Site-to-Site Connectivity

Site-to-site connectivity allows you to connect entire networks together, enabling devices to communicate across locations without installing the NetBird client on every device.

Understanding Remote Access Scenarios

NetBird supports three distinct remote access scenarios. Understanding which one you need is the first step to a successful setup.

VPN-to-Site

A NetBird peer (device running the NetBird client) accesses devices on a remote network that don't have NetBird installed.

Your Laptop ──────► NetBird Tunnel ──────► Routing Peer ──────► Office Printer
  (peer)                                    (peer)              (clientless)

Common use cases:

  • Access your home NAS from anywhere
  • Reach office servers while traveling
  • Connect to IoT devices on a remote network

Implementation: Use Networks

Site-to-VPN

A device without NetBird initiates connections to NetBird peers. This is the reverse of VPN-to-Site—the clientless device starts the connection.

Office Server ──────► Routing Peer ──────► NetBird Tunnel ──────► Your Laptop
 (clientless)           (peer)                                      (peer)

Common use cases:

  • Office monitoring systems pushing data to remote analysts
  • On-premise servers initiating backups to cloud peers
  • Legacy systems that must initiate outbound connections

Implementation: See the Site-to-VPN guide for the full setup with Networks.

Site-to-Site

Devices on separate networks communicate with each other, with neither running NetBird directly. Each network has a routing peer that handles traffic.

Home NAS ──► Routing Peer ──► NetBird Tunnel ──► Routing Peer ──► Office Server
(clientless)    (peer)                              (peer)         (clientless)

Common use cases:

  • Connect branch office networks to headquarters
  • Link home networks of family members
  • Bridge on-premise data centers with cloud VPCs

Implementation: Use Networks

Exit Nodes

Exit nodes route all internet-bound traffic (0.0.0.0/0) through a designated peer, changing your apparent public IP address. Unlike the scenarios above, exit nodes handle internet egress rather than private network access.

Your Laptop ──────► NetBird Tunnel ──────► Exit Node ──────► Internet
  (peer)                                     (peer)

Common use cases:

  • Access region-restricted content while traveling
  • Route traffic through a trusted network for compliance
  • Mask your location for privacy

Implementation: Requires Routes

Which Scenario Do I Need?

I want to...ScenarioFeature to Use
Access home devices from my laptopVPN-to-SiteNetworks
Access office resources while travelingVPN-to-SiteNetworks
Let an office server connect to my laptopSite-to-VPNNetworks
Connect two home networks togetherSite-to-SiteNetworks
Link branch officesSite-to-SiteNetworks
Bridge cloud VPC with on-premise networkSite-to-SiteNetworks
Route all internet traffic through a specific peerExit NodeRoutes only

How It Works

All scenarios use a routing peer—a device running NetBird that forwards traffic for its local network:

  1. Deploy a routing peer at each site (any device running NetBird with access to the local network)
  2. Configure routing to advertise each site's subnet through NetBird
  3. Set access policies to control which peers can reach which networks
  4. Configure clientless devices to route traffic through the routing peer (for Site-to-VPN and Site-to-Site)

VPN-to-Site Guides (Networks)

Access Home Devices

Access your NAS, home automation, and media servers from anywhere

Cloud to On-Premise

Connect cloud workloads to on-premise databases and services

Site-to-Site Guides (Networks)

Site-to-Site

Connect two networks (home, office, or cloud) through routing peers at each end

Masquerade & Persistent Routes

Masquerade options and making routes survive reboots on clientless devices

Key Concepts

TermDescription
Routing peerA device running NetBird that forwards traffic for its local network
Clientless deviceA device that doesn't run NetBird (printers, IoT, legacy systems)
MasqueradeNAT that hides source IPs behind the routing peer's IP (simplifies routing configuration on clientless devices)

Networks vs Routes

NetBird offers two ways to route traffic to private networks: Networks (newer, recommended) and Routes (original, now deprecated). Existing Routes configurations keep working, but every use case except exit nodes has moved to Networks — use Networks for new setups.

Use Networks for all routing scenarios — VPN-to-Site, Site-to-VPN, and Site-to-Site — with a guided setup and per-resource access policies.

Use Routes only for exit nodes, or to preserve source IPs by disabling masquerade.

Scenario Support

ScenarioNetworksRoutes
VPN-to-SiteYesYes
Site-to-VPNYesYes
Site-to-SiteYesYes

Detailed Comparison

CapabilityNetworksRoutes
Setup complexitySimpler, guided UIMore manual configuration
Distribution groupsAutomatic (from policy sources)Explicit configuration required
Extra routing peer policyNo (implied by resource policies)Yes (must connect routing peers to distribution groups)
Per-route configurationNo (routing peers serve all resources)Yes (each route needs peer, groups, range)
Edit resources after creationYesNo
Wildcard domainsYesNo
Masquerade controlAlways onConfigurable
Exit node supportNoYes

Future Direction

The goal is to migrate all routing functionality into Networks for a unified experience. Routes are now deprecated — every use case except exit nodes has moved to Networks, and existing Routes configurations continue to work. Use Networks for all new configurations.