Netbird: The Easy to Use Open-Source Wireguard Based Overlay VPN That You Can Host Yourself

  • Published on 22 Aug 2024

Comments • 101

  • @netbirdio
    @netbirdio 3 months ago +172

    Thank you for your support and recognition, Tom. Videos like this one keep us up and motivated. The whole NetBird team appreciates your work.

    • @andreas7944
      @andreas7944 3 months ago

      Hey netbird, I just went through your documentation and it is not quite clear to me how to host a control plane in a secure way. Is it supposed to be directly exposed? And by the way, I think your documentation website broke down :D And thank you for looking into BSD. I did not consider netbird until now because I saw no trace of an OpnSense integration. So I am very happy to hear that this might be a thing :)

    • @xristosvo
      @xristosvo 3 months ago +2

      That t-shirt is awesome!
      I want it!! 😋

    • @sbme1147
      @sbme1147 3 months ago

      @andreas7944 I second that. Looking into BSD integration for OpnSense and pfSense is a major "sense"forward.

    • @alanjrobertson
      @alanjrobertson months ago

      Hi @netbirdio - I've been trying to get this working on Oracle VPS but despite opening the ports noted in the docs not having any luck. Unfortunately GitHub issues aren't responded to that quickly and Slack seems to be more questions than answers?!

  • @hookuspookus4897
    @hookuspookus4897 3 months ago +22

    Looks promising. Can't wait for BSD support to be implemented, so I can run it on OPNsense. Thanks for the video!

  • @Jordan-hz1wr
    @Jordan-hz1wr 3 months ago +10

    I’ve been a Nebula user for years. One feature of Nebula's that I hope comes to Netbird is the ability for two nodes to choose to communicate locally with each other when they’re both on the same LAN.

  • @PowerUsr1
    @PowerUsr1 3 months ago +40

    Compared to Tailscale this is so much better when it comes to the security rules. Tailscale's failure, imo, is forcing a user to write JSON rules to limit access whereas Netbird makes it dead simple and well thought out.

    • @michaeldale837
      @michaeldale837 3 months ago

      Yes I am using tailscale currently. I have a netbird server running but need to configure Azure AD auth, so need to look into that. But completely agree, the security rules make this very user friendly. I'm planning on swapping over but need to see how the relay works, I've got servers all over the world and tailscale has been very good for difficult connections.

    • @ZorgFS
      @ZorgFS 3 months ago

      I'd say JSONs are not the primary issue for Tailscale. I mean, if you are into Linux firewalling, writing a few JSONs is easy. The issue is how it performs under load and comparing performance for both. I understand it is based on WireGuard, but will it be able to at least meet the raw WireGuard p2p bandwidth?

    • @PowerUsr1
      @PowerUsr1 3 months ago +1

      @ZorgFS I don’t think security should take a backseat to performance. If I can’t lock down my tailnet effectively then why use it? Tailscale isn’t targeted to people who admin Linux. So it’s ok to have a performant vpn just not a secure one? No.
      Tailscale needs to improve the rule creation. It’s hot garbage and most likely why the default action is a permit any/any which…..is terrible

    • @ZorgFS
      @ZorgFS 3 months ago

      @PowerUsr1 Yes, that is actually accurate. I agree as well

    • @PadraigDoran
      @PadraigDoran 3 months ago

      Yes, I agree Tailscale security rules are tricky. I want to add some family/friend's PCs and keep them isolated so that I can ssh/rdp/vnc into their machines but want no connection back, and I also want different groups of completely independent servers (say 3 in London, 5 in Ireland, 4 in AU/NZ) that I want access to but they cannot jump region or connect back to anything else. Basically I want full isolation / VPN "into" different islands/groups of machines without them communicating with each other.

  • @0r_1x
    @0r_1x 3 months ago +6

    Wait, sooo if I install this as well, do I get a sweet T-shirt?!
    This is great Tom. I've heard them mentioned a few times. I love Tailscale, but the requirement of something like Gmail (I don't really want to fight with the OIDC stuff right now) has held me rolling it all over the place at home.
    The ACL looks MUCH simpler to quickly glance at and manage.

    • @christopherpeterson6004
      @christopherpeterson6004 3 months ago

      I'm using Social login with Office365

    • @andreas7944
      @andreas7944 3 months ago +1

      first pants and now t-shirts? The IT community is getting fancy! :)

  • @urzalukaskubicek9690
    @urzalukaskubicek9690 3 months ago +4

    Thanks! I was just deciding between headscale and netbird and netbird looks really nice so I will probably go with that.

