Netbird: The Easy to Use Open-Source Wireguard Based Overlay VPN That You Can Host Yourself [YouTube Release]

Additional Resources:

My previous overlay network video

Netbird Install Video


00:00 Netbird Open Source VPN
02:44 Netbird Pricing
03:38 Self Hosting Netbird
04:20 How Netbird Works
05:50 Netbird Use Cases
08:14 Netbird User Interface
10:59 Netbird Access control rules
12:59 Network Routing and Exit Nodes
13:32 Custom DNS Server Settings
13:55 Admin Logging

1 Like

Great video! I will check out the others as well. Does Netbird give me the option to remove trust from my control plane server like Tailscale Lock can do? I don’t think the idea of running servers yourself and making them magically secure is a bad one. It seems to be assumed far too often in the self-hosted community.

Tailscale Lock is an amazing trustless architecture that does what I am looking for. Unfortunately, the self-hosted Headscale instance falls short in many ways. So I would not call it production ready, while homelab is possible.

Does Netbird have some sort of Tailscale Lock feature?

I don’t think they have that yet, but since you can host the control plane with the self-hosted, you are the one doing the approving.

1 Like

Well, I allow it until my control server is compromised. This way, self-hosting without some sort of Tailscale Lock feature seems less secure to me. On the one hand you control the self-hosted server, on the other hand you have signature approvals (server security vs. cryptography).

Here I found a recent GitHub issue: Implementation of Enhanced Node Authorisation Features for Increased Security Across All User Tiers · Issue #1845 · netbirdio/netbird · GitHub

Interestingly, Netbird already includes Rosenpass (I think Mullvad also uses it) as a post-quantum exchange protocol. So the network is already built to modern post-quantum secure standards. Basically, what happens is that two post-quantum resistant KEMs exchange the symmetric key, which can be used together with public-key crypto within WireGuard.
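
The trade-off raised in the posts above (trusting the control server versus requiring signed node approvals), as an added example that is not part of the original thread and is not Netbird's or Tailscale's code. It is a simplified Go sketch of the idea only: `PeerEntry`, `FilterPeers` and `Demo` are hypothetical names, and all keys and peer entries are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// PeerEntry is what a hypothetical control server hands to each client.
type PeerEntry struct {
	Name    string
	NodeKey []byte
	Sig     []byte // signature over NodeKey by a lock key kept off the server
}

// FilterPeers keeps only entries whose node key is signed by a lock key the
// client already trusts. The control server itself is treated as untrusted.
func FilterPeers(trusted []ed25519.PublicKey, list []PeerEntry) []PeerEntry {
	var ok []PeerEntry
	for _, p := range list {
		for _, k := range trusted {
			if ed25519.Verify(k, p.NodeKey, p.Sig) {
				ok = append(ok, p)
				break
			}
		}
	}
	return ok
}

// Demo runs FilterPeers over a constructed list from a tampered control server.
func Demo() []string {
	lockPub, lockPriv, _ := ed25519.GenerateKey(rand.Reader) // admin's lock key
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)      // key nobody trusts
	laptop, _, _ := ed25519.GenerateKey(rand.Reader)
	unknown, _, _ := ed25519.GenerateKey(rand.Reader)
	list := []PeerEntry{
		{"laptop", laptop, ed25519.Sign(lockPriv, laptop)},              // approved
		{"unsigned-by-lock", unknown, ed25519.Sign(otherPriv, unknown)}, // wrong signer
		{"reused-signature", unknown, ed25519.Sign(lockPriv, laptop)},   // sig for another key
	}
	var names []string
	for _, p := range FilterPeers([]ed25519.PublicKey{lockPub}, list) {
		names = append(names, p.Name)
	}
	return names
}

func main() { fmt.Println(Demo()) }
```

Because each client verifies signatures against lock keys it already holds, a node entry added on the server without access to the lock private key is dropped by every peer.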


Let’s say you have 2 friends and each has a network of various resources in various locations (say home, VPSs in the cloud, etc.). So 2 independent Netbird networks. Then friend A wants to connect SOME resource(s) to friend B.

  1. Can combining these networks / having multiple networks on the same client / computer / resource even be done?
  2. If it can be done, with each friend controlling their own network, can each friend limit the resources that get shared with each other?

Example use case: I have a Netbird network connecting my home network to my VPSs in the cloud. I then want to set up a connection to a friend so we can back up to each other’s TrueNAS. But I don’t want to give my friend access to my Netbird-connected VPSs in the cloud, or other resources in my home. We also want to continue to each control our own Netbird networks. Can this link be done with Netbird between me and my friend?

Also, @LTS_Tom great latest video on Netbird, btw. It helped me understand a lot of the initial setup.

I am not aware of a way to do that in Netbird.