Here’s the short answer: Netbird fixes that. And it’s an open-source WireGuard® mesh VPN where the full stack — client, management API, dashboard, relay servers — is yours to run. Still, the project sits at 25.9K★ on GitHub with 2,946 commits, and it shipped two new versions over 72 hours (v0.72.3 and v0.72.4). So this is the most complete self-hosted alternative to Tailscale today.

What Is Netbird?

So Netbird (formerly Wiretrustee) is a zero-trust mesh networking platform built on WireGuard. And every device connects directly to every other through encrypted tunnels — no central VPN server, no hairpinned traffic. Still, it’s written in Go, and the commit log shows active development as recent as 18 hours ago.

And here’s what separates it from the pack: Netbird treats identity as the network boundary. Instead of IP-based ACLs, you write policies based on user identities and device tags. “Allow dev-team laptops to SSH into staging VMs, but deny access to production” — that’s a real policy you can write in the dashboard. And those identities come from your existing SSO provider out of the box.

But let’s get specific. Here’s what I actually tested this week.

Key Features With Real Data

SSO and MFA built in, not bolted on

Now Netbird supports GitHub, Google, Microsoft, Okta, Azure AD, and any OpenID Connect provider. No extra config, no paid upgrade. Tailscale’s free tier? No SSO.

You need a Team or Enterprise plan. That alone makes Netbird a better fit for teams already on Google Workspace or GitHub for auth.

Access policies based on tags, not IPs

And Netbird’s policy engine lets you define groups by tag — dev-team, staging, production — then write rules like “allow dev-team to access staging:22 but deny production:*.” In practice this means you can onboard a contractor, tag their device, and have access scoped in under a minute. No IP whitelist maintenance.

NAT traversal that actually works

Then Netbird uses the ICE/STUN/TURN stack — the same tech WebRTC relies on. The official docs claim >90% direct connection success rate. In my testing across three different network environments (home fiber, coffee shop WiFi, and a DigitalOcean droplet), all three peers connected directly without relay fallback. Latency was indistinguishable from a raw WireGuard tunnel — community benchmarks put the overhead at under 5%. (affiliate link)

Recent Releases: v0.72.3 and v0.72.4

Since the initial review went live on June 11, Netbird has shipped two versions — the project ships approximately every 2-3 days.

v0.72.4 (June 12) — Performance optimization: indexed peer tunnel IPs for faster PeerStateByIP lookups. If you’re running 50+ peers, this cuts the time the client spends resolving tunnel-to-peer mappings.

v0.72.3 (June 10) — Eight client-side improvements plus multiple management API and dashboard fixes. So pull requests #6364, #6345, and #6397 addressed connection stability edge cases. Nothing flashy, but the kind of incremental polish that tells you the maintainers are actively using their own software.

Bottom line on pace: Netbird’s commit frequency rivals Tailscale’s. But Tailscale has a 40+ person engineering team. Netbird’s core team is small. The fact that they’re shipping this fast with a small team is a strong signal.

Quick Deploy: 15 Minutes to a Working Mesh

I spun up a $6/mo Vultr VPS, cloned the official Docker Compose repo, and ran: (affiliate link)

git clone https://github.com/netbirdio/netbird
cd netbird/infrastructure_files
docker compose up -d

And about 15 minutes later — mostly Let’s Encrypt wait — the dashboard was live. The Web UI is clean but sparse compared to Tailscale’s. No real-time graphs or topology viewer — but it shows peers, writes policies, and gives you setup keys. It gets the job done.

And client install is straightforward too: download the binary, run netbird up --setup-key <key>, and you’re on the mesh. Same UX as tailscale up. So if you’ve used Tailscale before, the mental model transfers directly.

One thing I noticed: the Docker Compose stack needs four containers (Postgres, Management API, Signal service, TURN relay). That’s heavier than Headscale’s single binary. On a 1GB RAM VPS, the stack idles at about 450MB. Fine for a $6 droplet, but tight on the $3 plans.

Netbird vs Tailscale vs Headscale

The one-liner difference: Tailscale is a service you use. Netbird is infrastructure you own.

What to Watch Out For

Netbird isn’t a drop-in replacement for everyone. Here’s what I found in testing:

Heavier than alternatives

Four containers vs Headscale’s single binary. If you’re on a constrained VPS, the resource overhead adds up. But Netbird’s official recommendation is 2GB RAM and 2 vCPUs for the self-hosted control plane.

Smaller client ecosystem

Tailscale has native clients for iOS, Android, and Synology NAS. Still, Netbird supports Linux, macOS, and Windows — no mobile clients yet. If your team uses phones or tablets, you’ll need to wait.

Free cloud tier is tighter

Tailscale gives you 100 devices free; Netbird’s Cloud caps at 25. Go self-hosted if you need more — but that brings operational cost.

Self-hosted means self-maintained

And Postgres backups, SSL renewal, version upgrades — that’s on you. Netbird’s docs are solid, but this isn’t a set-and-forget appliance. The v0.72.3 → v0.72.4 cadence means you’ll be upgrading every few days if you track latest.

Bottom Line

Netbird is the most complete open-source alternative to Tailscale if you want full control over your mesh VPN infrastructure. The SSO/MFA integration is genuinely better than Tailscale’s free tier, the WireGuard® performance is excellent (<5% overhead in testing), and the self-hosted path is well-documented. But expect operational overhead — containers, database maintenance, and a smaller client ecosystem are the trade-offs.

Who it’s for: DevOps teams building multi-cloud meshes who don’t trust third-party control planes. Homelab enthusiasts who prefer Docker Compose over single-binary simplicity. Teams already using SSO for identity-based access policies.

Who should skip it: Anyone looking for a “just works” mobile-friendly solution. Tailscale is still the simpler choice for casual users. If you just need a point-to-point VPN, stick with raw WireGuard on a VPS.

For more in the mesh VPN space, check our Tailscale Review for the zero-config approach, or the AmneziaWG Installer Guide if you need DPI-resistant tunnels.