🩺 Vitals
- 🟢 Last active: 2026-07-16
- 📦 Latest release: v0.74.6 (2026-07-15)
- 🐞 Open issues: 1493
- 🌟 Stars: 27.3k
What do these metrics mean?
- Last active: when code was last pushed, as of our last check. The dot is green when that was recent, grey otherwise. A long gap can mean a tool is finished and stable, not only unmaintained.
- Latest release: the most recent tagged, packaged version the maintainers published. Not every healthy project tags releases.
- Open issues: unresolved reports and requests. A high number is normal for a popular project and is not a warning on its own.
- Stars: how many people bookmarked the project on its forge. A rough popularity signal, not a measure of quality.
🏗️ Profile
- Official: netbird.io
- Source: github.com/netbirdio/netbird
- License: AGPL-3.0 (Server) | BSD-3-Clause (Client)
- Deployment: Docker
- Data Model: SQLite / PostgreSQL
- Jurisdiction: Germany 🇩🇪 / EU 🇪🇺 (NetBird GmbH)
- Compliance (SaaS): ISO 27001 | GDPR | DORA
- Compliance (Self-Hosted): Self-Hosted (User Managed)
- Complexity: High (4/5) - Multi-service control plane (Management, Signal, Relay, TURN) behind a reverse proxy with TLS
- Maintenance: Medium (3/5) - Control plane plus PostgreSQL upkeep; community edition is active-passive HA only
- Enterprise Ready: Moderate (3/5) - WireGuard mesh, ACLs, and OIDC SSO included; SCIM, active-active HA, SIEM streaming, and MSP multi-tenancy require a commercial licence
1. The Executive Summary
What is it? NetBird is a WireGuard-based overlay network that connects your servers, devices, and people into a single private mesh with identity-based access control. It is the self-hostable, EU-sovereign counterpart to Tailscale: peers establish encrypted peer-to-peer tunnels directly, while a control plane you operate (Management, Signal, and Relay services) handles coordination, access policies, and key exchange. Traffic is end-to-end encrypted between peers; the relay only carries encrypted packets as a fallback when a direct connection cannot be established. Identity is delegated to your own OIDC provider — NetBird integrates with Keycloak, Authentik, and Zitadel in the open-source edition, so authentication never leaves infrastructure you control.
The Strategic Verdict:
- 🔴 For Lean Teams Wanting Zero-Ops Connectivity: Caution. Self-hosting means operating a multi-service control plane and its PostgreSQL backend, and the community edition ships only active-passive high availability. Teams without platform-engineering capacity may find the managed cloud tier — or Tailscale — a lower-friction path, at the cost of sovereignty.
- 🟢 For Regulated Orgs Replacing a US-Hosted Mesh: Strong Buy. NetBird delivers the Tailscale experience with a control plane under your roof and a vendor incorporated in Berlin, outside US CLOUD Act reach. The WireGuard data path is end-to-end encrypted, identity stays with your own IdP, and the segmentation model maps directly onto zero-trust and SOC 2 access-control requirements.
2. The "Hidden" Costs (TCO Analysis)
| Cost Component | Tailscale (SaaS) | NetBird (Self-Hosted) |
|---|---|---|
| License Fee | Per-user, per-month tiers | $0 (AGPL-3.0 Core) |
| Control Plane | Proprietary, vendor-operated | Self-hosted; you own the coordination server |
| Data Residency | Tailscale Inc. (US) | EU / your own infrastructure |
| SSO / SCIM | Bundled in paid tiers | OIDC SSO included; SCIM is commercial |
3. The "Day 2" Reality Check
🚀 Deployment & Operations
- Installation: The full control plane deploys via Docker Compose — Management, Signal, Relay, and a Coturn TURN server, fronted by a Traefik reverse proxy handling TLS. Clients are single binaries for Windows, macOS, Linux, and mobile.
- Scalability: Peer-to-peer tunnels mean data-plane traffic does not funnel through the control plane, so throughput scales with your peers rather than a central concentrator. The coordination services themselves scale vertically in the community edition; horizontal active-active high availability for Management and Signal requires a commercial licence.
🛡️ Security & Governance (Risk Assessment)
- Jurisdiction & Geopolitics (Germany 🇩🇪 / EU 🇪🇺): NetBird GmbH is incorporated in Berlin, placing both the vendor and any self-hosted deployment squarely under EU GDPR and outside the reach of the US CLOUD Act. Even NetBird's managed tier stays under EU jurisdiction with ISO 27001, GDPR, and DORA attestations — a structural contrast to Tailscale (US) and Zscaler (US), whose coordination or brokering infrastructure sits under US jurisdiction regardless of where your nodes run.
- The Compliance Shift (You Hold the Keys to the Network): Self-hosting transfers the entire security posture to your team, and the control plane is the highest-value target in the system: whoever controls the Management service can author access policies for every peer. Hardening it — TLS termination, restricting inbound exposure, securing the PostgreSQL store, and backing it up — is non-negotiable. The community edition offers only active-passive HA, so a control-plane outage suspends policy changes and new peer enrolment until failover completes. NetBird GmbH's managed cloud carries ISO 27001, GDPR, and DORA attestations, with SOC 2 Type II in progress — but a self-hosted deployment inherits none of them. The segmentation model supports SOC 2 and ISO 27001 access-control objectives; the audit evidence for your own instance is yours to produce.
- License Risk (The Split-Licence Trap): The client is permissive BSD-3-Clause — embed and redistribute it freely. The server components (Management, Signal, Relay, and the combined bundle) are AGPL-3.0, which triggers the network-copyleft clause: modify the control-plane source and offer it as a service over a network, and you must release those modifications under AGPL-3.0. A Contributor License Agreement grants NetBird GmbH a broad, irrevocable, sublicensable licence over contributions — not a copyright assignment, but the mechanism that lets the vendor ship the AGPL-3.0 server code under a paid commercial licence. It is a governance concentration to weigh, though the AGPL-3.0 core remains a durable sovereignty backstop.
4. Market Landscape
🏢 Proprietary Incumbents
- Tailscale: The dominant WireGuard-mesh service. Effortless to adopt, but the coordination server is proprietary and vendor-operated in the US; per-user pricing compounds at scale and the control plane is never yours to hold.
- Zscaler: The enterprise zero-trust access standard, delivered as a US-operated cloud broker. Comprehensive but proprietary end to end, with all access brokering transiting Zscaler's infrastructure — a data-residency and CLOUD Act consideration for EU-regulated workloads.
🤝 Open Source Ecosystem
- Headscale: An open-source reimplementation of the Tailscale control server, letting Tailscale clients run against a self-hosted coordination plane. Narrower in scope than NetBird's integrated policy and identity layer.
- OpenZiti: An Apache-2.0 identity-based zero-trust overlay with application-embeddable SDKs and dark, portless services. Operates at the application layer rather than NetBird's WireGuard device mesh, and is heavier to run.