As a homelabber, I'm always on the lookout for tools that offer control, privacy, and simplicity. When it comes to building a mesh VPN to securely connect my devices—be it at home, in the cloud, or even on the go—NetBird has quickly become one of my favorite solutions.
This post is a walkthrough of how I self-hosted NetBird (with ZITADEL for identity management) on a cloud VPS using Debian, and how you can too.
Why NetBird for Homelab?
- Built on WireGuard, which is fast, lean, and modern
- Self-hosted = full control of your data and access
- ZITADEL integration = clean authentication flow
- Scales beautifully from 2 devices to 200+
If you're familiar with Tailscale, think of NetBird as the self-hosted, open-source cousin.
Infrastructure Requirements
Before getting started, make sure you have the following in place:
- A Linux VM (Debian/Ubuntu) with at least 1 CPU and 2 GB RAM, publicly accessible on the following ports:
  - TCP Ports: 80 (HTTP), 443 (HTTPS), 33073, 10000, 33080
  - UDP Ports: 3478 (STUN), 49152–65535 (for peer-to-peer communication)
- A public domain name (e.g., netbird.mydomain.com) pointing to the VM’s IP address (via A record)
Step-by-Step Setup
1. Spin Up Your VPS
Deploy a VPS using your provider of choice (I used Vultr, but any will do). Go with Debian 12 or Ubuntu 24.04.
2. Point a Subdomain to Your VPS
Set an A record in your domain panel:
Host: netbird
Type: A
Value: <Your VPS IP>
Example: netbird.mydomain.com
3. SSH Into the VPS and Prep It
ssh root@your-vps-ip
apt update && apt upgrade -y
Create a new user with sudo access:
adduser mahesh
adduser mahesh sudo
Switch to the new user:
su - mahesh
4. Install Docker
Run my Docker install script:
wget -O install_docker.sh https://gist.githubusercontent.com/maheshpalamuttath/f454a85ca8704d75de5c7fb2eb803f61/raw/dc189737afdeead3e595a35dc66c778c8713fd63/install_docker.sh
chmod +x install_docker.sh
./install_docker.sh
newgrp docker
5. Deploy NetBird with ZITADEL
Make sure your subdomain is working. Then run:
mkdir -p docker/netbird
cd docker/netbird/
export NETBIRD_DOMAIN=netbird.mydomain.com
curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started-with-zitadel.sh | bash
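Let the script run; it will pull and configure everything via Docker. Note that this command fetches whatever script the latest release ships and executes it immediately. To inspect it first, download it to a file, read it, and then run that file with bash.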
After the script completes, you’ll see the dashboard access URL and login credentials. For example:
You can access the NetBird dashboard at: https://netbird.mydomain.com
Login with the following credentials:
Username: admin@mydomain.com
Password: D7OwqNVm5kXPe4ntrsT+6wA65cubJDLm3ONA5dCkw6M@
Note: Save the credentials displayed during your setup, as the password is randomly generated.
6. Open the Ports
Configure your firewall to allow the required ports:
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 33073/tcp
sudo ufw allow 10000/tcp
sudo ufw allow 33080/tcp
sudo ufw allow 443/udp
sudo ufw allow 3478/udp
sudo ufw allow 49152:65535/udp
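To confirm the firewall matches the list above, the following added example (not part of the original post) parses `ufw status` output and reports required rules that are missing and open rules the guide does not call for. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit `ufw status` output
# against the ports this guide opens in step 6.
# Step 6 also opens 443/udp, which the requirements list does not mention.
REQUIRED="80/tcp 443/tcp 33073/tcp 10000/tcp 33080/tcp 443/udp 3478/udp 49152:65535/udp"

# audit_ufw reads `ufw status` text on stdin and prints one finding per line:
#   MISSING <rule>  the guide needs it, but no IPv4 "ALLOW Anywhere" rule exists
#   REVIEW <rule>   open to Anywhere but not in the guide (e.g. your SSH port)
audit_ufw() {
  # IPv4 rule rows have exactly three fields: port/proto, ALLOW, Anywhere.
  allowed=$(awk '$2 == "ALLOW" && $3 == "Anywhere" && NF == 3 { print $1 }')
  for rule in $REQUIRED; do
    printf '%s\n' "$allowed" | grep -qxF "$rule" || echo "MISSING $rule"
  done
  for rule in $allowed; do
    case " $REQUIRED " in
      *" $rule "*) ;;                 # expected by the guide
      *) echo "REVIEW $rule" ;;       # open, but not on the guide's list
    esac
  done
}

# Constructed sample of `sudo ufw status` output (not captured from a real host).
sample_status() {
  cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
33073/tcp                  ALLOW       Anywhere
10000/tcp                  ALLOW       Anywhere
3478/udp                   ALLOW       Anywhere
49152:65535/udp            ALLOW       Anywhere
8080/tcp                   ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
EOF
}

sample_status | audit_ufw
# On the real server: sudo ufw status | audit_ufw
```

Ports that Docker publishes are filtered in Docker's own iptables chains rather than by ufw rules, so treat this as a check of the ufw rule set, not of everything reachable on the host.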
7. Access the Dashboard
Visit: https://netbird.mydomain.com
Log in using the credentials shown after installation.
Each device you add gets a WireGuard identity and joins the mesh automatically.
Real-World Homelab Use Case: Accessing CasaOS via NetBird IP
Once you add a client (device) to your NetBird network, it will be assigned a unique NetBird IP address—something like 100.x.x.x. This acts as its private VPN IP inside the mesh network.
In my setup, I added my homelab server (a local machine at home) as a client. This server runs CasaOS, a neat self-hosted dashboard for managing container apps.
Normally, CasaOS is available on 192.168.29.3:80 within my home network.
But after joining the device to NetBird, I can now access CasaOS remotely by simply visiting:
http://100.92.44.161:80
That’s the NetBird-assigned IP of my homelab server. No need to expose ports to the internet or mess with DDNS and firewalls.