New open-source alternative to Twingate

Just thought you guys might be interested in this

NetBird is an Open-Source Zero Trust Networking platform that allows you to create secure private networks for your organization or home. We designed NetBird to be simple and fast, requiring near-zero configuration effort and leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, etc.

NetBird is an open-source project and can be self-hosted.

There is no centralized VPN server with NetBird - your computers, devices, machines, and servers connect to each other directly over a fast encrypted tunnel. It creates a high-performance point-to-point WireGuard® overlay network that connects machines running anywhere in just a few clicks.

https://docs.netbird.io/about-netbird/how-netbird-works


So like Tailscale, but you can host the signaling server by yourself?


It’s offering both options, cloud and self-hosted.

However, the self-hosted variant consists of several Docker containers, and it requires quite a few ports to be open.

I wonder if the open ports can be shielded behind a Cloudflare tunnel; this way nothing is open, yet the “handshake” goes between the clients and is managed by the server?

The self-hosting part alone is a nice deal… I wonder if a package could be whipped up for an install/setup on DietPi?

https://docs.netbird.io/selfhosted/selfhosted-quickstart#requirements

Requirements (quoted from “Self-hosting quickstart guide (5 min) - NetBird Docs”):

Infrastructure requirements:

  • A Linux VM with at least 1 CPU and 2 GB of memory.
  • The VM should be publicly accessible on TCP ports 80, 443, 33073 and 10000, and UDP ports 3478 and 49152-65535.
  • Public domain name pointing to the VM.

That is a LOT of ports… guess a dang good firewall setup on the VM would be a good idea.

Sure, there needs to be one instance with open ports, at least :wink:. Reminds me of the frp proxy, where you similarly need a single server instance only, and all other client/backend nodes connect to this server to become accessible instead of requiring open ports. And as opposed to ZeroTier/Tailscale/Remote.It/Cloudflared, you can, but do not necessarily need to, rely on a 3rd-party provider’s infrastructure.

With Cloudflared/Argo Tunnel, yes. You do not even need to open the port then. However, then I see no point in not using the NetBird server instead, or Tailscale, as you just trade one public provider for another. Either you self-host the server component to be completely independent, or, to not have too complex a setup, you use the public provider’s infrastructure directly. That is, unless you trust Cloudflare much more than NetBird/Tailscale etc.

Indeed, did anyone find out what the Caddy server listening on ports 80, 443 and 8080 is actually used for? Just as a proxy for the Zitadel and signaling components?

More ports, however, do not mean more need for a firewall. A firewall is for those ports not (intended to be) used, while you anyway need to allow those intended to be used. So a firewall does not make any intentionally installed application more secure; it just protects against unintentionally (or by bad actors) started applications :slightly_smiling_face:.
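As an added example that is not part of this thread or of NetBird's own docs, here is what the "default drop, allow only the intended ports" setup discussed in the requirements quote and in the firewall post above looks like as an nftables ruleset, with a helper to check what it exposes (so, for instance, Caddy's 8080 stays internal). The SSH rule on port 22 is an assumption, not something the docs list.

```shell
#!/bin/sh
# Added example (not from the thread or the NetBird project): emit an nftables
# ruleset that accepts only the ports in the self-hosting quickstart and drops
# everything else. SSH on 22 is an assumption; remove it if you manage the VM otherwise.
set -eu

NETBIRD_TCP_PORTS="80, 443, 10000, 33073"      # from the quickstart requirements
NETBIRD_UDP_PORTS="3478, 49152-65535"          # STUN/TURN port and relay range
SSH_PORT=22                                    # assumption, not in the docs

# Print the ruleset instead of applying it, so it can be reviewed first.
netbird_nft_ruleset() {
    cat <<EOF
table inet netbird {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport ${SSH_PORT} accept
        tcp dport { ${NETBIRD_TCP_PORTS} } accept
        udp dport { ${NETBIRD_UDP_PORTS} } accept
    }
}
EOF
}

# Exit 0 if <proto> <port> would be accepted by the ruleset above, 1 otherwise.
# Handles the UDP relay range, so e.g. "udp 50000" is allowed but "tcp 8080" is not.
netbird_port_allowed() {
    proto=$1; port=$2
    case "$proto" in
        tcp) list="$NETBIRD_TCP_PORTS, $SSH_PORT" ;;
        udp) list=$NETBIRD_UDP_PORTS ;;
        *)   return 1 ;;
    esac
    for item in $(printf '%s' "$list" | tr ',' ' '); do
        case "$item" in
            *-*) if [ "$port" -ge "${item%-*}" ] && [ "$port" -le "${item#*-}" ]; then return 0; fi ;;
            *)   if [ "$port" -eq "$item" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# Apply only when explicitly asked:  sh netbird-nft.sh apply
if [ "${1:-}" = "apply" ]; then
    netbird_nft_ruleset | nft -f -
fi
```

Run it without arguments to print the ruleset for review; the Docker containers still bind their own ports, so this only decides what the outside world can reach.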