While a VPN isn't the security solution you may have thought, that criticism mainly applies to the traditional client-server architecture of older VPNs. The new crop of remote access tools, mostly built on WireGuard, creates a software-defined mesh network across the Internet, with an encrypted tunnel between each pair of devices rather than a single concentrator everything has to pass through.

The best-known of these is arguably Tailscale, but there are a few caveats (especially when you try to self-host the control server) that put me on the path to seeking alternatives. After rotating through half a dozen over the last few months, NetBird has won me over, with a robust feature set and the ability to self-host with identity management at its core. Building on a core of trust like that makes it perfect for my home lab, and for keeping on my cheap VPS so I always have an encrypted route home.

The world of overlay networks doesn't stop at Tailscale

NetBird is my favorite option

Software-defined networking is one of the great advances of computing, separating the control plane (who may talk to whom, and how traffic is routed) from the data plane that actually forwards packets. This makes it possible to span your network across multiple sites, differing hardware architectures, physical transport layers, and even across the Internet, but still have a coherent, secure deployment as if it were all on-premises. You don't need a full SDN stack to benefit from this; mesh VPNs like Tailscale and NetBird are a great place to start.

I've been using both, but NetBird has won me over with a security-first, transparent ethos that enables self-hosting as easily as using the company's managed servers. It's really an overlay SDN that uses end-to-end encrypted VPN tunnels as the transport layer, and I've been having a lot of fun poking at its features and connecting all the things in my home lab.

It's also worth pointing out that NetBird has a robust MSP portal for managed service providers. It's not something I personally use because I'm my own customer and I don't need to manage other accounts, but it exists, it's powerful, and is a big plus point when compared to Tailscale, which doesn't have anything similar.

Although it doesn't support IPv6 (yet)

One of the things that was holding me back was lack of IPv6 support. I've been trying to move more of my services and devices across, and IPv4-only routing on NetBird was a weighty entry in the negative column.

The last time I looked, months ago, there wasn't even any chatter, but since then, the team has confirmed IPv6 support is on the roadmap for Q4 2025. Whether it makes it before the end of the year or not, knowing that it's on the way makes my decision a lot easier to live with.

There are a ton of features to dive into

Create software-defined networks on your terms

NetBird is a secure peer-to-peer overlay network, similar to Tailscale and ZeroTier. It's available on the company's managed servers or for self-hosting, and has clients for Linux, macOS, Windows, Synology, Android, iOS, Docker, pfSense, and OPNsense. But even if your service or device doesn't have a client, you can still reach it through a routing peer that advertises its subnet, so you can securely access your home network without installing anything on the device itself. And there's a browser client so that you can use it from any device with a web browser.

On the face of things, NetBird looks like any other WireGuard-based P2P VPN, using NAT traversal (ICE with STUN, falling back to a relay when a direct path can't be punched) to go through firewalls without opening ports or having a static public IP address. It monitors the connection and can restart it if needed (and anyone using a corporate VPN knows the pain here), and adds robust access control lists, multi-factor authentication through your identity provider, and activity monitoring.

Some of the other awesome features include:

  • Easy network segmentation
  • Routing to private networks
  • Custom DNS nameservers
  • Create users and groups from your Identity Provider
  • Rosenpass post-quantum secure key-exchange protocol
  • MDM deployment with Jamf Pro, Kandji, or Intune
  • Kubernetes Operator

The best part? You can be running in minutes, even if you have to use the more involved CLI method. Even getting the self-hosted control server running took me about ten minutes, and most of that was setting up the Zitadel IdP container and creating users and groups before getting to the NetBird dashboard.

The new Control Center is lit


Are you a visual learner? It often helps to see the interconnected web of connections between peers, groups, or networks at a glance, and the new Control Center does just that. You get a topological view of your NetBird connections to see who, or what, can connect to and access other resources.

And as an admin user, you can edit access controls from this page, making it an easier way to ensure the correct devices and tools can access the things they need, and nothing else. This goes deep into sources, destinations, protocols, ports, and posture checks, making it a powerful tool for setup and security.
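To make that policy model concrete, here is an added example, not NetBird's own code, that models group-based access policies with the pieces the post names: source groups, destination groups, protocol, ports, a bidirectional flag, posture checks, and default deny when no policy matches. The peers, groups, version numbers and the `min_client_version` posture check are constructed for illustration; NetBird's real rule evaluation lives in its management server and differs in detail.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Hypothetical model of a NetBird-style policy engine (added example, not NetBird code).

@dataclass(frozen=True)
class Peer:
    name: str
    groups: frozenset[str]
    client_version: tuple[int, int, int]  # agent version, constructed for the posture check
    os: str

@dataclass(frozen=True)
class PostureCheck:
    """Conditions the *source* peer must satisfy before a policy applies to it."""
    name: str
    min_client_version: Optional[tuple[int, int, int]] = None
    allowed_os: Optional[frozenset[str]] = None

    def passes(self, peer: Peer) -> bool:
        if self.min_client_version and peer.client_version < self.min_client_version:
            return False
        if self.allowed_os is not None and peer.os not in self.allowed_os:
            return False
        return True

@dataclass(frozen=True)
class Policy:
    name: str
    sources: frozenset[str]           # group names allowed to initiate
    destinations: frozenset[str]      # group names that may be reached
    protocol: str = "all"             # "all", "tcp", "udp" or "icmp"
    ports: frozenset[int] = frozenset()  # empty means any port
    bidirectional: bool = False
    posture_checks: tuple[PostureCheck, ...] = ()
    enabled: bool = True

    def _matches_flow(self, proto: str, port: int) -> bool:
        if self.protocol != "all" and self.protocol != proto:
            return False
        return not self.ports or port in self.ports

    def _permits(self, source_side: Peer, dest_side: Peer) -> bool:
        # Group membership in the policy's own direction, plus posture checks on the source side.
        if not (source_side.groups & self.sources and dest_side.groups & self.destinations):
            return False
        return all(check.passes(source_side) for check in self.posture_checks)

    def allows(self, src: Peer, dst: Peer, proto: str, port: int) -> bool:
        if not self.enabled or not self._matches_flow(proto, port):
            return False
        if self._permits(src, dst):
            return True
        # Bidirectional rules let the destination side initiate too; only meaningful
        # for "all protocols, any port" rules, so restrict it to that case.
        if self.bidirectional and self.protocol == "all" and not self.ports:
            return self._permits(dst, src)
        return False

def is_allowed(policies: list[Policy], src: Peer, dst: Peer, proto: str, port: int) -> Optional[str]:
    """Default deny: return the name of the first policy permitting the flow, else None."""
    for policy in policies:
        if policy.allows(src, dst, proto, port):
            return policy.name
    return None

# Constructed sample inventory.
PEERS = {
    "laptop":    Peer("laptop",    frozenset({"admins"}),      (0, 30, 0), "linux"),
    "homelab":   Peer("homelab",   frozenset({"servers"}),     (0, 30, 0), "linux"),
    "old-phone": Peer("old-phone", frozenset({"contractors"}), (0, 26, 0), "android"),
    "new-phone": Peer("new-phone", frozenset({"contractors"}), (0, 30, 0), "android"),
}

POLICIES = [
    Policy("admins-to-servers", frozenset({"admins"}), frozenset({"servers"}),
           protocol="all", bidirectional=True),
    Policy("contractors-https", frozenset({"contractors"}), frozenset({"servers"}),
           protocol="tcp", ports=frozenset({443}),
           posture_checks=(PostureCheck("recent-client", min_client_version=(0, 28, 0)),)),
]

if __name__ == "__main__":
    for s, d, proto, port in [("laptop", "homelab", "tcp", 22), ("homelab", "laptop", "tcp", 9090),
                              ("new-phone", "homelab", "tcp", 443), ("new-phone", "homelab", "tcp", 22),
                              ("old-phone", "homelab", "tcp", 443), ("homelab", "new-phone", "tcp", 443)]:
        verdict = is_allowed(POLICIES, PEERS[s], PEERS[d], proto, port)
        print(f"{s} -> {d} {proto}/{port}: {verdict or 'DENY'}")
```

Two things worth noticing when you run it: the bidirectional admin rule is what lets `homelab` open a connection back to `laptop`, and the contractor whose client fails the posture check is denied even though the group and port match. That is the behaviour you want from a default-deny model, and it is why it is worth checking the Control Center's topology view after every policy change.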

Container control

Another big plus for me is the dedicated Kubernetes Operator. I recently shifted my home lab to K8s, which is a nice challenge, but it's also trickier to connect remotely. However, NetBird can expose my K8s control plane inside my NetBird Network so that I can manage it from anywhere. I can also use it as an ingress controller and have NetBird handle data for my self-hosted services. It's (mostly) automatic once I tell it what to point at. And by setting up a networking sidecar, my K8s data can egress through the NetBird network, to anywhere I need it.

Self-hosting NetBird has you set up identity management first

NetBird is fully open-source, and I've been self-hosting it on my VPS for months. In that time, it's been solid. After using so many other self-hosted options, I appreciate that it has you set up Zitadel or any other OpenID Connect-compatible IdP before you even get to install NetBird and start adding peers, endpoints, and other mainstays of overlay networks.

That makes me feel more secure, as I know the company has me setting up security by design, rather than bolting it on as an afterthought the way many self-hosted remote access tools do.

Plus, even with the self-hosted version, I only have to log in to my account using the mobile apps to connect to my network, without the added complexity of using the debug menus that Tailscale+Headscale requires.

NetBird is fast becoming my favorite access tool

Anyone who knows me knows that, while I'm fairly proficient at it, I dislike the complicated setup path for most networking hardware and tools. NetBird abstracts away most of my headaches by enabling me to add services, peers, and exit nodes with a few clicks of a well-designed UI, whether I'm self-hosting or using their servers. That lets me get on with testing new tools and programs faster, because the time to deployment is much shorter, and I know I don't have to worry about encryption, ACLs or other security features because NetBird has them handled. The one thing still worth doing by hand is reviewing the default policy a new network starts with, which lets every peer reach every other, and tightening it to the groups and ports you actually need.