u/TechHutTV

It's FINALLY here - Local User MFA in NetBird Self-Hosted! - YouTube
▲ 75 r/netbird


NetBird supports multi-factor authentication (MFA) for local users managed by the embedded identity provider. When enabled, all local users are required to set up and verify a time-based one-time password (TOTP) using an authenticator app before they can log in.

Self-Hosted Documentation

youtu.be
u/TechHutTV — 1 day ago
▲ 83 r/netbird

NetBird v0.71 ships IPv6 overlay addressing and MFA for local users

Note: Currently on self-hosting only - This will be live in cloud at around 7-8am Berlin time on the 15th. Once live on cloud we will release more content around this launch. If any self-hosters notice any issues please let us know here or on GitHub Discussions.

Hey everyone,

Today we’re shipping IPv6 overlay addressing in v0.71, and based on the issue tracker and the volume of folks who’ve asked about it in this sub and in Slack, this is probably the single most requested feature we’ve ever had.


So real quick, here’s what’s actually changing.

Dual-stack overlay

Every account now gets its own IPv6 prefix. Peers in IPv6-enabled groups receive both a v4 and a v6 overlay address. The default range is a /64, and you can configure anything from /48 down to /120 if you have a reason to. Two different accounts on the same management server get non-overlapping space, which matches how v4 already worked.


Group-gated rollout

New accounts have IPv6 enabled for the All group by default, so a fresh install just works. If you’re on an existing account, you opt in by selecting which groups should have IPv6 in Settings > Network. Only peers in at least one selected group get an address.

This is also gated on client support. The v0.71 client advertises IPv6 to management. Older agents don’t, so they stay v4-only until you upgrade.

Everything else follows along

This is the part I think is actually the coolest. We didn’t bolt v6 onto one corner of the product. Once a peer has an IPv6 address:

  • DNS serves AAAA records alongside A records. Resolving a peer name returns both addresses.
  • Domain routes resolve both A and AAAA records.

Per-client opt out

If you’ve got hosts that need to stay off v6, single-stack environments, compliance constraints, or just buggy upstream v6 you’d rather sidestep, there’s a --disable-ipv6 flag on the client. The same toggle is in the desktop UI under Settings > Disable IPv6 and in the iOS and Android apps under Advanced Settings.

When set, the client doesn’t request a v6 address, doesn’t advertise v6 support, and won’t accept inbound v6 traffic from remote peers.

One container gotcha worth flagging

If you’re running a routing peer inside a container, NetBird tries to set net.ipv6.conf.all.forwarding=1 at startup. In unprivileged containers or locked-down Kubernetes pods that sysctl is read-only, the write fails silently, and v6 forwarding stays off. Set it at the orchestrator layer:

sysctls:
- net.ipv6.conf.all.forwarding=1

If a routing peer has a v6 address but traffic isn’t reaching the backend, this is the first thing to check.

Local User MFA (Self-Hosted)

First, my apologies this took so long to get out. There were some minor road-blocks and it lined up with our IPv6 release. Took a lot of time and testing to make sure everything was perfect. Anyways, after updating, local users (non-IdP) can now enable multi-factor authentication, closing a gap for deployments that don't federate auth through an external provider. This will be under your authentication settings.


Links

Genuinely thank you to everyone who pushed for this one. Happy to answer questions in the comments.

reddit.com
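The "Dual-stack overlay" and "Group-gated rollout" sections above describe a policy: one non-overlapping prefix per account (default /64, configurable /48 to /120), and a v6 address only for peers that are in an enabled group, run a client that advertises v6, and have not set --disable-ipv6. This is an added model of that policy in Python, written for this write-up; it is not NetBird's implementation, the parent block 2001:db8::/32 is the documentation prefix used as a constructed input, and the sequential host numbering is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Per-account prefix length bounds as stated in the post (default /64).
MIN_PREFIX_LEN, MAX_PREFIX_LEN, DEFAULT_PREFIX_LEN = 48, 120, 64


@dataclass
class Peer:
    name: str
    groups: Set[str]
    advertises_ipv6: bool = True   # v0.71+ agent advertises v6; older agents do not
    disable_ipv6: bool = False     # the client's --disable-ipv6 toggle


def allocate_account_prefix(parent: str, existing: List[str],
                            prefix_len: int = DEFAULT_PREFIX_LEN) -> ipaddress.IPv6Network:
    """Return the first prefix in `parent` that overlaps no existing account prefix."""
    if not MIN_PREFIX_LEN <= prefix_len <= MAX_PREFIX_LEN:
        raise ValueError(f"prefix length must be between /{MIN_PREFIX_LEN} and /{MAX_PREFIX_LEN}")
    parent_net = ipaddress.IPv6Network(parent)
    taken = [ipaddress.IPv6Network(e) for e in existing]
    for candidate in parent_net.subnets(new_prefix=prefix_len):  # lazy, so this returns early
        if not any(candidate.overlaps(t) for t in taken):
            return candidate
    raise RuntimeError("parent block exhausted")


def assign_peer_addresses(prefix: ipaddress.IPv6Network, peers: List[Peer],
                          ipv6_groups: Set[str]) -> Dict[str, Optional[str]]:
    """Give an overlay v6 address only to peers in an enabled group that advertise v6 and have not opted out."""
    result: Dict[str, Optional[str]] = {}
    next_host = 1  # assumption: hosts are numbered sequentially from ::1 inside the account prefix
    for peer in peers:
        eligible = bool(peer.groups & ipv6_groups) and peer.advertises_ipv6 and not peer.disable_ipv6
        if not eligible:
            result[peer.name] = None
            continue
        if next_host >= prefix.num_addresses:
            raise RuntimeError(f"{prefix} has no free addresses left (try a shorter prefix)")
        result[peer.name] = str(prefix.network_address + next_host)
        next_host += 1
    return result


def overlay_overlaps(prefixes: List[ipaddress.IPv6Network]) -> bool:
    """Sanity check: two accounts on one management server must never share address space."""
    return any(a.overlaps(b) for i, a in enumerate(prefixes) for b in prefixes[i + 1:])


if __name__ == "__main__":
    acct = allocate_account_prefix("2001:db8::/32", ["2001:db8::/64"])
    demo = [Peer("alpha", {"All"}), Peer("legacy", {"All"}, advertises_ipv6=False),
            Peer("optout", {"All"}, disable_ipv6=True), Peer("lab-box", {"lab"})]
    print(acct, assign_peer_addresses(acct, demo, {"All"}))
```

The three `None` results are the three cases the post calls out: an old agent that does not advertise v6, a host that opted out with --disable-ipv6, and a peer whose groups were not selected under Settings > Network.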
u/TechHutTV — 8 days ago
▲ 33 r/netbird

[Testing Needed] Synology Users - We're Working on a DSM Package

Hey everyone, we're working on a DSM package and we need some help testing the software before it is moved to official NetBird channels. I have an x86 NAS and for me it is working great. We need more validation on this and a few folks to test the ARM version. Any feedback and issues would be greatly appreciated.

⚠️ Testing / beta fork: This repository is a testing fork used to validate the build, packaging, and update-delivery pipeline before any of it lands in an official NetBird-maintained channel. The Package Source URL below points at this fork's GitHub Pages deployment.

A Synology DSM 7.0+ package (.spk) for the NetBird VPN client. Provides DSM integration for daemon lifecycle, firewall rules, CLI symlink, log rotation, and a read-only status page in DSM's AppPortal. Configuration is CLI-only - after installing, SSH into the NAS and use the netbird command to connect with a setup key.

Here are a few basic things to test

  • General connectivity with a setup key
  • Peer to Peer (WireGuard) connectivity
  • Synology as a routing peer
  • Setting Synology as an exit node
  • Exposing a service running on Synology through reverse proxy
  • Updating on the next version release

That's not the limit of tests and use cases, but that would provide meaningful data.

GitHub: https://github.com/techHutTV/netbird-dsm

Instructions: https://techhuttv.github.io/netbird-dsm/

Related Discussion: https://github.com/netbirdio/netbird/discussions/6113

u/TechHutTV — 10 days ago
▲ 49 r/netbird

Hey folks, quick heads up if you use NetBird and report stuff on GitHub.

We have over 1,400 open issues. A lot are duplicates, stale, or things we can't reproduce. Real bugs are getting buried, and the team was spending more time triaging than actually fixing things. So we restructured.

https://preview.redd.it/5570xa4l7dzg1.png?width=2036&format=png&auto=webp&s=c6d12f92915730904ad08edfba65e475fbc4b2ff

The new flow:

  • Bugs and feature requests now start as GitHub Discussions, not Issues
  • The team validates them (replicates bugs, gauges feature traction)
  • Confirmed stuff gets promoted to an Issue in the right repo
  • The Issues tab will become a curated list of "this is real and being worked on"

https://github.com/netbirdio/netbird/discussions

Three discussion categories:

  • Issue Triage - bugs and regressions
  • Ideas & Feature Requests - features and enhancements (upvotes actually matter here for prioritization)
  • Q&A / Support - setup, config, self-hosting questions

Everything goes in the main netbirdio/netbird repo regardless of component. You don't need to figure out if your problem is core vs dashboard vs operator, that's our job during triage.

We're not mass-closing the existing 1,400 issues. Now that unvalidated reports are slowing down, we can actually work through the backlog properly.

This isn't a new pattern; projects like Ghostty and Renovate run this way and it works.

Full write-up here: https://netbird.io/knowledge-hub/reporting-bugs-and-requesting-features-in-netbird

reddit.com
u/TechHutTV — 17 days ago
▲ 67 r/netbird

https://preview.redd.it/ltt5drq15rwg1.png?width=2084&format=png&auto=webp&s=0c95d631b22470fb9f17187ff5267bb5393b2ca2

v0.69 is out, and the big one is CrowdSec IP reputation in the reverse proxy (self-hosted only for now, Cloud is coming).

If you're exposing services through the proxy, you can now have it check every incoming request against a local CrowdSec LAPI and drop connections from flagged IPs before they ever hit your backend.

How it works:

  • LAPI container runs alongside your stack and syncs the community blocklist
  • Proxy embeds a stream bouncer that pulls decisions into an in-memory cache
  • Lookups happen per-connection with no network round trip on the hot path
  • Enforce mode fails closed during initial sync, so connections are denied until the cache is populated

Three modes per service:

  • Off (default)
  • Observe: logs what would've been blocked, lets traffic through. Verdicts show up in the proxy event log with an observe-mode badge
  • Enforce: blocks flagged IPs

https://preview.redd.it/85wzb8j75rwg1.png?width=1952&format=png&auto=webp&s=f9e0dc77ecafcce1bed1fc6845f0bab70f6f1cf3

Restriction order is CIDR, then country, then CrowdSec, so your existing allow/deny rules still take precedence.

Deny reasons in access logs are tagged crowdsec_ban, crowdsec_captcha, or crowdsec_throttle depending on the underlying decision type (the proxy treats all three as denials, no captcha or rate limiting at the proxy layer).

Fresh self-hosted installs get the LAPI container out of the box via the quickstart script. If you're already running the reverse proxy, there's a new Step 7 in the migration guide.

Also shipped in v0.69:

  • macOS P2P connectivity reworked (scoped default route + IP_BOUND_IF instead of /32 exclusion routes per remote candidate, so tunnel access to a remote peer's local addresses works properly now)
  • PCP added to the NAT traversal stack alongside NAT-PMP and UPnP
  • --disable-networks flag to pin a client to specific networks
  • Direct SSO redirect on proxy services (skips the intermediate page)
  • Container DNAT bypass guard in iptables
  • iOS posture checks now populate NetworkAddresses
  • conntrack netlink listener auto-reconnects on error

Links:

reddit.com
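The v0.69 post above spells out the proxy's decision chain: CIDR rules first, then country, then the CrowdSec verdict; enforce mode fails closed while the cache is still syncing; observe mode only logs; and the three LAPI decision types all end in a denial tagged crowdsec_ban, crowdsec_captcha or crowdsec_throttle. The Python below is an added model of that chain for this write-up, not NetBird's code: the in-memory cache stands in for the stream bouncer, the GeoIP lookup is a constructed dict, the CIDR/country rules are modelled as deny lists, and the `crowdsec_sync_pending` tag for the fail-closed case is an assumption (the post names no tag for it).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# LAPI decision type -> access-log deny reason; all three are plain denials at the proxy.
DENY_TAGS = {"ban": "crowdsec_ban", "captcha": "crowdsec_captcha", "throttle": "crowdsec_throttle"}


@dataclass
class DecisionCache:
    """Constructed stand-in for the stream bouncer's in-memory decision cache."""
    synced: bool = False                               # False until the first full pull completes
    decisions: Dict[str, str] = field(default_factory=dict)  # "ip" -> "ban" | "captcha" | "throttle"

    def lookup(self, ip: str) -> Optional[str]:
        return self.decisions.get(ip)  # no network round trip on the hot path


@dataclass
class ServiceRules:
    cidr_deny: List[str] = field(default_factory=list)   # assumption: modelled as deny lists
    country_deny: Set[str] = field(default_factory=set)
    crowdsec_mode: str = "off"                           # "off" | "observe" | "enforce"


def evaluate(ip: str, rules: ServiceRules, cache: DecisionCache,
             geoip: Dict[str, str], log: List[str]) -> Tuple[str, Optional[str]]:
    """Return (verdict, deny_reason) in the order CIDR -> country -> CrowdSec."""
    addr = ipaddress.ip_address(ip)

    # 1. CIDR restrictions take precedence over everything else.
    for net in rules.cidr_deny:
        if addr in ipaddress.ip_network(net):
            return "deny", "cidr"

    # 2. Country restriction (geoip is a constructed lookup table here).
    if geoip.get(ip) in rules.country_deny:
        return "deny", "country"

    # 3. CrowdSec reputation.
    if rules.crowdsec_mode == "off":
        return "allow", None
    if not cache.synced:
        if rules.crowdsec_mode == "enforce":
            return "deny", "crowdsec_sync_pending"   # fail closed until the cache is populated
        log.append(f"{ip} observe: cache not synced, verdict unknown")
        return "allow", None
    decision = cache.lookup(ip)
    if decision is None:
        return "allow", None
    tag = DENY_TAGS[decision]
    if rules.crowdsec_mode == "observe":
        log.append(f"{ip} observe: would deny ({tag})")  # shown with the observe-mode badge
        return "allow", None
    return "deny", tag


if __name__ == "__main__":
    cache = DecisionCache(synced=True, decisions={"198.51.100.7": "ban"})
    rules = ServiceRules(cidr_deny=["203.0.113.0/24"], crowdsec_mode="enforce")
    print(evaluate("198.51.100.7", rules, cache, {}, []))
```

Running a service in observe mode first and reading the log entries is the low-risk way to see what enforce would have dropped, including the brief fail-closed window right after the LAPI container starts.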
u/TechHutTV — 1 month ago