r/netbird

It's FINALLY here - Local User MFA in NetBird Self-Hosted! - YouTube
▲ 15 r/netbird


NetBird supports multi-factor authentication (MFA) for local users managed by the embedded identity provider. When enabled, all local users are required to set up and verify a time-based one-time password (TOTP) using an authenticator app before they can log in.

Self-Hosted Documentation

u/TechHutTV — 9 hours ago

How to geo block many countries at once

Is there a way to pick 100 countries and geo block them rather than entering 100 block rules for each service within my reverse proxy…. That would be entering 4,000 block rules for all my services which is about 16,000 mouse clicks. Is there not an easier way?

u/jjgg1988 — 23 hours ago

Reverse Proxy on Home Network

Has anybody found a solution for self hosting Netbird and accessing your domain on your home network when geoblocking is enabled?
I have it set up to “Allow” any North American countries but since my home network 192.168.150.0/24 IP range doesn’t fall within North American IPs, I can’t access any services while on my home network via their domain names (this is proven within the activity log).

I’ve tried adding 192.168.150.0/24 to the allow list but I think the reverse proxy uses “AND” logic cause it does not work.

If anybody has solutions, I’d be STOKED because this issue is annoying as hell. You’d think Netbird would want to fix this issue but I saw they commented and closed the GitHub issue meaning they don’t intend to solve this problem.

Thanks in advance!!

u/jjgg1988 — 1 day ago

Bug: Unregistered redirect_uri (Help)

Today I reinstalled netbird server to have traefik and it worked fine except for one thing.

My Mac connected successfully although I couldn't connect my Linux server (where everything is hosted including netbird server) or my android. When running the up --management-server command it gives me a link and the code, I can go to the link but after pressing enter it gives me an unregistered redirect uri error. On android I can login but then it gives same error and doesn't connect me.

u/revive_the_cookie — 1 day ago
▲ 10 r/netbird+1 crossposts

Remote access through Starlink network.

Trust me, if I could go with anyone else, I would. Unfortunately the 'business' package isn't an option either. We're currently using around 2T of data on a month to month basis. Before anything we'd use with jellyfin.

That out of the way, I am looking to use netbird to get access to my jellyfin server (and eventually other things) away from my home network. Is there a way to do this without a public static IP?

u/PfzMfg — 3 days ago

Windows Defender flags Netbird as Trojan


Hey Guys,
Some weird stuff happened today on my Windows 11 PC - Defender has flagged Netbird as Wacatac Trojan. Never had issues with it previously - why it got flagged now?
I'm on 0.71.2 version.

edit - apparently it's a known issue - my bad
Netbird Installer/Uninstaller detected as malware · Issue #6024 · netbirdio/netbird

u/SherbertPractical — 4 days ago

Network access through Netbird is super slow

So we have Netbird set up, cloud hosted. We have a Linux machine as a routing peer, and I enabled routing on it. I feel like the routing is working correctly because my outbound public IP is from the remote location, the main office.

I have done an Internet speed test, and it seems reasonable for my Internet bandwidth, close to 100Mb up and down.

However, when I try to access the file server, copying files back and forth is incredibly slow. Like it took 5 minutes to copy a 10Mb file.

I cannot figure this out.

u/iwaseatenbyagrue — 6 days ago

Self-hosted NetBird Dashboard showing Client as connected when disconnected

Hello guys,

I noticed my NetBird Dashboard is showing my Client as active after running "netbird down". I tried it on a few machines and it's showing active for any. Tried restarting both Client and Server/Dashboard which doesn't seem to help. Anyone has the same issue or a fix? I kinda need to know if my client is connected or not for troubleshooting if something isn't working.

Thanks

u/That_Cheek_8690 — 6 days ago

With the new IPv6, can iOS connect over cellular now?

I’ve used Tailscale over cellular and it’s worked.
But… can I use netbird over cellular to ssh to my devices?

u/OkLab5620 — 5 days ago

Issuing certificates

I have been trying to get netbird to issue certificates for quite a while and no matter what I do I can’t get it. I’ve tried adding API and Secret keys for Porkbun. I’ve made sure it’s accessible on VPS firewall and my OPNsense. Any ideas?

u/SH4GGYDO0 — 5 days ago
▲ 14 r/netbird

Homelab license

Curious if you are ever considering having a free enterprise license for self hosted or companies under a certain income kind of like Pangolin does or other services that do.

Edit: To clarify, I mean giving the commercial features to homelab users like IdP provisioning audit and traffic streaming etc. I know for me I like to play around with certain things before bringing it to my job.

u/shakinthetip — 7 days ago
▲ 83 r/netbird

NetBird v0.71 ships IPv6 overlay addressing and MFA for local users

Note: Currently on self-hosting only - This will be live in cloud in around 7-8am Berlin time on the 15th. Once live on cloud we will release more content around this launch. If any self-hosters notice any issues please let us know here or on GitHub Discussions.

Hey everyone,

Today we’re shipping IPv6 overlay addressing in v0.71, and based on the issue tracker and the volume of folks who’ve asked about it in this sub and in Slack, this is probably the single most requested feature we’ve ever had.


So real quick, here’s what’s actually changing.

Dual-stack overlay

Every account now gets its own IPv6 prefix. Peers in IPv6-enabled groups receive both a v4 and a v6 overlay address. The default range is a /64, and you can configure anything from /48 down to /120 if you have a reason to. Two different accounts on the same management server get non-overlapping space, which matches how v4 already worked.


Group-gated rollout

New accounts have IPv6 enabled for the All group by default, so a fresh install just works. If you’re on an existing account, you opt in by selecting which groups should have IPv6 in Settings > Network. Only peers in at least one selected group get an address.

This is also gated on client support. The v0.71 client advertises IPv6 to management. Older agents don’t, so they stay v4-only until you upgrade.

Everything else follows along

This is the part I think is actually the coolest. We didn’t bolt v6 onto one corner of the product. Once a peer has an IPv6 address:

  • DNS serves AAAA records alongside A records. Resolving a peer name returns both addresses.
  • Domain routes resolve both A and AAAA records.

Per-client opt out

If you’ve got hosts that need to stay off v6, single-stack environments, compliance constraints, or just buggy upstream v6 you’d rather sidestep, there’s a --disable-ipv6 flag on the client. The same toggle is in the desktop UI under Settings > Disable IPv6 and in the iOS and Android apps under Advanced Settings.

When set, the client doesn’t request a v6 address, doesn’t advertise v6 support, and won’t accept inbound v6 traffic from remote peers.

One container gotcha worth flagging

If you’re running a routing peer inside a container, NetBird tries to set net.ipv6.conf.all.forwarding=1 at startup. In unprivileged containers or locked-down Kubernetes pods that sysctl is read-only, the write fails silently, and v6 forwarding stays off. Set it at the orchestrator layer:

sysctls:
- net.ipv6.conf.all.forwarding=1

If a routing peer has a v6 address but traffic isn’t reaching the backend, this is the first thing to check.

Local User MFA (Self-Hosted)

First, my apologies this took so long to get out. There were some minor roadblocks and it lined up with our IPv6 release. Took a lot of time and testing to make sure everything was perfect. Anyways, after updating, local users (non-IdP) can now enable multi-factor authentication, closing a gap for deployments that don't federate auth through an external provider. This will be under your authentication settings.


Genuinely thank you to everyone who pushed for this one. Happy to answer questions in the comments.

u/TechHutTV — 7 days ago
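
Added example (not part of the post above and not NetBird's own code): a shell check for the container gotcha described in the v0.71 post, meant to be run inside the routing peer's container. The function name and its optional path argument are assumptions made for this example.

```shell
#!/bin/sh
# Report whether net.ipv6.conf.all.forwarding is really on in this namespace,
# and whether a process inside the container could turn it on by itself.
# The optional argument (default /proc/sys) only exists so the check can be
# pointed at a constructed directory tree.
#
# Exit status: 0 = forwarding on, 1 = forwarding off, 2 = sysctl not present.

v6_forwarding_state() {
    proc_sys="${1:-/proc/sys}"
    knob="$proc_sys/net/ipv6/conf/all/forwarding"

    # No readable knob usually means IPv6 is disabled in this network namespace.
    if [ ! -r "$knob" ]; then
        echo "unavailable: $knob not readable"
        return 2
    fi

    value=$(tr -d '[:space:]' < "$knob")
    if [ "$value" = "1" ]; then
        echo "enabled"
        return 0
    fi

    # Forwarding is off. A read-only /proc/sys is the case from the post:
    # the write at startup cannot succeed, so the orchestrator has to set it.
    if [ -w "$knob" ]; then
        echo "disabled: sysctl is writable here, so something set it to $value"
    else
        echo "disabled: sysctl is read-only here, set it via the orchestrator's sysctls"
    fi
    return 1
}

# Typical use inside the routing peer's container:
#   v6_forwarding_state || echo "IPv6 routes through this peer will not forward"
```

A result of "disabled" with a read-only sysctl matches the situation in the post, where the fix is the orchestrator-level sysctls entry rather than anything inside the container.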

Terminal is able to show I have 30 peers but I’m unable to view them on the dashboard

There might be a bug in the UI where it’s not showing all the peers my users are able to connect to on the dashboard. But when I do “netbird status”, it will tell me how many peers I’m able to connect to

u/lelleepop — 5 days ago

Netbird Client Static IP for DNS

Is there a way I can give my clients a static Netbird IP address? I need one for DNS Zones. Another great option would be a DNS Record pointing to a host not a specific IP which doesn't seem to be available :/

u/That_Cheek_8690 — 5 days ago

Crowdsec on Netbird cloud

Hello,

I would like to know when Crowdsec functionality will be available on the Netbird cloud please?

It will connect to crowdsec local instance?

Thanks for your work!

u/Own_Condition438 — 6 days ago
▲ 33 r/netbird

[Testing Needed] Synology Users - We're Working on a DSM Package

Hey everyone, we're working on a DSM package and we need some help testing the software before it is moved to official NetBird channels. I have an x86 NAS and for me it is working great. We need more validation on this and a few folks to test the ARM version. Any feedback and issues would be greatly appreciated.

⚠️ Testing / beta fork: This repository is a testing fork used to validate the build, packaging, and update-delivery pipeline before any of it lands in an official NetBird-maintained channel. The Package Source URL below points at this fork's GitHub Pages deployment.

A Synology DSM 7.0+ package (.spk) for the NetBird VPN client. Provides DSM integration for daemon lifecycle, firewall rules, CLI symlink, log rotation, and a read-only status page in DSM's AppPortal. Configuration is CLI-only - after installing, SSH into the NAS and use the netbird command to connect with a setup key.

Here are a few basic things to test

  • General connectivity with a setup key
  • Peer to Peer (WireGuard) connectivity
  • Synology as a routing peer
  • Setting Synology as an exit node
  • Exposing a service running on Synology through reverse proxy
  • Updating on the next version release

That's not the limit of test and use cases, but that would provide meaningful data.

GitHub: https://github.com/techHutTV/netbird-dsm

Instructions: https://techhuttv.github.io/netbird-dsm/

Related Discussion: https://github.com/netbirdio/netbird/discussions/6113

u/TechHutTV — 9 days ago
▲ 4 r/netbird+1 crossposts

Using Home assistant with SSO and Netbird

Hi,

I am new to self hosting and I have so far hosted netbird server in a vps, authentik on my vps, netbird clients (in the vps and my home proxmox) and home assistant in my home proxmox. I also followed a guide to add SSO using authentik to both my netbird and the home assistant.

So, when I try to access ha.example.com, I have to go through netbird policy and SSO and then HA SSO. This works very well on the browsers (both on PC and android) but it doesn't work on android app at all.

The app moves me to a browser where I need to login using authentik and then instead of sending me back to the app, it opens an instance of HA on the browser. I tried debugging this using ChatGPT, and it suggests that this is because in my current setup, I have 2 layers of auth (Mobile app → NetBird SSO → Home Assistant OIDC → Authentik) and suggests that I disable the SSO on netbird so that we can use just the home assistant OIDC.

However, I am not sure if it's the best idea to expose the home assistant (even the OIDC) to the internet. Ideally, I want to maintain a strict control on who can access my HA instance - family is okay but not friends.

Has anyone done something like this?

u/ArgentSeven — 7 days ago

"Allow only" seems to mean block on reverse proxy

If I enter an access control like this image https://imgur.com/a/1bdHqgy I get "Forbidden" when I navigate to the url.

If I switch to "Block only", then I can access the page.

Are these two in reverse on the UI compared to how it applies?

u/FuriousRageSE — 9 days ago