This article provides a guide to deploy Netbird on Debian VPS.
What is Netbird?
Netbird is an open-source, WireGuard-based overlay network platform that simplifies secure, peer-to-peer connectivity between devices. It enables Zero Trust Network Access (ZTNA) without complex firewall rules or VPN gateways, automatically connecting computers, servers, and cloud resources. It can be self-hosted or used via their cloud service.
Deploy Netbird on Debian VPS
This is a complete step-by-step guide demonstrating how to deploy Netbird on Debian VPS.
Prerequisites
- A Debian VPS with a public IP address (minimum: 1 vCPU, 2 GB RAM, 20 GB disk)
- A domain name with DNS access (e.g.,
vpn.example.com) - Docker and Docker Compose installed
- Ports open:
80,443(HTTP/HTTPS),3478(TURN/UDP),49152β65535(TURN relay/UDP),10000(Signal/gRPC)
Architecture Overview
Internet
β
βΌ
[ Reverse Proxy / Caddy or Nginx ]
β
ββββΊ NetBird Management (HTTPS :443 β :8080)
ββββΊ NetBird Dashboard (HTTPS :443 β :8081 or static build)
ββββΊ NetBird Signal (gRPC :10000)
ββββΊ Authentik (HTTPS :443 β :9000)
[ Coturn TURN Server ] β UDP :3478 + relay range
Hereβs a current step-by-step guide to deploy Netbird on Debian VPS using Netbirdβs official quickstart method. Netbirdβs current self-hosted quickstart expects a Linux VM with at least 1 vCPU, 2 GB RAM, a public domain pointed at the VPS, and inbound access on TCP 80, TCP 443, and UDP 3478. It also requires Docker with the Compose plugin, plus curl and jq.
Compare Debian VPS Plans
How to Deploy Netbird on Debian VPS
To deploy Netbird on Debian VPS, follow the steps below:
-
Prepare the VPS
Use a fresh Debian 12 or Debian 13 VPS. Dockerβs official docs currently support Debian 13 (Trixie), Debian 12 (Bookworm), and Debian 11 (Bullseye) for Docker Engine installs.
Update the system first:
sudo apt update && sudo apt -y upgrade sudo reboot
Reconnect after the reboot.
-
Point a domain to the VPS
Create an A record for something like:
netbird.example.com -> your_vps_public_ip
Netbirdβs self-hosted quickstart requires a public domain name that resolves to the VMβs public IP.
You can verify DNS from the server:
dig +short netbird.example.com
That should return your VPS public IP.
-
Open the required firewall ports
Allow:
80/tcp443/tcp3478/udp
Those are the required public ports in Netbirdβs quickstart.
If you use UFW:
sudo apt install -y ufw sudo ufw allow 22/tcp sudo ufw allow 80/tcp sudo ufw allow 443/tcp sudo ufw allow 3478/udp sudo ufw enable sudo ufw status
If your provider also has a cloud firewall or security group, open the same ports there too.
-
Install Docker Engine and Compose plugin
Netbird requires Docker with the Compose plugin or Docker Compose v2+. Dockerβs official Debian install method is to use Dockerβs apt repository.
Run:
sudo apt-get update sudo apt-get install -y ca-certificates curl gnupg sudo install -m 0755 -d /etc/apt/keyrings curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg sudo chmod a+r /etc/apt/keyrings/docker.gpg echo \ "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \ $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \ sudo tee /etc/apt/sources.list.d/docker.list > /dev/null sudo apt-get update sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
Verify Docker:
sudo systemctl enable --now docker sudo docker run hello-world docker compose version
Dockerβs docs note that container-exposed ports can bypass some firewall expectations, so keep your firewalling deliberate.
-
Install Netbird prerequisites
Netbirdβs quickstart calls for
curlandjq.Install them:
sudo apt install -y curl jq
-
Create a working directory
Netbirdβs generated deployment files are stored in the directory where you run the setup script. Netbirdβs configuration reference lists files such as
docker-compose.yml,config.yaml, anddashboard.envin that working directory.Create a dedicated folder:
mkdir -p ~/netbird cd ~/netbird
-
Run Netbirdβs official self-hosted setup script
Netbirdβs current self-hosted quickstart is based on the official
getting-started.shscript.Run:
curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started.sh | bash
During the interactive setup, youβll typically provide:
- your Netbird domain, such as
netbird.example.com - whether to use the built-in reverse proxy option
- email/domain details used for certificate and deployment setup, depending on the prompts
At the end, the script generates the deployment files in your current directory and starts the stack with Docker Compose. Netbirdβs docs confirm these files are auto-generated by the script.
