Netbird

Netbird is an open-source, peer-to-peer VPN powered by Wireguard. The network's access controls and coordination are handled by a management server, which can either be the Netbird company's instance or a self-hosted instance.

To set up a Netbird client (peer), add the following to your NixOS module:

{
  services.netbird.clients.wt0 = {

    # Automatically login to your Netbird network with a setup key
    login = {
      enable = true;

      # Path to a file containing the setup key for your peer
      # NOTE: if your setup key is reusable, make sure it is not copied to the Nix store.
      setupKeyFile = "/path/to/your/setup-key";
    };

    # Set this to true if you want the GUI client
    ui.enable = false;

    # This opens ports required for direct connection without a relay
    openFirewall = true;

    # This opens necessary firewall ports in the Netbird client's network interface
    openInternalFirewall = true;
  };
}

The above configuration will create a command called netbird-wt0 available on PATH.

You can confirm the peer's connection using the command: netbird-wt0 status

To set up a routing peer, follow the #Basic Client Setup, then add the following line to your NixOS module:

services.netbird.useRoutingFeatures = "both";

This enables IP forwarding, which is required for routing peers.

To get Netbird's client-side DNS resolution to work, you must use systemd-resolved for your system's DNS by adding:

services.resolved.enable = true;

For issues setting up a client, consult the official Netbird "Troubleshooting client issues" documentation.