What Is NetBird? Zero-Trust Mesh VPN for Secure Infrastructure Access

Remote-maintaining distributed infrastructure on your own terms? WZ-IT builds remote-management platforms with NetBird as the encrypted network backend. See our remote-management platforms

NetBird is an open-source, WireGuard-based zero-trust overlay or mesh VPN that connects devices, servers and sites directly and encrypted - identity-based and without open inbound ports. Instead of a VPN gateway, jump host and port forwards, NetBird spans an encrypted overlay network in which every participant (peer) talks peer-to-peer to its permitted counterparts. A central control plane distributes keys, routes and access rules, while the actual traffic flows directly between peers over WireGuard. As of mid-2026 NetBird is at version 0.73 (github.com/netbirdio/netbird), fully self-hostable and also available as the managed NetBird Cloud.

Table of Contents

• How NetBird works
• Zero trust: identity-based access
• Self-hosted vs. NetBird Cloud
• NetBird vs. Tailscale vs. Headscale vs. plain WireGuard
• Access to infrastructure without open ports
• Remote maintenance of distributed machines and plants
• External access to Kubernetes services
• Exposing internal services in a controlled way: NetBird Networks
• Sovereignty and how WZ-IT uses NetBird
• Further guides

---

How NetBird works

NetBird cleanly separates the control plane from the data plane. The control plane consists of three server components (docs.netbird.io):

• Management service: the central coordinator. It keeps the network state, manages the peers' public WireGuard keys, authenticates them and distributes configuration and access rules into the mesh.
• Signal service: handles peer discovery and connection negotiation. Peers exchange their connection candidates (ICE) through Signal; the messages are end-to-end encrypted, and Signal "steps out" once the direct connection is up.
• Relay service: a TURN-style fallback that relays traffic when a direct connection is impossible. Because the WireGuard traffic is point-to-point encrypted, the relay cannot decrypt the data.

The data plane is WireGuard. For NAT traversal NetBird uses ICE (Pion implementation) and STUN to establish a direct peer-to-peer connection wherever possible; only when that fails does the tunnel run through the relay. All peers establish the connection outbound-only, so no port has to be reachable from the internet. More on the data plane in our WireGuard expertise and in the guide WireGuard for site-to-site connectivity.

Zero trust: identity-based access

NetBird follows the zero-trust principle: nothing is reachable until a policy says so (default-deny). Access is not governed by network topology but by identity and policy:

• Groups and access policies (ACLs): peers are assigned to groups, and policies grant targeted access from source to destination groups, optionally restricted to specific protocols and ports.
• SSO/IdP integration: NetBird connects identity providers over OIDC, such as Keycloak, Authentik, Microsoft Entra ID (Azure AD), Google or Okta. Since version 0.62 (January 2026) the self-hosted variant ships with built-in identity and no longer requires an external IdP.
• Posture checks: access can be tied to device posture - operating system, NetBird client version, geographic location or running processes.
• Peer approval and identity-aware SSH: new devices must be approved; the built-in SSH access maps sessions to authenticated user identities and produces a clean audit trail.

This combination makes NetBird more than a VPN: it is an identity-based access layer. Background on our NetBird expertise.

Self-hosted vs. NetBird Cloud

NetBird comes in two operating models. Self-hosted, you run management, signal and relay yourself; since version 0.65 (February 2026) there is a unified server binary that bundles all services into a single container. A VM with 1 CPU and 2 GB RAM is enough for a working mesh. The NetBird Cloud is the managed SaaS service with a free entry tier and paid plans - no infrastructure to run, but with the control plane at the provider.

On licensing: the clients and most components are under the permissive BSD-3-Clause, while the server directories management/, signal/, relay/ and combined/ (the unified binary) are under AGPLv3. Self-hosting is therefore free and the entire control plane is open source.

NetBird vs. Tailscale vs. Headscale vs. plain WireGuard

The decisive difference is the control plane. Tailscale is polished, but its coordination server is proprietary and cloud-only. Headscale is an open-source reimplementation of that server that reuses the official Tailscale clients - without an official web UI and with a reduced feature set (/en/expertises/headscale/). Plain WireGuard has no control plane at all; you maintain keys, routes and access by hand. NetBird is the only one of the four that is open source and self-hostable end to end, including its own clients, dashboard and IdP integration.

