netbird

module
v0.71.4 Latest
Published: May 21, 2026 License: BSD-3-Clause

README

Start using NetBird at netbird.io
See Documentation
Join our Slack channel or our Community forum


🚀 We are hiring! Join us at careers.netbird.io

NetBird combines a configuration-free peer-to-peer private network and a centralized access control system in a single platform, making it easy to create secure private networks for your organization or home.

Connect. NetBird creates a WireGuard-based overlay network that automatically connects your machines over an encrypted tunnel, leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, and so forth.

Secure. NetBird enables secure remote access by applying granular access policies while allowing you to manage them intuitively from a single place. Works universally on any infrastructure.

https://github.com/user-attachments/assets/10cec749-bb56-4ab3-97af-4e38850108d2

Self-host NetBird (video)

Watch the video

Key features

Connectivity Management Security Automation Platforms
✓ Kernel WireGuard ✓ Admin Web UI ✓ SSO & MFA support ✓ Public API ✓ Linux
✓ Peer-to-peer connections ✓ Auto peer discovery and configuration ✓ Access control: groups & rules ✓ Setup keys for bulk provisioning ✓ macOS
✓ Connection relay fallback ✓ IdP integrations ✓ Activity logging ✓ Self-hosting quickstart script ✓ Windows
✓ Routes to external networks ✓ Private DNS ✓ Traffic events ✓ IdP groups sync with JWT ✓ Android
✓ Domain-based DNS routes ✓ Custom DNS zones ✓ Device posture checks ✓ Terraform provider ✓ Android TV
✓ Exit nodes ✓ Multiuser support ✓ Peer-to-peer encryption ✓ Ansible collection ✓ iOS
✓ IPv6 dual-stack overlay ✓ Multi-account profile switching ✓ SSH with central access policies ✓ Apple TV
✓ Browser SSH & RDP ✓ Quantum-resistance with Rosenpass ✓ FreeBSD
✓ Reverse proxy with auto-TLS ✓ Periodic re-authentication ✓ pfSense
✓ OPNsense
✓ MikroTik RouterOS
✓ OpenWRT
✓ Synology
✓ TrueNAS
✓ Proxmox
✓ Raspberry Pi
✓ Serverless
✓ Container

Quickstart with NetBird Cloud

Quickstart with self-hosted NetBird

This is the quickest way to try self-hosted NetBird. It should take around 5 minutes to get started if you already have a public domain and a VM. Follow the Advanced guide with a custom identity provider for installations with different IdPs.

Infrastructure requirements:

  • A Linux VM with at least 1 CPU and 2 GB of memory.
  • The VM should be publicly accessible on TCP ports 80 and 443 and UDP port 3478.
  • A public domain name pointing to the VM.

Software requirements:

Steps

  • Download and run the installation script:
export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started.sh | bash

A bit on NetBird internals

  • Every machine in the network runs the NetBird agent, which manages WireGuard.
  • Every agent connects to the Management Service, which holds network state, manages peer IPs, and distributes updates to agents.
  • Agents use ICE (via pion/ice) to discover connection candidates for peer-to-peer connections.
  • Candidates are discovered with the help of STUN servers.
  • Agents negotiate a connection through the Signal Service, exchanging end-to-end encrypted messages with candidates.
  • When NAT traversal fails (e.g. mobile carrier-grade NAT) and a direct p2p connection isn't possible, the system falls back to a Relay Service and a secure WireGuard tunnel is established through it.

NetBird high-level architecture diagram

See a complete architecture overview for details.

Community projects

Note: The main branch may be in an unstable or even broken state during development. For stable versions, see releases.

Support acknowledgement

In November 2022, NetBird joined the StartUpSecure program sponsored by the Federal Ministry of Education and Research of the Federal Republic of Germany. Together with the CISPA Helmholtz Center for Information Security, NetBird brings security best practices and simplicity to private networking.


Acknowledgements

We build on open-source technologies like WireGuard®, Pion ICE, and Rosenpass. We greatly appreciate the work these projects are doing, and we'd love it if you could support them too (e.g., by starring or contributing).

This repository is licensed under the BSD-3-Clause license, which applies to all parts of the repository except for the directories management/, signal/ and relay/. Those directories are licensed under the GNU Affero General Public License version 3.0 (AGPLv3). See the respective LICENSE files inside each directory.

WireGuard and the WireGuard logo are registered trademarks of Jason A. Donenfeld.

