MCPcopy
hub / github.com/netbirdio/netbird

github.com/netbirdio/netbird @v0.74.1 sqlite

repository ↗ · DeepWiki ↗ · release v0.74.1 ↗
22,544 symbols 104,549 edges 1,872 files 9,240 documented · 41%
README
<img width="234" src="https://github.com/netbirdio/netbird/raw/v0.74.1/docs/media/logo-full.png" alt="NetBird logo"/>






<a href="https://sonarcloud.io/dashboard?id=netbirdio_netbird">
  <img src="https://sonarcloud.io/api/project_badges/measure?project=netbirdio_netbird&metric=alert_status" alt="SonarCloud alert status"/>
</a>
<a href="https://github.com/netbirdio/netbird/blob/main/LICENSE">
  <img src="https://img.shields.io/badge/license-BSD--3-blue" alt="BSD-3 License"/>
</a>
<a href="https://docs.netbird.io/slack-url">
  <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack" alt="NetBird Slack"/>
</a>
<a href="https://forum.netbird.io">
  <img src="https://img.shields.io/badge/community%20forum-@netbird-red.svg?logo=discourse" alt="Community forum"/>
</a>
<a href="https://gurubase.io/g/netbird">
  <img src="https://img.shields.io/badge/Gurubase-Ask%20NetBird%20Guru-006BFF" alt="Gurubase: Ask NetBird Guru"/>
</a>

Start using NetBird at netbird.io

See <a href="https://netbird.io/docs/">Documentation</a>



Join our <a href="https://docs.netbird.io/slack-url">Slack channel</a> or our <a href="https://forum.netbird.io">Community forum</a>

🚀 We are hiring! Join us at https://netbird.io/careers

🤖 NetBird Agent Network (Beta)

Identity-aware access control for AI agents — keyless access to LLM APIs and private resources over the encrypted NetBird tunnel. See agent-network/ or read the docs at netbird.ai.

NetBird combines a configuration-free peer-to-peer private network and a centralized access control system in a single platform, making it easy to create secure private networks for your organization or home.

Connect. NetBird creates a WireGuard-based overlay network that automatically connects your machines over an encrypted tunnel, leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, and so forth.

Secure. NetBird enables secure remote access by applying granular access policies while allowing you to manage them intuitively from a single place. Works universally on any infrastructure.

https://github.com/user-attachments/assets/10cec749-bb56-4ab3-97af-4e38850108d2

Self-host NetBird (video)

Watch the video

Key features

Connectivity Management Security Automation Platforms
Kernel WireGuard Admin Web UI SSO & MFA support Public API Linux
Peer-to-peer connections ✓ Auto peer discovery and configuration Access control: groups & rules Setup keys for bulk provisioning macOS
✓ Connection relay fallback IdP integrations Activity logging Self-hosting quickstart script Windows
Routes to external networks Private DNS Traffic events IdP groups sync with JWT Android
Domain-based DNS routes Custom DNS zones Device posture checks Terraform provider Android TV
Exit nodes Multiuser support ✓ Peer-to-peer encryption Ansible collection iOS
IPv6 dual-stack overlay Multi-account profile switching SSH with central access policies Apple TV
Browser SSH & RDP Quantum-resistance with Rosenpass ✓ FreeBSD
Reverse proxy with auto-TLS Periodic re-authentication pfSense
OPNsense
MikroTik RouterOS
✓ OpenWRT
Synology
TrueNAS
Proxmox
Raspberry Pi
Serverless
Container

Quickstart with NetBird Cloud

Quickstart with self-hosted NetBird

This is the quickest way to try self-hosted NetBird. It should take around 5 minutes to get started if you already have a public domain and a VM. Follow the Advanced guide with a custom identity provider for installations with different IdPs.

Infrastructure requirements: - A Linux VM with at least 1 CPU and 2 GB of memory. - The VM should be publicly accessible on TCP ports 80 and 443 and UDP port 3478. - A public domain name pointing to the VM.

Software requirements: - Docker with the Compose plugin (Compose v2 or higher). See the Docker installation guide.

Steps - Download and run the installation script:

export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started.sh | bash

A bit on NetBird internals

  • Every machine in the network runs the NetBird agent, which manages WireGuard.
  • Every agent connects to the Management Service, which holds network state, manages peer IPs, and distributes updates to agents.
  • Agents use ICE (via pion/ice) to discover connection candidates for peer-to-peer connections.
  • Candidates are discovered with the help of STUN servers.
  • Agents negotiate a connection through the Signal Service, exchanging end-to-end encrypted messages with candidates.
  • When NAT traversal fails (e.g. mobile carrier-grade NAT) and a direct p2p connection isn't possible, the system falls back to a Relay Service and a secure WireGuard tunnel is established through it.

