WireGuard-based zero trust networking with SSO, MFA, and granular access control
Other
- Go
- Shell
- HTML

About NetBird
NetBird connects your devices into a secure WireGuard-based overlay network combined with a centralized access control system. It links machines over encrypted tunnels and applies granular access policies you manage from a single admin UI, so remote access no longer depends on opening ports, complex firewall rules, or VPN gateways.
Each machine runs a NetBird agent that manages WireGuard and uses ICE and STUN to discover peer-to-peer connection candidates, negotiating them through a signal service with end-to-end encrypted messages. When direct NAT traversal fails, traffic falls back to a relay service. On top of the overlay, NetBird adds SSO and MFA login, IdP group sync, setup keys, network routes, exit nodes, and private DNS.
Clients run on Linux, macOS, Windows, Android, iOS, and FreeBSD, plus routers and NAS devices. You can use the hosted NetBird Cloud or self-host on a Linux VM with Docker Compose. It is BSD-3-Clause licensed, except the management, signal, and relay services, which use AGPLv3.
Key features
- WireGuard-based encrypted peer-to-peer overlay network
- NAT traversal with ICE and STUN, relay fallback
- Centralized access control with groups and rules
- SSO and MFA login with IdP group sync
- Network routes, exit nodes, and private DNS
Details
- First released: 2021
- Clients: Linux · macOS · Win · Android · iOS · BSD
- Self-hosting: Linux VM with Docker Compose
- Deployment: self-hostable · cloud
- License: BSD-3-Clause · AGPLv3 parts
- Protocol: WireGuard