Directories

Path Synopsis
cmd
cmd/signer command
embed
Package embed provides a way to embed the NetBird client directly into Go programs without requiring a separate NetBird client installation.
firewall/firewalld
Package firewalld integrates with the firewalld daemon so NetBird can place its wg interface into firewalld's "trusted" zone.
firewall/uspfilter/log
Package log provides a high-performance, non-blocking logger for userspace networking
iface/device
Package iface provides wireguard network interface creation and management
iface/mocks
Package mocks is a generated GoMock package.
iface/udpmux
Package udpmux provides a custom implementation of a UDP multiplexer that allows multiple logical ICE connections to share a single underlying UDP socket.
internal/acl/mocks
Package mocks is a generated GoMock package.
internal/dns
Package dns implements the client-side DNS stack: listener/service on the peer's tunnel address, handler chain that routes questions by domain and priority, and upstream resolvers that forward what remains to configured nameservers.
internal/dns/resutil
Package resutil provides shared DNS resolution utilities
internal/lazyconn
Package lazyconn provides mechanisms for managing lazy connections, which activate on demand to optimize resource usage and establish connections efficiently.
internal/portforward/pcp
Package pcp implements the Port Control Protocol (RFC 6887).
internal/stdnet
Package stdnet is an extension of the pion's stdnet.
internal/updater
Package updater provides automatic update management for the NetBird client.
internal/updater/installer
Package installer provides functionality for managing NetBird application updates and installations across Windows, macOS.
internal/updater/reposign
Package reposign implements a cryptographic signing and verification system for NetBird software update artifacts.
net
ssh
ssh/server
Package server implements port forwarding for the SSH server.
ui command
ui/notifier
Package notifier sends desktop notifications.
wasm/cmd command
wasm/internal/capture
Package capture bridges the util/capture package to JavaScript via syscall/js.
cmd
Package dns implement dns types and standard methods and functions to parse and normalize dns records and configuration
flow
txt
idp
dex
Package dex provides an embedded Dex OIDC identity provider.
sdk
Package sdk provides an embeddable SDK for the Dex OIDC identity provider.
cmd
cmd/token
Package tokencmd provides reusable cobra commands for managing proxy access tokens.
internals/controllers/network_map
Package network_map is a generated GoMock package.
internals/modules/peers
Package peers is a generated GoMock package.
internals/modules/reverseproxy/proxy
Package proxy is a generated GoMock package.
internals/modules/reverseproxy/service
Package service is a generated GoMock package.
server/account
Package account is a generated GoMock package.
server/idp/migration
Package migration provides utility functions for migrating from the external IdP solution in pre v0.62.0 to the new embedded IdP manager (Dex based), which is the default in v0.62.0 and later.
server/metrics
Package metrics gather anonymous information about the usage of NetBird management
server/permissions
Package permissions is a generated GoMock package.
server/settings
Package settings is a generated GoMock package.
server/store
Package store is a generated GoMock package.
Package proxy runs a NetBird proxy server.
auth
Package auth contains exported proxy auth values.
cmd/proxy command
internal/certwatch
Package certwatch watches TLS certificate files on disk and provides a hot-reloading GetCertificate callback for tls.Config.
internal/crowdsec
Package crowdsec provides a CrowdSec stream bouncer that maintains a local decision cache for IP reputation checks.
internal/debug
Package debug provides HTTP debug endpoints and CLI client for the proxy server.
internal/flock
Package flock provides best-effort advisory file locking using flock(2).
internal/geolocation
Package geolocation provides IP-to-country lookups using MaxMind GeoLite2 databases.
internal/grpc
Package grpc provides gRPC utilities for the proxy client.
internal/health
Package health provides health probes for the proxy server.
internal/k8s
Package k8s provides a lightweight Kubernetes API client for coordination Leases.
internal/restrict
Package restrict provides connection-level access control based on IP CIDR ranges and geolocation (country codes).
internal/types
Package types defines common types used across the proxy package.
web
Package main
cmd
testec2 command
shared
management/http/api
Package api provides primitives to interact with the openapi HTTP API.
netiputil
Package netiputil provides compact binary encoding for IP prefixes used in the management proto wire format.
relay/auth
Package auth manages the authentication process with the relay server.
relay/client
Package client contains the implementation of the Relay client.
relay/messages
Package messages provides the message types that are used to communicate between the relay and the client.
relay/messages/address
Deprecated: This package is deprecated and will be removed in a future release.
relay/messages/auth
Deprecated: This package is deprecated and will be removed in a future release.
relay/tls
Package tls provides utilities for configuring and managing Transport Layer Security (TLS) in server and client environments, with a focus on QUIC protocol support and testing configurations.
example command
cmd
Package stun provides an embedded STUN server for NAT traversal discovery.
tools
idp-migrate command
Package main provides a standalone CLI tool to migrate user IDs from an external IdP format to the embedded Dex IdP format used by NetBird >= v0.62.0.
capture
Package capture provides userspace packet capture in pcap format.
netrelay
Package netrelay provides a bidirectional byte-copy helper for TCP-like connections with correct half-close propagation.