  • @fjlaboratories
    @fjlaboratories 3 months ago +8

    Does Netbird support tunneling of general purpose multicast traffic? That was one of my main limitations with Tailscale and benefit of Zerotier.

  • @jckf
    @jckf 3 months ago +9

    I've considered self-hosted NetBird as a replacement for Tailscale just to get rid of a third party and subscription, but haven't sat down and labbed it yet. Is this something you'd consider for your own use-cases, Tom?

    • @samstanton6974
      @samstanton6974 3 months ago

      I just did this last week and migrated from Headscale to Netbird with traefik and authentik. Netbird's team is pretty responsive on Slack too.

    • @Zeddd7
      @Zeddd7 3 months ago

      Seems like he's using it on his phone already.

  • @jrdemasi
    @jrdemasi 3 months ago +10

    So, Tom -- do we feel this is suitable for personal use at this point?

  • @fonte935
    @fonte935 3 months ago +4

    FINALLY! Looking forward to this one.

  • @Glatze603
    @Glatze603 months ago +2

    Netbird is awesome! Thanks for sharing.

  • @_nske
    @_nske 2 months ago

    I'm keeping an eye on the project, I like its design very much. The only thing stopping me from considering it is that the scope of Access Control is only at the peer-level, instead of allowing including arbitrary CIDR definitions in Access Control Policies (so that not every service host itself has to be joined to the overlay network as a peer in order to have control over the peers' access to it, which is unfeasible or undesirable in many cases)

  • @azteck2
    @azteck2 3 months ago +2

    Would be great if you could set up multiple network subnets like you can in Zerotier.

  • @Ecker00
    @Ecker00 3 months ago

    Alright, that was actually crazy easy to set up. Converted from manually managed Wireguard, what a chore it's been...

  • @proteuss15
    @proteuss15 3 months ago +1

    I saw that when my main WAN goes down the connection is not restored on the failover, I have to manually restart all agents to get it working again.

  • @unafacciaunarazza
    @unafacciaunarazza 3 months ago +7

    Can the server that hosts the netbird also be used as an exit node? Thinking of renting one vm from Hetzner and I would like to use it also as an exit node

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 months ago +2

      I have not tried, but it should work as long as you make it one of the nodes.

    • @unafacciaunarazza
      @unafacciaunarazza 3 months ago +1

      @LAWRENCESYSTEMS I guess this means I will have to install on the same machine the client, otherwise I don't see it anywhere on the gui. Unless I understood it wrong?

  • @mjmeans7983
    @mjmeans7983 3 months ago +1

    Is there a completely self-hosted, on-premises and isolated so that it creates a TRUE virtual private network without requiring any dependency (not even the creation of an account) on any third-party server? i.e. A zero-trust solution.

  • @xoxoxo-42
    @xoxoxo-42 3 months ago +1

    My man sold out for a tee shirt…. lol. Jk xoxoxo always honest and from the heart that’s what we loves about ya.

  • @MobileManiC
    @MobileManiC 3 months ago +2

    Yeah, testing netbird in my home network since almost the beginning… it’s still very beta thing, but improving rapidly. I have great faith in it :)

  • @grant_HH
    @grant_HH 3 months ago +1

    Looking at the UI and the shiny bits, it looks a lot more user friendly than wireguard.
    Would this be usable for remote access to a small home lab setup or is it complete overkill?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 months ago +2

      Isn't the point of a home lab to have a place that can be overkill?

    • @grant_HH
      @grant_HH 3 months ago +1

      @LAWRENCESYSTEMS I guess 🤣

  • @Zwiesel66
    @Zwiesel66 3 months ago

    Thank you for that great video. I am very thankful for these wonderful open source projects 🥰

  • @ZorgFS
    @ZorgFS 3 months ago +1

    As amazing as always, Tom, thanks!

