Netbird

NetBird is now the default tunnel software we use to create a community cluster.

Tinc

In some cases (low volume), Tinc can be a good alternative to NetBird.

Tinc is stable and feature-rich, but its development has not been very active and it can be slow.

We are still using Tinc and Tinyfecvpn for older clusters, but new clusters should use NetBird.

Other Alternatives

Besides NetBird, many other tunnel software packages are also based on WireGuard.

These tunnels should be AVOIDED, since they do NOT have an open-source license for their mobile phone clients:

  1. Nebula from Slack
  2. NetMaker
  3. Headscale

NetBird Ports

Below is a sample of NetBird endpoints and the ports they listen on:

Management service

  • Endpoint: tunnelapi.aunsw.88.io
  • Port: TCP/443

Signal service

  • Endpoint: tunnelsignal.aunsw.88.io
  • Port: TCP/443

Relay service

  • Endpoint: tunnelrelay.aunsw.88.io
  • Port: TCP/443
  • IP address is dynamic; check it using the netbird status -d output
  • Based on NetBird's own WebSocket-based relay software (designed to replace the coturn server below)

STUN service

  • Endpoint: stun.aunsw.88.io
  • Port range: UDP/80,443,3478,5555
  • IP address is dynamic; check it using nslookup stun.88.io
  • If STUN is blocked by a firewall, netbird status will show keepalive ping failed errors

TURN service

  • Endpoint: turn.aunsw.88.io
  • Port range: UDP/80,443 and TCP/443-65535
  • IP address is dynamic; check it using nslookup turn.88.io
  • If TURN is blocked by a firewall, netbird status will show keepalive ping failed errors
  • Based on coturn software (being replaced by the new websocket relay above).