Netbird: The Reference Architecture for Zero Trust Mesh Networking & VPN Replacement
Fabian Peter, 5 minute read

zero-trust mesh-networking vpn-alternatives peer-to-peer identity-first-security wireguard nat-traversal

TL;DR

The classic VPN (“Hub-and-Spoke”) is a relic. It forces all traffic through a central bottleneck, slowing down the connection and acting as a single point of failure. Netbird revolutionizes secure access. Based on the ultra-fast WireGuard® protocol, it creates a peer-to-peer (mesh) network. Devices connect directly with each other, not through a central server. Netbird combines the user-friendliness of modern SaaS tools with the data sovereignty of a self-hosted solution: No more VPN concentrators, no open ports, just pure connectivity.

1. The Architecture Principle: Mesh Instead of Concentrator

Traditional VPNs (OpenVPN, Cisco AnyConnect) work like a funnel: Every employee tunnels to the company HQ to access the internet or cloud services from there. This leads to latency and bandwidth issues (“Tromboning”).

Netbird uses a Mesh Architecture.

  • P2P (Peer-to-Peer): When employee A (home office) wants to access server B (data center), Netbird establishes a direct, encrypted tunnel between A and B. The traffic flows the shortest path.
  • NAT Traversal: The magic of Netbird lies in its ability to establish connections even when both sides are behind strict firewalls or NAT routers (via STUN/TURN). You no longer need to open ports on the router.

2. Core Feature: Identity-First Security (SSO)

VPN passwords and certificates are hard to manage. When an employee leaves, their certificates must be revoked. If that step is forgotten, their access remains open.

Netbird integrates directly with your Identity Provider (OIDC).

  • Login with Microsoft/Google/Keycloak: The user simply logs into the Netbird client with their company account.
  • Automatic Policies: Netbird checks the identity. If the user is in the “Admins” group, they get access to the production servers. If they are an “Intern”, they only see the intranet.
  • Instant Offboarding: Disable the user in Active Directory, and they immediately lose access to the network.

3. Network Routes & Site-to-Site

Netbird is not just for laptops. It connects entire infrastructures.

With Network Routes, you can use Netbird as a gateway.

  • Subnet Access: Install the Netbird client on one server in your Kubernetes cluster and configure it as a “Routing Peer”. Authorized developers can then reach internal service IPs (e.g., 10.43.0.50) or pods directly from their laptops, without those services being exposed on the public internet.
  • Multi-Cloud: Connect your AWS VPC with your on-premise network by simply installing a Netbird agent on both sides. It feels like a single, flat LAN.

4. Operating Models Compared: Tailscale / OpenVPN vs. ayedo Managed Netbird

Here you decide whether to share metadata or retain control.

Scenario A: Tailscale (SaaS Convenience with US Ties)

Tailscale is the market leader for mesh VPNs, but it is purely a SaaS service.

  • Control Plane in the USA: While the traffic is encrypted, the “Coordination Servers” (who is where, who can do what) run at Tailscale. You must trust that this metadata is secure.
  • Limits: The free version is great for private users, but enterprise features (ACLs, SSO) quickly become expensive.
  • Dependency: If Tailscale changes prices or discontinues the service, your network comes to a halt.

Scenario B: Netbird with Managed Kubernetes by ayedo

In the ayedo App Catalog, you host the Netbird Management Plane yourself.

  • Total Data Sovereignty: The list of your devices, users, and ACL rules resides in your database in your cluster. No one else sees your network topology.
  • No User Limit: Since you operate the software, you don’t pay “per user”. Whether 10 or 10,000 devices – the licensing costs (for the open-source version) are eliminated.
  • Performance: The management server only handles the “handshake” (peer registration and key exchange). The actual data traffic flows directly between devices, so your cluster does not become a bottleneck.

Technical Comparison of Operating Models

| Aspect          | Legacy VPN (OpenVPN)     | Tailscale (SaaS)          | ayedo (Managed Netbird)     |
|-----------------|--------------------------|---------------------------|-----------------------------|
| Architecture    | Hub-and-Spoke (Slow)     | Mesh (Fast)               | Mesh (Fast)                 |
| Protocol        | Often SSL/TLS (Overhead) | WireGuard (Kernel)        | WireGuard (Kernel)          |
| Control Plane   | Self-Hosted              | SaaS (Proprietary)        | Self-Hosted (Open Source)   |
| Authentication  | Certificates / LDAP      | OIDC / SSO                | OIDC / SSO (Keycloak etc.)  |
| Firewall Config | Ports need opening       | Automatic (NAT Traversal) | Automatic (NAT Traversal)   |
| Strategic Risk  | Single Point of Failure  | Vendor Lock-in            | Full Sovereignty            |

FAQ: Netbird & Connectivity Strategy

Is WireGuard really better than OpenVPN?

Yes, drastically. WireGuard is integrated into the Linux kernel. It is leaner (4,000 lines of code vs. 400,000 for OpenVPN/IPsec), connects faster (milliseconds instead of seconds), and is more battery-friendly on mobile devices. Netbird makes WireGuard “enterprise-ready” by automating key management.

How does it work through firewalls?

Netbird uses techniques like ICE, STUN, and TURN. The clients attempt to establish a direct connection (“Hole Punching”). If that fails (with very restrictive firewalls), they temporarily use a relay server (TURN), which you can also host in the ayedo cluster. This almost always guarantees connectivity.
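To make the STUN step of this NAT traversal concrete (the “NAT Traversal” bullet in section 1 and this FAQ answer), here is an added Python example, not Netbird's own code: it builds a STUN Binding request, decodes the XOR-MAPPED-ADDRESS a STUN server returns (the public address the NAT assigned to the socket, which a peer then announces to the other side before both try hole punching), and includes a constructed server response so the decoder can be exercised offline. The server name stun.example.net and port 3478 are placeholders you would replace with your own STUN/TURN host.

```python
import os
import socket
import struct

# STUN constants from RFC 5389 / RFC 8489
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
FAMILY_IPV4 = 0x01


def build_binding_request(txid):
    """20-byte STUN header: type, body length (0), magic cookie, 96-bit transaction id."""
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def build_binding_success(txid, ip, port):
    """Server side of the exchange (constructed here for offline testing): a Binding
    success carrying XOR-MAPPED-ADDRESS. Port and IPv4 address are XORed with the
    cookie so NAT ALGs that rewrite payload addresses do not corrupt the value."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xip = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, FAMILY_IPV4, xport, xip)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def parse_reflexive_address(resp, txid):
    """Client side: validate the response and decode the server-reflexive (ip, port)."""
    msg_type, length, cookie = struct.unpack("!HHI", resp[:8])
    if cookie != MAGIC_COOKIE or resp[8:20] != txid or msg_type != BINDING_SUCCESS:
        raise ValueError("not a matching Binding success response")
    body, off = resp[20:20 + length], 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        val = body[off + 4:off + 4 + alen]
        if atype == ATTR_XOR_MAPPED_ADDRESS and alen == 8 and val[1] == FAMILY_IPV4:
            port = struct.unpack("!H", val[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            ip = struct.unpack("!I", val[4:8])[0] ^ MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", ip)), port
        off += 4 + ((alen + 3) & ~3)  # attribute values are padded to 32-bit boundaries
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS in response")


def discover_reflexive_address(server=("stun.example.net", 3478), timeout=2.0):
    """Send one Binding request over UDP and return the public (ip, port) the NAT
    mapped for this socket; needs network access to a real STUN server (placeholder name)."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_binding_request(txid), server)
        resp, _ = sock.recvfrom(1500)
    return parse_reflexive_address(resp, txid)
```

If the reflexive address differs per destination (symmetric NAT), direct hole punching fails and this is exactly the case where the client falls back to the TURN relay mentioned above.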

Does this replace my Kubernetes Ingress?

For internal tools: Yes. Instead of exposing the Grafana dashboard or the database via Ingress publicly on the internet (and securing it with an OAuth proxy), just leave it in the internal network. Only those in the Netbird VPN can access it. This reduces the attack surface of your cluster to almost zero.

Do I need a client on every device?

Ideally, yes, to leverage the mesh advantages. But thanks to the “Routing Peer” function, it is also sufficient to install the client on a gateway server to grant access to entire subnets without deploying software on every endpoint (Site-to-Site).

Conclusion

Network security used to mean “moats and walls”. In a distributed world, that no longer works. Netbird builds an invisible, encrypted overlay network that spans cloud, on-premise, and home office. It offers the convenience of Tailscale, but without dependency on a US provider. With the ayedo Managed Stack, you get your own zero-trust hub – performant, secure, and fully under your control.
