
NetBird self-host 2026: the fully open-source WireGuard mesh VPN

NetBird is an open-source WireGuard mesh VPN with a self-hostable server, built-in SSO and ACLs. Honest 2026 guide: how it works, self-hosting on a Contabo VPS, real costs, and NetBird vs Tailscale vs Headscale.

By Eric Gerard · Founder · VPNSmith — Self-host VPN & GDPR VPS specialist · 4 min read

Most "self-hosted VPN" setups stop at a single WireGuard server you connect into. A mesh VPN is different: every device talks directly to every other device, peer-to-peer, with a coordination server only brokering connections. Tailscale popularised this model — but its coordinator is proprietary. NetBird is the answer for people who want the same mesh experience with a stack that is open-source from agent to server, and fully self-hostable on a VPS you control.

This guide explains how NetBird works, what self-hosting it actually involves, the honest cost and maintenance picture, and how it stacks up against Tailscale and Headscale.

What is NetBird?

Server racks in a data center — self-hosting a mesh VPN

NetBird is an open-source overlay mesh VPN built on WireGuard for the data plane. Its components:

  • Agents on each device, establishing WireGuard tunnels.
  • A signal server that brokers peer-to-peer connection setup and NAT traversal.
  • A management server holding configuration, peers, groups and ACL policies.
  • A dashboard for administration.
  • A relay (TURN/coturn) as a fallback when two peers cannot connect directly.
  • SSO/IdP integration (OIDC) — NetBird can bundle Zitadel or connect to Authentik, Keycloak, Google and others.

The whole stack is open-source (github.com/netbirdio/netbird), which is the key point: unlike Tailscale, the coordination server itself is software you can run.

How peers actually connect

NetBird prioritises direct peer-to-peer WireGuard connections. The signal server helps two agents discover each other and punch through NAT; once connected, traffic flows directly between them — fast and not touching your server. Only when both peers sit behind restrictive NATs or firewalls does traffic fall back through the TURN relay. That distinction matters for sizing: the relay carries the worst-case minority, not your whole network. For the deeper WireGuard background, see our WireGuard vs OpenVPN comparison.

Self-hosting NetBird on a VPS

The realistic recipe in 2026:

  1. A small VPS with a public IP. A Contabo VPS S at €4.99/month handles a small-to-medium mesh comfortably.
  2. A domain name pointed at the VPS, with TLS via Let's Encrypt.
  3. Docker Compose running the management server, signal server, dashboard and coturn.
  4. An identity provider for SSO — bundle Zitadel or wire up an external OIDC provider.

# Outline only — follow the official NetBird self-hosting docs for current compose files
curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started-with-zitadel.sh -o install.sh
# review the script before running it, then:
export NETBIRD_DOMAIN=vpn.example.com
bash install.sh

Always read an install script before running it. For a step-by-step VPS hardening and base setup that applies here too, see our Contabo VPS setup guide and the broader best self-hosted VPN 2026 overview.
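One way to act on that advice, as an added example (not NetBird's tooling and not code from the original guide): a triage pass that points you at the installer lines to read first, plus a hash check so the copy you run is the copy you reviewed. The function names and the pattern list are hypothetical, and GNU coreutils `sha256sum` is assumed.

```shell
#!/usr/bin/env bash
# Added example: review aid for a downloaded installer such as install.sh.
# It does not replace reading the script; it tells you where to look first.

# flag LABEL REGEX FILE: print "LABEL:lineno:text" for every matching line.
flag() {
  grep -nE -- "$2" "$3" | sed "s/^/$1:/"
  return 0   # "no match" is not an error for a triage pass
}

# triage_installer FILE: list lines that fetch, escalate, delete or start services.
# The pattern set is an assumed starting point, not an exhaustive one.
triage_installer() {
  local f=$1
  [ -r "$f" ] || { echo "cannot read: $f" >&2; return 2; }
  flag fetch   '(curl|wget)[[:space:]]' "$f"
  flag pipe-sh '\|[[:space:]]*(sudo[[:space:]]+)?(ba)?sh([[:space:]]|$)' "$f"
  flag sudo    '(^|[[:space:];&|])sudo[[:space:]]' "$f"
  flag rm-rf   'rm[[:space:]]+-[[:alpha:]]*(rf|fr)' "$f"
  flag compose 'docker([[:space:]]|-)compose.*[[:space:]]up' "$f"
}

# approve_installer FILE: record the SHA-256 of the copy you just reviewed.
approve_installer() { sha256sum "$1" > "$1.sha256"; }

# run_reviewed FILE: execute only if FILE still matches the approved hash.
run_reviewed() {
  sha256sum -c "$1.sha256" >/dev/null 2>&1 || {
    echo "refusing: $1 changed since review (or was never approved)" >&2
    return 1
  }
  bash "$1"
}

# Constructed sample standing in for a downloaded installer (not NetBird's script).
make_sample() {
  cat > "$1" <<'EOF'
#!/bin/bash
echo "domain=$NETBIRD_DOMAIN"
curl -fsSL https://example.invalid/extra.sh | sudo bash
docker compose up -d
EOF
}
```

Source the file, run `triage_installer install.sh`, read the script in full, then `approve_installer install.sh`; `run_reviewed install.sh` refuses to run if the file was re-downloaded or edited after approval.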

The honest cost and maintenance picture

  • Direct cost: roughly €60/year on a Contabo VPS S for a small-to-medium mesh — versus per-user SaaS pricing that scales with your team.
  • Setup time: a few hours, more than a single WireGuard box because of the IdP and relay.
  • Maintenance: container updates, certificate renewal (mostly automated), and watching relay bandwidth. NetBird has more moving parts than a plain WireGuard server or a lean Headscale install — that is the trade for an integrated, fully-owned platform.
  • Project maturity: younger and smaller-community than Tailscale; very active, but do your own due diligence on release cadence.

NetBird vs Tailscale vs Headscale

| | NetBird (self-host) | Tailscale (SaaS) | Headscale (self-host) |
|---|---|---|---|
| Data plane | WireGuard | WireGuard | WireGuard |
| Server source | Fully open-source | Proprietary coordinator | Open-source reimplementation |
| Clients | NetBird agents | Official Tailscale | Official Tailscale |
| Built-in SSO/dashboard | ✅ Yes | ✅ (managed) | ⚠️ Minimal |
| You own the control plane | | | |
| Moving parts to run | More | None (managed) | Fewer |

For the two Tailscale-side options in depth, see Tailscale vs Headscale self-host and our Headscale self-host guide.

Verdict

NetBird is the strongest choice when you want a mesh VPN you fully own, end to end, with integrated SSO and ACLs, and you accept running a handful of containers. If you want the absolute lightest self-hosted path and are happy with the official Tailscale clients, Headscale is leaner. If you don't want to self-host at all, Tailscale's SaaS is easiest — but then you don't own the coordinator. For sovereignty-minded teams, NetBird on a Contabo VPS is the most complete open-source answer in 2026.

Editorial comparison based on NetBird's documented open-source architecture (WireGuard data plane, self-hostable management/signal servers, OIDC SSO, TURN relay fallback) and the documented models of Tailscale and Headscale. Costs are indicative VPS pricing, not guarantees. Commercial links carry the rel="sponsored nofollow" attribute; an affiliate commission may apply at no extra cost to you.
