Site-to-Site Connectivity
Site-to-site connectivity allows you to connect entire networks together, enabling devices to communicate across locations without installing the NetBird client on every device.
Understanding Remote Access Scenarios
NetBird supports three distinct remote access scenarios. Understanding which one you need is the first step to a successful setup.
VPN-to-Site
A NetBird peer (device running the NetBird client) accesses devices on a remote network that don't have NetBird installed.
Your Laptop ──────► NetBird Tunnel ──────► Routing Peer ──────► Office Printer
(peer) (peer) (clientless)
Common use cases:
- Access your home NAS from anywhere
- Reach office servers while traveling
- Connect to IoT devices on a remote network
Implementation: Use Networks (recommended) or Network Routes
Site-to-VPN
A device without NetBird initiates connections to NetBird peers. This is the reverse of VPN-to-Site—the clientless device starts the connection.
Office Server ──────► Routing Peer ──────► NetBird Tunnel ──────► Your Laptop
(clientless) (peer) (peer)
Common use cases:
- Office monitoring systems pushing data to remote analysts
- On-premise servers initiating backups to cloud peers
- Legacy systems that must initiate outbound connections
Implementation: Requires Network Routes (Networks does not currently support this)
Site-to-Site
Devices on separate networks communicate with each other, with neither running NetBird directly. Each network has a routing peer that handles traffic.
Home NAS ──► Routing Peer ──► NetBird Tunnel ──► Routing Peer ──► Office Server
(clientless) (peer) (peer) (clientless)
Common use cases:
- Connect branch office networks to headquarters
- Link home networks of family members
- Bridge on-premise data centers with cloud VPCs
Implementation: Requires Network Routes (Networks does not currently support this)
Exit Nodes
Exit nodes route all internet-bound traffic (0.0.0.0/0) through a designated peer, changing your apparent public IP address. Unlike the scenarios above, exit nodes handle internet egress rather than private network access.
Your Laptop ──────► NetBird Tunnel ──────► Exit Node ──────► Internet
(peer) (peer)
Common use cases:
- Access region-restricted content while traveling
- Route traffic through a trusted network for compliance
- Mask your location for privacy
Implementation: Requires Network Routes
Which Scenario Do I Need?
| I want to... | Scenario | Feature to Use |
|---|---|---|
| Access home devices from my laptop | VPN-to-Site | Networks or Network Routes |
| Access office resources while traveling | VPN-to-Site | Networks or Network Routes |
| Let an office server connect to my laptop | Site-to-VPN | Network Routes only |
| Connect two home networks together | Site-to-Site | Network Routes only |
| Link branch offices | Site-to-Site | Network Routes only |
| Bridge cloud VPC with on-premise network | Site-to-Site | Network Routes only |
| Route all internet traffic through a specific peer | Exit Node | Network Routes only |
How It Works
All scenarios use a routing peer—a device running NetBird that forwards traffic for its local network:
- Deploy a routing peer at each site (any device running NetBird with access to the local network)
- Configure routing to advertise each site's subnet through NetBird
- Set access policies to control which peers can reach which networks
- Configure clientless devices to route traffic through the routing peer (for Site-to-VPN and Site-to-Site)
VPN-to-Site Guides (Networks)
Access Home Devices
Access your NAS, home automation, and media servers from anywhere
Remote Worker Access
Enable employees to access office resources while working remotely
Cloud to On-Premise
Connect cloud workloads to on-premise databases and services
Site-to-Site Guides (Network Routes)
Connect Home Networks
Link multiple home networks so devices can communicate across locations
Connect Office Networks
Connect branch offices to headquarters and enable cross-site communication
Connect Cloud Environments
Bridge cloud VPCs across providers or connect cloud to on-premise
Advanced Configuration
Masquerade options, ACL Groups, and troubleshooting
Key Concepts
| Term | Description |
|---|---|
| Routing peer | A device running NetBird that forwards traffic for its local network |
| Clientless device | A device that doesn't run NetBird (printers, IoT, legacy systems) |
| Masquerade | NAT that hides source IPs behind the routing peer's IP (simplifies routing configuration on clientless devices) |
Networks vs Network Routes
NetBird offers two features for routing traffic to private networks: Networks (newer, simpler) and Network Routes (original, more flexible). Both are fully supported and will continue to be maintained.
Use Networks for VPN-to-Site scenarios where you want a guided setup experience and per-resource access policies.
Use Network Routes when you need Site-to-VPN or Site-to-Site connectivity, or require advanced options like disabling masquerade.
Scenario Support
| Scenario | Networks | Network Routes |
|---|---|---|
| VPN-to-Site | Yes | Yes |
| Site-to-VPN | No | Yes |
| Site-to-Site | No | Yes |
Detailed Comparison
| Capability | Networks | Network Routes |
|---|---|---|
| Setup complexity | Simpler, guided UI | More manual configuration |
| Distribution groups | Automatic (from policy sources) | Explicit configuration required |
| Extra routing peer policy | No (implied by resource policies) | Yes (must connect routing peers to distribution groups) |
| Per-route configuration | No (routing peers serve all resources) | Yes (each route needs peer, groups, range) |
| Edit resources after creation | Yes | No |
| Wildcard domains | Yes | No |
| Masquerade control | Always on | Configurable |
| Exit node support | No | Yes |
Future Direction
The goal is to migrate all routing functionality into Networks for a unified experience. Network Routes will not be deprecated without advance notice, and any migration path will be documented. For now, use whichever feature fits your scenario.