Skip to content

netbird

v0.71.0 Breaking

This release includes breaking changes for platform teams planning a safe upgrade.

Published 20d VPN & Tunnels
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

go mesh mesh-networks nat-traversal netbird vpn
+3 more
wireguard-vpn wiretrustee zero-trust-network-access

Affected surfaces

auth breaking_upgrade

ReleasePort's take

Moderate signal
editorial:auto 13d

NetBird v0.71.0 introduces dual‑stack IPv6 overlay addressing, local user MFA, and backend reverse-proxy lifecycle management.

Why it matters: Enable dual‑stack support for future‑proof networking; configure MFA to strengthen authentication; plan proxy lifecycle automation before upgrade.

Summary

AI summary

NetBird adds dual‑stack IPv6 overlay addressing, MFA for local users, and backend proxy lifecycle support.

Changes in this release

Feature Medium

NetBird's overlay is now dual-stack with IPv6 prefix assignment and DNS support.

NetBird's overlay is now dual-stack with IPv6 prefix assignment and DNS support.

Source: llm_adapter@2026-05-21

Confidence: high
Feature Medium

Local users can enable multi-factor authentication (MFA).

Local users can enable multi-factor authentication (MFA).

Source: llm_adapter@2026-05-21

Confidence: high
Feature Medium

Backend supports per-account reverse-proxy lifecycle management.

Backend supports per-account reverse-proxy lifecycle management.

Source: llm_adapter@2026-05-21

Confidence: high
Feature Medium

iOS: structured ResolvedIPs collection for domain routes.

iOS: structured ResolvedIPs collection for domain routes.

Source: llm_adapter@2026-05-21

Confidence: low
Feature Medium

Added short flags for status command options.

Added short flags for status command options.

Source: llm_adapter@2026-05-21

Confidence: low
Dependency Medium

Updated CONTRIBUTING.md documentation guide.

Updated CONTRIBUTING.md documentation guide.

Source: llm_adapter@2026-05-21

Confidence: low
Performance Medium

Hardened USP filter conntrack and shared TCP relay.

Hardened USP filter conntrack and shared TCP relay.

Source: llm_adapter@2026-05-21

Confidence: high
Bugfix Medium

Removed permissions from geolocations API.

Removed permissions from geolocations API.

Source: llm_adapter@2026-05-21

Confidence: high
Bugfix Medium

Added update reason to buffered calls.

Added update reason to buffered calls.

Source: llm_adapter@2026-05-21

Confidence: high
Bugfix Medium

Fixed --config flag default to point at profile path.

Fixed --config flag default to point at profile path.

Source: llm_adapter@2026-05-21

Confidence: low
Bugfix Medium

Included MTU and SSH auth config in debug bundle.

Included MTU and SSH auth config in debug bundle.

Source: llm_adapter@2026-05-21

Confidence: low
Bugfix Medium

Added public key to debug bundle config.txt.

Added public key to debug bundle config.txt.

Source: llm_adapter@2026-05-21

Confidence: low
Bugfix Medium

Skipped DNS upstream failover on definitive EDE.

Skipped DNS upstream failover on definitive EDE.

Source: llm_adapter@2026-05-21

Confidence: low
Bugfix Medium

Allocated and preserved IPv6 overlay addresses for embedded proxy peers.

Allocated and preserved IPv6 overlay addresses for embedded proxy peers.

Source: llm_adapter@2026-05-21

Confidence: low
Bugfix Medium

Fixed offline statuses for public proxy clusters.

Fixed offline statuses for public proxy clusters.

Source: llm_adapter@2026-05-21

Confidence: low
Bugfix Low

--config CLI flag now defaults correctly to the profile path.

--config CLI flag now defaults correctly to the profile path.

Source: granite4.1:30b@2026-05-22-audit

Confidence: low
Refactor Medium

Bracketed IPv6 in embed listeners and expanded debug bundle.

Bracketed IPv6 in embed listeners and expanded debug bundle.

