As remote work continues to rise, the demand for secure and efficient network infrastructures has never been more critical. The emerging paradigm in network security is the "zero trust" model, which operates on the principle that no entity within or outside the network is automatically trustworthy. This approach demands robust, end-to-end encryption and continuous authentication of all devices. Among the technologies leading this shift are ZeroTier and NetBird, both of which offer innovative solutions to modern networking challenges.
Both ZeroTier and NetBird provide software-defined networking (SDN) solutions leveraging peer-to-peer connectivity but differ in their implementation and feature sets. For those seeking alternatives to traditional solutions, ZeroTier and NetBird offer a unique approach to addressing modern networking needs. In this article, we will describe the differences between these technologies across various dimensions like architecture, protocols, performance, and security. If you are already using ZeroTier, this article may also help you decide whether NetBird can serve as a viable alternative to ZeroTier for your specific use case.
Overview of ZeroTier
ZeroTier is a virtual networking service that offers an easy way to connect devices across the internet. It uses a peer-to-peer architecture, enabling devices to connect directly rather than through a central server, which can reduce latency and increase speed. ZeroTier uses a custom-made protocol offering end-to-end encryption and automatic key management. It supports Windows, macOS, Linux, iOS, Android and Docker, making it highly versatile for various use cases from small teams to large enterprises.
Overview of NetBird
NetBird is an open source network security platform that combines a configuration-free peer-to-peer private network and a centralized access control system. It leverages the modern WireGuard protocol to establish secure end-to-end encrypted and high-performance network connections. NetBird emphasizes ease of setup and maintenance, appealing to those with minimal technical expertise as well as seasoned network administrators. It works on Windows, macOS, Linux, iOS, Android, Docker, routers, and serverless environments providing a seamless experience across different operating systems for small and large teams.
Open Source and Self-hosting
Both ZeroTier and NetBird are open source projects, allowing users to inspect the code, contribute to the community, and self-host the software.
ZeroTier's source code is available on GitHub and is distributed under the "Business Source License" (BSL) making it free for personal use but not for commercial purposes. ZeroTier offers a self-hosted controller option, which can be deployed on-premises or in the cloud. The self-hosted controller doesn't have a user interface and is managed through a REST API.
NetBird's source code is available on GitHub under the BSD-3 license, which is a permissive license and allows for commercial use without restrictions. NetBird's self-hosted version can be deployed on-premises or in the cloud and features a user-friendly web interface and API for managing networks, users, and devices. It differs from the cloud version in that it provides advanced integrations with third-party Identity Providers (IdPs), EDR solutions, and SIEM tools.
Installation and Setup
ZeroTier installation involves downloading the application on each device and joining them to a network managed through a central web portal. The process is straightforward and doesn't require writing configuration files. New machines are added by entering a generated secret key, which should be provided at connection time. At the time of this writing, ZeroTier does not support single sign-on (SSO) for self-hosted controllers or for the free plan of the cloud version, while the paid plans do support it in the desktop applications.
NetBird setup is similarly user-friendly. It requires installing the application and logging in with a social account (e.g., Google, Microsoft, GitHub) or a company account using SSO and MFA integrated with popular identity providers like Okta, Azure AD, and Google Workspace. SSO and MFA are available in the free plan of the cloud version as well as in the self-hosted option.
Similar to ZeroTier, NetBird also offers an option of using a secret key (setup key) to connect devices to the network. This method makes both NetBird and ZeroTier useful for deploying devices that don't have a user interface (e.g., servers or containers) and for automated deployments.
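The headless enrollment described above, as an added example that is not code from the article or from either project: a small POSIX sh script a deployment pipeline could run on a server or container. It joins ZeroTier with a network ID or NetBird with a setup key, reads the secrets from environment variables rather than command-line literals or a committed file, and refuses to proceed on a malformed ZeroTier network ID. The `zerotier-cli join`, `netbird up --setup-key` and `netbird up --management-url` invocations are the projects' real CLI commands; the `NETBIRD_SETUP_KEY` and `NETBIRD_MANAGEMENT_URL` variable names and the sample network ID are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article or either project): enroll a headless
# host into ZeroTier or NetBird for automated deployments.
# Secrets come from the environment so they never land in shell history.
# NETBIRD_SETUP_KEY / NETBIRD_MANAGEMENT_URL are names chosen for this script.

# ZeroTier network IDs are 16 hexadecimal characters.
valid_zt_network_id() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 16 ]
}

# Join a ZeroTier network. On a private network the new member must still be
# authorized in the controller before it gets traffic.
zt_join() {
    network_id="$1"
    valid_zt_network_id "$network_id" || { echo "zt_join: malformed network id" >&2; return 1; }
    command -v zerotier-cli >/dev/null 2>&1 || { echo "zt_join: zerotier-cli not installed" >&2; return 2; }
    zerotier-cli join "$network_id"
}

# Bring NetBird up with a setup key. The management URL is only needed for a
# self-hosted management server; the cloud version uses the default.
nb_up() {
    [ -n "${NETBIRD_SETUP_KEY:-}" ] || { echo "nb_up: NETBIRD_SETUP_KEY is not set" >&2; return 1; }
    command -v netbird >/dev/null 2>&1 || { echo "nb_up: netbird not installed" >&2; return 2; }
    if [ -n "${NETBIRD_MANAGEMENT_URL:-}" ]; then
        netbird up --setup-key "$NETBIRD_SETUP_KEY" --management-url "$NETBIRD_MANAGEMENT_URL"
    else
        netbird up --setup-key "$NETBIRD_SETUP_KEY"
    fi
}

# Usage from a provisioning step (constructed sample ID, not a real network):
#   zt_join 8056c2e21c000001
#   NETBIRD_SETUP_KEY="$(cat /run/secrets/netbird_setup_key)" nb_up
```

Treat setup keys and join credentials like any other deployment secret: inject them from a secrets store at provisioning time, scope them to the deployment (NetBird setup keys can be made single-use or given an expiry in the dashboard), and rotate them if a build log or image ever captures one.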
Network Administration
ZeroTier offers an option to create multiple networks and define custom network ranges for each network. In contrast, NetBird creates a single network by default and assigns a unique IP address to each device in the network from the CGNAT range.
Both ZeroTier and NetBird allow network administrators to manage devices, users, and network settings through a web interface.
Performance and Scalability
ZeroTier and NetBird offer high-performance peer-to-peer networks that are more efficient than traditional centralized VPNs and can scale to support large deployments.
ZeroTier can support networks with hundreds of nodes without significant degradation in speed or reliability. Its decentralized nature helps maintain performance even as the network grows. Like NetBird, ZeroTier works through NATs and firewalls without requiring open ports and forwarding. When a direct peer-to-peer connection is not possible, traffic is relayed by ZeroTier's root servers.
NetBird also performs well under scale, thanks to the efficiency of the kernel WireGuard module, which is known for its high-speed connections and low overhead. The performance remains consistent regardless of the network's size, making it suitable for both small teams and large organizations. Similar to ZeroTier, NetBird uses a relay mechanism to establish connections when direct peer-to-peer communication is not possible. The relay servers are managed by NetBird and are distributed globally to ensure low latency and high availability.
Protocol and Security Features
Both solutions offer end-to-end encryption and secure connections, but they differ in the protocols they use and the additional security features they provide.
ZeroTier uses a custom-made protocol that encrypts all traffic using AES-256 and manages keys and certificates automatically, providing a high level of security out of the box. It also offers advanced features like network rules configuration to control how devices connect and to segment networks. As mentioned earlier, ZeroTier features SSO in the paid plans of the cloud version, which can be used to enhance the security of an organization's networks.
NetBird provides strong encryption through WireGuard, which uses state-of-the-art cryptography. It also offers additional security features like multi-factor authentication (MFA) and single sign-on (SSO) for cloud and self-hosted versions. Similar to ZeroTier, NetBird allows network administrators to define access control policies with a resource grouping mechanism to segment networks. Furthermore, NetBird enhances access control with device context and posture assessment functionality.
As an additional security measure, NetBird offers network activity logging and streaming to third-party SIEM tools, such as Datadog, or storage systems like Amazon S3 and Firehose. ZeroTier offers a remote monitoring and management solution in the paid plans, but there is limited publicly available information on the extent of its logging and monitoring capabilities.
To ensure that only trusted and managed devices can connect to the network, NetBird provides a manual device approval feature that requires network administrators to approve new devices before they can join the network. To further automate this process, NetBird offers integrations with EDR solutions like CrowdStrike to limit access to managed devices that meet specific security criteria. As of this writing, ZeroTier does not offer similar integrations with EDR solutions.
Conclusion
ZeroTier and NetBird are both innovative solutions that provide secure, efficient, and scalable networking capabilities. They both leverage the advantages of peer-to-peer communication and are great alternatives to traditional centralized VPNs. Depending on a specific use case, they can also serve as alternatives to each other.
NetBird is built on top of the WireGuard protocol, while ZeroTier uses a custom protocol offering strong end-to-end encryption. They are both "zero-configuration" networks that work behind firewalls and NATs without requiring open ports and forwarding.
While ZeroTier offers low-level network configuration options like custom network ranges and multiple networks, NetBird provides a wide range of security features like MFA, SSO, device context assessment, and IdP and EDR integrations.
