Release Notes for v0.65.0

What's New

🔀 Reverse Proxy

NetBird now includes a built-in reverse proxy in the management server, enabling proxied access to backend services through your NetBird network. Allowing you to expose your services to the public with the option to secure them with SSO, PINs, or passwords.

No VPN client required for end users. Just point a custom domain at your NetBird server, configure the proxy in the dashboard, and your internal services are securely accessible from any browser. Think of it as a self-hosted alternative to Cloudflare Tunnels, but without the MITM and fully under your control.

Key features:

• Custom domains - Map your own domains to internal services and let NetBird handle TLS and routing via CNAME verification
• Built-in authentication - Protect exposed services with SSO (via your configured IdP), PIN codes, passwords, or magic links directly from the dashboard
• Multiple targets - Route traffic to one or more backend peers or resources with optional path-based routing
• Access logs - Monitor who's accessing your proxied services with built-in logging
• Proxy settings - Fine-tune behavior with options like host header passthrough and redirect rewriting

Add a Service

Expose any internal service by selecting a subdomain and adding one or more backend targets. Each target points to a peer or resource on your network.

Custom Domains

Bring your own domain by adding a CNAME record pointing to your NetBird proxy cluster. NetBird handles TLS certificate provisioning automatically.

Authentication

Secure your exposed services with multiple authentication methods. Enable one or combine several for layered protection.

Settings

Fine-tune proxy behavior with options like passing the original Host header to your backend or rewriting redirect URLs to use the public domain.

Learn more:

• Reverse Proxy Overview
• Custom Domains
• Authentication

NetBird cloud support is coming soon, with hosted reverse proxy nodes.

🏗️ Self-Hosted Improvements

• Added combined NetBird server binary for simplified self-hosted deployments, reducing the number of containers needed to run NetBird.
  #5232

🔒 Management Improvements

• Enforced access control on accessible peers, ensuring proper authorization checks when querying the accessible peers endpoint.
  #5301
• Added cloud API spec to the public OpenAPI definition with REST client support.
  #5222

🖥️ Client Improvements

• Added early message buffer for the relay client, preventing message loss during connection establishment.
  #5282
• Refactored relay connection container for improved reliability and code maintainability.
  #5271

What's Changed

• [misc] Update sign pipeline version by @mlsmaycon in #5296
• [self-hosted] add netbird server by @braginini in #5232
• [management] Enforce access control on accessible peers by @bcmmbaga in #5301
• [misc] Add cloud api spec to public open api with rest client by @bcmmbaga in #5222
• [client] Add early message buffer for relay client by @pappz in #5282
• [client] Refactor/relay conn container by @pappz in #5271
• [management, reverse proxy] Add reverse proxy feature by @pascal-fischer in #5291

Full Changelog: v0.64.6...v0.65.0