Access to infrastructure without open ports

A core use of NetBird is secure access to infrastructure: servers, internal services, databases and admin interfaces become reachable only through the encrypted mesh, never directly from the internet. This replaces open ports, jump hosts and bastion servers. Instead of exposing an SSH or database port, the server joins the mesh as a peer; it is reachable only for the identities permitted by policy.

In practice that means SSH without port exposure, database access only for defined groups, admin UIs behind default-deny. Combined with posture checks (for example only company-owned, up-to-date devices) and identity-aware SSH, you get traceable, identity-bound access - the basis for RBAC and audit for remote access.

Remote maintenance of distributed machines and plants

NetBird is widely used for remote maintenance of distributed machines, plants and IoT devices - as the network and backend layer. Every site is connected outbound-only, with no port to open on site. Two access patterns run on top:

• Direct tool access: technicians reach SSH, RDP, VNC or an HMI on the plant directly over the mesh, as if they were on the local network.
• Under a browser gateway: in sovereign platforms, a browser gateway such as Apache Guacamole sits on top of NetBird and delivers RDP, VNC and SSH clientless in the browser. NetBird is the invisible network backend, the gateway the auditable access layer. Details in What is Apache Guacamole? and Remote maintenance without a VPN client.

External access to Kubernetes services

For Kubernetes, NetBird offers the NetBird Kubernetes Operator (docs.netbird.io). It extends the Kubernetes API with custom resources (CRDs) and automates the integration declaratively - the same way you manage the rest of your infrastructure:

• Routing peers as pods: the operator deploys rootless NetBird clients as pods in the netbird namespace. They join the mesh and forward traffic to cluster-internal services.
• Service exposure via annotation: annotations on services publish them as resources into the NetBird network, making them reachable for permitted peers.

This lets developers, on-call SREs or other clusters access the kubectl/API server, dashboards and internal services over the encrypted overlay, without exposing the cluster or its services to the public internet. It is especially suited to multi-cluster and hybrid-cloud scenarios.

Exposing internal services in a controlled way: NetBird Networks

With the NetBird Networks feature you map entire parts of your infrastructure onto the overlay, including devices that cannot run a NetBird client themselves. A Network consists of four building blocks (docs.netbird.io):

• Routing peers: NetBird clients inside the private network that forward traffic from the mesh to devices without a client (typically 2 vCPU / 4 GB RAM).
• Resources: the destinations - single IPs, CIDR ranges, domains or wildcard domains.
• Access policies: access from source groups to resources, default-deny.
• Network: the container that bundles the routing peers and resources of a site or VPC.

For services that should be publicly reachable, NetBird adds a reverse proxy feature (currently in beta) with automatic TLS and authentication - without open ports. Since version 0.67 (March 2026) a self-hosted instance can also proxy TCP/UDP/TLS, so VPN, reverse-proxy and tunnel functions collapse into a single stack. (The older "Network Routes" option mainly remains relevant for exit nodes.)

Sovereignty and how WZ-IT uses NetBird

NetBird is a sovereign choice: fully self-hostable, open source and backed by a European vendor (NetBird, Berlin). You keep the control plane, keys and audit data in your own infrastructure, for example inside the EU - a clear advantage over purely cloud-based mesh services and relevant for regulation such as the NIS2 directive. This article is general information and not legal advice.

At WZ-IT we use NetBird as the encrypted network backend of our remote-management and remote-maintenance platforms: sites connected outbound-only, access identity-based and default-deny, with an auditable browser gateway on top. The ABCO Water Systems case study shows how this runs in production for distributed plants in Australia. On request we handle design, build and operation end to end as part of our remote-management platforms.

Further guides

• NetBird expertise - usage and operations
• WireGuard for site-to-site connectivity - the data plane under NetBird
• Remote maintenance without a VPN client
• Secure remote maintenance of machines and plants

Want infrastructure reachable without open ports? Get to know us or take a look at our remote-management platforms.