Figured it might be a hassle. How does Netbird work? Does it have a co-ordination server like Tailscale or does it work differently?
Honestly, Headscale is a more hacky community-supported thing that interacts with a non-FOSS mobile app anyway. Far less selling than an actual team working on a project full time and enabling you to self-host their thing for free while running a sustainable business.
I'd pick Netbird over the other any time of the day now that I am aware of its existence.
And yes, you have a central endpoint to manage all of your clients.
I didn't get the time to play with it myself (as of today) but their docs + videos on YT are very great to explain the broad theory while also allowing to go deep into the tech details.
I am just not sure about the Dynamic IP part but again, not sure it is a problem to be solved by Wireguard/Tailscale/Netbird anyway (in case of self-hosting).
Maybe an incremental and quick step would be to use their cloud-hosted instance, play around and then pull the trigger on something self-hosted?
The Tailscale mobile client is FOSS and Tailscale themselves commit to Headscale from time to time.
I'm asking about the mechanics of self-hosting Netbird, because I need to know if it requires a public IP or not. I already have a cloud-hosted option working at the moment, so just looking for a self-hosted solution to pivot to.
That being said they look pretty cool, so I might as well give them a shot. After Netbird what other software would be used to make sure it works with Mullvad? Not sure I picked up on that part in the previous posts.
In general
It would help if you tried stating your threat model with regards to network metadata more clearly. A lot of this is about shifting disclosure around rather than fully removing it. What are requirements and what are more nice-to-haves? Depending on this, solutions like Tailscale or Cloudflare Tunnels might be disqualified. Or if used, in particular ways.
VPN layering
So you're going to be running at least two layers of VPNs/proxies, one inside the other. If you are familiar with Tor, it can be helpful to compare the privacy properties. For example: If you chain two, then the first will always see your originating IP (i.e. probably who and where you are), your first destination (the second VPN) and times/throughput/etc. But it has no idea about the stuff you're actually connecting to. The second one (and its infra providers) becomes more like a Tor exit node: It becomes your de-facto ISP and has full insight into all your outgoing traffic. But it has no idea about who you are or where you are from. If your threat model includes the infrastructure providers, this is all moot if they both run in the same DC.
Privacy overlays
If obfuscation is something you care about, WireGuard is not sufficient. There are other solutions like V2Ray you can wrap with. Popular in China, I hear.
Mesh solutions
On the self-hosting side, I've done at least testing of Netbird, Pangolin, Headscale/Tailscale, Innernet, Nebula, and a few more (they start blurring together after a while). Turns out they actually do very different things. Do you have a bunch of HTTP services you want exposed through a centralized reverse proxy with integrated SSO for all your remote clients in random places? This is basically Pangolin. There's no real mesh going on there. It can be very practical if that's what you want but it's pretty niche. Both Pangolin and Netbird are a bit so-so with the open-source stuff. You might be surprised about the state of certain things if you go the route of building everything from source (a good exercise for anything if you have time and patience for it).
If you want something more flexible and truly free to manage operations of a WireGuard mesh, I think innernet is worth checking out. It's not complete or perfect but it's lightweight, small enough to reason about and not too many moving parts. And the devs are pretty chill.
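To make the "one tunnel inside the other" layering from the VPN layering section concrete, here is an added example that is not from this thread or from any poster's setup: two wg-quick configs on a Linux client, where the outer tunnel (wg0) goes to a commercial exit and carries the default route, and the inner tunnel (wg1) goes to the self-hosted home gateway and only routes the home/mesh subnet. The interface names, addresses, ports, hostnames and every key are placeholders I chose for illustration. With this layout the outer provider sees the client's real IP and that it speaks WireGuard to HOME_PUBLIC_IP, but nothing inside; the home gateway sees only the provider's exit address as the peer, never the client's real one, which is exactly the split described above.

```ini
# /etc/wireguard/wg0.conf -- OUTER tunnel to a commercial VPN exit (hypothetical provider)
# Bring this up FIRST. Its operator sees the originating IP and the encrypted
# WireGuard flow towards HOME_PUBLIC_IP, but only ciphertext beyond that.
[Interface]
PrivateKey = OUTER_PRIVATE_KEY_PLACEHOLDER
Address = 10.64.0.2/32
# Resolver reachable only through the outer tunnel, so plain DNS does not go to the ISP.
DNS = 10.64.0.1
# AllowedIPs = 0.0.0.0/0 on the peer below makes wg-quick install a default route
# through wg0 (ip rule "not fwmark 51820 lookup 51820"), so every packet that does
# not carry wg0's own fwmark, including wg1's encapsulated UDP, leaves via wg0.

[Peer]
PublicKey = PROVIDER_PUBLIC_KEY_PLACEHOLDER
Endpoint = vpn-exit.example.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

# /etc/wireguard/wg1.conf -- INNER tunnel to the self-hosted mesh / home gateway
# Bring this up SECOND, after wg0, so its handshake already rides inside wg0.
# The home gateway sees the provider's exit IP as the source, not the client's.
[Interface]
PrivateKey = INNER_PRIVATE_KEY_PLACEHOLDER
Address = 10.100.0.2/24
# Deliberately no DNS= line here: see the note below on DNS leaks.

[Peer]
PublicKey = HOME_GATEWAY_PUBLIC_KEY_PLACEHOLDER
Endpoint = HOME_PUBLIC_IP_PLACEHOLDER:51821
# Only the home/mesh prefix, never 0.0.0.0/0, otherwise wg1 would steal the default route.
AllowedIPs = 10.100.0.0/24
PersistentKeepalive = 25
```

Bring-up order matters: `wg-quick up wg0` then `wg-quick up wg1`, and tear down in reverse. Two checks worth doing afterwards: `wg show wg1` should list the home peer with a recent handshake, and `ip route get HOME_PUBLIC_IP` should resolve to `dev wg0`, proving the inner tunnel's packets really leave through the outer one. On the DNS-leak point raised later in the thread: adding `DNS = 10.100.0.1` to wg1.conf would make wg-quick hand that resolver to the system (with resolvconf it is installed as exclusive), so lookups for everything, not just mesh names, would then reach the home gateway; keep internal names in a split setup (for example systemd-resolved per-link search domains) if you need them rather than relying on the wg-quick DNS line.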
Necessary:
I suppose fundamentally I have several HTTP services that I would like to access from outside my home network, while simultaneously continuing to obfuscate network traffic to my ISP.
Nice to Have:
Whatever the solution is, I'd prefer as few DNS leaks as possible.
I started using Tailscale when I didn't have access to a public IP, but I now do so I can use that for any solutions required.
Pangolin looked really appealing, but I'm just not super familiar with it.