Site-to-Site Connectivity
Site-to-site connectivity allows you to connect entire networks together, enabling devices to communicate across locations without installing the NetBird client on every device.
For the mental model — see How Routing Peers Work — Networks vs Network Routes.
Understanding Remote Access Scenarios
NetBird supports three distinct remote access scenarios. Understanding which one you need is the first step to a successful setup.
VPN-to-Site
A NetBird peer (device running the NetBird client) accesses devices on a remote network that don't have NetBird installed.
Your Laptop ──────► NetBird Tunnel ──────► Routing Peer ──────► Office Printer
(peer) (peer) (clientless)
Common use cases:
- Access your home NAS from anywhere
- Reach office servers while traveling
- Connect to IoT devices on a remote network
Implementation: Use Networks (recommended) or Network Routes
Site-to-VPN
A device without NetBird initiates connections to NetBird peers. This is the reverse of VPN-to-Site—the clientless device starts the connection.
Office Server ──────► Routing Peer ──────► NetBird Tunnel ──────► Your Laptop
(clientless) (peer) (peer)
Common use cases:
- Office monitoring systems pushing data to remote analysts
- On-premise servers initiating backups to cloud peers
- Legacy systems that must initiate outbound connections
Implementation: See the Site-to-VPN guide for the full setup with Networks.
Site-to-Site
Devices on separate networks communicate with each other, with neither running NetBird directly. Each network has a routing peer that handles traffic.
Home NAS ──► Routing Peer ──► NetBird Tunnel ──► Routing Peer ──► Office Server
(clientless) (peer) (peer) (clientless)
Common use cases:
- Connect branch office networks to headquarters
- Link home networks of family members
- Bridge on-premise data centers with cloud VPCs
Implementation: Requires Network Routes (Networks does not currently support this)
Exit Nodes
Exit nodes route all internet-bound traffic (0.0.0.0/0) through a designated peer, changing your apparent public IP address. Unlike the scenarios above, exit nodes handle internet egress rather than private network access.
Your Laptop ──────► NetBird Tunnel ──────► Exit Node ──────► Internet
(peer) (peer)
Common use cases:
- Access region-restricted content while traveling
- Route traffic through a trusted network for compliance
- Mask your location for privacy
Implementation: Requires Network Routes
Which Scenario Do I Need?
| I want to... | Scenario | Feature to Use |
|---|---|---|
| Access home devices from my laptop | VPN-to-Site | Networks |
| Access office resources while traveling | VPN-to-Site | Networks |
| Let an office server connect to my laptop | Site-to-VPN | Networks |
| Connect two home networks together | Site-to-Site | Network Routes only |
| Link branch offices | Site-to-Site | Network Routes only |
| Bridge cloud VPC with on-premise network | Site-to-Site | Network Routes only |
| Route all internet traffic through a specific peer | Exit Node | Network Routes only |
How It Works
All scenarios use a routing peer—a device running NetBird that forwards traffic for its local network:
- Deploy a routing peer at each site (any device running NetBird with access to the local network)
- Configure routing to advertise each site's subnet through NetBird
- Set access policies to control which peers can reach which networks
- Configure clientless devices to route traffic through the routing peer (for Site-to-VPN and Site-to-Site)
VPN-to-Site Guides (Networks)
Access Home Devices
Access your NAS, home automation, and media servers from anywhere
Cloud to On-Premise
Connect cloud workloads to on-premise databases and services
Site-to-Site Guides (Network Routes)
Site-to-Site
Connect two networks (home, office, or cloud) through routing peers at each end
Advanced Configuration
Masquerade options, ACL Groups, and troubleshooting
Key Concepts
| Term | Description |
|---|---|
| Routing peer | A device running NetBird that forwards traffic for its local network |
| Clientless device | A device that doesn't run NetBird (printers, IoT, legacy systems) |
| Masquerade | NAT that hides source IPs behind the routing peer's IP (simplifies routing configuration on clientless devices) |
Networks vs Network Routes
NetBird offers two features for routing traffic to private networks: Networks (newer, simpler) and Network Routes (original, more flexible). Both are fully supported and will continue to be maintained.
Use Networks for VPN-to-Site scenarios where you want a guided setup experience and per-resource access policies.
Use Network Routes when you need Site-to-Site connectivity, or require advanced options like disabling masquerade.
Scenario Support
| Scenario | Networks | Network Routes |
|---|---|---|
| VPN-to-Site | Yes | Yes |
| Site-to-VPN | Yes | Yes |
| Site-to-Site | No | Yes |
Detailed Comparison
| Capability | Networks | Network Routes |
|---|---|---|
| Setup complexity | Simpler, guided UI | More manual configuration |
| Distribution groups | Automatic (from policy sources) | Explicit configuration required |
| Extra routing peer policy | No (implied by resource policies) | Yes (must connect routing peers to distribution groups) |
| Per-route configuration | No (routing peers serve all resources) | Yes (each route needs peer, groups, range) |
| Edit resources after creation | Yes | No |
| Wildcard domains | Yes | No |
| Masquerade control | Always on | Configurable |
| Exit node support | No | Yes |
Future Direction
The goal is to migrate all routing functionality into Networks for a unified experience. Network Routes will not be deprecated without advance notice, and any migration path will be documented. For now, use whichever feature fits your scenario.