  • @securitytest-wd2lp
    @securitytest-wd2lp 3 months ago +1

    Great video Tom as always! - Could we get the Draw_IO diagram added to your Github please?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 months ago +1

      They are there on my Github, the one I used in the video was Overlay_Networks.drawio

    • @securitytest-wd2lp
      @securitytest-wd2lp 3 months ago

      Sorry my bad - I totally missed the tabs on the bottom of that sheet 🙈🙈

  • @StaffyDoo
    @StaffyDoo 2 months ago

    No Synology client, though. I wonder how difficult would it be to deploy it in an OCI container and allow it to access subnet resources? 🧐

  • @0ctatr0n
    @0ctatr0n 2 months ago

    Would be good if I could set up certs on this through letsencrypt to all the peers' hostnames. So many things don't like it when there's no registered cert on the address.

  • @danielr3207
    @danielr3207 3 months ago +4

    I tried Netbird a while ago but unfortunately the Windows client was super buggy. For me, Tailscale is still the go-to but competition is good.

    • @mlsmaycon
      @mlsmaycon 3 months ago +4

      Hello Daniel, can you share a bit more about the bugs you've faced? Recently we fixed the issue with opening the settings window on RDP connections.

    • @danielr3207
      @danielr3207 3 months ago +1

      @mlsmaycon Yes from memory this was the main issue I was having.

  • @bleeb1347
    @bleeb1347 3 months ago

    Self hosted or hosted replacement for Zscaler ZPA? Yes, please. ZPA used to be affordable….The question is, can I use this to replace my Silverpeak SDWAN setup with 50+ offices and multiple data centers?

  • @TheOisannNetwork
    @TheOisannNetwork 3 months ago

    I'm tailscaled, but this looks great!

  • @Janpetervogt
    @Janpetervogt 29 days ago

    Has anyone had success with installing Netbird directly on TrueNAS Scale?

  • @lo0ops
    @lo0ops 3 months ago +1

    Geo IP filtering is ok but never understood why ISP locking isn't a thing.

    • @mlsmaycon
      @mlsmaycon 3 months ago

      It depends on the company or even your home setup. You can restrict access to employees working in Europe only as you don't expect people to connect from Asia. The same goes for home use cases, you wouldn't expect devices connecting from countries where your family doesn't reside.

    • @andreas7944
      @andreas7944 3 months ago +1

      Because it is easy to bypass and tends to be inaccurate.

  • @Popcorncandy09
    @Popcorncandy09 2 months ago

    Why would you want to use this over standard self hosted WG-Easy install or something? Would this be better at bypassing FWs that block VPN traffic?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 months ago

      This is easier when people are also behind CGNAT

  • @MD6-127
    @MD6-127 3 months ago

    what app do u use for the diagrams? they are great

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 months ago +1

      lawrence.video/diagrams

  • @GeorgeLee
    @GeorgeLee 3 months ago +1

    So, NetBird vs Zerotier vs TailScale ??

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 months ago +1

      Good to have options.

    • @Glatze603
      @Glatze603 months ago

      Vs Twingate

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS months ago

      @Glatze603 Twingate is closed source and there is no way to self host.

    • @Glatze603
      @Glatze603 months ago

      @LAWRENCESYSTEMS That's totally right.

  • @mrbogus797
    @mrbogus797 3 months ago

    How to install it on raspberry pi to access Nas server remotely?

  • @Absolute-Unit
    @Absolute-Unit 3 months ago +1

    Just need bsd support...

  • @entelin
    @entelin 3 months ago +1

    All I really want is a means of doing 2fa or a prompted psk on regular wireguard so that it would be suitable for a client vpn. Don't want a whole thing just for that.

  • @LeakyFaucett
    @LeakyFaucett 3 months ago

    So Netbird has to be running on the other end? This seems very limiting as to who you can communicate with. Also as a complete noob; is this appropriate as a substitute for a regular VPN? I'm a home-based user looking into starting to use a VPN.

  • @abdraoufx
    @abdraoufx 3 months ago

    This is similar to netmaker, and how is it different from zerotier? I guess zerotier is not using wireguard

  • @NokeMediaIndonesia
    @NokeMediaIndonesia months ago

    Can the server be behind CG-NAT?

  • @avocado9227
    @avocado9227 3 months ago +4

    Netbird does not work on OpenSUSE. There is no implementation on TrueNAS.

    • @elminster8149
      @elminster8149 3 months ago +2

      It's easy enough to containerise, you don't need a TrueNAS plugin for it.
      What exactly doesn't work on OpenSUSE? The client install? Just install on something else and route to the OpenSUSE machine.

