NetBird: Full Install Guide on Hetzner Cloud

Interested in managed NetBird hosting or installation on your own infrastructure? At WZ-IT we take care of consulting, installation, support, operation, maintenance and monitoring of your NetBird deployment - whether on our infrastructure or yours. Arrange your free and non-binding consultation here: Schedule a meeting.
NetBird is a WireGuard-based zero-trust overlay network that gives you a central management plane (users, devices, routes, policies) while keeping traffic encrypted end-to-end. This article walks through a practical self-hosted deployment on a Hetzner Cloud CPX server using Docker and NetBird's official "Self-hosted quickstart with Zitadel" approach.
We'll install NetBird on a fresh Ubuntu server and use the example domain: netbird-demo.wz-it.com
Table of Contents
- High-Level Architecture
- Prerequisites
- Step 1: Create the Server on Hetzner Cloud
- Step 2: SSH into the Server and Update Packages
- Step 3: Install Docker Engine and Docker Compose
- Step 4: Verify DNS is Correct
- Step 5: Run NetBird Self-Hosted Quickstart
- Step 6: Check Containers and Logs
- Step 7: Open the Dashboard and Zitadel Console
- Step 8: Add Users and Enroll Your First Device
- Step 9: Connectivity Validation
- Step 10: Basic Ops - Backup and Upgrades
- Conclusion
- Sources
High-Level Architecture
The quickstart spins up multiple services via Docker Compose, including:
- NetBird management + dashboard (web UI)
- NetBird signal service
- STUN/TURN (Coturn) for NAT traversal/relay
- Zitadel as Identity Provider (SSO/MFA/user management)
NetBird's quickstart is meant to get you running quickly; for custom identity providers and a more tailored production setup, NetBird also provides an advanced self-hosting guide.
Prerequisites
1. Hetzner Cloud Server
- A Hetzner Cloud CPX instance (CPX11 or higher is typically fine)
- Ubuntu 22.04 LTS (or Debian; commands below assume Ubuntu/Debian)
- A public IPv4 address
2. Domain and DNS
Create an A record pointing to your server:
netbird-demo.wz-it.com -> YOUR_SERVER_PUBLIC_IPV4
3. Required Ports (NetBird Self-Hosted)
NetBird's self-host docs state your VM should be publicly accessible on:
| Protocol | Ports |
|---|---|
| TCP | 80, 443, 33073, 10000, 33080 |
| UDP | 3478, 49152-65535 |
Important Note About Hetzner Cloud Firewalls
By default, if you do NOT attach a Hetzner Cloud Firewall to a server, Hetzner does not block any inbound ports for you. The server behaves like a normal public VM: what is reachable depends on your OS and on the services listening on it.
The "implicit deny" behavior applies when you attach and use the Hetzner Cloud Firewall product:
- Hetzner Firewall rules define what is allowed inbound, and there is an implicit deny at the end for inbound traffic
- If you attach a firewall and set no inbound rules, inbound traffic will be blocked
Correct guidance:
- No cloud firewall attached: Your OS/services decide what's open
- Cloud firewall attached: You must explicitly allow the required inbound ports above, otherwise traffic is dropped by the firewall
Step 1: Create the Server on Hetzner Cloud
- Create a new server (Ubuntu 22.04)
- Add your SSH key
- (Optional, recommended) Attach a Hetzner Cloud Firewall
If you attach a firewall, add inbound rules for:
| Protocol | Ports | Note |
|---|---|---|
| TCP | 22 | Restrict to your IP if possible |
| TCP | 80, 443, 33073, 10000, 33080 | NetBird services |
| UDP | 3478 | STUN |
| UDP | 49152-65535 | TURN relay range |
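Added example (not NetBird's or Hetzner's code): a script that turns the inbound-rule table above into hcloud CLI calls, so the allow list is reviewable and repeatable instead of clicked together in the console. It assumes the hcloud CLI is installed and authenticated; FW_NAME, SERVER_NAME and ADMIN_CIDR are placeholders you replace.

```shell
#!/bin/sh
# Added example (not NetBird's or Hetzner's code): turns the inbound-rule table
# above into hcloud CLI calls. Assumes the hcloud CLI is installed and
# authenticated; FW_NAME, SERVER_NAME and ADMIN_CIDR are placeholders.
set -eu

FW_NAME="${FW_NAME:-netbird-fw}"
SERVER_NAME="${SERVER_NAME:-netbird-demo}"
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.10/32}"   # placeholder: your own IP, for SSH only

# Rule table from the page, as "proto port source". Everything not listed here
# is dropped by the Hetzner Cloud Firewall's implicit inbound deny.
netbird_rules() {
  cat <<EOF
tcp 22 $ADMIN_CIDR
tcp 80 any
tcp 443 any
tcp 33073 any
tcp 10000 any
tcp 33080 any
udp 3478 any
udp 49152-65535 any
EOF
}

# Print one hcloud command per rule so the plan can be reviewed before it runs.
# "any" expands to both IPv4 and IPv6 wildcards; otherwise the given CIDR is used.
plan_commands() {
  netbird_rules | while read -r proto port src; do
    if [ "$src" = any ]; then
      srcflags="--source-ips 0.0.0.0/0 --source-ips ::/0"
    else
      srcflags="--source-ips $src"
    fi
    echo "hcloud firewall add-rule $FW_NAME --direction in --protocol $proto --port $port $srcflags"
  done
}

# Create the firewall, add every rule, then attach it to the server.
apply_firewall() {
  hcloud firewall create --name "$FW_NAME"
  plan_commands | sh -e
  hcloud firewall apply-to-resource "$FW_NAME" --type server --server "$SERVER_NAME"
}

# Dry run by default; pass --apply to actually create and attach the firewall.
if [ "${1:-}" = "--apply" ]; then apply_firewall; else plan_commands; fi
```

Run it once without arguments to read the planned rules, then with `--apply`; the SSH rule is the only one scoped to a single CIDR, everything else is open to the world because peers and TLS issuance need it.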
Step 2: SSH into the Server and Update Packages
SSH into your server:
ssh root@YOUR_SERVER_IP
Update packages:
apt update && apt -y upgrade
Install basic dependencies:
apt -y install ca-certificates curl gnupg git jq
Step 3: Install Docker Engine and Docker Compose
NetBird self-hosting uses Docker and docker compose (Compose v2). Install Docker from the official sources:
curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh
rm get-docker.sh
Verify the installation:
docker --version
docker compose version
Step 4: Verify DNS is Correct
Before running the quickstart, verify your DNS is properly configured. From your local machine, check the A record:
dig netbird-demo.wz-it.com +short
This should return your server's IP address. If DNS isn't correct yet, Let's Encrypt / TLS provisioning may fail later during the quickstart.
Step 5: Run NetBird Self-Hosted Quickstart
NetBird's official quickstart deploys everything with a single script and Docker containers.
Create a working directory:
mkdir -p /opt/netbird
cd /opt/netbird
Download and run the quickstart script:
curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started-with-zitadel.sh -o getting-started-with-zitadel.sh
chmod +x getting-started-with-zitadel.sh
./getting-started-with-zitadel.sh
During setup, you'll be prompted to:
- Provide your domain (netbird-demo.wz-it.com)
- Ensure ports 80/443 are reachable for certificate issuance
What the script does:
- Generates configuration (docker compose, reverse proxy/TLS config)
- Pulls NetBird + Zitadel + Coturn images
- Creates TLS/HTTPS setup for the dashboard using your domain
- Starts the stack
After successful installation, the script displays the credentials and URLs you need for the next steps.
Step 6: Check Containers and Logs
From the install directory (where docker compose files are located):
docker compose ps
All containers should show as "healthy" or "running".
Tail logs to check for issues:
docker compose logs -f --tail=200
If something isn't healthy, logs usually point to one of:
- DNS not pointing to the VM
- Firewall missing ports
- Docker/Compose not installed correctly
Step 7: Open the Dashboard and Zitadel Console
Open the NetBird dashboard in your browser:
https://netbird-demo.wz-it.com
For Zitadel user administration, the quickstart provides a console endpoint (described in the quickstart output). The Zitadel Console is used for managing users and authentication.
Step 8: Add Users and Enroll Your First Device
- Create or invite users in the IdP (Zitadel)
- Install the NetBird client on a device (Windows/macOS/Linux)
- Log in via your hosted NetBird domain (SSO)
- Confirm the device appears in the NetBird dashboard
Step 9: Connectivity Validation
A) Confirm Required Ports are Listening
TCP listeners:
ss -tlpn | grep -E ':(80|443|33073|10000|33080)\b'
UDP listeners:
ss -ulpn | grep -E ':(3478)\b'
B) Confirm Firewall Allows Inbound Ports
If you attached a Hetzner Cloud Firewall, re-check your inbound rules. Remember: inbound has implicit deny and only allowed rules pass.
C) Confirm NAT Traversal/Relay Readiness
If peers are behind strict NATs, TURN/relay ports matter most:
- UDP 3478
- UDP 49152-65535
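Added example (not from the page or NetBird): a small audit script that checks the host's listening sockets against the port list in this guide and flags anything that is missing or bound to loopback only. It assumes it runs as root on the NetBird server when invoked with `--live`; without arguments it runs on a constructed `ss` sample embedded in the script.

```shell
#!/bin/sh
# Added example (not from the page or NetBird): audits the host's listening
# sockets against the port list in this guide. Assumes it runs as root on the
# NetBird server when invoked with --live, so `ss -tulpn` can show process names.
set -eu

# Required listeners from the self-host docs. The TURN relay range
# (UDP 49152-65535) is allocated per session by Coturn, so it never shows up
# as a listener and is only checked at the firewall, not here.
REQUIRED_TCP="80 443 33073 10000 33080"
REQUIRED_UDP="3478"

# check_listeners PROTO "PORTS" < ss-output
# Prints "proto/port" for every required port without a non-loopback listener.
check_listeners() {
  proto="$1"; ports="$2"
  input=$(cat)
  for p in $ports; do
    # An `ss -tulpn` line: "tcp  LISTEN 0 4096  0.0.0.0:443  0.0.0.0:*  users:(...)".
    # Keep lines for this protocol, drop loopback-only binds (127.x / [::1]),
    # then look for the local address column ending in ":PORT".
    if ! printf '%s\n' "$input" | grep -E "^${proto}[[:space:]]" \
         | grep -Ev '[[:space:]](127\.|\[::1\])' \
         | grep -Eq ":${p}[[:space:]]"; then
      echo "${proto}/${p}"
    fi
  done
}

# audit_output SS_TEXT: returns the missing listeners, one per line.
audit_output() {
  printf '%s\n' "$1" | check_listeners tcp "$REQUIRED_TCP"
  printf '%s\n' "$1" | check_listeners udp "$REQUIRED_UDP"
}

# Constructed sample: everything is up except the 33080 service, which is
# bound to loopback only and therefore unreachable from peers.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      4096   0.0.0.0:80          0.0.0.0:*         users:(("caddy",pid=1201,fd=7))
tcp   LISTEN 0      4096   0.0.0.0:443         0.0.0.0:*         users:(("caddy",pid=1201,fd=8))
tcp   LISTEN 0      4096   0.0.0.0:33073       0.0.0.0:*         users:(("docker-proxy",pid=1330,fd=4))
tcp   LISTEN 0      4096   0.0.0.0:10000       0.0.0.0:*         users:(("docker-proxy",pid=1342,fd=4))
tcp   LISTEN 0      4096   127.0.0.1:33080     0.0.0.0:*         users:(("docker-proxy",pid=1350,fd=4))
udp   UNCONN 0      0      0.0.0.0:3478        0.0.0.0:*         users:(("turnserver",pid=1400,fd=9))'

if [ "${1:-}" = "--live" ]; then
  audit_output "$(ss -tulpn)"      # real host: prints nothing when all is well
else
  audit_output "$SAMPLE_SS"        # demo on the constructed sample: prints tcp/33080
fi
```

An empty result on the live host means every required service is listening on a public address; anything printed is either not running or, as with the sample's 33080, only reachable locally.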
Step 10: Basic Ops - Backup and Upgrades
Backups
At minimum, back up:
- Your generated config files (compose files, env files)
- Persistent docker volumes (Zitadel data, NetBird management data)
# List volumes (use the exact names shown here in the backup command)
docker volume ls
# Backup one volume, here netbird_management, to a tarball in the current directory
docker run --rm -v netbird_management:/data -v "$(pwd)":/backup ubuntu tar czf /backup/netbird-management-backup.tar.gz /data
Upgrades
A safe upgrade pattern:
cd /opt/netbird
# Backup first
docker compose down
# Pull new images
docker compose pull
# Start with new images
docker compose up -d
If you're moving beyond quickstart into production standards, review the advanced self-hosting guide and version notes.
Conclusion
With the steps above, you get a fully working, self-hosted NetBird control plane on Hetzner Cloud using netbird-demo.wz-it.com. The key success factors are:
- Correct DNS pointing to your server
- Docker/Compose installed properly
- Required TCP/UDP ports reachable (especially the UDP relay range for real-world NAT scenarios)
NetBird's quickstart is ideal for getting value quickly; if your environment needs a custom identity provider or production-grade tailoring, use their advanced self-hosting guide as the next step.
Our NetBird Services
Don't want to manage NetBird yourself? At WZ-IT we offer:
- Managed NetBird Hosting - We run and maintain your NetBird infrastructure
- Installation on your infrastructure - We set up NetBird on your own servers
- Consulting & Support - Expert help with planning, configuration and troubleshooting
Schedule a free consultation to discuss your requirements.
Sources
Frequently Asked Questions
Answers to important questions about this topic
The NetBird server can be installed on all common Linux distributions that support Docker - including Debian, Ubuntu, CentOS, RHEL, Rocky Linux, AlmaLinux, Fedora and openSUSE. Other systems with Docker support are also possible.
NetBird's quickstart/self-host docs state the VM should be publicly accessible on: TCP 80, 443, 33073, 10000, 33080 and UDP 3478, 49152-65535.
Only if you attach and use the Hetzner Cloud Firewall product. In that case, inbound traffic has an implicit deny and only traffic matching your allow rules is passed through. If you do not attach a firewall, your VM behaves like a normal public server.
The quickstart configures HTTPS/TLS for the dashboard. For TLS automation, DNS must point to the VM and ports 80/443 must be reachable.
Yes. NetBird provides an advanced self-hosted guide that targets custom identity providers rather than the quickstart's Zitadel-based deployment.
The most common cause is missing UDP allowances for NAT traversal/relay: UDP 3478 and UDP 49152-65535. Also verify the additional TCP ports required by the self-hosted setup are reachable.
You can, but be careful not to double-block required ports. If you attach a Hetzner Cloud Firewall and also run ufw, you must allow the same NetBird ports in both places.
Quickstart is optimized for fast, working, self-hosted deployment with a bundled IdP (Zitadel). Advanced is for more control with custom IdP and more tailored deployment choices.
NetBird stores the getting-started-with-zitadel.sh script in their GitHub repository; it's useful for auditing what gets created and how environment variables/config are generated.
Let's Talk About Your Idea
Whether you have a specific IT challenge or just an idea, we look forward to talking with you. In a brief conversation, we'll evaluate together if and how your project fits with WZ-IT.

Timo Wevelsiep & Robin Zins
CEOs of WZ-IT