NetBird - FOSS noconf Mesh VPN using Wireguard, alternative to ZeroTier, Tailscale, OmniEdge, Netmaker etc

marcusquinn

• https://netbird.io/
• https://github.com/netbirdio/netbird (README.md is worth a read)
• https://github.com/netbirdio/dashboard
• https://netbird.io/docs/getting-started/self-hosting (Docker Compose)
• https://netbird.io/docs
• https://twitter.com/netbird
• https://alternativeto.net/software/netbird/about/
• https://alternativeto.net/software/netbird/
• https://forum.cloudron.io/topic/7560/omniedge-decentralised-noconf-mesh-vpn-using-wireguard-alternative-to-zerotier-tailscale-etc
• https://forum.cloudron.io/topic/7563/tailscale-decentralised-noconf-mesh-vpn-using-wireguard-alternative-to-zerotier-etc
• https://forum.cloudron.io/topic/7567/firezone-foss-noconf-mesh-vpn-using-wireguard-alternative-to-zerotier-tailscale-omniedge-netmaker-etc
• https://forum.cloudron.io/topic/7565/netmaker-foss-noconf-mesh-vpn-using-wireguard-alternative-to-zerotier-tailscale-omniedge-etc

Zero configuration VPNfor fast-moving teams

Quickly connect your computers, servers, cloud instances, and IoT devices into a secure private network. No configuration required.

Works with Keycloak, which @nj already packages for Cloudron.

• Public Roadmap
• NetBird on OpenWRT

privsec

@marcusquinn WHOA! This looks the best of all of them so far!

marcusquinn

@privsec Yeah, they all look so good, and actually, you can have them all running at the same time I think.

Added the link above, but a good place to get a better idea of how anything will be to live with is how good the Docs are: https://netbird.io/docs

privsec

@marcusquinn Wow, I like their docs and everything. I think Ill give this a go

braginini

NetBird author is here.

Thanks, @marcusquinn, for posting about NetBird!

Thank you, @privsec, for the kind feedback.

I see that there is quite an interest. Feel free to ask me any questions

robi

@braginini Would you be open to helping package this for Cloudron?

DanTheMan

This post is deleted!

marcusquinn

Works with Keycloak too: https://netbird.io/docs/integrations/identity-providers/self-hosted/using-netbird-with-keycloak

marcusquinn

Revisited all of these alternatives.

Netbird is the clear winner for me. Has my recommendation!

marcusquinn

1st draft packaging this, if anyone that know's more wants to test:

• https://github.com/marcusquinn/cloudron-netbird-app

marcusquinn

Update on the Cloudron NetBird package
The packaging scaffold at https://github.com/marcusquinn/cloudron-netbird-app is fairly complete -- it uses the combined netbird-server binary behind an internal nginx that consolidates all the path-based routing (gRPC, WebSocket, REST API, dashboard) onto a single HTTP port for Cloudron's reverse proxy.
What works (in theory -- needs real-world testing):

• Management API, Signal, Relay, STUN, and Dashboard all in one container
• Cloudron SSO via the OIDC addon
• Cloudron's built-in TURN server for NAT traversal relay
• PostgreSQL via Cloudron addon
• Backup/restore of all persistent state
  The one feature that can't work on Cloudron: NetBird's Reverse Proxy (v0.65+)
  This is NetBird's newer feature that exposes internal services on mesh peers to the public internet with automatic TLS. It requires Traefik with TLS passthrough -- the NetBird proxy container needs to terminate TLS itself. Cloudron's nginx terminates TLS before traffic reaches the app, so there's no way to pass through the raw TLS connection that NetBird's proxy needs.
  I looked at whether alpine/socat (TCP socket forwarder) could bridge this gap, but it can't -- the problem is Layer 7 (HTTP path routing, gRPC protocol handling, TLS termination order), not Layer 4 (TCP forwarding). socat only does port-to-port TCP forwarding and has no understanding of HTTP paths, gRPC, or WebSocket upgrade headers.
  This doesn't affect the core VPN functionality at all -- peer-to-peer WireGuard tunnels, NAT traversal, access control, DNS, network routes, and the management dashboard all work fine without it. The reverse proxy is an optional add-on for publicly exposing internal services.

What's needed next:

1. Testing on a real Cloudron instance (I haven't done this yet -- the packaging is based on docs and the combined container architecture)
2. Verifying the internal nginx correctly handles the gRPC h2c proxying that Signal and Management need
3. End-to-end OIDC flow testing with Cloudron SSO
4. TURN relay testing for peers behind strict NAT
   If anyone wants to help test, the repo has a full testing checklist in the README. Would be great to get this into the Cloudron App Store.

feedback welcome!

timconsidine

Great work @marcusquinn

Will try to test it out, been wanting NetBird, currently running it on a separate VPS

I ran into similar issues about routing of traffic when I was packaging Agate+. But I don’t recall the solution (and may not be a solution) - will try to check it out.

marcusquinn

Related: https://forum.cloudron.io/topic/15109/tls-passthrough-option-for-apps-requiring-end-to-end-tls

timconsidine

Testing on a real Cloudron instance (I haven't done this yet -- the packaging is based on docs and the combined container architecture)

I don't know how this is possible - I always need to do multiple builds to get a working package.

I started building from @marcusquinn repo.
I needed to make some changes. Currently app builds and installs but have hit a circular dependency ("Catch-22") regarding authentication.

The Goal: Configure NetBird to use Cloudron's OIDC service as its Identity Provider.

The Problem:

1. Configuration requires Login: To add Cloudron OIDC as an IdP, I need to log in to the NetBird dashboard (or use the API, which requires a token).
2. Initial Login requires Embedded Dex: Since Cloudron OIDC isn't configured yet, I must use the embedded Dex IdP for the first login.
3. Embedded Dex Fails: The embedded IdP is configured strictly according to the "combined server" docs (v0.36+). The dashboard loads, redirects to the embedded auth flow, but fails at the final step:
   • POST /oauth2/token returns 401 Unauthorized .
   • Browser console shows: storage[oidc.login.default] is empty and Token request failed .
   • Logs show no specific server-side error, just the 401.

The Catch-22: I cannot log in (via embedded Dex) to configure the external IdP (Cloudron OIDC). I cannot configure the external IdP via files/env vars to bypass the broken embedded login.

I will try a hack to get past this.

timconsidine

Starting again, fresh start.
Will update.

timconsidine

Parking this for now - can't get past auth errors, even stripping out any OIDC and just using the embedded Dex user management.
Will resume at some point because Netbird is very cool, works well for me via separately-hosted docker compose, and would be good to have on Cloudron.
But other priorities push Netbird down the list.

marcusquinn

@timconsidine thanks for testing. Refactored so OICD is an optional extra, plus other changes to the whole approach. README should explain.

timconsidine

@marcusquinn I tried similar approach - simplify to just Netbird and embedded Dex. But that wasn't enough.
Will try again shortly with fresh brain.