Fantastic! Love seeing more work like this go into Wireguard.
I've been using headscale (self-hosted tailscale) for personal use, but having only one machine not running Linux on the network is a bit silly, as Tailscale is userspace, and Wireguard uses very little CPU on Linux.
I recently switched to Tailscale, and it was magic.
It's very easy to recommend it to any non-tech user as well who wants to "connect to home". Well worth paying for in those cases.
But Tailscale had so much magic that I didn't want to be solely dependent on it, remembering how Docker is turning out.
Finding Headscale was a great discovery, and nice that the Tailscale clients already maintained can connect to a separate open-source project that lets you run your own server.
I would love and pay for Tailscale if they could solve the battery consumption issue on iOS. The bug report has been open for years now, they created a special TestFlight version with logging enabled for them to track it down, and no news since. If I forget to turn it off, I'm down to 0% battery in 12 hours of standby.
The drain is not because of Wireguard. It's because it's a mesh. Anything peer to peer or mesh has battery consumption issues on mobile, and it's very hard to get around it. Tailscale, ZeroTier, and any other mesh VPNs all have this problem. If Netbird is a mesh it will have this problem too.
The reason is that we've broken the Internet such that all connections require keepalive about every 30 seconds. Otherwise NATs and stateful firewalls "forget" the connection and it dies and must be renegotiated. So if you have, say, 10 actively linked peers on your network you must send 10 packets every 30 seconds to keep links open.
Then you have all the other peers constantly sending keepalives to you. Since clocks are not globally synchronized it means you are constantly transmitting and receiving.
Phones can only seem to have long battery life due to aggressive power saving measures including turning off radios when not in use. Constant P2P traffic prevents the radio from sleeping and consumes background CPU. On devices with large batteries like laptops it's barely noticeable. On desktop and cloud it doesn't matter at all.
Mobile devices are really only suited to be dumb terminals to access the cloud. The problem is mostly in the architecture of the network. It can't easily be fixed in software.
Edit: one conceivable fix would be the introduction of an ultra low power side channel specifically for small and sparse "control" messages, but I don't see mobile carriers working on such a thing. For 99.9% of mobile users the use case is to scroll TikTok.
The other fix would be a protocol to tell NATs and firewalls about active connections, but that would also require cooperation across vendors and so it won't happen. People who think NAT matters for security would freak out too.
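The arithmetic in this comment (N peers, a keepalive about every 30 seconds in each direction, unsynchronised clocks), as an added example that is not part of the thread: a small Python model of how much of the time the radio is held out of sleep. The radio "tail" length and the random peer clock phases are constructed assumptions, not measurements.

```python
"""Radio duty-cycle model for mesh-VPN keepalives (added example, not from the thread).

Each peer link needs a keepalive about every INTERVAL seconds in both directions.
Our sends follow our clock, the peer's follow its clock, so the phases are independent.
Every packet, sent or received, is assumed to keep the radio out of sleep for `tail`
seconds (a constructed "radio tail" figure, not a measured one).
"""
import random
from typing import List, Tuple

INTERVAL = 30.0  # keepalive period mentioned in the thread, seconds

def packet_times(phase: float, interval: float, duration: float) -> List[float]:
    """Keepalive instants phase + k*interval that fall inside [0, duration)."""
    times, t = [], phase % interval
    while t < duration:
        times.append(t)
        t += interval
    return times

def radio_duty_cycle(peers: List[Tuple[float, float]], tail: float,
                     duration: float, interval: float = INTERVAL) -> Tuple[float, int]:
    """Return (fraction of time the radio is awake, number of wake-ups).

    peers holds one (our_send_phase, their_send_phase) pair per link. The
    [t, t+tail) windows of all packets are merged; each merged run is one
    wake-up, and the summed run lengths give the awake time.
    """
    events = sorted(t for send, recv in peers
                    for t in packet_times(send, interval, duration)
                    + packet_times(recv, interval, duration))
    awake, wakeups, start, end = 0.0, 0, 0.0, None
    for t in events:
        if end is None or t >= end:  # radio was asleep: this packet is a new wake-up
            awake += 0.0 if end is None else end - start
            start, end, wakeups = t, min(t + tail, duration), wakeups + 1
        else:  # packet while still awake: extend the current run
            end = min(max(end, t + tail), duration)
    awake += 0.0 if end is None else end - start
    return awake / duration, wakeups

def random_peers(n: int, seed: int = 1, interval: float = INTERVAL) -> List[Tuple[float, float]]:
    """Unsynchronised clocks: independent random phase for each direction of each link."""
    rng = random.Random(seed)
    return [(rng.uniform(0, interval), rng.uniform(0, interval)) for _ in range(n)]

if __name__ == "__main__":
    for n in (1, 5, 10, 20):  # assumed 2 s radio tail, one hour of standby
        frac, wakes = radio_duty_cycle(random_peers(n), tail=2.0, duration=3600.0)
        print(f"{n:2d} peers: radio awake {frac:5.1%} of the time, {wakes} wake-ups/hour")
```

With ten peers the twenty independent keepalive streams already keep the radio awake most of each hour, which is the effect the comment describes; a single direct link with coalesced phases costs a small fraction of that.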
No. Usually there's a stateful firewall on at least one side that requires keepalive.
IPv6 does massively help in the area of P2P connection setup since usually there is either no NAT or 1:1 NAT (no port remapping). Connection setup works virtually 100% of the time, but you still need keepalive.
Basically we broke the Internet as an end-to-end network because endpoint devices were not secure and it was easier and faster to stuff middle boxes into the network than secure them. Today the situation is better but there are still enough misconfigured and old systems and grossly insecure IoT devices on modern networks that we can't really take away firewalls.
The Internet is unplanned development. It looks like the wiring in a third world slum, not like an orderly planned system where engineers designed things up front.
You can experiment with "network nudism" as I've heard it called, but first you have to make sure everything on your network is up to date and not running any services that you don't need or aren't secure. This involves nmapping your network, cataloguing everything on it, etc., and is beyond what most people can do. Even most network admins would have a tough time fully cataloguing all devices on a corporate network. It's tough to keep track of.
At least for me, it's even worse. It's not enough to disconnect in the app, as it's still connected as far as iOS is concerned (check Settings -> VPN). I tried many things to fix that - force-closing the app, switching it off multiple times in settings, etc. The only thing that actually makes the VPN disconnect and the battery drain stop is to choose a different VPN profile in Settings.
That's progress but I'm not sure how that helps much unless I select "Do Nothing" on Wifi and Mobile, and set to "detect Magic DNS", but that will only do me any good if I use magic DNS which I don't.
The idea behind Tailscale is that you can sign in with any device. I can go and create a configuration file for WG, but then it gets longer and longer.
I was having weird perf issues on openwrt with tailscaled being in the network path.
With netbird + direct mode, netbird is only there during connection [re-]establishment. I get much better throughput/latency with netbird on both embedded openwrt and desktop platforms.
But yeah, this netbird thing is seriously buggy. For any sort of multi-user setup, I always recommend tailscale; it's much more robust.
Thank you for the feedback! Could you please elaborate on the issues that you are facing? We have quite a few multi-user cases both on the managed and self-hosted version with no issues.
It's very promising, but, seriously buggy as of now - DNS keeps randomly dropping/leaking unreliably which was causing us issues and random drops to private resources along with a few other issues.
I think we switched to tailscale (I don't look after that side)... it's still a cool solution and think we will be looking at it again in the future.
The top comment also mentions a few alternatives. Personally, I use raw wireguard for one-off 1:1 links between servers, headscale+tailscale between some of my devices, and I've toyed with yggdrasil to obtain a roaming public IP, as well as LAN-first connectivity.
This looks awesome! I use a paid VPN mesh service called Tailscale to build k8s clusters which can span across cloud and home setups, but was always frustrated that the Tailscale server component is closed source. Netbird seems to do pretty much the same thing, so maybe I can switch over to it once it's stable enough.
There's an alternative to tailscale service called headscale https://github.com/juanfont/headscale (CLI only server compatible with official tailscale clients)
Looks promising, but the Android app is closed source. Hard pass until its source code is released under a FOSS license and buildable+usable without analytics or proprietary libraries.
NetBird is one of these p2p private networking solutions that is truly open-source. Actually, I haven't seen any comparable yet.
We haven't yet published the Android code simply because we have coding standards to meet before we open the code to the public. This is mainly about the code structure and tests. We are working on it.
We are a tiny team of engineers with a vision to make private networking simple and secure, which is challenging. Therefore, we should prioritize some things over others. But we are getting there! With your support :)