    • @0r_1x
      @0r_1x 3 months ago

      Alternatively to what @elminster8149 said, just build a VM on TN with Docker installed. This video even goes over some of the use cases for the scenario you are in. While it's nice that IXSystems includes many integrations, it's not the end all be all. It is a hypervisor as well.

  • @EarthStarz
    @EarthStarz 3 months ago

    Awesome video, but if you just use pure wireguard, you don't need any overlays

  • @pepeshopping
    @pepeshopping 3 months ago +2

    Commendable stuff, but only wake me up when they get port 443 SSL support!

    • @marcogenovesi8570
      @marcogenovesi8570 3 months ago +1

      it already uses port 443 for control plane and relays

  • @hellsacolyte
    @hellsacolyte 3 months ago +2

    I would really like to use NetBird, but no exit node support (yet, I know it's in the pipeline) and no BSD client (I'm biased, but OpenBSD in this case) makes me hold off.
    EDIT: Exit nodes exist it seems now?

    • @netbirdio
      @netbirdio 3 months ago +4

      Yes, we have added exit nodes support recently. Not yet possible to use on mobile devices, but coming soon.

  • @RonnieRedd
    @RonnieRedd 3 months ago +2

    Still using OpenVPN for clients AND IPSEC for site to site. Why are we continually re-imagining things that work?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 months ago +12

      IPSEC & OpenVPN is much harder to manage than an overlay network is at scale with many locations and when you have some networks behind things like CGNAT. th-cam.com/video/6M8LIl4UzwI/w-d-xo.htmlsi=xqyYBJfNpn4tiwwQ

    • @garrickstokes
      @garrickstokes 3 months ago +4

      A lot of demos on youtube tend to focus on using exit nodes to stitch networks together. For this use case, you are right, it is a bit like reinventing the wheel.
      Using point to point connections and routers is very effective.
      My use case is basically a pile of roaming mobile devices (on networks I have no control over) I want to connect to my self hosted services and each other. I'm using tailscale/headscale and it makes all this extremely quick and easy. You just install the client on a device, register the node to a user and that's it. They are on the overlay network and can see everyone else. Connections are usually direct and very fast. Because of the mesh topology it's extremely resilient with the coordination server being the only single point of total failure.
      The separation is phenomenal, my home network is riddled with devices like light bulbs, smart sockets, TV's and printers, I don't even trust my own network anymore. Users on the overlay network have no visibility or access to any of that (and are protected from it).
      It takes the internet from being the hub and spoke NAT model and safely makes it peer to peer with truly minimal effort.
      I thought I just wanted an overlay mesh to share my NAS with my family and friends but it's addictive and I am using it all over the place now. (Machines on the same switch exclusively using tunnels)
      You should "give it a go" you might like it 👍

    • @mlsmaycon
      @mlsmaycon 3 months ago +3

      I invite you to try it, but think from the end VPN user perspective.

    • @andreas7944
      @andreas7944 3 months ago +2

      Because of ease of use, performance and security. Those are the big three arguments for wireguard. However manually managing wireguard connections does not scale very well. Therefore having netbird makes sense to me.

  • @wbhad83
    @wbhad83 3 months ago

    Putting MFA on a paid plan is a non-starter. Requiring people to pay for the most basic security features is a bit insane, especially when something like SSO, which is often on a paid tier, is free.

    • @andreas7944
      @andreas7944 3 months ago +3

      To my understanding: You can still host it yourself and use whatever IDP you like, including MFA. For the hosted service, I am actually fine with this. This is mainly because integrating IDPs and MFA are not one time costs. Single Sign On, however, usually is a one time cost to implement.

    • @marcogenovesi8570
      @marcogenovesi8570 3 months ago

      "The Free plan automatically integrates with popular personal identity providers (IdP) like Google, Microsoft, and GitHub. It supports multi-factor authentication (MFA) when enabled in your IdP."

    • @marcogenovesi8570
      @marcogenovesi8570 3 months ago +4

      or you can self-host

    • @netbirdio
      @netbirdio 3 months ago +4

      SSO & MFA is in the free tier if you use Google, Azure, Okta, Github as it comes with the IdP itself even for businesses. We believe that this is a must-have security feature and that is why we offer it for free. If you sign up with a username and password, then it requires some manual work on our end to configure MFA. Therefore, we put it under the paid plan. We might automate this process in the future, though.

    • @vasquezmi
      @vasquezmi 3 months ago +1

      They have instructions for using Authentik as the idp hosted.