NetBird: The Self-Hosted Mesh VPN I Wanted Tailscale to Be
I have been carrying a quiet grudge about Tailscale for two years. The product is excellent. The clients are polished. The “log in with Google and you have a mesh in 60 seconds” experience is genuinely magical. But the control plane — the part that decides which of your machines can talk to which other machines, and where the keys for that decision live — is closed source and hosted exclusively by Tailscale. You can run Headscale to reimplement it open-source, but you’re still bringing along Tailscale’s proprietary clients on most platforms.
For most people that’s fine. For a DevOps engineer who has been burned exactly once by a vendor disappearing under their data, it isn’t. Which is why I run NetBird, and have been recommending it to anyone who’ll listen for the better part of a year.
What NetBird actually is
NetBird is a WireGuard-based overlay network — same fundamental shape as Tailscale. You install an agent on each device, the agent registers with a coordination server, the server hands out WireGuard keys and configures peer relationships, and your machines end up able to reach each other over an encrypted tunnel as if they were on the same LAN.
The architecture in one diagram-shaped paragraph: every device runs the NetBird agent, which talks WireGuard in kernel space (no userspace overhead — they measure ~10 Gbps on commodity hardware). Connections are negotiated peer-to-peer via WebRTC ICE, using STUN to discover NAT-pierceable paths and falling back to TURN when symmetric NAT makes that impossible. A central management server holds policy and identity; a signal server brokers the initial WireGuard handshake; a relay does the TURN duty. All five components — agent, management, signal, relay, dashboard — live on GitHub under a BSD-3 license. No “open core” trick, no crippled self-hosted version.
Why I keep recommending it
Four things, in roughly the order they matter to me:
1. It’s open source end-to-end. Not just the clients, not just the control plane — every component, every platform. The iOS app, the Android app, the dashboard, the relay binary, the agent. I can read the code that’s brokering my keys. I can fork it if NetBird the company disappears tomorrow. With Tailscale + Headscale you can get most of the way there, but the polish on iOS/macOS still comes from a proprietary client.
2. The self-hosting story actually works. I’ll detail it below, but the headline is: one script, Traefik with automatic TLS, an embedded Dex server for built-in local user management, and you’re running a production-grade mesh VPN control plane in about ten minutes. No helm charts to debug. No ten-step OIDC dance to make SSO work.
3. Real zero-trust policies, not just ACLs. You define groups for source (users, teams, service accounts) and groups for resource (servers, apps, networks). Rules are deny-by-default and evaluated in real time. Posture checks run on the client and can gate access on OS version, geolocation (free MaxMind DB), device identity. “Only DevOps team, only from machines running posture v2+, only between 09:00 and 19:00 BRT, only to production tag.” That’s a one-rule policy in the dashboard.
4. It’s based in the EU. For client work that has to keep data out of US jurisdiction, this matters more in 2026 than it did three years ago. Self-host the management server in your own region and you’re done arguing with legal.
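A worked model of the one-rule policy quoted in point 3, added here as an illustration and not NetBird’s own policy engine: source and destination group matching, a posture-version floor and a BRT time window, all evaluated deny-by-default so that anything no rule explicitly allows is refused. The peer and rule fields are constructed for the example, and BRT is modelled as a fixed UTC-3 offset.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional, Tuple

# Assumption: BRT as a fixed UTC-3 offset (Brazil has not observed DST since 2019).
BRT = timezone(timedelta(hours=-3), "BRT")


@dataclass(frozen=True)
class Peer:
    name: str
    groups: FrozenSet[str]      # constructed: "devops" for users, "production" for servers
    posture_version: int = 0    # constructed attribute standing in for "posture v2+"


@dataclass(frozen=True)
class Rule:
    source_groups: FrozenSet[str]
    dest_groups: FrozenSet[str]
    min_posture: int = 0
    window: Optional[Tuple[int, int]] = None  # (start_hour, end_hour) in BRT, half-open


def in_window(rule: Rule, now: datetime) -> bool:
    """True when the (timezone-aware) instant falls inside the rule's BRT window."""
    if rule.window is None:
        return True
    start, end = rule.window
    return start <= now.astimezone(BRT).hour < end


def decide(policy: List[Rule], src: Peer, dst: Peer, now: datetime) -> str:
    """Deny-by-default: return 'allow' on the first fully matching rule, else 'deny:<reason>'."""
    reason = "no rule covers these groups"
    for rule in policy:
        if not (rule.source_groups & src.groups and rule.dest_groups & dst.groups):
            continue
        if src.posture_version < rule.min_posture:
            reason = f"posture v{src.posture_version} < v{rule.min_posture}"
            continue
        if not in_window(rule, now):
            reason = "outside time window"
            continue
        return "allow"
    return f"deny:{reason}"


# Constructed policy: "only DevOps, only posture v2+, only 09:00-19:00 BRT, only to production".
POLICY = [Rule(frozenset({"devops"}), frozenset({"production"}), min_posture=2, window=(9, 19))]
LAPTOP = Peer("ana-laptop", frozenset({"devops"}), posture_version=2)
OLD_LAPTOP = Peer("old-laptop", frozenset({"devops"}), posture_version=1)
INTERN = Peer("intern-pc", frozenset({"interns"}), posture_version=2)
PROD_DB = Peer("prod-db", frozenset({"production"}))
STAGING = Peer("staging-web", frozenset({"staging"}))
```

The decision string is the kind of reason you would want to log for every denied connection, since a burst of "outside time window" denials from one peer is more useful to an on-call engineer than a bare drop.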
NetBird vs Tailscale vs Headscale, no-marketing edition
| Property | Tailscale | Headscale | NetBird |
|---|---|---|---|
| Control plane | Closed, SaaS-hosted by Tailscale | Open (Tailscale CP reimplementation) | Open, self-host or NetBird-hosted |
| Clients | Proprietary on most platforms | Tailscale’s (proprietary) clients | Fully open source, all platforms |
| License | Mixed (clients open, server closed) | BSD-3 (server only) | BSD-3 end-to-end |
| WireGuard mode | Userspace (wireguard-go) on most OSes | Userspace (uses Tailscale clients) | Kernel-space on Linux |
| SSO out of the box | Google/GitHub/Microsoft (their hosted) | Manual | Google, Entra ID, Okta, Authentik, Keycloak, JumpCloud (any OIDC) |
| Reverse-proxy / funnel | Tailscale Funnel (hosted) | DIY | Built-in since v0.65 (Feb 2026) |
| Posture checks | Enterprise tier only | Not built-in | Included, self-hosted |
| Post-quantum crypto | No | No | Rosenpass |
| Easiest to start | Tailscale | NetBird | NetBird |
| Cost at 50 devices | $5/user/mo or your time on Headscale | Time only (self-host) | $0 self-hosted, $3/user/mo SaaS |
The honest summary:
- If you want a mesh VPN to just work in 60 seconds and you don’t care who hosts your control plane, Tailscale is still the fastest path.
- If you specifically want to keep the Tailscale clients but self-host the coordination server, Headscale is the answer.
- If you want fully open source end-to-end and a self-host story that doesn’t take a weekend, NetBird wins.
Self-hosting it, concretely
This is the part that keeps me loyal. The quickstart is genuinely one script:
curl -fsSL https://github.com/netbirdio/netbird/raw/main/infrastructure_files/getting-started-with-zitadel.sh | bash
That stands up:
- Management (management Go service, port 33073/443)
- Signal (signal Go service, port 10000)
- Relay (TURN, port 33080)
- Dashboard (Next.js, behind Traefik)
- Zitadel (an embedded IdP if you don’t want to plug in your own) or, more recently, a built-in local user store via embedded Dex
- Traefik with automatic Let’s Encrypt TLS
What I run in production: that same stack, but with the embedded IdP replaced by Authentik (which I was already running for the rest of the homelab — same SSO pool covers Jellyfin, Gitea, the Hugo admin endpoints I don’t want exposed). The integration is a ten-minute job, well documented, and once it’s wired up users get a “Sign in with Authentik” button on the NetBird dashboard.
The whole thing runs comfortably on a small VPS. I have mine on a €4 Hetzner CX22 that survives the recent price hikes and still has CPU headroom for the relay. The same kind of box you’d hesitate to put a Kubernetes cluster on handles a 30-device mesh comfortably.
What’s new in 2026
NetBird has been on a quiet tear:
- v0.65 (Feb 2026) — built-in reverse proxy. The functional parallel to Tailscale Funnel: expose an internal service to the public internet without poking holes in your firewall or fighting with Cloudflare Tunnel. Routes through the NetBird relay, terminates TLS, hits your service over WireGuard. Eliminates a whole category of “I just need to share one staging URL with a client” workarounds.
- Rosenpass integration — post-quantum key exchange layered on top of WireGuard. If you’re paranoid about future quantum decryption of today’s captured traffic, NetBird is the first mainstream mesh VPN to ship this option.
- Posture checks in the self-hosted edition. Geolocation, OS-version, process-presence checks — all in the OSS build, not paywalled. Tailscale gates equivalent features behind their Business tier.
- Networks (formerly Routes) rework. Cleaner UI for advertising a whole subnet through one peer — the “expose my home LAN to my laptop” use case is no longer a wall of YAML.
Where it falls short
I owe you the honest version:
- The clients are not yet as polished as Tailscale’s. macOS in particular still has occasional menu-bar quirks. iOS is much better than it was a year ago but Tailscale’s app is still nicer to look at.
- The “magic DNS” story is less complete. NetBird does have internal DNS, but Tailscale’s MagicDNS integration with their hosted control plane is, to be fair, the smoothest experience in the category.
- First-time setup is more involved than Tailscale’s. Yes, even with the one-liner script. You need to point a DNS record at your server, hold the IdP integration straight in your head, decide about Authentik-vs-embedded. Tailscale skips all of that by hosting it for you.
- Smaller community. GitHub stars-and-issues velocity is good and growing, but Tailscale still has the larger ecosystem of “blog post that solves your exact problem.”
For a senior engineer these trade-offs are fine. For a hobbyist who just wants their phone to reach their NAS, Tailscale will be less work.
Who should switch
- You self-host real services (homelab, side project, client infrastructure) and the closed control plane already bugs you.
- You operate in jurisdictions that care about data sovereignty. EU, Brazil’s LGPD-strict clients, anywhere “where does the metadata live” is a real question.
- You want zero-trust posture checks without paying enterprise pricing.
- You want one less SaaS dependency on your operational chart.
And who shouldn’t:
- You need it to work for non-technical family members on five iPads. Tailscale wins on polish here, full stop.
- You don’t want to maintain anything. A self-hosted control plane is one more thing to keep patched. NetBird also has a paid SaaS if you want their team to handle that — and it’s meaningfully cheaper than Tailscale at small headcounts.
Where I land
NetBird is the mesh VPN on every machine I own that isn’t airgapped on purpose. Workstation, laptop, three VPSes, a Raspberry Pi running Home Assistant, my mother’s iPad (yes, even there — the polish gap is real but liveable). Self-hosted control plane on a Hetzner CX22, SSO via my homelab’s Authentik, posture checks for the production group, Rosenpass turned on because why not.
It’s the rare piece of infrastructure where the right answer for me isn’t a compromise — it’s the most-open option and the most feature-complete one I tested. That doesn’t happen often. When it does, I write a blog post about it.