Netbird: The Easy to Use Open-Source Wireguard Based Overlay VPN That You Can Host Yourself

Captions
Back in December of 2023 I did a review of several popular overlay VPN solutions. I think they're really great for solving connectivity issues; they have a reduced threat surface, or a more narrow way that you build trust, and they're really easy to set up compared to a lot of the traditional VPNs. But NetBird was one that people had a lot of questions about. As a matter of fact, the founders of NetBird, having seen them mentioned in that video, reached out to me and I had some good conversations, and yes, they did send me a shirt. They did send me a shirt with a cool logo on the back of it, and I wanted to have that disclosed up front. This is not sponsored, but shirts were sent prior to this, because I told them I was doing a video on it and they said, "Hey, can you wear a NetBird shirt in a video?" and I said, "Well, yes." So these opinions are my own; this has not been editorialized by NetBird at all, and as I said, not exactly sponsored, but I guess I did receive a shirt, so now I'm just being honest.

Now as far as how NetBird works, we're going to talk about some of the functional use cases for it, how it works, and the fact that it's open source, which is one of the reasons I'm talking about it without being paid to talk about it, because I think it's a really cool project I want to raise some awareness for. I love big open source projects like this because they give us better visibility, better transparency and security for how things are being done. But don't worry, if you don't want to set this up yourself they actually have a paid option as well. Now, this is not a tutorial on how to get started with NetBird; my friend Christian Lempa has a video, you'll find the link down below, where he gives you step-by-step tutorials on how to get it set up, including of course the self-hosted version, which just has the prerequisite of having somewhere to host it, a fully qualified domain name, and being able to run some Linux scripts. But let's get started talking about NetBird and why I think it's a cool product. [Music]

Are you an individual or forward-thinking company looking for expert assistance with network engineering, storage or virtualization projects? Perhaps you're an internal IT team seeking help to proactively manage, monitor or secure your systems. We offer comprehensive consulting services tailored to meet your specific project needs. Whether you require fully managed or co-managed IT services, our experienced team is ready to step in and help. We specialize in supporting businesses that need IT administration or IT teams seeking an extra layer of support to enhance their operations. To learn more about any of our services, head over to our website and fill out the "hire us" form at lawrencesystems.com. Let us start crafting the perfect IT solution for you. If you want to show some extra love for our channel, check out our swag store and affiliate links down below that will lead you to discounts and deals for products and services we discuss on this channel. With the ad read out of the way, let's get you back to the content that you really came here for.

"Connect and secure your IT infrastructure in minutes." The first thing I'm going to click on here is pricing, because I know people always ask, and they have a "try for free" right at the top, but they actually have a free tier, so you can have up to 100 machines if you don't want to deal with setting up hosting and setting this up self-hosted. We'll talk about that more in a moment, but they do have a free option, they have a Teams option, they have a Business option, and they also have some interesting integrations for the Business option where you can tie this to things like CrowdStrike for your security tool. They have different SIEM providers that they can export data to, so I think this is kind of cool for businesses looking at using this. Now, as I noted in the beginning, I've been testing this out in my lab; I have not done this in production use, so all my opinions are based on all of my lab testing. I have not fully integrated this into any particular customer, but I really have a strong confidence in the company and where they're going, because, well, so far it's worked really, really well.

Now let's jump over to the self-hosted one. I know what a lot of people are wondering is how it works for self-hosted, and their quick start guide is actually really great. Their documentation overall, I'm going to say, is good, but I think it's neat that you have this nice one-liner kickoff: you get a Linux server set up somewhere with a static IP and a domain pointed towards it, you put in the domain as part of the configuration, and then you run the one-liner and it will install, set up the certificates and get the whole thing running for you. You just have to sit and wait and watch the magic happen. It's actually really nice. They're using Docker for service delivery on the back end; I think that makes this pretty straightforward as far as the underlying pieces here.

But now let's talk a bit more about actually how NetBird works, and understanding how it works doesn't require any reverse engineering. They've taken the time to build good documentation for this project that walks you through how the technologies work, how they're integrated with each other, how the whole system works, the components, all the way through. All of this is very well documented, including how they get around things like if you have to do relaying. What relaying is: when you're building these networks, the coordination server figures out where all the servers are and tries to get them to talk to each other, but it does have an option that if they can't talk to each other, it will use the relay service in order to get the data from peer A to peer B. Now, the way these networks work, and something I'm going to be very clear with, especially with NetBird, is your peer A and peer B are going to be using WireGuard as the transport protocol for the data. So even though the data will pass through a relay service, whether you're hosting it or they're hosting it, the data transport is encrypted with WireGuard and is therefore going to be invisible in terms of being able to sniff those packets or see what data is going through. Even the discussion that each peer has between peer A and peer B with the relay service is also encrypted, so the control plane's encrypted and the actual transport between the peers is encrypted. So yes, all of this is well done in terms of encryption, and they're using WireGuard, as I said, which means they didn't try to invent a new protocol, and they're not being obscure about any of the tools that they're using in between.

Now let's talk about use cases. We have a device with NetBird installed at location A and a device with NetBird installed at location B. It's a pretty simple setup. We've done no modifications to the firewall; it doesn't matter what firewall you're using. As long as this system can get out to the internet and this one can get out to the internet and the coordination server can see both of these, then it's able to, and this yellow dotted line that's moving represents the WireGuard transport, talk from location A to location B. It does this with some really clever engineering that does not require modification of the firewall at either of these locations, so the firewalls are just passive devices and you don't have to have any control or settings on them, but you do have to have agents loaded on each of these devices for this to work. But you're probably thinking, well, pretty much any VPN can do this, like OpenVPN or WireGuard by itself. Yeah, with two agents set up it's pretty simple. If we get to a more complex environment, this is where NetBird really shines. Now, for simplicity of graphics here I only showed three locations, but this can go and get bigger exponentially, and the complexity of managing a normal VPN becomes extreme at that scale. What we have here is NetBird 1, 2 and 3; these are all devices with the agent loaded, but we also have a phone in the mix which will have the agent running on it. They're all talking to the coordination server, which will coordinate how all these can talk to each other, and it doesn't matter if the IP address has changed; it'll automatically, constantly query and re-establish those connections. But what about the devices that happen to live at location C that we can't load an agent on? Well, NetBird 3 has a published route. That means I can say, hey, this group all has access to this published route, which means whatever devices, maybe they're other IoT devices or different things that need to have access via IP, with NetBird 3, NetBird 3 acts as an exit for this entire subnet, therefore granting access to all the devices on that subnet. And that's just part of the published routes, but maybe you also want to encapsulate the traffic from NetBird 1 and send it out of the location for NetBird 2, and that's where exit nodes come in. As a matter of fact, you can also probably say NetBird 3, let's exit node through there as well. This is another feature by which you can say pack up all the traffic and ship it out one particular node. It's all built into the NetBird server; whether the coordination server's hosted by you or hosted by them, all these features still exist.

Now let's talk about the NetBird interface itself. This is the self-hosted version and it looks a little different than when I first set it up; as I noted, they've really made a lot of improvements. We can see that my phone here is online, we can see that it sees the region, and if we actually click on it here it'll show the NetBird IP address, the public IP address (this is my phone carrier because it's on 5G right now), the name of the device and the region it sees it in, which is actually accurate: United States, Detroit. If we go over to the other peers, we notice that this one here, NetBird 2, here is the public IP address, which you'll notice, as a privacy VPN, puts this one in Zurich, Switzerland. I've been putting it through some different double-NAT and challenging situations and it still connects just fine. This is also where, on each node, you can do things like add the different groups for the nodes: the "All" and I have "Tom", and we could also add this one to a test group, or we can free-form and type in another one. We have the ability to enable SSH on the server to access the machine via secure shell; that's actually built right in, and I think that's a rather clever feature. We have the ability to make this an exit node, and we can choose what peers we want to share this exit node with so it can become an exit point for the other nodes, and we can add special routes or we can add an existing network that we've already defined. So we can say new route and type one in and define it; it even has the ability here to choose routing peers when you're setting it up, or as I noted you can do these existing routes. Something I want to point out when you're doing any of these: you'll notice that there's the ability to link right to the documentation, so if you're curious about a setting, they have it linked right here. They've really thought this out really well.

Going down here to the setup keys, it's really easy to create a new key or revoke existing keys: give the key a name, assign the key to a group, decide if you want this key to be reusable, maybe by six devices, when you're setting it up, and you want it to expire in four days. If they haven't used this key within four days, well, you want it to just go away. We can just hit create the key; it's going to give me that key and we can copy it to the clipboard or hit close. Now we can't see the key anymore, and I'm just going to go and revoke it now, in case anyone wants to try to join my network; I'd have to approve them, and now they won't be able to be approved since I've disabled that key. I was playing around with a few different things here and it's easy enough to just go in and revoke those keys. If you notice, on the peers you can set the expiration for the peers as well, so if you want these to expire, you can. I actually left this one purposely at an older version; the little up arrow here just gives you more information about it, even right to the changelog and how to download it. On these Linux installs, apt-get update is able to do it. I purposely just left this one behind to show you the difference, and I did notice that the current version of Android, even though my Android app says it's up to date, is a little bit behind right now. They are aware of that; I actually talked to the founders about that.

Now let's go over the access control system. We have a default policy here, and it says: in this group "All" as a source and in this group "All" as a destination, we have back and forth, all ports, all traffic, and this policy is enabled. We have the name and description, and we don't have any posture checks. What posture checks are is we can say we want this to validate that the client version has to be at least this in order to connect to that resource, or maybe we want to say only a specific region is allowed to connect to that resource. So even though it may be part of the network mesh, this rule has a posture check of: these are the operating systems, kernel is equal to this version, equal to this version of Windows, Mac, iOS or Android. I really like that they let you get granular with this, and they even have network range and peers, other details that may matter for how you want to apply those policies. This is just really cool, and by default, of course, they're all off, making it really simple to do. Now, as far as creating a new policy rule, you can see that you can choose the groups that you want the policy applied to, choose the traffic ports (by default it's going to have "all" in there, but we can just simply type them in), and then we can give it a name, and it'll end up looking like "allow web ports". Look at the policy: All, All, 80 and 443, and this policy is enabled, but of course it's being overridden by this policy. So if we turn this one off, I didn't have to delete it, and now we know this policy is no longer in effect and the peers can only talk via this policy, so all peers can talk over 80 and 443 to all other peers. You can get granular, or maybe we want to add another one for port 22 for SSH, or whatever services you want to run. Now down here where it's got posture checks, these are just overall posture checks; maybe you want to restrict country and region, so when someone leaves or is in a certain region they don't get to access the system at all. So this is not applied to the rule; this is more of a global way to apply those posture checks.

Then we get on here to network routes. You add the routes within the peers themselves, but this allows you to go back through and see those routes that you added all in one place. This is a nice way to consolidate that information; maybe you've got it spread across numerous peers, and maybe you want to know which ones have exit nodes on them. I've actually put a route and an exit node both on the same one. They also have a metric to give priority for maybe how you want to tier the routing and the advertised networks through there, so once again it's well thought out and easy enough to follow, with documentation links within here on exactly how to set up these network routes. You do have the option to add custom name servers, Google, Cloudflare, Quad9, or your own custom DNS, along with specific domain overrides. Now, I'm not going to spend a lot of time talking about the users, but I do recommend you read through the documentation to make sure you have a good understanding of how that works and how service users can be set up to access things like the API; once again, that's all covered in the documentation.

Now the last thing I want to cover here is the activities. I'm really happy they have this; I think this is a critical function. You really need good, clear logging of what happened in the system, one, just so you can kind of see how a system got to its current state, and two, so you can look through here and see changes that were made, maybe that someone else made, because you have more than one user logging in here. Being able to go through and figure out how something got into its condition with logs, and having a searchable log with the activity, I think makes your life a whole lot easier.

Now, while I did mention earlier Windows, Mac and Linux and Android and iPhone, I did not mention BSD. That's in the works; it's not available here in May of 2024, but I am looking forward to them getting on the BSD platform, because, well, it'd be cool if they could integrate into BSD-based firewalls like pfSense. That would be really pretty awesome; hoping to see that somewhere in the future. But as I said, I'm doing this video because, one, it's a big open source project and people had asked me what I thought about it, especially after I looked at it, and I've got to say it's impressed me, and going back and forth with the founders, just having a good conversation with them, they are really dedicated to open source. So hey, I just wanted to raise a little awareness and put it on some people's radar that, hey, if you're looking for a fully self-hosted, not just the open source clients but a fully self-hosted management control plane for an overlay VPN solution, this one's pretty cool, and of the ones I've tested this one's really impressed me quite a bit. Let me know what you think in the comments down below, like and subscribe to see more content from this channel, head to lawrencesystems.com, check out our newsletter to stay on top of the things we have going on, and I'll see you over in the forums, forums.lawrencesystems.com, a great place to have a more engaging conversation about this and other topics you've seen on the channel. Thanks. [Music]
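The access-control discussion above (a default all-to-all policy that makes a narrower "allow web ports" policy moot until the default is disabled, plus posture checks on client version, OS and region) is easier to reason about in code. The following is an added example written for this page, not NetBird's own code or API: a small model in which every policy is an allow rule, traffic no enabled policy matches is denied, and posture checks are evaluated against the source peer. The peer names, group names, version numbers and regions are constructed sample data; the rule that posture checks gate the source peer is an assumption of the model.

```python
"""Toy model of NetBird-style access-control policies (added example, not NetBird code).

Assumptions of the model (not taken from NetBird's own implementation):
- policies are allow rules between source and destination groups
- traffic that no enabled policy allows is denied
- posture checks are evaluated against the source peer of a flow
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Tuple

Version = Tuple[int, int, int]


@dataclass(frozen=True)
class Peer:
    name: str
    groups: FrozenSet[str]
    os: str                 # e.g. "linux", "android"
    client_version: Version
    region: str             # country code the controller geolocated the peer to


@dataclass(frozen=True)
class PostureCheck:
    min_client_version: Optional[Version] = None
    allowed_os: Optional[FrozenSet[str]] = None
    allowed_regions: Optional[FrozenSet[str]] = None

    def passes(self, peer: Peer) -> bool:
        """True when the peer satisfies every constraint that is set."""
        if self.min_client_version is not None and peer.client_version < self.min_client_version:
            return False
        if self.allowed_os is not None and peer.os not in self.allowed_os:
            return False
        if self.allowed_regions is not None and peer.region not in self.allowed_regions:
            return False
        return True


@dataclass(frozen=True)
class Policy:
    name: str
    sources: FrozenSet[str]
    destinations: FrozenSet[str]
    ports: Optional[FrozenSet[int]] = None     # None means all ports
    bidirectional: bool = True                 # "back and forth" in the UI
    enabled: bool = True
    posture_checks: Tuple[PostureCheck, ...] = ()


def _groups_match(policy: Policy, src: Peer, dst: Peer) -> bool:
    forward = bool(src.groups & policy.sources) and bool(dst.groups & policy.destinations)
    reverse = policy.bidirectional and bool(src.groups & policy.destinations) \
        and bool(dst.groups & policy.sources)
    return forward or reverse


def allowed_by(policies: List[Policy], src: Peer, dst: Peer, port: int) -> Optional[str]:
    """Name of the first enabled policy allowing src -> dst:port, or None (denied)."""
    for policy in policies:
        if not policy.enabled:
            continue
        if not _groups_match(policy, src, dst):
            continue
        if policy.ports is not None and port not in policy.ports:
            continue
        if not all(check.passes(src) for check in policy.posture_checks):
            continue
        return policy.name
    return None


# Constructed sample peers and policies (hypothetical names, versions and regions).
NETBIRD1 = Peer("netbird-1", frozenset({"All", "servers"}), "linux", (0, 27, 0), "US")
NETBIRD2 = Peer("netbird-2", frozenset({"All", "servers"}), "linux", (0, 25, 0), "CH")
PHONE = Peer("phone", frozenset({"All"}), "android", (0, 26, 0), "US")

DEFAULT = Policy("Default", frozenset({"All"}), frozenset({"All"}))
WEB = Policy("allow web ports", frozenset({"All"}), frozenset({"All"}), frozenset({80, 443}))
SSH_ADMIN = Policy(
    "ssh from current clients", frozenset({"All"}), frozenset({"servers"}), frozenset({22}),
    bidirectional=False,
    posture_checks=(PostureCheck(min_client_version=(0, 26, 0),
                                 allowed_os=frozenset({"linux", "darwin", "windows"}),
                                 allowed_regions=frozenset({"US"})),),
)


def with_default_enabled() -> dict:
    """Default all->all still enabled: the narrower web policy restricts nothing."""
    policies = [DEFAULT, WEB]
    return {
        "web": allowed_by(policies, NETBIRD1, NETBIRD2, 443),
        "ssh": allowed_by(policies, NETBIRD1, NETBIRD2, 22),
    }


def with_default_disabled() -> dict:
    """Default disabled (not deleted): only ports an enabled policy names get through."""
    policies = [replace(DEFAULT, enabled=False), WEB, SSH_ADMIN]
    return {
        "web": allowed_by(policies, NETBIRD1, NETBIRD2, 443),
        "ssh_current": allowed_by(policies, NETBIRD1, NETBIRD2, 22),
        "ssh_old_client": allowed_by(policies, NETBIRD2, NETBIRD1, 22),  # 0.25.0 < 0.26.0, also CH
        "ssh_phone": allowed_by(policies, PHONE, NETBIRD1, 22),          # android not allowed
        "ssh_reverse": allowed_by(policies, NETBIRD1, PHONE, 22),        # phone is not a server
    }
```

Run `with_default_enabled()` and `with_default_disabled()` to see the difference: with the default rule on, both web and SSH traffic are allowed by "Default" and the 80/443 policy is redundant; once it is disabled, SSH only passes from a peer that meets the version, OS and region checks, and only toward the "servers" group.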
Info
Channel: Lawrence Systems
Views: 42,572
Keywords: LawrenceSystems, netbird, netbird self hosted, netbird vs tailscale, netbird docker, netbird tutorial, netbird exit node, overlan vpn, self hosted VPN service, self hosted, self hosted VPN, open source software, what is overlay network, wireguard vpn, wire guard, open source projects
Id: Kwrff6h0rEw
Length: 15min 52sec (952 seconds)
Published: Fri May 03 2024