Open-source zero-trust WireGuard mesh VPN with SSO, device posture checks, and full self-hosting support
NetBird is a Berlin-based open-source zero-trust networking platform that builds WireGuard-based encrypted mesh networks between devices without requiring open ports, firewall rules, or VPN gateways. Founded in 2022, it combines WireGuard's performance with enterprise controls like SSO, MFA, device posture checks, and granular access policies. The entire control plane is open-source and self-hostable; a managed cloud service starts free for up to 5 users.
Headquarters: Berlin, Germany
Founded: 2022
EU Data Hosting: Yes
Employees: 11-50
Open Source: Yes
Pricing: Free / $6/mo / $12/mo / Contact Sales (14-day free trial available; billing monthly or annual)
A distributed engineering team has twelve developers across four countries. Three work from home networks, two connect from co-working spaces, and seven access production infrastructure from office locations with different IP ranges. The legacy OpenVPN setup requires a certificate for each new device, a static server IP that becomes a single point of failure, open inbound ports that the security team objects to, and a week of onboarding friction every time a new contractor joins. The VPN gateway, running on a single VM in Frankfurt, saturates at 200Mbps when three developers run git clone simultaneously.
This is the problem NetBird was designed to solve. Founded in Berlin in 2022 by Misha Bragin and Maycon Santos, engineers with backgrounds in network security and open-source infrastructure, NetBird builds WireGuard-based encrypted mesh networks that connect devices directly to each other without a central gateway, open inbound ports, or complex firewall rules. The management control plane (which handles peer discovery, access policy enforcement, and user authentication) is fully open-source under the BSD-3-Clause licence and can be self-hosted. A managed cloud service with a free tier for up to 5 users makes the zero-to-running time under 15 minutes for small teams.
NetBird raised €1.1M in May 2023, followed by €4M in December 2024 from Nauta Capital and InReach Ventures, and has been compared frequently to Tailscale — the closest commercial equivalent — but with a decisive difference: every component of NetBird's control plane can run on the customer's own infrastructure.
WireGuard is the protocol. It uses modern cryptography (the Noise Protocol Framework with Curve25519, ChaCha20-Poly1305 and BLAKE2s), typically delivers higher throughput and lower latency than OpenVPN or IPsec implementations, and its core is a few thousand lines of code, small enough for a competent security engineer to audit in full. The problem with raw WireGuard is that every peer needs a [Peer] section (public key, endpoint, AllowedIPs) for every other peer it talks to, so a full mesh of n nodes means n(n-1) hand-maintained entries, an operational burden that scales badly beyond ten nodes.
NetBird removes that burden. Peers register with the NetBird management server, exchange public keys automatically, and establish direct peer-to-peer tunnels through NAT and firewalls using ICE-style traversal (STUN to discover reachable addresses, a TURN relay as fallback). The result is a mesh in which each peer talks directly to every other peer it has policy access to. No traffic passes through a central server unless NAT traversal genuinely fails; in that case the relay forwards the already-encrypted WireGuard packets and never holds the session keys, so it can see which peers are talking but not what they say.
For an engineer in London connecting to a staging server in Bangalore, the WireGuard tunnel is direct, encrypted, and runs at close to the speed of the underlying network path.
NetBird is not a hub-and-spoke VPN. It implements access policies that determine which peers can reach which resources, based on user identity, group membership, device posture, and network routes — not based on "is the user connected to the VPN".
SSO integration supports identity providers such as Okta, Microsoft Entra ID (formerly Azure Active Directory), JumpCloud, and Google Workspace. When a user authenticates, their group memberships sync from the identity provider to NetBird, and access policy rules are written against those groups: a developer group gets staging and development infrastructure; a finance group gets only the ERP server. Policies are enforced at the network layer on the peers themselves, not in the applications behind them, and a peer with no policy path to a resource never receives a tunnel to it.
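The two passages above, the per-pair WireGuard configuration burden and the group-based policy that prunes it, can be made concrete in code. The following is an added example, not NetBird's own code: it models the full-mesh configuration a team would otherwise maintain by hand, then applies group-to-group policies of the kind a management plane derives from IdP groups. Peer names, overlay addresses, endpoints, groups and the hashed stand-in for Curve25519 keys are all constructed for illustration.

```python
"""Added example (not NetBird's code): sizes the per-peer WireGuard
configuration a full mesh needs, then prunes it with identity-group
policies of the kind the text describes. Peer names, overlay IPs,
endpoints, groups and keys are all constructed for illustration."""
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    name: str
    mesh_ip: str        # overlay address, e.g. 100.64.0.1
    endpoint: str       # "" if the peer is behind NAT with no reachable port
    groups: frozenset

    @property
    def pubkey(self) -> str:
        # Deterministic stand-in for a Curve25519 public key (assumption:
        # real deployments use `wg genkey | wg pubkey`, not a hash).
        return base64.b64encode(hashlib.sha256(self.name.encode()).digest()).decode()


@dataclass(frozen=True)
class Policy:
    src_group: str      # who may initiate
    dst_group: str      # what they may reach
    bidirectional: bool = False


def manual_mesh_entries(peers) -> int:
    """Raw WireGuard: every peer needs a [Peer] section for every other peer,
    i.e. n(n-1) entries that must be kept in sync by hand."""
    n = len(peers)
    return n * (n - 1)


def allowed(src: Peer, dst: Peer, policies) -> bool:
    """Directional check: may src open a connection to dst?"""
    for p in policies:
        if p.src_group in src.groups and p.dst_group in dst.groups:
            return True
        if p.bidirectional and p.src_group in dst.groups and p.dst_group in src.groups:
            return True
    return False


def connected(a: Peer, b: Peer, policies) -> bool:
    """A WireGuard tunnel is symmetric: both ends need each other's key if
    traffic is allowed in either direction. Direction is then enforced by
    host firewall rules on the peer, not by omitting the [Peer] block."""
    return allowed(a, b, policies) or allowed(b, a, policies)


def policy_entries(peers, policies) -> int:
    """Number of [Peer] sections across all peers once unrelated pairs are pruned."""
    return sum(1 for a in peers for b in peers if a is not b and connected(a, b, policies))


def render_config(peer: Peer, peers, policies) -> str:
    """wg-quick style config for one peer containing only policy-relevant peers."""
    lines = ["[Interface]", f"Address = {peer.mesh_ip}/32",
             f"PrivateKey = <{peer.name} private key>", ""]
    for other in peers:
        if other is peer or not connected(peer, other, policies):
            continue
        lines += ["[Peer]", f"# {other.name}", f"PublicKey = {other.pubkey}",
                  f"AllowedIPs = {other.mesh_ip}/32"]
        if other.endpoint:
            lines.append(f"Endpoint = {other.endpoint}")
        lines.append("")
    return "\n".join(lines)


# Constructed inventory: three people, two staging hosts, one ERP server.
PEERS = [
    Peer("alice", "100.64.0.1", "", frozenset({"dev"})),
    Peer("bob", "100.64.0.2", "", frozenset({"dev"})),
    Peer("carol", "100.64.0.3", "", frozenset({"finance"})),
    Peer("staging-1", "100.64.0.10", "198.51.100.10:51820", frozenset({"staging"})),
    Peer("staging-2", "100.64.0.11", "198.51.100.11:51820", frozenset({"staging"})),
    Peer("erp-1", "100.64.0.20", "198.51.100.20:51820", frozenset({"erp"})),
]
POLICIES = [Policy("dev", "staging"), Policy("finance", "erp")]

if __name__ == "__main__":
    print(f"hand-maintained full mesh: {manual_mesh_entries(PEERS)} [Peer] entries")
    print(f"policy-pruned mesh:        {policy_entries(PEERS, POLICIES)} [Peer] entries")
    print(render_config(PEERS[0], PEERS, POLICIES))
```

With six peers the hand-maintained mesh is 30 [Peer] entries and the policy-pruned one is 10; at the twelve developers plus servers of the opening scenario the gap widens quadratically, which is the operational point of letting a management plane generate and distribute these sections. Note that `allowed` is directional while `connected` is symmetric: the tunnel has to exist in both directions for any traffic to flow, so the "finance may reach ERP but not the reverse" rule is enforced on the peer's host firewall, not by leaving the key out.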
MFA enforcement is inherited from the connected identity provider. Peer approval, when enabled, requires an administrator to explicitly approve each new device before it can join the network. Combined, these controls satisfy the core requirements of a zero-trust network access (ZTNA) architecture without a commercial ZTNA product from a US vendor.
The Business plan adds device posture checks: rules that block network access from devices failing specific criteria. Rules can require a minimum OS version or NetBird client version, restrict access by geolocation or source network range, require a named process (such as an EDR agent) to be running, and, through the plan's MDM and EDR integrations, deny devices that are not enrolled in those inventories. An engineer whose laptop is still on an OS release below the configured minimum is blocked from production infrastructure until they update.
These checks run at connection time. A device that passes at 9am and has its EDR agent stopped at 11am fails the next connection check and loses access to the protected resources. For security teams implementing least privilege at the device level, posture checks add a layer of control that traditional VPNs cannot provide.
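The following is an added example, not NetBird's code, of how a posture-check evaluator of the kind described above behaves, including the re-evaluation case where a device drifts out of compliance between two connections. The check types modelled (minimum OS and client version, allowed source ranges, a required process) follow the text; the device records, thresholds, process name `edr-agent` and all field names are this example's own assumptions. It also shows the version-comparison pitfall that bites naive implementations: comparing "10.9" and "10.15" as strings orders them the wrong way round.

```python
"""Added example (not NetBird's code): a posture-check evaluator modelled on
the check types discussed above (minimum OS and client version, allowed
source network ranges, a required running process). Device records and
thresholds are constructed; field names are this example's own."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def version_tuple(v: str) -> tuple:
    """Compare versions numerically. Plain string comparison gets this wrong:
    "10.9" > "10.15" as strings, but 10.9 is the older release."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Device:
    user: str
    os: str                 # "macos", "linux", "windows"
    os_version: str
    client_version: str
    src_ip: str
    processes: set = field(default_factory=set)


@dataclass
class PostureCheck:
    min_os: Dict[str, str]              # per-OS minimum version
    min_client: str
    allowed_ranges: List[str]           # CIDRs the peer may connect from
    required_process: Optional[str]     # e.g. the EDR agent binary name


def evaluate(device: Device, check: PostureCheck) -> List[str]:
    """Return the list of failed checks; an empty list means the device passes."""
    failures = []
    min_os = check.min_os.get(device.os)
    if min_os is None:
        failures.append(f"unsupported OS {device.os}")
    elif version_tuple(device.os_version) < version_tuple(min_os):
        failures.append(f"{device.os} {device.os_version} below minimum {min_os}")
    if version_tuple(device.client_version) < version_tuple(check.min_client):
        failures.append(f"client {device.client_version} below minimum {check.min_client}")
    ip = ipaddress.ip_address(device.src_ip)
    if not any(ip in ipaddress.ip_network(r) for r in check.allowed_ranges):
        failures.append(f"source {device.src_ip} outside allowed ranges")
    if check.required_process and check.required_process not in device.processes:
        failures.append(f"required process {check.required_process} not running")
    return failures


# Constructed policy: recent macOS/Linux only, recent client, office ranges
# only, and the (hypothetical) EDR agent must be running.
PRODUCTION_CHECK = PostureCheck(
    min_os={"macos": "14.2", "linux": "6.1"},
    min_client="0.60.0",
    allowed_ranges=["203.0.113.0/24", "198.51.100.0/24"],
    required_process="edr-agent",
)

LAPTOP = Device("alice", "macos", "14.4.1", "0.65.0", "203.0.113.25", {"edr-agent", "sshd"})
STALE = Device("bob", "macos", "13.6", "0.58.2", "192.0.2.7", set())


def drift_demo() -> Tuple[List[str], List[str]]:
    """The text's 9am/11am case: the device passes at first, the EDR agent is
    stopped, and the next evaluation fails. Returns (before, after)."""
    before = evaluate(LAPTOP, PRODUCTION_CHECK)
    later = Device(LAPTOP.user, LAPTOP.os, LAPTOP.os_version, LAPTOP.client_version,
                   LAPTOP.src_ip, LAPTOP.processes - {"edr-agent"})
    return before, evaluate(later, PRODUCTION_CHECK)


if __name__ == "__main__":
    print("laptop:", evaluate(LAPTOP, PRODUCTION_CHECK) or "pass")
    print("stale: ", evaluate(STALE, PRODUCTION_CHECK))
    print("drift: ", drift_demo())
```

Returning the full list of failures rather than a single boolean matters operationally: the user who is blocked needs to be told which check failed so they can fix it, and the security team needs the same detail in the access log.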
Since version 0.65 (February 2026), NetBird ships a unified server binary that combines the management server, signal server, and TURN relay into a single Docker container; earlier versions required three separate containers. The quickstart guide takes an existing Docker host to a running NetBird control plane in under 20 minutes.
Self-hosting is not a stripped-down version. All features available in the cloud plan (peer management, access policies, SSO integration, DNS management, network routes) are available in the self-hosted version. There are no user caps, no feature gates, and no licence fees. The differences are that control plane metadata (peer registrations, policy rules, connection logs) stays entirely on the customer's server rather than passing through NetBird's cloud infrastructure, and that the customer now operates that server: patching the management and relay services, backing up the management database, and keeping the IdP integration working become their responsibility.
For organisations with on-premise mandates, air-gapped environments, or data sovereignty requirements that extend to infrastructure metadata, self-hosting provides a complete answer.
The Business plan adds event streaming to external SIEM tools. Connection events — who connected, from which device, to which network resource, at what time — can be forwarded to Splunk, Datadog, or any webhook endpoint for security monitoring and audit trails. For teams subject to SOC 2, ISO 27001, or NIS2 compliance requirements, this provides the access log evidence that auditors typically request.
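Forwarding access events to a SIEM only pays off if someone writes detections over them. The following is an added example, not NetBird's code and not NetBird's webhook schema: it runs two simple detections over a constructed JSON-lines event stream with field names (`ts`, `type`, `user`, `device`, `target`) chosen for this example. Map your real event fields onto these before reusing it.

```python
"""Added example (not NetBird's code): two detections run over streamed
access events of the kind the text describes. The event lines and their
field names are constructed for this example; they are not NetBird's
webhook schema. Map your real field names before reusing this."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed event stream (JSON lines), as a SIEM would receive it.
EVENT_LINES = [
    '{"ts":"2025-03-03T08:55:00Z","type":"peer.login","user":"alice","device":"alice-macbook"}',
    '{"ts":"2025-03-03T09:00:00Z","type":"peer.login","user":"bob","device":"bob-laptop"}',
    '{"ts":"2025-03-03T09:01:00Z","type":"access.denied","user":"bob","device":"bob-laptop","target":"db-prod"}',
    '{"ts":"2025-03-03T09:04:00Z","type":"access.denied","user":"bob","device":"bob-laptop","target":"db-prod"}',
    '{"ts":"2025-03-03T09:08:00Z","type":"access.denied","user":"bob","device":"bob-laptop","target":"db-prod"}',
    '{"ts":"2025-03-03T09:30:00Z","type":"peer.login","user":"alice","device":"unknown-host"}',
    '{"ts":"2025-03-03T09:45:00Z","type":"access.allowed","user":"alice","device":"alice-macbook","target":"staging-1"}',
]


def parse_events(lines) -> list:
    """Parse JSON lines and sort by timestamp; SIEM delivery is not always ordered."""
    events = []
    for line in lines:
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, deny_threshold: int = 3,
           window: timedelta = timedelta(minutes=10)) -> List[Tuple]:
    """Two detections:
    - new_device: a known user logs in from a device never seen for them
      (a useful signal where peer approval is off or a key was copied);
    - deny_burst: one device hits deny_threshold denied connections to the
      same target inside `window`, which looks like probing or a broken job."""
    alerts = []
    devices_seen = defaultdict(set)
    denies = defaultdict(deque)       # (device, target) -> recent deny timestamps
    for e in events:
        if e["type"] == "peer.login":
            known = devices_seen[e["user"]]
            if known and e["device"] not in known:
                alerts.append(("new_device", e["user"], e["device"]))
            known.add(e["device"])
        elif e["type"] == "access.denied":
            q = denies[(e["device"], e["target"])]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:
                q.popleft()
            if len(q) == deny_threshold:    # fire once, when the threshold is reached
                alerts.append(("deny_burst", e["device"], e["target"]))
    return alerts


def run() -> List[Tuple]:
    return detect(parse_events(EVENT_LINES))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The first login of a user is treated as baseline rather than alert, which is the right default for a fresh SIEM feed but means the baseline should be seeded from the existing peer list when the integration is switched on; otherwise an attacker's device that was already enrolled becomes "known" for free.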
NetBird's pricing is clear and published without a sales conversation.
The Free cloud plan supports 5 users and 100 machines indefinitely. For a small startup team connecting four engineers and their staging servers, the free plan covers the full use case. No credit card required.
The Team plan at $6/user/month adds unlimited users, SSO and MFA enforcement, IdP user and group sync, access and connection logging, and custom SSO login. This is the appropriate tier for a team that has outgrown the 5-user limit or needs identity provider integration. At $6/user/month for 20 users, the monthly cost is $120 — less than the monthly cost of a single Zscaler Private Access seat at comparable feature depth.
The Business plan at $12/user/month adds device posture checks, MDM and EDR integrations, activity event streaming, and service accounts for CI/CD pipelines. The service accounts feature solves a specific pain point: automated build systems and deployment pipelines need network access to internal infrastructure, but they should not be authenticated as human users. Service accounts give CI/CD systems dedicated credentials with scoped network access.
The Enterprise plan covers self-hosted deployment support, custom SLAs, custom invoicing, and professional services. Pricing is negotiated directly.
Self-hosting is free at any scale. The pricing tiers apply only to the managed cloud service.
A 14-day trial of Business features is available on the cloud plan.
NetBird's cloud managed service runs on infrastructure in Germany. The company is registered as NetBird GmbH in Berlin, fully subject to GDPR. Control plane metadata — peer registrations, access policy configurations, connection logs — is processed in Germany.
Critically, NetBird does not inspect or log traffic content. WireGuard tunnels are end-to-end encrypted between peers with private keys that are generated on the peer and never leave it; the control plane holds public keys, peer addresses and policies, and a relay, when one is needed, forwards ciphertext only. This is architecturally different from traditional VPN services where all traffic terminates on a provider's servers. NetBird's control plane sees connection metadata (which peer authenticated when, from which address, and which peers it may reach), not payload content.
The self-hosted deployment sends zero data through NetBird infrastructure. Control plane operations — peer discovery, key exchange, policy enforcement — run on the customer's servers. For organisations where even metadata residency in a vendor's cloud creates compliance complications, self-hosting is the appropriate path.
The open-source codebase (BSD-3-Clause licence) enables third-party security audits. Any organisation that requires vendor code review as part of procurement can inspect every component. The unified server binary introduced in v0.65 does little to change what needs reviewing, since the management, signal and relay services all live in NetBird's own repository; what it simplifies is the deployment surface: one container, one set of ports, one upgrade path.
Engineering teams with distributed infrastructure across cloud providers, data centres, and remote developer machines will benefit most. NetBird replaces legacy VPN gateways with a peer-to-peer mesh that does not degrade as team size grows.
Security-conscious SMEs implementing zero-trust principles without an enterprise security budget will find the Team and Business plans deliver meaningful ZTNA controls at $6-12/user/month, compared to dedicated ZTNA vendor pricing that typically starts at $10-25/user/month with annual contract minimums.
Open-source infrastructure teams with on-premise or sovereignty requirements can run the complete NetBird stack internally. The self-hosted version has no feature restrictions and no user limits.
European organisations subject to NIS2 or ISO 27001 can use NetBird's German hosting, access logs, device posture checks, and IdP integration to satisfy specific control requirements around privileged access management and access monitoring.
NetBird is not suitable for consumer VPN use cases: streaming geo-unblocking, public Wi-Fi protection via a single exit node, or consumer privacy browsing. The product is designed for infrastructure access, not consumer internet privacy.
NetBird solves the same problem as Tailscale — make WireGuard mesh networking accessible without manual configuration — but solves it with an open-source control plane that can run entirely on customer infrastructure. For teams that need the Tailscale experience without the Tailscale vendor dependency, NetBird is the correct choice.
The free tier is genuinely useful. The self-hosting path is genuinely straightforward as of v0.65. The pricing at $6-12/user/month undercuts most enterprise alternatives at equivalent feature depth. The Berlin headquarters and German infrastructure hosting provide a clean GDPR data residency story.
The tradeoffs are limited: Windows and iOS clients are less mature than macOS and Linux, and the integration ecosystem is narrower than established enterprise networking vendors. For infrastructure teams comfortable with Docker and DNS, neither limitation is material.
How is NetBird different from a traditional VPN like NordVPN? NordVPN routes all traffic through central servers to mask IP addresses and unblock geo-restricted content — it is a consumer privacy product. NetBird creates an encrypted mesh between your own devices and servers; traffic flows directly between peers using WireGuard without a central gateway. NetBird is designed for infrastructure access control, not consumer privacy or streaming.
Is NetBird GDPR compliant? Yes. The cloud managed service runs on infrastructure in Germany. NetBird does not inspect or log traffic content — only connection metadata is processed. The self-hosted version processes zero data through NetBird infrastructure. The BSD-licensed codebase is fully auditable.
Can I self-host NetBird for free? Yes. The complete stack — management server, signal server, and TURN relay — is open-source and free to self-host. Since v0.65 (February 2026), all three components ship as a single unified Docker binary. Self-hosting is unlimited: no user caps, no feature restrictions, no licence fees.
How does NetBird compare to Tailscale? Both use WireGuard as the underlying protocol. Tailscale's clients are open source, but its coordination server is proprietary, so you cannot fully self-host the official control plane. NetBird is open-source end to end, fully self-hostable, and priced identically at $6/user/month for the cloud Team plan. For organisations with data sovereignty requirements, NetBird's self-hosting option is the decisive difference.
Does NetBird work without open firewall ports or a static IP? Yes. NetBird uses ICE-style NAT traversal (STUN to discover reachable addresses, a TURN relay as fallback) to establish peer-to-peer connections through firewalls and NAT devices. Most connections become direct WireGuard tunnels; the relay handles the cases where direct traversal is impossible and forwards only encrypted packets. No open inbound ports are required on peer devices.