
"NetBird has fundamentally transformed our network management operations, eliminating outages, simplifying operations, and enabling secure, scalable connectivity through code. What used to be a fragile, error-prone setup is now a robust, policy-driven system that fits the way we structure and secure our infrastructure."
Kjeld Peters, CTO
I recommend it; the NetBird team is transparent and easy to reach. I switched from Tailscale a while ago (2y), went fully self-hosted, and upgrades across versions have been smooth, which tells me they care about the self-hosted version, not just their cloud offering.
We tried netbird but could not get the client to register to a self hosted server. It ignored the setting or failed.
Good chance it was user error on our part.
Most of their documentation is very unclear about what is a cloud offering feature and what is possible using self-hosting. There are features not available on the community edition and you have to be very careful reading their doc.
Just putting it out there so people do not think it's an easy solution. It will require appropriate planning.
I do think it's a more promising solution than headscale if you want to self-host, as it is a complete package, unlike tailscale, where you need to modify registry keys to change the cloud URL, and headscale is a simplified, non-multi-tenant signaler.
There is a dedicated page explaining the difference between selfhosted and cloud versions: https://docs.netbird.io/selfhosted/self-hosted-vs-cloud-netb...
You can also use profiles and set management URL in the settings through the UI. You can even switch between self hosted and cloud versions: https://docs.netbird.io/client/profiles
We also had a bunch of problems. The DNS resolution didn't work, and support was unable to figure out the reason.
A coworker reported domain access breaking when he went to office 1, but fixed itself when he went to office 2.
For a while, when you logged in with the wrong account, it was near impossible to replace it. This one is fixed now, but the entire thing still feels very much like paying for beta software.
I have endless DNS problems with Tailscale. So I am guessing it’s a hard problem.
It's like the haiku says:
It’s not DNS
There’s no way it’s DNS
It was DNS
Tailscale is the only non-self-hosted part of my setup now and this has bugged me since. I use a custom Nameserver rule to point all my subdomains to a Caddy container sitting on my Tailnet. Caddy handles the SSL and routes everything to the right containers. I skipped Tailscale Funnel on purpose; since these are just family services, I'd rather keep them locked behind the VPN than open them up to the web. This project looks promising as a replacement for my current setup and for its digital sovereignty of self-hosting the server.
I'm looking to manage several embedded devices remotely via Tailscale, but I've hit a major roadblock: the 90-day maximum expiration for Auth Keys. Constantly renewing these tokens is a significant maintenance burden, so I'm searching for a more permanent, 'set-and-forget' solution for my remote hardware.
Tailscale allows you to disable the expiration time - I do this for my gateways.
My other simplifier is having everything at home get a .home dns name, and telling Tailscale to route all these via tailnet.
Can you please tell me how to disable expiration time? I see auth keys have an Expiration which says it "Must be between 1 and 90 days."
I do use a custom domain name as well with a Nameservers rule to have all my services reachable as subdomains of my custom domain.
There is some confusion here because while you can disable node key expiration, you can’t disable auth key expiration. But that’s less of a problem than it seems - auth keys are only useful for adding new nodes, so long expiry times are probably not necessary outside of some specific use-cases.
Edit: in fact from your original post it sounds like you’re trying to avoid re-issuing auth keys to embedded devices. You don’t need to do this; auth keys should ideally be single-use and are only required to add the node to the network. Once the device is registered, it does not need them any more - there is a per-device key. You can then choose to disable key expiration for that device.
I want my CI containers created per branch/PR to have their own Tailscale domain, so logging them in is useful via non-expiring key. Only good option I've seen previously is to notify every 90 days when key expires.
The best way to do that is using an OAuth client. These don't expire, and grant scoped access to the Tailscale API. You use this to generate access keys for the devices that need to authenticate to the network.
We use this for debugging access to CI builds, among other things – when a particular build parameter is set, then the CI build will use an OAuth key to request an ephemeral, single-use access key from the Tailscale API, then use that to create a node that engineers can SSH into.
Access keys ideally should be short-lived and single-use where possible. https://tailscale.com/kb/1215/oauth-clients#generating-long-... has details on this flow.
Thanks, I'll soon get to try this out hopefully!
You can create an oauth client that can generate keys as you need them.
https://tailscale.com/kb/1215/oauth-clients#generating-long-...
Use tag-based node authentication. Login as a user and then switch the device to use a tag. I just recently did that and retained the usual 6 months expiry. I can also disable key expiry completely.
You can manually disable key expiration for hosts in Tailscale, and I think you can do it with tags too...
https://tailscale.com/kb/1028/key-expiry#disabling-key-expir...
The word "auth keys" meant nothing to you, I guess: https://tailscale.com/kb/1085/auth-keys
What would be your use-case for auth keys with long expiry times? Auth keys are only required for registering new nodes.
When managing your infrastructure as code, it's quite common to deploy new instances for upgrades etc. Having these keys expire after 3 months is a big pain. E.g. doing a routine update by rebuilding an AMI.
I don't understand how they can have such a strategy, and then not have any decent way to programmatically allocate new keys.
Yeah, that's a common workflow. It's easy to programmatically allocate those keys using the OAuth workflow though – there's even a CLI utility to do it (https://tailscale.com/kb/1215/oauth-clients#get-authkey-util...)
This can all be automated using e.g. the Terraform Tailscale provider, which takes the OAuth id/secret and can then issue keys as needed for the infrastructure you are deploying.
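The OAuth-client flow described in the two comments above (a non-expiring OAuth client mints short-lived, single-use, ephemeral, tag-owned auth keys on demand, and the new node joins with one of them), written out as an added example that is not code from the thread or from Tailscale. The endpoints and JSON shapes are those of Tailscale's public API v2 as documented (`POST /api/v2/oauth/token`, `POST /api/v2/tailnet/{tailnet}/keys`); the tailnet name `-` is the API's shorthand for the tailnet the credentials belong to; the `transport` parameter and `fake_transport` are constructed here so the flow can be exercised offline, and the 90-day ceiling is the limit quoted earlier in the thread.

```python
"""Mint a short-lived, single-use Tailscale auth key from an OAuth client.

Added example (not from the thread or from Tailscale). Endpoints and JSON
shapes follow Tailscale's public API v2 as documented; `transport` is
injected so the flow can run offline against a constructed fake.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

API = "https://api.tailscale.com/api/v2"
MAX_TTL = 90 * 86400  # auth keys cannot outlive 90 days (limit quoted in the thread)

Transport = Callable[[str, bytes, Dict[str, str]], dict]


def https_post(url: str, body: bytes, headers: Dict[str, str]) -> dict:
    """Real transport: HTTPS POST, returns the parsed JSON response body."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read())


def oauth_access_token(client_id: str, client_secret: str,
                       transport: Transport = https_post) -> str:
    """Exchange the long-lived OAuth client credentials for a short-lived bearer token.
    Only the OAuth secret needs to live in CI; everything else is minted per job."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return transport(f"{API}/oauth/token", body, headers)["access_token"]


def build_key_request(tag: str, ttl_seconds: int, description: str) -> dict:
    """Least-privilege key: single-use, ephemeral (node is removed once it goes
    offline), pre-authorized, bound to one ACL tag, and short-lived."""
    if not tag.startswith("tag:"):
        raise ValueError("keys minted by an OAuth client must be tag-owned")
    if not 1 <= ttl_seconds <= MAX_TTL:
        raise ValueError("expirySeconds must be between 1 second and 90 days")
    return {
        "capabilities": {"devices": {"create": {
            "reusable": False,
            "ephemeral": True,
            "preauthorized": True,
            "tags": [tag],
        }}},
        "expirySeconds": ttl_seconds,
        "description": description,
    }


def request_auth_key(tailnet: str, access_token: str, tag: str,
                     ttl_seconds: int = 3600, description: str = "ci",
                     transport: Transport = https_post) -> str:
    """Create one auth key via the keys endpoint and return the secret string."""
    payload = json.dumps(build_key_request(tag, ttl_seconds, description)).encode()
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/json"}
    url = f"{API}/tailnet/{urllib.parse.quote(tailnet)}/keys"
    return transport(url, payload, headers)["key"]


def join_command(auth_key: str, hostname: str) -> List[str]:
    """argv for the node side; run it with subprocess.run on the CI container."""
    return ["tailscale", "up", f"--auth-key={auth_key}", f"--hostname={hostname}"]


# --- constructed fake transport so the flow can be exercised offline -------
def fake_transport(url: str, body: bytes, headers: Dict[str, str]) -> dict:
    """Mimics the two API responses; values are constructed, not real keys."""
    if url.endswith("/oauth/token"):
        if b"client_secret=" not in body:
            raise ValueError("token request must carry the client secret")
        return {"access_token": "tskey-api-FAKE", "token_type": "Bearer",
                "expires_in": 3600}
    if headers.get("Authorization") != "Bearer tskey-api-FAKE":
        raise PermissionError("missing or wrong bearer token")
    req = json.loads(body)
    if req["capabilities"]["devices"]["create"]["reusable"]:
        raise ValueError("this CI path only accepts single-use keys")
    return {"id": "k-constructed", "key": "tskey-auth-FAKE-constructed"}


def demo(transport: Transport = fake_transport) -> List[str]:
    """Whole flow for one PR build; with the default real transport swap the
    constructed credentials for the OAuth client's id and secret."""
    token = oauth_access_token("k-client-id", "tskey-client-SECRET", transport)
    key = request_auth_key("-", token, "tag:ci", ttl_seconds=1800,
                           description="pr-42 debug node", transport=transport)
    return join_command(key, "pr-42")


if __name__ == "__main__":
    print(" ".join(demo()))
```

The key string is used once by `tailscale up` and then has no value to anyone who later reads the CI logs or image, which is the property the 90-day-key approach lacks; `ephemeral: True` additionally cleans the node out of the tailnet when the container is torn down.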
Headscale is a self-hosted drop-in control plane replacement that has been pretty stable for us.
You may also be interested in nebula (although you'd give up the nice management UI).
+1 for caddy in Tailnet, working well for us too!
Long-time ZeroTier user here. Recently switched to NetBird (self-hosted on a Hetzner VPS) and it’s been seamless so far. DNS functionality is excellent (something ZeroTier lacked), and the access-control model is very well designed. It’s easy to understand what’s going on and to grant one-off access when needed. Only real and very minor gripe is the Android app: I wish it were on F-Droid and a bit more robust, as it sometimes drops when roaming. Nevertheless, congratulations on a fabulous piece of software! I hope it keeps improving :)
Does Tailscale/ZeroTier/Netbird provide anything beyond a GUI wrapper for Wireguard?
How easy is it to make it manage an already configured Wireguard mesh network?
They are not only a wrapper for Wireguard even though people keep saying that.
Each of the tools gives different benefits and yes, you can roll all of that on your own, but let's take Tailscale as an example: You have custom ACLs to secure your network on a client/user/device basis with tagging of devices. You have your own tailscale SSH connection, the possibility to create private-public tunnels (just like Cloudflare tunnels). The hole punching using DERP servers and native IPv6/IPv4 interoperability means it really connects any device on any network type to all other devices. And of course the management pane and GUI you talked about.
This is not supposed to be a marketing ploy for Tailscale, but saying "they are just a wrapper for Wireguard" is plain wrong.
I had to use tailscale to bust through port forwarding on chained routers because, even with ports configured correctly, wireguard wasn't able to get through.
My use case was for remote access into a home-hosted Nextcloud instance, via an ISP supplied fibre router (IPv4, not CGNAT), then my own Gl iNet router, then to my Nextcloud instance.
Despite opening up port forwarding correctly, wireguard just couldn't get through that chain, whereas tailscale got through with no problems.
Downside of using tailscale is that it's messy to use at the same time as a VPN on your client device. Split tunnelling supposedly works, but I couldn't get it going.
Tailscale's strength is getting through double CGNAT of big ISPs.
Still requires your self-hosted VPS that is NOT behind a CGNAT.
As others have pointed out, Tailscale and Netbird are much more than wrappers around Wireguard. ZeroTier does not use Wireguard and they have their own lightweight tunnels, which in their recent multi-threaded implementations are more performant but not as fast as Wireguard in my testing.
I don't think there's a direct way to integrate any of them into existing mesh networks, but I could be wrong.
I've been using JetBird from F-Droid. I have never tried the official app, but I have good experiences with JetBird.
Thanks! Will try asap
But paid Tailscale is $5 a month right? So you gotta be paying more to self host and deal with all the problems yourself, not have derp servers all over the world, etc. Why?
If you run multiple services it gets cheaper. I would not see a reason to pay for 3 different cloud services that I am able to self host.
Why do you assume OP paid $5 a month? You get Tailscale for free in many use-cases. Your argument that self-hosting is more expensive is still valid, but I don't get the $5.
tl;dr: because I can.
I already run a VPS for other things, this fits cleanly into that setup, NetBird’s been low-maintenance, and I don’t need global relays. That’s enough for me.
Also long-time ZeroTier user here, I run a controller for our company. I'm starting to experience infrequent but annoying drops in connection, and DNS is a headache.
How is netbird on iOS?
I switched from Zerotier to Tailscale last year and Tailscale is far more performant and stable but Zerotier works better with multicast, specifically multicast video. I even ran a Zerotier moon to help but it was still worse than Tailscale.