Just a quick documentation for myself that might become handy for other people as well.
What is netbird?
Netbird is a mesh VPN network using Wireguard as underlying protocol in combination with a bit of WebRTC and NAT traversal integrated.
Why on the UDM?
While the ideal setup of Netbird would involve all devices of a network running netbird on their own, the idea here is to provide it as central routing point since either not all devices are able to install netbird or in order to reduce potential attack surfaces, since netbird is quite feature-rich these days, including a SSH daemon.
The UDM as general low-level network device is generally speaking not trusted and therefore shouldn’t be as much of a security concern as other devices which might handle sensitive data such as user content or passwords.
How to install?
To install netbird on the Unifi UDM, you have to enable SSH access. Once connected the following script will do the basic setup:
#!/bin/sh mkdir /data/netbird cd /data/netbird curl -L https://github.com/netbirdio/netbird/releases/download/v0.14.6/netbird_0.14.6_linux_arm64.tar.gz | tar xvzf - ./netbird service install systemctl enable --now netbird
This will version 0.14.6, if you read this article, you probably want to check the release page for a newer version.
Afterwards, create a Setup Key in your Netbird Account and run
/data/netbird/netbird --setup-key <setup key> up
Giving the UDM a reboot to validate that everything survives a reboot, is always a good measure.
Bonus: Not trusting “the cloud”
For anyone interested in also dropping the trust for the netbird cloud without self-hosting and while still trusting the binary, there is the option to define a pre-shared key, that will be setup on each host.
To generate it, it’s easiest to utilise the
As an alternative one can also use
openssl rand -base64 32
The key is then used during the setup of every device by adding
--preshared-key <generated key> to the initial
netbird up command from above.
If you want to add it afterwards, edit configuration file (usually located in
/etc/netbird/config.json) and restart your daemons. Be aware that this will result in a netsplit for all hosts who don’t have this pre-shared key configured.
With this script it was trivial to setup the UDM with netbird, after the upgrade to 2.x.
An potentially updated version of the script can be found on SI-GitLab.