NetBird on RunOS: Connect Your Clusters, Your Laptop, and Everything in Between

If you're running infrastructure across multiple locations, you've dealt with this problem: how do you connect everything securely?

Maybe you've got a cluster at Hetzner, another one on-prem, and you need to access services on both from your laptop. Or maybe your team needs to reach internal tools without exposing them to the internet.

Until now, RunOS gave you WireGuard for this. It works. But it's basic. You get a tunnel between your machine and your cluster, and that's about it. If you wanted to connect multiple clusters, or build a proper mesh network, you were on your own.

That changes with NetBird.

What is NetBird?

NetBird is an open-source mesh networking platform built on top of WireGuard. Think of it as WireGuard with brains. It handles peer discovery, connection management, access controls, and all the stuff you'd have to configure manually with raw WireGuard.

Where basic WireGuard gives you point-to-point tunnels that you configure by hand, NetBird gives you an entire mesh network that manages itself. Peers find each other automatically, connections are encrypted end-to-end, and you get proper identity-based access controls.

It's the difference between wiring up your own phone line and just joining a network.

What you can do with NetBird on RunOS

We've added NetBird as a first-class service in RunOS. You can deploy both the server and the client, which opens up some really useful setups.

Run your own NetBird server

Deploy a NetBird server directly on your RunOS cluster. This gives you full control over your mesh network. No third-party service required. Your server, your rules, your data.

Once your server is running, you can connect clients to it from anywhere: your laptop, your office network, other servers. Everything talks to your NetBird server to coordinate connections, but the actual traffic flows directly between peers using WireGuard tunnels.

Connect to an existing NetBird server

Already running NetBird somewhere? Just deploy the NetBird client on your RunOS cluster and point it at your existing server. Your cluster joins your existing mesh network, and you can reach it like any other peer.

This is great if your company already uses NetBird, or if you're using NetBird's hosted service. You don't need to change anything about your current setup. Just add your RunOS cluster as another peer.

Connect multiple clusters together

This is where it gets really cool.

Say you have 10 RunOS clusters spread across different providers and locations. Pick one to run the NetBird server. Install the NetBird client on the other nine. Now all 10 clusters can talk to each other securely, as if they were on the same network.

Your PostgreSQL in Frankfurt can replicate to your standby in Helsinki. Your monitoring in one cluster can scrape metrics from all the others. Services that need to communicate across clusters just work, over encrypted WireGuard tunnels, without exposing anything to the public internet.

And you can still connect from your laptop or office network to the NetBird server, which means you have secure access to everything. All your clusters, all your services, one mesh.

Why not just stick with basic WireGuard?

Fair question. WireGuard is great. It's fast, it's simple, and it does exactly what it says on the tin.

But basic WireGuard gives you point-to-point tunnels. You configure each peer manually. You manage keys yourself. You update configs when IPs change. It's fine for connecting your laptop to one cluster. It gets painful fast when you're dealing with multiple clusters, multiple team members, or anything more complex.

NetBird gives you:

• Automatic peer discovery: Peers find each other through the server. No manual IP management
• Mesh networking: Every peer can talk to every other peer, not just hub-and-spoke
• Access controls: Define who can reach what, based on identity, not just IP addresses
• NAT traversal: Connections work through firewalls and NATs without opening ports
• Multi-cluster support: Connect as many clusters as you want to one mesh network
• Team access: Your whole team can connect to the mesh, each with their own identity and permissions

WireGuard is the engine under the hood. NetBird is the full vehicle.

How it works on RunOS

Both the NetBird server and client are available as services in the RunOS console, just like PostgreSQL, Redis, or any other service we offer.

Want to create a new mesh network? Deploy the NetBird server. It spins up on your cluster and you get a management endpoint. Then deploy the client on any other cluster you want to connect, point it at your server, and you're done.

Want to join an existing mesh? Just deploy the client and configure it to connect to your existing NetBird server. One service, one config, your cluster is on the mesh.

No manual WireGuard configs. No key juggling. No firewall rules to figure out. RunOS handles the deployment and lifecycle, and NetBird handles the networking.

Secure networking shouldn't be complicated

You've got clusters to run. Apps to ship. A team that needs access.

Connecting all of that securely shouldn't require a networking degree. Deploy a server, connect your clients, and everything just works. Encrypted, authenticated, and fully under your control.

That's NetBird on RunOS. Your clusters, your laptops, your network.

One mesh. Every cluster. Fully encrypted.