboard | ✓ STUN/ICE/direct UDP kill-switch | ✓ Fork release images and packages | ✓ Linux |\n| ✓ Tor relay data plane | ✓ Setup-key bootstrap | ✓ IP/location/serial redaction | ✓ Self-host scripts | ✓ macOS |\n| ✓ Tor stream multipath | ✓ Internal DNS and ACLs | ✓ Debug/upload/geolite fail-closed defaults | ✓ Systemd units | ✓ Windows |\n| ✓ I2P SAM STREAM control plane | ✓ Device approval support | ✓ Anonymous update checks disabled by default | ✓ Docker/Compose templates | ✓ Containers |\n| ✓ I2P SAM DATAGRAM peer transport | ✓ Setup invite tokens | ✓ Runtime anonymous checks | ✓ Release hardening audit commands | ✓ FreeBSD package helper |\n\n### One-command self-host quickstart\n\nAnonBird is self-hosted-first. The recommended open-source quickstart starts a\nsingle-host deployment with the dashboard, embedded IdP, management, signal and\nrelay combined server, and Traefik TLS routing.\n\n- A Linux VM with at least **1 CPU** and **2 GB** of memory.\n- Docker with the Compose plugin.\n- A DNS name pointing to the VM.\n- Open inbound `80/tcp` and `443/tcp`.\n- Tor and/or i2pd available on clients for anonymous transports.\n\n```bash\ncurl -fsSL https://github.com/Cr0me1ve/anonbird/releases/latest/download/getting-started.sh \\\n  | bash -s -- --domain anonbird.your-domain.com --email admin@your-domain.com --yes\n```\n\nThis renders `docker-compose.yml`, `dashboard.env` and `config.yaml`, then starts\nthe stack. When it finishes, open:\n\n```text\nhttps://anonbird.your-domain.com\n```\n\nThe one-command installer uses the built-in Traefik mode by default and checks\nthat the required AnonBird Docker images are available before it starts the\nstack. Anonymous-safe server defaults are used: management version checks,\ngeolocation downloads, anonymous metrics and STUN/UDP are disabled unless you\nexplicitly opt in.\n\nAfter startup, check the deployment from the server:\n\n```bash\ndocker compose ps\ncurl -fsS https://anonbird.your-domain.com/oauth2/.well-known/openid-configuration \u003e/dev/null\ncurl -ksS -o /dev/null -w '%{http_code}\\n' https://anonbird.your-domain.com/api/users\n```\n\nThe unauthenticated API check should return `401`.\n\nTo bootstrap an unattended setup key for anonymous clients:\n\n```bash\ndocker compose exec -T anonbird-server \\\n  /go/bin/anonbird-server setup-key bootstrap --config /etc/anonbird/config.yaml\n```\n\nSave the printed setup key once. Then enroll clients with the dashboard command\nor a join URL that points at your onion/I2P management address.\n\nFor a dry configuration render without starting containers:\n\n```bash\ncurl -fsSL https://github.com/Cr0me1ve/anonbird/releases/latest/download/getting-started.sh \\\n  | bash -s -- --domain anonbird.your-domain.com --email admin@your-domain.com --yes --render-only\n```\n\nTo check release image availability without writing files or starting\ncontainers:\n\n```bash\ncurl -fsSL https://github.com/Cr0me1ve/anonbird/releases/latest/download/getting-started.sh \\\n  | bash -s -- --domain anonbird.your-domain.com --email admin@your-domain.com --yes --preflight-only\n```\n\nRelease-candidate and private registry tests can override images without\nediting the script:\n\n```bash\nexport ANONBIRD_DASHBOARD_IMAGE=registry.example.com/anonbird-dashboard:rc\nexport ANONBIRD_SERVER_IMAGE=registry.example.com/anonbird-server:rc\nexport ANONBIRD_PROXY_IMAGE=registry.example.com/anonbird-reverse-proxy:rc\n\ncurl -fsSL https://github.com/Cr0me1ve/anonbird/releases/latest/download/getting-started.sh \\\n  | bash -s -- --domain anonbird.your-domain.com --email admin@your-domain.com --yes\n```\n\nThe `NETBIRD_*` environment names are still accepted in deployment scripts for\ncompatibility with the inherited configuration contract. New generated artifacts\nuse AnonBird images, commands and filesystem paths.\n\nIf you deliberately need legacy clearnet/STUN behavior for a compatibility\ntest, make that choice explicit:\n\n```bash\ncurl -fsSL https://github.com/Cr0me1ve/anonbird/releases/latest/download/getting-started.sh \\\n  | bash -s -- --domain anonbird.your-domain.com --email admin@your-domain.com --yes --enable-clearnet-stun\n```\n\nDo not use that mode for anonymous clients unless you have accepted the real-IP\nexposure risk.\n\n### Linux client install\n\nThe release installer places the `anonbird` command in `PATH`, installs\n`anonbird.service`, and uses `/etc/anonbird`, `/var/lib/anonbird`,\n`/var/log/anonbird` and `/var/run/anonbird.sock`.\n\n```bash\ncurl -fsSL https://github.com/Cr0me1ve/anonbird/releases/latest/download/install.sh \\\n  | sudo bash -s --\n```\n\nAfter a fresh install the daemon can be active while still waiting for\nenrollment:\n\n```bash\nsudo systemctl status anonbird\nanonbird status\nanonbird debug anonymous-check\n```\n\nBefore enrollment, `anonymous-check` should report `pending enrollment`,\n`Default connection policy: anonymous tor-relay-only`, and `Result: OK`. After\nenrollment it should report the actual Tor or I2P management/signal/relay\ntransports.\n\nFor migration dry-runs where old scripts still call `netbird`, add a temporary\ncompatibility symlink without making it the canonical command:\n\n```bash\ncurl -fsSL https://github.com/Cr0me1ve/anonbird/releases/latest/download/install.sh \\\n  | sudo bash -s -- --compat-symlink --no-start\n```\n\n### Dashboard and anonymous peer URLs\n\nThe admin dashboard can be exposed on clearnet, a private network, or an onion\nservice. Anonymous peer privacy depends on the management/signal/relay URL used\nby clients, not on where the administrator opens the dashboard.\n\nCommon split deployment:\n\n```text\nAdmin browser:\n  https://admin.example.com\n\nAnonBird peers:\n  http://managementxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.onion\n```\n\nSet the dashboard runtime configuration so browser API calls use the admin API\norigin, while generated peer setup commands use the onion/I2P management origin:\n\n```text\nNETBIRD_MGMT_API_ENDPOINT=https://admin.example.com\nNETBIRD_MGMT_GRPC_API_ENDPOINT=http://managementxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.onion\n```\n\nWith that split, the administrator's browser can use clearnet, while peers still\njoin through Tor/I2P and do not publish real endpoint candidates.\n\n### Anonymous Client Examples\n\nTor relay-only:\n\n```bash\nanonbird up \\\n  --management-url http://examplehiddenservice.onion \\\n  --setup-key \"$SETUP_KEY\" \\\n  --anonymous-transport tor-relay-only \\\n  --tor-socks5 127.0.0.1:9050\n```\n\nI2P datagram:\n\n```bash\nanonbird up \\\n  --management-url http://example.b32.i2p \\\n  --setup-key \"$SETUP_KEY\" \\\n  --anonymous-transport i2p-datagram \\\n  --i2p-sam 127.0.0.1:7656\n```\n\nAnonymous mode is enabled by default for new CLI connections. Non-anonymous\nclearnet mode is intentionally hard to invoke: it prints a real-IP leak warning\nand requires an explicit override.\n\n```bash\nanonbird up \\\n  --no-anonymous-mode \\\n  --allow-unsafe-clearnet \\\n  --yes-i-understand-this-may-leak-my-ip\n```\n\nRun the local safety audit any time:\n\n```bash\nanonbird debug anonymous-check\n```\n\nExpected anonymous output includes:\n\n```text\nAnonymous mode: enabled\nSTUN: disabled\nICE: disabled\nDirect UDP: disabled\nClearnet fallback: disabled\nPublished endpoints: none\nResult: OK\n```\n\n### Migration From NetBird\n\nMigration defaults to dry-run mode and prints the exact file/service actions\nbefore changing anything.\n\nClient migration:\n\n```bash\nanonbird migrate client --dry-run\nsudo anonbird migrate client --apply --rejoin \"anonbird://join?server=http%3A%2F%2Fexample.onion\u0026setup_key=...\"\n```\n\nIf a legacy NetBird config contains a non-anonymous management URL, apply mode\nrefuses to start AnonBird unless you provide `--rejoin` or explicitly accept an\nunsafe clearnet migration:\n\n```bash\nsudo anonbird migrate client --apply \\\n  --allow-unsafe-clearnet \\\n  --yes-i-understand-this-may-leak-my-ip\n```\n\nWith `--rejoin`, migrated config files are rewritten to anonymous mode and\n`DisableAutoConnect=true` before the service starts, so the old clearnet profile\ndoes not connect during migration.\n\nSelf-hosted server migration uses the packaged AnonBird migration script for the\nlegacy Docker Compose stack:\n\n```bash\nanonbird migrate server --install-dir /opt/netbird --dry-run\nsudo anonbird migrate server --install-dir /opt/netbird --apply --yes\n```\n\nRollback for client filesystem migration:\n\n```bash\nsudo anonbird migrate rollback --backup-dir /var/backups/anonbird/migration-YYYYMMDD-HHMMSS --apply\n```\n\n### Release-readiness status\n\nThe current branch contains a working anonymous MVP plus post-MVP production\nhardening tasks. Treat it as a release candidate, not a final production tag,\nuntil the release-readiness plan in `anonbird_netbird_fork_plan.md` is fully\ngreen.\n\nBefore a public production release, the final manual run must prove:\n\n- one-command server/dashboard install from published images;\n- Linux package install, upgrade, uninstall/reinstall and rollback from release\n  artifacts;\n- migration from ordinary self-hosted NetBird for the server and at least two\n  clients;\n- Tor and I2P remote smoke tests on the fixed release testbed;\n- a real application test over the overlay, currently Marton master+edge\n  subscription flow;\n- focused leak and secret sweeps over logs, git tree and artifacts;\n- an explicit verdict on whether a test project can replace NetBird with\n  AnonBird without manual patches.\n\n### Internals\n\n- Every machine runs the [AnonBird agent](client/), which manages userspace WireGuard in anonymous mode.\n- Every agent connects to the [Management Service](management/) and [Signal Service](signal/) through the configured anonymous transport.\n- Tor mode uses relay WebSockets over SOCKS5 and disables direct candidate discovery.\n- I2P mode uses SAM STREAM for control and SAM DATAGRAM for direct peer transport when possible.\n- The [Relay Service](relay/) remains encrypted transport infrastructure, not a trust anchor.\n\n### Acknowledgements\n\nAnonBird builds on the NetBird codebase and open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE](https://github.com/pion/ice), I2P SAM, Tor, and Rosenpass.\n\n### Legal\nThis repository is licensed under the BSD-3-Clause license, which applies to all parts of the repository except for the directories management/, signal/ and relay/.\nThose directories are licensed under the GNU Affero General Public License version 3.0 (AGPLv3). See the respective LICENSE files inside each directory.\n\n_WireGuard_ and the _WireGuard_ logo are [registered trademarks](https://www.wireguard.com/trademark-policy/) of Jason A. Donenfeld.\n \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcr0me1ve%2Fanonbird","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcr0me1ve%2Fanonbird","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcr0me1ve%2Fanonbird/lists"}