https://github.com/netbirdio/netbird
Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://github.com/netbirdio/netbird
golang mesh mesh-networks nat-traversal netbird vpn wireguard wireguard-vpn wiretrustee zero-trust-network-access
Last synced: about 10 hours ago
JSON representation
Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
- Host: GitHub
- URL: https://github.com/netbirdio/netbird
- Owner: netbirdio
- License: bsd-3-clause
- Created: 2021-04-14T12:27:20.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2025-04-29T14:19:25.000Z (7 days ago)
- Last Synced: 2025-04-29T15:35:03.969Z (7 days ago)
- Topics: golang, mesh, mesh-networks, nat-traversal, netbird, vpn, wireguard, wireguard-vpn, wiretrustee, zero-trust-network-access
- Language: Go
- Homepage: https://netbird.io
- Size: 37.9 MB
- Stars: 13,436
- Watchers: 101
- Forks: 642
- Open Issues: 863
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- Funding: .github/FUNDING.yml
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Security: SECURITY.md
- Authors: AUTHORS
Awesome Lists containing this project
- awesome - netbirdio/netbird - Connect your devices into a single secure private WireGuard®-based mesh network with SSO/MFA and simple access controls. (golang)
- awesome-pion - netbirdio/netbird - A Wireguard-based VPN which transports datagrams over an `pion/ice` connection. (Other APIs)
- my-awesome-github-stars - netbirdio/netbird - Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls. (Go)
- awesome-starred - netbirdio/netbird - Connect your devices into a single secure private WireGuard®-based mesh network with SSO/MFA and simple access controls. (golang)
- awesome-starred - netbirdio/netbird - Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls. (Go)
- awesome-starred - netbirdio/netbird - Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls. (Go)
- awesome-wireguard - NetBird - (Previously Wiretrustee) NetBird is an open-source VPN management platform built on top of WireGuard® making it easy to create secure private networks for your organization or home. Technically, it creates an overlay network using ICE protocol (WebRTC) to negotiate P2P connections and WG (kernel module, when possible) to create a fast and encrypted tunnel between machines, falling back to relay (TURN) in case a P2P connection isn't possible. Pretty much just a client app is needed, the rest is done by the software. Their vision is to go beyond traditional VPN by bringing advanced NetSec (Zero Trust security model) like OpenZiti. (Projects / Mesh Network)
- definitive-opensource - NetBird - based overlay network with SSO, MFA and granular access controls. | `Cross` | **13.5k** | (Table of Contents / VPN)
- stars - netbirdio/netbird - Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls. (Go)
- Compose-Examples - Netbird - Quickly connect your computers, servers, cloud instances, and IoT devices into a secure private network. No configuration required. (🐳 Project List / Virtual Private Network (VPN) & Remote Access)
- awesome-repositories - netbirdio/netbird - Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls. (Go)
README
Start using NetBird at netbird.io
See Documentation
Join our Slack channel
New: NetBird Kubernetes Operator
**NetBird combines a configuration-free peer-to-peer private network and a centralized access control system in a single platform, making it easy to create secure private networks for your organization or home.**
**Connect.** NetBird creates a WireGuard-based overlay network that automatically connects your machines over an encrypted tunnel, leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, and so forth.
**Secure.** NetBird enables secure remote access by applying granular access policies while allowing you to manage them intuitively from a single place. Works universally on any infrastructure.
### Open-Source Network Security in a Single Platform
### NetBird on Lawrence Systems (Video)
[](https://www.youtube.com/watch?v=Kwrff6h0rEw)
### Key features
| Connectivity | Management | Security | Automation| Platforms |
|----|----|----|----|----|
|
- - \[x] Kernel WireGuard
- - \[x] [Admin Web UI](https://github.com/netbirdio/dashboard)
- - \[x] [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login)
- - \[x] [Public API](https://docs.netbird.io/api)
- - \[x] Linux
|
- - \[x] Peer-to-peer connections
- - \[x] Auto peer discovery and configuration |
- - \[x] [Access control - groups & rules](https://docs.netbird.io/how-to/manage-network-access) |
- - \[x] [Setup keys for bulk network provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys) |
- - \[x] Mac |
- - \[x] Connection relay fallback |
- - \[x] [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers) |
- - \[x] [Activity logging](https://docs.netbird.io/how-to/audit-events-logging) |
- - \[x] [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart) |
- - \[x] Windows |
- - \[x] [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks) |
- - \[x] [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network) |
- - \[x] [Device posture checks](https://docs.netbird.io/how-to/manage-posture-checks) |
- - \[x] IdP groups sync with JWT |
- - \[x] Android |
- - \[x] NAT traversal with BPF |
- - \[x] [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network) |
- - \[x] Peer-to-peer encryption ||
- - \[x] iOS |
- - \[x] [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn) ||
- - \[x] OpenWRT |
- - \[x] [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication) ||
- - \[x] [Serverless](https://docs.netbird.io/how-to/netbird-on-faas) |
- - \[x] Docker |
|
|
|
|||
|||
|||||
### Quickstart with NetBird Cloud
- Download and install NetBird at [https://app.netbird.io/install](https://app.netbird.io/install)
- Follow the steps to sign-up with Google, Microsoft, GitHub or your email address.
