Connect your devices into a single secure private WireGuard®-based mesh network with SSO/MFA and simple access controls.
Misha Bragin f984b8a091
Proactively expire peers' login per account (#698)
Goals:

• Enable peer login expiration when adding a new peer
• Expire a peer's login when the time comes

The account manager triggers the peer expiration routine in the future if the following conditions are true:

• peer expiration is enabled for the account
• there is at least one peer that has expiration enabled and is connected

The time of the next expiration check is based on the nearest peer expiration. The account manager finds the peer with the oldest last login (auth) timestamp and calculates the time when it has to run the routine as the sum of the configured peer login expiration duration and that peer's last login time.

When triggered, the expiration routine checks whether there are expired peers. The management server closes the update channel of these peers and updates the network map of the other peers to exclude the expired peers, so that the expired peers are not able to connect anywhere.

The account manager can reschedule or cancel peer expiration in the following cases:

• when an admin changes the account setting (peer expiration enable/disable)
• when an admin updates the expiration duration of the account
• when an admin updates a peer's expiration (enable/disable)
• when a peer connects (Sync)

P.S. The network map calculation was updated to exclude peers whose login has expired.
2023-02-27 16:44:26 +01:00
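The scheduling rule the commit message describes, as an added example and not NetBird's own code: the next check runs at the oldest last login among connected peers with expiration enabled plus the configured duration, and is not scheduled at all when the account setting is off or no such peer exists. The `Peer` and `AccountSettings` types are constructed stand-ins, not the management server's real types.

```go
package main

import "time"

// Peer is a constructed stand-in for a peer record (not NetBird's own type).
type Peer struct {
	ID                string
	LastLogin         time.Time // last successful auth
	LoginExpirationOn bool      // per-peer expiration toggle
	Connected         bool      // has an open update channel
}

// AccountSettings holds the two account-level knobs the commit describes.
type AccountSettings struct {
	PeerLoginExpirationEnabled bool
	PeerLoginExpiration        time.Duration
}

// NextExpirationCheck returns when the expiration routine should next run and
// whether it should be scheduled at all: only if the account setting is on and
// at least one connected peer has expiration enabled (oldest login + duration).
func NextExpirationCheck(s AccountSettings, peers []Peer) (time.Time, bool) {
	if !s.PeerLoginExpirationEnabled {
		return time.Time{}, false
	}
	var oldest time.Time
	for _, p := range peers {
		if p.LoginExpirationOn && p.Connected && (oldest.IsZero() || p.LastLogin.Before(oldest)) {
			oldest = p.LastLogin
		}
	}
	if oldest.IsZero() {
		return time.Time{}, false
	}
	return oldest.Add(s.PeerLoginExpiration), true
}

// ExpiredPeers lists the peers whose login has expired at now: the server closes
// their update channel and drops them from the other peers' network map.
func ExpiredPeers(s AccountSettings, peers []Peer, now time.Time) []string {
	var expired []string
	for _, p := range peers {
		deadline := p.LastLogin.Add(s.PeerLoginExpiration)
		if s.PeerLoginExpirationEnabled && p.LoginExpirationOn && !now.Before(deadline) {
			expired = append(expired, p.ID)
		}
	}
	return expired
}
```

Rescheduling on the events the commit lists (settings change, duration change, per-peer toggle, Sync) amounts to calling NextExpirationCheck again with the updated state and replacing the pending timer.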



Start using NetBird at app.netbird.io
See Documentation
Join our Slack channel


NetBird is an open-source VPN management platform built on top of WireGuard® making it easy to create secure private networks for your organization or home.

It requires zero configuration effort, leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, and so forth.

NetBird uses NAT traversal techniques to automatically create an overlay peer-to-peer network connecting machines regardless of location (home, office, data center, container, cloud, or edge environments), unifying the virtual private network management experience.

Key features:

  • [x] Automatic IP allocation and network management with a Web UI ([separate repo](https://github.com/netbirdio/dashboard))
  • [x] Automatic WireGuard peer (machine) discovery and configuration.
  • [x] Encrypted peer-to-peer connections without a central VPN gateway.
  • [x] Connection relay fallback in case a peer-to-peer connection is not possible.
  • [x] Desktop client applications for Linux, MacOS, and Windows (systray).
  • [x] Multiuser support - sharing network between multiple users.
  • [x] SSO and MFA support.
  • [x] Multicloud and hybrid-cloud support.
  • [x] Kernel WireGuard usage when possible.
  • [x] Access Controls - groups & rules.
  • [x] Remote SSH access without managing SSH keys.
  • [x] Network Routes.
  • [x] Private DNS.
  • [x] Network Activity Monitoring.

Coming soon:

  • [ ] Mobile clients.

Secure peer-to-peer VPN with SSO and MFA in minutes

https://user-images.githubusercontent.com/700848/197345890-2e2cded5-7b7a-436f-a444-94e80dd24f46.mov

Note: The main branch may be in an unstable or even broken state during development. For stable versions, see releases.

Start using NetBird

A bit on NetBird internals

  • Every machine in the network runs NetBird Agent (or Client) that manages WireGuard.
  • Every agent connects to Management Service that holds network state, manages peer IPs, and distributes network updates to agents (peers).
  • The NetBird agent uses WebRTC ICE, implemented in the pion/ice library, to discover connection candidates when establishing a peer-to-peer connection between machines.
  • Connection candidates are discovered with the help of STUN servers.
  • Agents negotiate a connection through Signal Service passing p2p encrypted messages with candidates.
  • Sometimes the NAT traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT) and p2p connection isn't possible. When this occurs the system falls back to a relay server called TURN, and a secure WireGuard tunnel is established via the TURN server.

Coturn is the STUN and TURN server that has been used successfully in NetBird setups.

See a complete architecture overview for details.

Roadmap

Community projects

Support acknowledgement

In November 2022, NetBird joined the StartUpSecure program sponsored by The Federal Ministry of Education and Research of The Federal Republic of Germany. Together with CISPA Helmholtz Center for Information Security, NetBird brings security best practices and simplicity to private networking.


Testimonials

We use open-source technologies like WireGuard®, Pion ICE (WebRTC), and Coturn. We very much appreciate the work these guys are doing, and we'd greatly appreciate it if you could support them in any way (e.g. giving a star or a contribution).

WireGuard and the WireGuard logo are registered trademarks of Jason A. Donenfeld.