Source: llm_adapter@2026-05-21

Confidence: high
Refactor Medium

Bracketed IPv6 reverse-proxy target hosts when building URL Host field.

Bracketed IPv6 reverse-proxy target hosts when building URL Host field.

Source: llm_adapter@2026-05-21

Confidence: high
Full changelog

Release Notes for v0.71.0

What's New

IPv6 overlay addressing
NetBird's overlay is now dual-stack. Every account gets its own IPv6 prefix (default /64, configurable from /48 to /120), and peers can receive both an IPv4 and an IPv6 overlay address. DNS serves AAAA
and reverse PTR records alongside A records, ACLs apply to both families automatically, network routes accept IPv6 CIDRs (with masquerade), exit nodes that route 0.0.0.0/0 get a matching ::/0 route, and
domain routes resolve both A and AAAA.

Rollout is group-gated: new accounts enable IPv6 for the All group by default; existing accounts opt in under Settings > Network. Assignment is also gated on a per-peer capability, so older clients keep
working on IPv4 until they upgrade. Hosts can opt out individually with netbird up --disable-ipv6

Read more in the IPv6 Overlay Addressing announcement and the IPv6 documentation.
https://github.com/netbirdio/netbird/pull/5631 by @lixmal

MFA for local users
Local users (non-IdP) can now enable multi-factor authentication, closing a gap for deployments that don't federate auth through an external provider.
https://github.com/netbirdio/netbird/pull/5804 by @jnfrati

Bring your own proxy (backend ready)
Backend support for per-account reverse-proxy lifecycle has landed: proxy tokens, per-account cluster allow-lists, conflict detection, and one-proxy-per-account enforcement. Full rollout (dashboard, docs) comes
in a later release.
https://github.com/netbirdio/netbird/pull/5627 by @crn4

Client Improvements

  • Included MTU and SSH auth config in debug bundle by @lixmal.
    https://github.com/netbirdio/netbird/pull/6071
  • Added public key to debug bundle config.txt by @lixmal.
    https://github.com/netbirdio/netbird/pull/6092
  • iOS: structured ResolvedIPs collection for domain routes by @pappz.
    https://github.com/netbirdio/netbird/pull/6090
  • Used unique temp file and clean up on failure when writing ssh config by @lixmal.
    https://github.com/netbirdio/netbird/pull/6064
  • Hardened uspfilter conntrack and shared TCP relay by @lixmal.
    https://github.com/netbirdio/netbird/pull/5936
  • Skipped DNS upstream failover on definitive EDE by @lixmal.
    https://github.com/netbirdio/netbird/pull/6089
  • Fixed --config flag default to point at profile path by @lixmal.
    https://github.com/netbirdio/netbird/pull/6122
  • Bracketed IPv6 in embed listeners, expanded debug bundle by @lixmal.
    https://github.com/netbirdio/netbird/pull/6134
  • Added short flags for status command options by @mlsmaycon.
    https://github.com/netbirdio/netbird/pull/6137

Management Improvements

  • Removed permissions from geolocations API by @pascal-fischer.
    https://github.com/netbirdio/netbird/pull/6091
  • Added update reason to buffered calls by @pascal-fischer.
    https://github.com/netbirdio/netbird/pull/6103
  • Allocated and preserved IPv6 overlay addresses for embedded proxy peers by @lixmal.
    https://github.com/netbirdio/netbird/pull/6132
  • Fixed offline statuses for public proxy clusters by @crn4.
    https://github.com/netbirdio/netbird/pull/6133
  • Bracketed IPv6 reverse-proxy target hosts when building URL Host field by @lixmal.
    https://github.com/netbirdio/netbird/pull/6141

Relay Improvements

  • Preserved non-standard port in WS dialer URL prep by @lixmal.
    https://github.com/netbirdio/netbird/pull/6061

Misc

  • Updated CONTRIBUTING.md by @mlsmaycon.
    https://github.com/netbirdio/netbird/pull/6076
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track netbird

Get notified when new releases ship.

Sign up free

About netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.

All releases →

Related context

Beta — feedback welcome: [email protected]