Why Wireguard with NetBird?

WireGuard is a modern and extremely fast VPN tunnel utilizing state-of-the-art cryptography and NetBird uses Wireguard to establish a secure tunnel between machines.

Built with simplicity in mind, Wireguard ensures that traffic between two machines is encrypted and flowing, however, it requires a few things to be done beforehand.

First, in order to connect, the machines have to be configured. On each machine, you need to generate private and public keys and prepare a WireGuard configuration file. The configuration also includes a private IP address that should be unique per machine.

Secondly, to accept the incoming traffic, the machines have to trust each other. The generated public keys have to be pre-shared on the machines. This works similarly to SSH with its authorised_keys file.

Lastly, the connectivity between the machines has to be ensured. To make machines reach one another, you are required to set a WireGuard endpoint property which indicates the IP address and port of the remote machine to connect to. On many occasions, machines are hidden behind firewalls and NAT devices, meaning that you may need to configure a port forwarding or open holes in your firewall to ensure the machines are reachable.

The undertakings mentioned above might not be complicated if you have just a few machines, but the complexity grows as the number of machines increases.

NetBird simplifies the setup by automatically generating private and public keys, assigning unique private IP addresses, and takes care of sharing public keys between the machines. It is worth mentioning that the private key never leaves the machine. So only the machine that owns the key can decrypt traffic addressed to it. The same applies also to the relayed traffic mentioned below.

Furthermore, NetBird ensures connectivity by leveraging advanced NAT traversal techniques and removing the necessity of port forwarding, opening holes in the firewall, and having a public static IP address. In cases when a direct peer-to-peer connection isn't possible, all traffic is relayed securely between peers. NetBird also monitors the connection health and restarts broken connections.

There are a few more things that we are working on to make secure private networks simple. A few examples are ACLs, MFA and activity monitoring.

Check out the WireGuard Quick Start guide to learn more about configuring "plain" WireGuard without NetBird.