You may not give much thought to what the ports on your router are actually doing. If you run a few Docker services, the natural flow may be to expose what’s needed, bookmark URLs, and move on.
I got a reality check the day I saw several login attempts that I had not initiated in my server logs. In the name of remote access, I had been publishing my server on the public internet. This prompted the search for a zero-trust network access solution, and I discovered NetBird.
- OS: Windows, Linux, macOS
- Price model: Free and Paid Tiers
NetBird is an open-source, WireGuard-based networking platform. It creates secure, peer-to-peer overlay networks, without complex firewall configurations.
I kept trying to make port forwarding safer
Every fix only made the setup harder to live with
I took security measures, like using strong passwords and avoiding default ports. I also had services behind HTTPS, and it felt secure. However, I had overlooked the fact that opening a port publishes a service on the internet. Seeing requests that I had not initiated and attempts to hit SSH from random IP addresses was only a matter of time; the public internet was seeing too much.
I wasn’t thinking of abandoning port forwarding, but was hoping to at least harden it. One of the first ideas I considered was reverse proxies. However, even after setting one up and routing my services through it, ports 80 and 443 were still open. This was better, but it had not completely fixed the problem.
The next idea was a VPN. If I could spin up WireGuard, then connect remotely and access all my services as if I were at home, the problem would be solved. That way, I wouldn’t need public dashboards, and there would be no direct exposure. However, the reality was that I would need to manage keys, configure clients across my devices, and it would involve some level of troubleshooting if things were not connecting exactly right. It solved the problem, but it just wasn’t a seamless approach. WireGuard itself requires an open UDP port on your router, which is typically 51820.
Also, the two approaches would only entail layering a fix on top of the same core idea. They would still need me to think of what was exposed, what services I had to reach, and how to reach them. These solutions felt more like I was managing a problem.
NetBird solved the problem by removing the need for ports
Server access without touching my router
NetBird’s solution felt fluid. The first step was to install the client on my server and log in. After that, I installed it on my laptop. I did not need to configure my router or forward any ports, and there were no firewall configurations; yet I could see both devices on my dashboard in minutes.
NetBird assigned a private IP to my server, and when I tried connecting to it from a completely different network, it just worked. The process was impressive, but it also felt strange. I always felt that remote access had to involve some level of router configuration.
This new design was solid. Rather than exposing my server and then protecting it, NetBird creates a private network first. So, I am not communicating on the public internet; my laptop and server connect to a network that only they are a part of. NetBird makes this possible by using WireGuard to establish encrypted peer-to-peer connections.
The connection remains secure because I add and authenticate devices before they can join the private network, and no unauthenticated device sees the server. On restrictive networks where a direct connection isn’t possible, NetBird defaults to relaying encrypted traffic through a tunnel, and my server still exposes nothing on my router.
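One way to check this against the server's own logs, as an added example that is not part of the original article: the script sorts sshd authentication events by whether the source address falls inside the trusted networks. The overlay range `100.64.0.0/10`, the LAN subnet, the host and user names, and the log lines are constructed assumptions; substitute your own.

```python
import ipaddress
import re
from collections import Counter

# Assumed values, not from the article: use the overlay range shown in your
# NetBird dashboard and your own LAN subnet.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("100.64.0.0/10", "192.168.1.0/24")]

# Greedy ".*" anchors on the LAST "from <ip> port <n>" in the line, so a
# username containing "from 100.64.0.1 port 22" cannot spoof the source.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<kind>Failed password|Invalid user|Accepted \w+) "
    r".* from (?P<src>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample lines in OpenSSH's syslog format (documentation IP ranges).
SAMPLE_LOG = """\
Mar  3 04:12:55 homeserver sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar  3 04:12:58 homeserver sshd[2211]: Failed password for root from 203.0.113.45 port 51240 ssh2
Mar  3 04:13:10 homeserver sshd[2215]: Invalid user test from 198.51.100.9 port 40000
Mar  3 08:30:01 homeserver sshd[2301]: Accepted publickey for alice from 100.64.12.7 port 40022 ssh2
Mar  3 08:41:17 homeserver sshd[2310]: Failed password for alice from 192.168.1.20 port 50022 ssh2
Mar  3 09:00:00 homeserver sshd[2400]: Server listening on 0.0.0.0 port 22.
"""

def audit(log_text, trusted=TRUSTED_NETS):
    """Return (outside, inside): Counters keyed by (source IP, event kind)."""
    outside, inside = Counter(), Counter()
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed address field; skip rather than guess
        bucket = inside if any(src in net for net in trusted) else outside
        bucket[(str(src), m["kind"].split()[0])] += 1
    return outside, inside

def still_exposed(log_text, trusted=TRUSTED_NETS):
    """True if any sshd auth event came from outside the trusted networks."""
    return bool(audit(log_text, trusted)[0])

if __name__ == "__main__":
    outside, inside = audit(SAMPLE_LOG)
    for (src, kind), n in outside.most_common():
        print(f"outside trusted networks: {src} {kind} x{n}")
    print("SSH reachable from outside the overlay:", still_exposed(SAMPLE_LOG))
```

Once the port forward is removed, log entries written after that point should produce an empty `outside` counter; any new entry there means SSH is still reachable from somewhere other than the overlay or LAN.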
I stopped exposing my server entirely
Nothing about my workflow got worse
I brace myself for compromises when I explore new designs, but I was giving up so little this time. In reality, here’s what changed:
| Aspect | Before (port forwarding) | Now (NetBird) |
|---|---|---|
| Access method | Public IP + port | Private network IP |
| Exposure | Internet-facing services | Only NetBird devices |
| Router setup | Required | None |
| Maintenance | Ongoing tweaks | Mostly none |
Server access is still possible from my laptop, phone, and from outside my home network. The only difference is that I run through a private mesh network. It eliminates three things:
- Checking whether a port is open
- Wondering if I misconfigured something
- Worrying about what might be hitting my server
As long as you’re fine with the tiny inconvenience of installing the NetBird client on every device that needs to connect, this is a far better alternative for connecting to a home server. It only becomes an issue when you have to share access with a less technical person.
Port forwarding isn’t going away
If a service is meant to be public, then port forwarding will still make sense. This may be a game server or a website. However, as far as personal infrastructure goes, or things that only you need to access, you shouldn’t first publish it on the internet and try securing it afterward. This is the approach people typically take. NetBird reverses the order, making it private first and accessible when needed. It’s now one of my favorite tools to install on a home server.