- your Netbird domain, such as
-
Check that the containers are running
From the same directory:
docker compose ps
Then inspect logs if needed:
docker compose logs -f
The Netbird quickstart deployment uses generated Compose and config files in that folder, so always run
docker composecommands from there unless you specify-f. -
Open the Netbird dashboard
Visit:
https://netbird.example.com
Visit the netbird dashboard in your browser. You should get the Netbird web dashboard over HTTPS once the stack is up and certificates are issued. The quickstart is meant to expose the deployment on your chosen public domain.
-
Install the Netbird client on a Debian server or workstation
Once your self-hosted control plane is online, install the Netbird client on any Debian/Ubuntu node you want to join.
Netbirdβs Linux install docs provide both the one-line installer and the APT repository method.
Fast method
curl -fsSL https://pkgs.netbird.io/install.sh | sh
Debian APT method
sudo apt-get update sudo apt-get install -y ca-certificates curl gnupg curl -sSL https://pkgs.netbird.io/debian/public.key | sudo gpg --dearmor --output /usr/share/keyrings/netbird-archive-keyring.gpg echo 'deb [signed-by=/usr/share/keyrings/netbird-archive-keyring.gpg] https://pkgs.netbird.io/debian stable main' | sudo tee /etc/apt/sources.list.d/netbird.list sudo apt-get update sudo apt-get install -y netbird
Those package-repository steps are from Netbirdβs official Linux installation page.
-
Register the client with your self-hosted Netbird
From the Netbird dashboard, create a setup key for a machine or a reusable enrollment flow, then run something like this on the client:
sudo netbird up \ --management-url https://netbird.example.com \ --setup-key YOUR_SETUP_KEY
For interactive/user-based enrollment, the dashboard may instead guide you through login-based setup depending on how you configure identity. Netbirdβs general getting-started flow uses
netbird up --setup-key ...to enroll a Linux machine.After joining, verify:
netbird status
-
Validate peer connectivity
Once two or more machines are enrolled, confirm they received Netbird addresses and can communicate according to your policies.
Useful commands:
netbird status ip a ping
Then use the dashboard to define groups, routes, and access policies as needed.
-
Know where the important files live
Netbirdβs configuration reference says the standard self-hosted deployment created by
getting-started.shincludes at least:docker-compose.ymlconfig.yamldashboard.env
and sometimes reverse-proxy-specific files, depending on your selected setup.
So your main working folder will look roughly like:
~/netbird/ βββ docker-compose.yml βββ config.yaml βββ dashboard.env βββ ...
-
Back up the deployment
Netbirdβs backup docs recommend copying the generated configuration files and then copying the server database from the container after stopping the server container.
Example:
cd ~/netbird mkdir -p backup cp docker-compose.yml dashboard.env config.yaml backup/ docker compose stop netbird-server docker compose cp -a netbird-server:/var/lib/netbird/ backup/ docker compose start netbird-server
-
Upgrade later
Netbirdβs official upgrade steps are:
cd ~/netbird docker compose pull netbird-server dashboard docker compose up -d --force-recreate netbird-server dashboard
If your setup includes the reverse proxy container, pull and recreate that too. Netbirdβs upgrade guide also recommends reviewing release notes and taking a backup first. Current GitHub releases show active 2026 releases such as v0.66.4.
-
Troubleshooting checklist
If the install does not come up cleanly, check these first:
DNS not pointing correctly
Make sure your domain resolves to the VPS:
dig +short netbird.example.com
Required ports blocked
Confirm inbound access on:
80/tcp, 443/tcp, 3478/udp
Those are hard requirements for the quickstart deployment.
Docker not running
Check:
sudo systemctl status docker docker compose version
Containers failing
Inspect:
cd ~/netbird docker compose ps docker compose logs --tail=100
Wrong working directory
Because the generated config is stored in the directory where you ran the script, running
docker composefrom somewhere else can make it look like the stack is missing.
Minimal command summary
sudo apt update && sudo apt -y upgrade sudo reboot
sudo apt-get update sudo apt-get install -y ca-certificates curl gnupg jq
sudo install -m 0755 -d /etc/apt/keyrings curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg sudo chmod a+r /etc/apt/keyrings/docker.gpg echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null sudo apt-get update sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin sudo systemctl enable --now docker
mkdir -p ~/netbird cd ~/netbird curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started.sh | bash
cd ~/netbird docker compose ps docker compose logs -f
Conclusion
You now know how to deploy Netbird on Debian VPS.
