NetBird - FOSS noconf Mesh VPN using Wireguard, alternative to ZeroTier, Tailscale, OmniEdge, Netmaker etc
-
- https://netbird.io/
- https://github.com/netbirdio/netbird (README.md is worth a read)
- https://github.com/netbirdio/dashboard
- https://netbird.io/docs/getting-started/self-hosting (Docker Compose)
- https://netbird.io/docs
- https://twitter.com/netbird
- https://alternativeto.net/software/netbird/about/
- https://alternativeto.net/software/netbird/
- https://forum.cloudron.io/topic/7560/omniedge-decentralised-noconf-mesh-vpn-using-wireguard-alternative-to-zerotier-tailscale-etc
- https://forum.cloudron.io/topic/7563/tailscale-decentralised-noconf-mesh-vpn-using-wireguard-alternative-to-zerotier-etc
- https://forum.cloudron.io/topic/7567/firezone-foss-noconf-mesh-vpn-using-wireguard-alternative-to-zerotier-tailscale-omniedge-netmaker-etc
- https://forum.cloudron.io/topic/7565/netmaker-foss-noconf-mesh-vpn-using-wireguard-alternative-to-zerotier-tailscale-omniedge-etc
Zero configuration VPN for fast-moving teams
Quickly connect your computers, servers, cloud instances, and IoT devices into a secure private network. No configuration required.

Works with Keycloak, which @nj already packages for Cloudron.


@marcusquinn WHOA! This looks the best of all of them so far!
-
@privsec Yeah, they all look so good, and actually, you can have them all running at the same time I think.
Added the link above, but a good place to get a better idea of how anything will be to live with is how good the Docs are: https://netbird.io/docs
-
@marcusquinn Wow, I like their docs and everything. I think I'll give this a go
-
NetBird author is here.
Thanks, @marcusquinn, for posting about NetBird!
Thank you, @privsec, for the kind feedback.
I see that there is quite an interest. Feel free to ask me any questions

@braginini Would you be open to helping package this for Cloudron?
-
Works with Keycloak too: https://netbird.io/docs/integrations/identity-providers/self-hosted/using-netbird-with-keycloak
-
Revisited all of these alternatives.
Netbird is the clear winner for me. Has my recommendation!
-
1st draft packaging this, if anyone that knows more wants to test:
-
Update on the Cloudron NetBird package
The packaging scaffold at https://github.com/marcusquinn/cloudron-netbird-app is fairly complete -- it uses the combined netbird-server binary behind an internal nginx that consolidates all the path-based routing (gRPC, WebSocket, REST API, dashboard) onto a single HTTP port for Cloudron's reverse proxy.
What works (in theory -- needs real-world testing):
- Management API, Signal, Relay, STUN, and Dashboard all in one container
- Cloudron SSO via the OIDC addon
- Cloudron's built-in TURN server for NAT traversal relay
- PostgreSQL via Cloudron addon
- Backup/restore of all persistent state
The one feature that can't work on Cloudron: NetBird's Reverse Proxy (v0.65+)
This is NetBird's newer feature that exposes internal services on mesh peers to the public internet with automatic TLS. It requires Traefik with TLS passthrough -- the NetBird proxy container needs to terminate TLS itself. Cloudron's nginx terminates TLS before traffic reaches the app, so there's no way to pass through the raw TLS connection that NetBird's proxy needs.
I looked at whether alpine/socat (TCP socket forwarder) could bridge this gap, but it can't -- the problem is Layer 7 (HTTP path routing, gRPC protocol handling, TLS termination order), not Layer 4 (TCP forwarding). socat only does port-to-port TCP forwarding and has no understanding of HTTP paths, gRPC, or WebSocket upgrade headers.
This doesn't affect the core VPN functionality at all -- peer-to-peer WireGuard tunnels, NAT traversal, access control, DNS, network routes, and the management dashboard all work fine without it. The reverse proxy is an optional add-on for publicly exposing internal services.
What's needed next:
- Testing on a real Cloudron instance (I haven't done this yet -- the packaging is based on docs and the combined container architecture)
- Verifying the internal nginx correctly handles the gRPC h2c proxying that Signal and Management need
- End-to-end OIDC flow testing with Cloudron SSO
- TURN relay testing for peers behind strict NAT
If anyone wants to help test, the repo has a full testing checklist in the README. Would be great to get this into the Cloudron App Store.
Feedback welcome!
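The single-port, path-based routing described in the update above could look like the following nginx fragment. This is an added sketch, not the configuration from the cloudron-netbird-app repository; the ports, the dashboard path and the location prefixes are assumptions to check against the NetBird version being packaged.

```nginx
# Added sketch (goes inside the http {} context); not the repo's own config.
# Backend port, dashboard root and location prefixes are assumptions.
upstream netbird_server { server 127.0.0.1:8081; }   # assumed backend port

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    # Plaintext listener: the platform's reverse proxy has already
    # terminated TLS. "http2 on" (nginx >= 1.25.1) lets this one port
    # accept both HTTP/1.1 and cleartext HTTP/2 (h2c).
    listen 8080;
    http2 on;

    # gRPC services, forwarded to the backend as h2c.
    location /management.ManagementService/ {    # assumed service path
        grpc_pass grpc://netbird_server;
        grpc_read_timeout 1d;                    # long-lived streams
        grpc_send_timeout 1d;
    }
    location /signalexchange.SignalExchange/ {   # assumed service path
        grpc_pass grpc://netbird_server;
        grpc_read_timeout 1d;
        grpc_send_timeout 1d;
    }

    # WebSocket relay: needs HTTP/1.1 and the Upgrade headers passed on.
    location /relay {                            # assumed path
        proxy_pass http://netbird_server;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 1d;
    }

    # REST API.
    location /api {
        proxy_pass http://netbird_server;
        proxy_set_header Host $host;
    }

    # Dashboard static files (single-page app fallback).
    location / {
        root /app/code/dashboard;                # assumed path
        try_files $uri /index.html;
    }
}
```

Every routing decision here depends on the HTTP request path, the protocol version or the Upgrade header, none of which a plain TCP forwarder can see.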