SYSTEM Cited by 1 source
Netbird¶
Netbird is an open-source Zero Trust Access platform built on top of WireGuard. It provides an identity-gated, peer-to-peer mesh network with per-peer access policies, in place of the hub-and-spoke topology of a traditional client-server VPN.
Why the wiki has this page¶
Netbird is the substrate Yelp chose in late 2023 to replace its Ivanti Pulse Secure VPN. The canonical wiki instance is sources/2025-04-15-yelp-journey-to-zero-trust-access, where Yelp discloses the five selection pillars that made Netbird their choice: Okta/OIDC support, simple UI, open source, high throughput / low latency, and fault tolerance.
Named architectural primitives¶
From the Yelp post, one explicit data-plane primitive is disclosed — the rest is deferred to a promised implementation follow-up:
- Router peers — "All members of the mesh are peers but router peers serve the special role of being able to accept and egress traffic from other peers. Clients intrinsically have a one to many relationship with router peers they are permitted to use." The one-to-many mapping is what delivers fault tolerance: a client is permitted to use several router peers concurrently, so an individual router peer's failure or maintenance drains traffic to siblings. Measured failover in Yelp's testing: "a router peer that was actively handling traffic for a given peer could suddenly halt operation, and the client would experience a sub 2 second connectivity interruption while their traffic was rerouted to another host." (Source: sources/2025-04-15-yelp-journey-to-zero-trust-access)
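The failover behaviour described above, as an added Go model (Go because NetBird itself is written in Go); this is illustrative code, not NetBird's or Yelp's. A client holds routes to a prefix through several permitted router peers and, on every health-check change, re-selects the best reachable one. The per-route metric, the peer IDs and the prefixes are assumptions of the model, not NetBird configuration; the sample routes are constructed so that one prefix is multi-homed and one is single-homed.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Route is one path to a network prefix, advertised by a router peer. Several
// router peers may advertise the same prefix and a client permitted to use all
// of them has the one-to-many relationship described above. Metric is an
// assumption of this model (lower wins, ties broken by peer ID), not a NetBird
// field reproduced from its code.
type Route struct {
	Prefix     string
	RouterPeer string
	Metric     int
}

// Client is a mesh member's view of its permitted router peers.
type Client struct {
	routes    []Route
	reachable map[string]bool // router peer ID -> last health-check result
}

// NewClient starts with every permitted router peer marked reachable.
func NewClient(routes []Route) *Client {
	c := &Client{routes: routes, reachable: map[string]bool{}}
	for _, r := range routes {
		c.reachable[r.RouterPeer] = true
	}
	return c
}

// SetReachable records a health-check result for one router peer.
func (c *Client) SetReachable(peer string, up bool) { c.reachable[peer] = up }

// Select returns the router peer that should carry traffic for prefix: the
// lowest-metric route whose router peer is currently reachable. It fails only
// when every permitted router peer for that prefix is down, which is what a
// single-homed prefix hits on its first failure.
func (c *Client) Select(prefix string) (string, error) {
	var cands []Route
	for _, r := range c.routes {
		if r.Prefix == prefix && c.reachable[r.RouterPeer] {
			cands = append(cands, r)
		}
	}
	if len(cands) == 0 {
		return "", errors.New("no reachable router peer for " + prefix)
	}
	sort.Slice(cands, func(i, j int) bool {
		if cands[i].Metric != cands[j].Metric {
			return cands[i].Metric < cands[j].Metric
		}
		return cands[i].RouterPeer < cands[j].RouterPeer
	})
	return cands[0].RouterPeer, nil
}

// SampleRoutes is constructed data: one prefix reachable through three router
// peers (fault tolerant) and one through a single router peer (no failover).
func SampleRoutes() []Route {
	return []Route{
		{Prefix: "10.20.0.0/16", RouterPeer: "router-a", Metric: 100},
		{Prefix: "10.20.0.0/16", RouterPeer: "router-b", Metric: 200},
		{Prefix: "10.20.0.0/16", RouterPeer: "router-c", Metric: 200},
		{Prefix: "10.30.0.0/16", RouterPeer: "router-d", Metric: 100},
	}
}

func main() {
	c := NewClient(SampleRoutes())
	show := func(step string) {
		for _, p := range []string{"10.20.0.0/16", "10.30.0.0/16"} {
			if peer, err := c.Select(p); err != nil {
				fmt.Printf("%-18s %s -> unreachable (%v)\n", step, p, err)
			} else {
				fmt.Printf("%-18s %s -> %s\n", step, p, peer)
			}
		}
	}
	show("initial")
	c.SetReachable("router-a", false) // primary halts (failure or maintenance)
	show("router-a down")
	c.SetReachable("router-b", false) // second failure: tie-break picks router-c
	show("router-a+b down")
	c.SetReachable("router-d", false) // single-homed prefix has no sibling
	show("router-d down")
	c.SetReachable("router-a", true) // primary returns: traffic fails back
	show("router-a back")
}
```

The point the model makes explicit is that fault tolerance is a property of the policy, not of any one router peer: a prefix a client may reach through only one router peer (router-d above) has nothing to fail over to, so the access policy itself has to grant more than one router peer per prefix for the sub-2-second reroute to be possible.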
Identity integration¶
Netbird supports OpenID Connect (OIDC) as an authentication protocol. Yelp's integration flows through Okta as the OIDC provider — the canonical OIDC+device-posture access gate shape: the client hands off to the browser, the user authenticates to Okta (which applies policies around managed-device posture + MFA), and Okta returns a token that authenticates the Netbird peer. Contrast with the prior Pulse-via-SAML flow Yelp explicitly critiqued: "cumbersome browser-to-VPN client handoff for session authentication". (Source: sources/2025-04-15-yelp-journey-to-zero-trust-access)
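What the relying-party side of that hand-off has to check, as an added Go example that is neither NetBird's nor Yelp's code: the client generates a per-login state, nonce and PKCE verifier before opening the browser, and accepts the ID token that comes back only if its alg is RS256, its signature verifies, and iss, aud, exp and nonce all match this login attempt. The issuer URL and client ID are assumed values, and a locally generated RSA key stands in for the key Okta would publish via its JWKS; the HTTP code exchange and JWKS fetch are not shown.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// AuthRequest is the per-login secret kept between browser hand-off and callback: state binds the redirect, nonce the ID token, the PKCE verifier the code.
type AuthRequest struct{ State, Nonce, Verifier string }

func NewAuthRequest() *AuthRequest {
	tok := func() string {
		b := make([]byte, 32)
		rand.Read(b) // crypto/rand; a failure here is fatal on supported platforms
		return b64.EncodeToString(b)
	}
	return &AuthRequest{State: tok(), Nonce: tok(), Verifier: tok()}
}

// CodeChallenge is the S256 PKCE value sent with the authorize request; the
// verifier itself is only revealed later, in the code exchange.
func (a *AuthRequest) CodeChallenge() string {
	sum := sha256.Sum256([]byte(a.Verifier))
	return b64.EncodeToString(sum[:])
}

// IDClaims are the claims a relying party must check; aud is modelled as a string (Okta puts the client ID there).
type IDClaims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce"`
}

// VerifyIDToken checks alg and RS256 signature, then issuer, audience, expiry and
// nonce. In practice pub is fetched from the provider's JWKS and selected by kid.
func VerifyIDToken(tok string, pub *rsa.PublicKey, issuer, clientID, nonce string, now time.Time) (*IDClaims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var raw [3][]byte
	for i, p := range parts {
		b, err := b64.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("token part %d: %w", i, err)
		}
		raw[i] = b
	}
	var hdr struct{ Alg string `json:"alg"` }
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if json.Unmarshal(raw[0], &hdr) != nil || hdr.Alg != "RS256" || // no alg=none, no HMAC downgrade
		rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], raw[2]) != nil {
		return nil, errors.New("alg not RS256 or signature invalid")
	}
	var c IDClaims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer:
		return nil, errors.New("issuer mismatch")
	case c.Aud != clientID:
		return nil, errors.New("audience mismatch")
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	case c.Nonce != nonce:
		return nil, errors.New("nonce mismatch: token was not minted for this login attempt")
	}
	return &c, nil
}

// SignIDToken stands in for the identity provider so the example runs offline.
func SignIDToken(priv *rsa.PrivateKey, c IDClaims) string {
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	p, _ := json.Marshal(c)
	signing := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	sum := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	return signing + "." + b64.EncodeToString(sig)
}

func main() {
	idpKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for Okta's signing key
	const issuer, clientID = "https://example.okta.com/oauth2/default", "netbird-client" // assumed
	req, now := NewAuthRequest(), time.Now()
	tok := SignIDToken(idpKey, IDClaims{Iss: issuer, Aud: clientID, Exp: now.Add(5 * time.Minute).Unix(), Nonce: req.Nonce})
	_, err := VerifyIDToken(tok, &idpKey.PublicKey, issuer, clientID, req.Nonce, now)
	fmt.Println("verify:", err)
}
```

The nonce check is what ties the returned token to the peer that started the login: the same token presented to a second `NewAuthRequest` fails verification, so a token captured from one browser hand-off cannot be replayed to authenticate a different peer. Rejecting any alg other than RS256 before looking at the signature closes the alg=none and HMAC-with-public-key downgrades that JWT libraries have historically allowed.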
Client UX¶
Netbird ships with a client whose UI is open-source and modifiable. Yelp called this out as a first-class selection pillar ("simplicity is key when supporting less-technical users") and made several downstream modifications: hiding advanced options, adding self-repair and helpdesk shortcuts, customizing icons, and emitting per-stage connection feedback. "All these modifications would not have been possible without a code base that was approachable, well thought out and open source." (Source: sources/2025-04-15-yelp-journey-to-zero-trust-access)
Open source posture¶
Netbird is open source under the BSD-3-Clause licence and developed in public on GitHub (netbirdio/netbird). Yelp articulates two levers the open-source shape enabled:
- Response agency — "if critical security issues ever arose, we would not be beholden to the maintainers alone — we ourselves could provide fixes if need be." The canonical patterns/open-source-for-security-response-agency framing.
- Upstream contribution — "multiple changes have been pushed upstream to Netbird's main branch from Yelpers working to solve issues we encountered, debugged, and ultimately solved." An instance of patterns/upstream-contribution-parallel-to-in-house-integration.
Performance disclosure (from Yelp)¶
- Throughput: "upwards of 1 gigabit per second" on Netbird (10-gigabit backbone; client bottleneck is home ISP), vs Pulse's "low tens of megabits per second."
- Latency overhead: "single digit milliseconds of overhead added by wrapping packets in the WireGuard protocol" — i.e. close to wire latency.
Seen in¶
- sources/2025-04-15-yelp-journey-to-zero-trust-access — canonical first-party selection retrospective; names five pillars, discloses router-peer failover budget (<2s), contrasts against Pulse Secure.
Related¶
- systems/wireguard — the underlying VPN protocol + kernel subsystem Netbird builds on.
- systems/okta — the OIDC identity provider Yelp uses with Netbird.
- systems/pulse-secure — the predecessor Netbird displaced at Yelp.
- concepts/wireguard-mesh-topology — the mesh-of-peers HA primitive.
- concepts/router-peer — Netbird's egress-peer abstraction.
- concepts/zero-trust-authorization — the strategic framing.
- patterns/oidc-plus-device-posture-access-gate — Yelp's auth integration shape.
- patterns/open-source-for-security-response-agency — the OSS-as-security-posture lever.
- patterns/upstream-contribution-parallel-to-in-house-integration — Yelp's realised contribution loop.