NetBird high-level architecture diagram

See a complete architecture overview for details.

Community projects

Note: The main branch may be in an unstable or even broken state during development. For stable versions, see releases.

Support acknowledgement

In November 2022, NetBird joined the StartUpSecure program sponsored by the Federal Ministry of Education and Research of the Federal Republic of Germany. Together with the CISPA Helmholtz Center for Information Security, NetBird brings security best practices and simplicity to private networking.

CISPA_Logo_BLACK_EN_RZ_RGB (1)

Acknowledgements

We build on open-source technologies like WireGuard®, Pion ICE, and Rosenpass. We greatly appreciate the work these projects are doing, and we'd love it if you could support them too (e.g., by starring or contributing).

Legal

This repository is licensed under the BSD-3-Clause license, which applies to all parts of the repository except for the directories management/, signal/ and relay/. Those directories are licensed under the GNU Affero General Public License version 3.0 (AGPLv3). See the respective LICENSE files inside each directory.

WireGuard and the WireGuard logo are registered trademarks of Jason A. Donenfeld.

Extension points exported contracts — how you extend this code

RoutesInfoCollection (Interface)
RoutesInfoCollection made for Java layer to get non default types as collection [10 implementers]
client/ios/NetBirdSDK/peer_notifier.go
State (Interface)
State interface defines the methods that all state types must implement [28 implementers]
client/internal/statemanager/manager.go
Rule (Interface)
Rule abstraction should be implemented by each firewall manager Each firewall type for different OS can use different t [31 …
client/firewall/manager/firewall.go
Notifier (Interface)
Notifier sends desktop notifications. [29 implementers]
client/ui/notifier/notifier.go
Middleware (Interface)
Middleware is the surface exposed by each concrete implementation. The Manager invokes it through the Dispatcher, passin [10 …
proxy/internal/middleware/middleware.go
CapabilityProvider (Interface)
CapabilityProvider queries proxy cluster capabilities from the database. [6 implementers]
management/internals/modules/reverseproxy/service/manager/manager.go
ManagerCredentials (Interface)
ManagerCredentials interface that authenticates using the credential of each type of idp [19 implementers]
management/server/idp/idp.go
PacketFilter (Interface)
PacketFilter interface for firewall abilities [4 implementers]
client/iface/device/device_filter.go

Core symbols most depended-on inside this repo

Errorf
called by 6222
management/server/http/testing/testing_tools/tools.go
Equal
called by 4840
management/server/util/util.go
Error
called by 1779
client/ios/NetBirdSDK/client.go
Run
called by 1627
client/internal/rosenpass/manager.go
String
called by 1621
client/internal/routemanager/client/client.go
Debugf
called by 1137
util/netrelay/relay.go
Lock
called by 1078
proxy/internal/acme/locker.go
Fatalf
called by 926
management/server/http/testing/testing_tools/tools.go

Shape

Method 11,765
Function 8,069
Struct 2,122
Interface 289
TypeAlias 257
FuncType 42

Languages

Go100%
TypeScript1%

Modules by API surface

client/proto/daemon.pb.go949 symbols
shared/management/proto/management.pb.go651 symbols
management/server/store/store_mock.go448 symbols
shared/management/proto/proxy_service.pb.go433 symbols
shared/management/http/api/types.gen.go370 symbols
management/server/store/sql_store.go279 symbols
management/server/store/store.go278 symbols
management/server/account/manager_mock.go242 symbols
client/proto/daemon_grpc.pb.go211 symbols
management/server/store/sql_store_test.go133 symbols
management/server/mock_server/account_mock.go129 symbols
management/server/account/manager.go121 symbols

Dependencies from manifests, versioned

cloud.google.com/go/authv0.20.0 · 1×
cloud.google.com/go/auth/oauth2adaptv0.2.8 · 1×
cloud.google.com/go/compute/metadatav0.9.0 · 1×
cunicu.li/go-rosenpassv0.5.42 · 1×
dario.cat/mergov1.0.1 · 1×
filippo.io/edwards25519v1.1.1 · 1×
fyne.io/fyne/v2v2.7.0 · 1×
fyne.io/systrayv1.12.1-0.2026011621 · 1×
github.com/AppsFlyer/go-sundheitv0.6.0 · 1×
github.com/Azure/go-ansitermv0.0.0-2025010203350 · 1×
github.com/Azure/go-ntlmsspv0.1.0 · 1×
github.com/BurntSushi/tomlv1.5.0 · 1×

Datastores touched

dbnameDatabase · 1 repos

For agents

$ claude mcp add netbird \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact