NetBird Review Questions

Hi Tom,

Happy to see your NetBird review came out today. I had a couple of questions:

  1. How would you compare the relative security/performance capability between NetBird and Nebula, Tailscale and others you have mentioned before? Tailscale is also on the WireGuard protocol, right? So would you expect similar speeds?

  2. How secure is the coordination server if self-hosted? I know in the case of Nebula, because it is certificate based, the Lighthouses can be compromised without any harm coming to the overlay. Here it seems all of the user data, routing and configs are being stored on a public-facing server with an FQDN to boot. That seems like a bit of a vulnerability! Or am I missing something?

Thanks as always!

Performance should be similar to Tailscale. Also similar to Tailscale is that the public server would be the attack point that would allow the attacker to add nodes to your network. Tailscale has their “Tail Lock” feature to mitigate this, and there is currently no such feature in NetBird, but there is a request for one here:

2 Likes

Good instinct. Also think about where you run this. Isolate services, especially public-facing ones.

If you run this on your router (when the pfSense package drops) you have expanded this risk to your whole network. This goes for a lot of the packages available in pfSense.

Don’t treat your router like a server.

1 Like

I will look into the Tail Lock feature, but while I would agree the UI on NetBird is really slick, I don’t think Nebula (https://www.defined.net/) gets enough love.

It’s secure enough for Slack to trust and is all certificate based (which is the basis of trust for OpenVPN). It still allows the UDP punching via a “Control Server” but you can hack it, take it down, do whatever you want and you still can’t access the network.

Perhaps someone in the Open Source community should consider creating an Open Source UI for Nebula the way Defined Networking has for their pay version. Not sure I am the right person to start that effort (from a developer strength standpoint) but would be happy to contribute if others are interested in exploring.