NetBird: An EU Zero-Trust VPN as Open-Source Alternative for Private Cloud Access



Classic SSL VPNs are aging. The last two years have shown multiple critical vulnerabilities in the major concentrator products, while at the same time the regulatory pressure from NIS2, DORA and the ongoing Schrems II discussion keeps growing. If you are thinking about remote access into your own private cloud today, you are not just thinking about security anymore. You are also thinking about sovereignty: Where does the vendor sit, who controls the control plane, and what happens with your connection metadata?

This is exactly the gap that NetBird moves into: A Berlin-based open-source project under a BSD-3 license that combines a WireGuard mesh with Zero Trust Network Access and positions itself explicitly as a European alternative to US mesh services. We have spent the last weeks evaluating NetBird as a replacement for traditional VPN access in our own lab environment. This post summarizes what convinced us and where we took a closer look.

As of May 2026, we looked at NetBird Cloud and the current Self-Hosted version.

Why now is the right moment for a VPN alternative

Three developments are converging right now:

Regulation: NIS2 is being rolled out, DORA forces financial-services firms into strict oversight of their critical ICT suppliers, and data protection authorities are paying closer attention to who can access connection metadata, and when.

Vendor sovereignty: The US CLOUD Act is still on everyone's mind, and more and more organizations want to run their security infrastructure under European law.

Technical debt: The classic concentrator approach with a central gateway through which all traffic is funneled no longer fits a world of distributed workloads, edge sites, and hybrid clouds.

"A VPN gateway that every employee needs in order to reach internal systems is less of a defensive wall today, and more of a single point of failure with mandatory attendance."

Mesh VPNs invert this logic: Every client builds direct, encrypted connections to every other authorized client. The only things that stay central are identity, policy, and key distribution. That is exactly the model NetBird is built on.

What NetBird is

NetBird is a WireGuard-based peer-to-peer overlay with a central management plane. No concentrator, no tunnel-in-tunnel construction, but a flat overlay in which every node can reach every other node directly, as long as the policies allow it.

Three properties stand out:

  • Zero Trust by default: Access is bound to identity and policy, not to the network perimeter. Every connection is evaluated against the central policy.
  • Open Source, BSD-3: All components (management, signal, relay, dashboard, clients) live on GitHub under a permissive license. No open-core trick that quietly cripples self-hosting.
  • Made in Berlin: The company was founded in 2021 by Misha Bragin and Maycon Santos, closed an €8.5M Series A in January 2026 (led by Pace Capital), and openly positions itself as the European answer to established US vendors.

That is not marketing garnish. It is a concrete property that increasingly shows up in vendor assessments under NIS2 and DORA.

Architecture in one picture

Even without a diagram, the architecture fits into five bullet points:

  • Clients connect directly peer-to-peer via WireGuard whenever a path between them can be established.
  • The Management Plane distributes configuration, routes, and policies to all nodes.
  • The Signal Service coordinates NAT traversal so that clients behind NATs can find each other.
  • Coturn acts as a TURN/STUN relay when a direct path is not possible (common in restrictive networks).
  • An IdP integration with SSO and MFA is the identity anchor that the policy decisions hang on.

The actual traffic typically does not pass through the management plane. Even when you use NetBird Cloud, the vendor sees control information, but not payload data.

Self-Hosting: all or nothing

This is where it gets interesting for many companies. NetBird is one of the few products in this segment where self-hosting is not a watered-down side product. All components of the cloud version are available as open source and can be run on your own infrastructure.

What you need:

  • A Linux VM at the hoster of your choice (ideally in the EU).
  • Docker (or Podman) with Compose, plus the jq tool.
  • Your own domain with a public IP.
  • Open ports: with a reverse proxy, TCP 80/443 and UDP 3478 for Coturn are enough.

When it comes to IdPs, you have real freedom of choice:

| Category | Options |
|---|---|
| Self-hosted | Zitadel, Keycloak, Authentik, PocketID |
| Managed | Microsoft Entra ID, Google Workspace, Okta, Auth0, JumpCloud |

The combination NetBird + Zitadel is particularly attractive from an EU perspective: Both components are developed in Europe, both are open source, and both are fully self-hostable.

The quick start with the bundled Zitadel setup is a single command:

curl -fsSL https://github.com/netbirdio/netbird/raw/main/infrastructure_files/getting-started-with-zitadel.sh \
  | bash -s -- --setup-with-zitadel

The script brings up management, signal, relay, dashboard, and an embedded Zitadel as IdP in a Docker Compose environment. For production scenarios, we recommend separating the components and the IdP into independent deployments and placing a reverse proxy (Caddy or Traefik) in front.
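
The port requirement above, turned into a check, as an added example that is not part of the original post or the NetBird project: it parses `ss -H -tuln` output and reports every network-reachable listener outside TCP 80/443 and UDP 3478. The sample socket list, the port 5432 entry and the function names are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the NetBird project): flag listening sockets outside
# the article's allowlist of TCP 80/443 and UDP 3478. Loopback-only listeners
# are skipped because they are not reachable from the network.

# proto/port pairs; add e.g. "tcp/22" if SSH is exposed on purpose (assumption).
ALLOWED="tcp/80 tcp/443 udp/3478"

# Reads `ss -H -tuln` output on stdin and prints "proto/port local-address"
# for every non-loopback listener that is not in $ALLOWED.
unexpected_listeners() {
  awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "tcp" || $1 == "udp" {
      addr = $5
      port = addr; sub(/^.*:/, "", port)      # text after the last colon
      host = addr; sub(/:[^:]*$/, "", host)   # text before the last colon
      sub(/%.*$/, "", host)                   # drop interface suffix such as %lo
      gsub(/^\[|\]$/, "", host)               # [::1] becomes ::1
      if (host ~ /^127\./ || host == "::1") next
      key = $1 "/" port
      if (!(key in ok)) print key, addr
    }' | sort -u
}

# Constructed sample of `ss -H -tuln` output on a self-hosting VM: the three
# expected listeners, two loopback services, SSH, and a published database port.
sample_ss_output() {
  cat <<'EOF'
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:3478       0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:8080       0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:5432       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      4096            [::]:443           [::]:*
EOF
}

# Default: audit the constructed sample. Pass --live to audit this host via ss.
if [ "${1:-}" = "--live" ]; then
  ss -H -tuln | unexpected_listeners
else
  sample_ss_output | unexpected_listeners
fi
```

Checking listeners rather than firewall rules matters on a Docker Compose host, because ports published by Docker are typically not filtered by ufw-style host rules.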

Important: We did not find any artificial feature gates in the documentation or the code that would restrict SSO, ACLs, policies, or audit functionality in self-hosted setups. Posture checks and event streaming are technically available as well. If you are comfortable with the operations work, you get functionally the same platform as the cloud offering.

Cloud tiers: What do you pay, and when?

If you do not want to run self-hosting yourself, NetBird is also available as a managed cloud. The tiers (as of May 2026):

| Tier | Price | User limit | Machines | Highlights |
|---|---|---|---|---|
| Free | $0 | up to 5 | 100 | P2P, social SSO, DNS, ACLs, community support |
| Team | $5/user/month | unlimited | 100 + 10/user | Enterprise IdP, SCIM, audit logging, ticket support |
| Business | $10/user/month | unlimited | 100 + 10/user | Device approvals, posture checks, MDM/EDR, event streaming, priority |
| Enterprise | Custom | unlimited | unlimited | On-premises, DORA compliance, SLAs, invoice billing |

Two details that come up regularly in practical discussions:

  • Billing per active user: Only users who connected at least once during the month are counted. That is fair on paper, but it can lead to surprising swings on teams with heavy fluctuation (consultants, seasonal workers).
  • A 15% annual discount is available on yearly billing, and there is a dedicated MSP/partner program on request.

For a classic SMB with 30 full-time employees that wants access into its own private cloud, the Team tier lands at roughly $150/month. That is significantly below what a comparable concentrator solution typically costs in licenses and hardware alone.

Clients and day-to-day comfort

The supported platforms cover the typical enterprise mix: Linux, Windows, macOS, iOS, Android, plus Docker containers and routers. Desktop systems get a GUI, while servers and containers are driven through the CLI.

What we noticed positively during the evaluation:

  • Setting up a 3-user test tenant: under ten minutes, from registration to the first connection.
  • Internal DNS resolution: Hostnames can be managed centrally and resolved across the overlay, comparable to MagicDNS on Tailscale.
  • Client auto-updates can be enabled, removing a big chunk of the classic VPN client rollout pain.

Where it is still catching up to Tailscale: The mobile clients feel a little less polished in one or two places, and the feature set of the browser admin UI is still growing.

EU sovereignty: Substance or buzzword?

This is the question we put to every vendor with a "Made in EU" sticker. With NetBird, the answers are concrete:

  • Headquartered in Berlin, under German corporate law, with a German legal relationship in case of contract disputes.
  • BSD-3 license means full code auditability. You can inspect, adapt, and operate every line.
  • GDPR, ISO 27001, and DORA certifications are in place (see trust.netbird.io).
  • On-premises deployment is available, and not as some "enterprise add-on" with a special license, but as an ordinary self-hosted installation.

Combined with the free choice of IdP (especially Zitadel, which is also from the German-speaking region), you can build a remote access stack that sits entirely under European control, without losing any functionality. For organizations that are reviewing their supply chain as part of a NIS2 rollout, that is a relevant argument.

Where NetBird shines today, and where it does not

Strengths

  • A genuine BSD-3 open-source platform, fully self-hostable, without artificial gates.
  • EU-based vendor with a clear compliance posture (GDPR, ISO 27001, DORA).
  • Solid IdP choices, from Zitadel and Keycloak to Entra ID and Okta.
  • Posture checks and SIEM event streaming are available starting at the cloud Business tier, not locked away in an expensive enterprise tier.
  • Clear, simple pricing model with a generous free tier for testing.

Limitations

  • The ecosystem is younger and smaller than Tailscale's. Community plugins, third-party tools, and tutorials are growing, but they are not at the same level yet.
  • Mobile clients are functional, but lag behind Tailscale in polish and comfort.
  • Active-user billing can swing unexpectedly for very dynamic teams.
  • HA and high-load self-hosted setups are doable, but they require some legwork. The official documentation handles the onboarding well, but advanced operational scenarios are still partly community knowledge.

When NetBird is the right choice

Four scenarios where NetBird clearly moves to the front of the field:

1) "We need to deliver NIS2- or DORA-compliant infrastructure."

NetBird delivers a rare full package here: An EU vendor, BSD-3 source availability, the relevant certifications, and the option to run on-premises. In vendor assessments that is valuable, because you can answer almost every question with "yes, verifiable."

2) "We want to connect to our private cloud in a sovereign way."

If the goal is secure, identity-based access to your own workloads at Hetzner, IONOS, OVH, an on-premises environment, or a mix of all of these, NetBird is an excellent fit. You can run the entire system on your own EU infrastructure.

3) "We want to replace a classic SSL VPN."

The typical concentrator VPN stack (hardware appliance plus client) generates license, maintenance, and operations costs that often exceed what NetBird charges in the Team or Business tier. At the same time, you gain a modern mesh model with Zero Trust baked in.

4) "We want to get started for free."

For up to five users and 100 machines, the cloud tier is simply $0. For a hobbyist setup or a first proof of concept, this is risk-free. If you want to go further, you self-host the platform with Docker Compose and pay only for the VM.

Conclusion

NetBird is our top recommendation in May 2026 when EU sovereignty and full self-hosting freedom are both on the wish list. The product is mature enough for production, the license is permissive, the vendor is based in Berlin, and the pricing model is friendly compared to the market.

Over the next few days, two more introductions in this series are coming up: Tailscale as the US market leader with the most polished user experience, and Headscale as the community-driven open-source alternative to the Tailscale control plane. A closing fourth post will then compare all three solutions directly along the axes of self-hosting, private cloud access, license cost, client comfort, and EU-first.

If you are currently looking to replace a classic VPN, setting up a NIS2 or DORA program, or building sovereign access into your private cloud, we at Infralovers are happy to support you. We are also glad to advise you around our Sovereign Cloud offering. We bring experience from architecture, migration, and operations, combined with our training portfolio on NIS2 Compliance and Cloud Native Essentials.