- Check NetBird [admin UI](https://app.netbird.io/).
- Add more machines.
### Quickstart with self-hosted NetBird
> This is the quickest way to try self-hosted NetBird. It should take around 5 minutes to get started if you already have a public domain and a VM.
Follow the [Advanced guide with a custom identity provider](https://docs.netbird.io/selfhosted/selfhosted-guide#advanced-guide-with-a-custom-identity-provider) for installations with different IDPs.
**Infrastructure requirements:**
- A Linux VM with at least **1CPU** and **2GB** of memory.
- The VM should be publicly accessible on TCP ports **80** and **443** and UDP ports: **3478**, **49152-65535**.
- **Public domain** name pointing to the VM.
**Software requirements:**
- Docker installed on the VM with the docker-compose plugin ([Docker installation guide](https://docs.docker.com/engine/install/)) or docker with docker-compose in version 2 or higher.
- [jq](https://jqlang.github.io/jq/) installed. In most distributions
Usually available in the official repositories and can be installed with `sudo apt install jq` or `sudo yum install jq`
- [curl](https://curl.se/) installed.
Usually available in the official repositories and can be installed with `sudo apt install curl` or `sudo yum install curl`
**Steps**
- Download and run the installation script:
```bash
export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started-with-zitadel.sh | bash
```
- Once finished, you can manage the resources via `docker-compose`
### A bit on NetBird internals
- Every machine in the network runs [NetBird Agent (or Client)](client/) that manages WireGuard.
- Every agent connects to [Management Service](management/) that holds network state, manages peer IPs, and distributes network updates to agents (peers).
- NetBird agent uses WebRTC ICE implemented in [pion/ice library](https://github.com/pion/ice) to discover connection candidates when establishing a peer-to-peer connection between machines.
- Connection candidates are discovered with the help of [STUN](https://en.wikipedia.org/wiki/STUN) servers.
- Agents negotiate a connection through [Signal Service](signal/) passing p2p encrypted messages with candidates.
- Sometimes the NAT traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT) and a p2p connection isn't possible. When this occurs the system falls back to a relay server called [TURN](https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT), and a secure WireGuard tunnel is established via the TURN server.
[Coturn](https://github.com/coturn/coturn) is the one that has been successfully used for STUN and TURN in NetBird setups.
See a complete [architecture overview](https://docs.netbird.io/about-netbird/how-netbird-works#architecture) for details.
### Community projects
- [NetBird installer script](https://github.com/physk/netbird-installer)
- [NetBird ansible collection by Dominion Solutions](https://galaxy.ansible.com/ui/repo/published/dominion_solutions/netbird/)
**Note**: The `main` branch may be in an *unstable or even broken state* during development.
For stable versions, see [releases](https://github.com/netbirdio/netbird/releases).
### Support acknowledgement
In November 2022, NetBird joined the [StartUpSecure program](https://www.forschung-it-sicherheit-kommunikationssysteme.de/foerderung/bekanntmachungen/startup-secure) sponsored by The Federal Ministry of Education and Research of The Federal Republic of Germany. Together with [CISPA Helmholtz Center for Information Security](https://cispa.de/en) NetBird brings the security best practices and simplicity to private networking.
### Testimonials
We use open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE (WebRTC)](https://github.com/pion/ice), [Coturn](https://github.com/coturn/coturn), and [Rosenpass](https://rosenpass.eu). We very much appreciate the work these guys are doing and we'd greatly appreciate if you could support them in any way (e.g., by giving a star or a contribution).
### Legal
_WireGuard_ and the _WireGuard_ logo are [registered trademarks](https://www.wireguard.com/trademark-policy/) of Jason A. Donenfeld.