Zero-trust networking doesn't have to mean enterprise contracts and complex appliances. With Authentik and Netbird running on a couple of Gozunga Cloud instances, you can build a production-grade zero-trust setup that authenticates every user and device before granting network access — all on infrastructure you own.

1. Overview
2. Create Your Gozunga Account - First, Sign Up to get started.
3. Understanding Floating IPs - Critical for this setup — read this before launching instances.
4. Launch Your Two Instances - One for Authentik, one for Netbird.
5. Secure Your Instances - Configure security groups for each server.
6. Install Authentik - Deploy your identity provider via Docker Compose.
7. Install Netbird - Deploy your self-hosted VPN management plane.
8. Connect Authentik and Netbird via OIDC - The integration that ties it all together.
9. Next Steps and More Information

1. Overview

Zero-trust networking operates on the principle that no user or device is trusted by default — even those inside your network. Every access request is authenticated, authorized, and continuously validated.

This guide sets up a minimal but real zero-trust stack using two open-source tools:

• Authentik — a self-hosted Identity Provider (IdP) supporting OAuth2, OIDC, SAML, and LDAP. Think of it as your own private Okta or Auth0.
• Netbird — a self-hosted WireGuard-based overlay network with a management plane. Think of it as your own private Tailscale or ZeroTier, where Authentik handles the authentication.

The integration works like this: Netbird delegates login to Authentik via OIDC. When a user or device tries to join your Netbird network, they authenticate against Authentik — so your existing user accounts, groups, and policies control network access.

Architecture summary:

• Server 1 — Authentik (IdP): handles user authentication, issues OIDC tokens
• Server 2 — Netbird (Network): manages WireGuard peers, validates tokens against Authentik
• Both servers need Floating IPs (stable public IPs) — more on this in Step 3

2. Create your Gozunga Account

If you haven't yet done so, Create an Account. You can sign up for free and get $100 in credits to get started!

Why choose Gozunga Cloud for your zero-trust setup?

• High-performance infrastructure with 99.99% uptime SLA
• 24/7 expert support to help you every step of the way
• Flexible scaling - start small and grow as needed

3. Understanding Floating IPs

Before launching your instances, you need to understand Floating IPs — this is a critical concept for this setup.

In Gozunga Cloud, instances are assigned an IP address from a pool when they're created. If you destroy and recreate an instance, or the underlying host changes, that IP can change. A Floating IP is a static public IP address that you own and can associate with any instance. When you reassign it to a new instance, traffic follows automatically.

Why this matters for Authentik and Netbird:

• Authentik's OIDC configuration contains hardcoded URLs (the issuer URL, redirect URIs, etc.) These must be stable, or your integration breaks
• Netbird clients store the management server address. A changing IP breaks connectivity for all your peers
• SSL certificates (Let's Encrypt) are issued for a specific domain that points to your server's IP

For each of your two servers, you'll need to:

1. Allocate a Floating IP in the Gozunga Cloud portal
2. Associate it with the server instance
3. Point your domain DNS records to the Floating IP (not the instance IP)

To allocate a Floating IP:

• In the Cloud Management Portal, navigate to Networking → Floating IPs
• Click Allocate Floating IP and note the address
• After your instance is created, click Associate to link the Floating IP to the instance

💡 Pro Tip: Set up your DNS records (e.g. authentik.yourdomain.com and netbird.yourdomain.com) pointing to the Floating IPs before you start configuring the services. SSL certificate issuance requires DNS to be resolving correctly.

4. Launch Your Two Instances

You'll need two separate VPS instances for this setup.

Authentik Server

• Login to Gozunga's Cloud Management Portal and create a Project
• Click Create a Cloud Server
• Select Ubuntu 24.04 and instance size st.small1 (2GB RAM minimum; st.medium1 recommended for better performance)
• Choose your network settings and SSH key
• Name it authentik and click Create Server
• Allocate a Floating IP and associate it with this instance

Netbird Server

• Create a second Cloud Server in the same or a different Project
• Select Ubuntu 24.04 and instance size st.small1 (1GB RAM is sufficient for the Netbird management plane)
• Name it netbird and click Create Server
• Allocate a second Floating IP and associate it with this instance

SSH into each server once they're online to confirm connectivity before proceeding.

5. Secure Your Instances

Each server has different traffic requirements. Configure security groups for each independently.

• Choose Networking → Security Groups in the portal
• Create two security groups: Authentik SG and Netbird SG

Authentik Security Group Rules

HTTP - TCP/80 (public)

HTTPS - TCP/443 (public)

Authentik Initial Setup - TCP/9000 (your IP only)

Authentik HTTPS Setup - TCP/9443 (your IP only)

(Optional) SSH - TCP/22 (your IP only)

Apply Authentik SG to the Authentik server instance.

Netbird Security Group Rules

HTTP - TCP/80 (public, for Let's Encrypt)

HTTPS - TCP/443 (public)

STUN - UDP/3478 (public)

WireGuard - UDP/49152-65535 (public)

Netbird Management - TCP/33073 (public)

Netbird Signal - TCP/10000 (public)

(Optional) SSH - TCP/22 (your IP only)

Apply Netbird SG to the Netbird server instance.

6. Install Authentik

SSH into your Authentik server and set up Authentik using Docker Compose.

# SSH to Authentik server
ssh -i /path/to/.pem ubuntu@[AUTHENTIK_SERVER_IP]

# Install Docker and Docker Compose
curl -fsSL https://get.docker.com | sh
sudo usermod -aG docker ubuntu
newgrp docker

# Create a directory for Authentik
mkdir -p ~/authentik && cd ~/authentik

# Generate a secure secret key and password
openssl rand -base64 36   # Use this as AUTHENTIK_SECRET_KEY
openssl rand -base64 24   # Use this as PG_PASS

Create your docker-compose.yml:

# ~/authentik/docker-compose.yml
version: "3.4"

services:
  postgresql:
    image: docker.io/library/postgres:16-alpine
    restart: unless-stopped
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${PG_PASS}
      POSTGRES_USER: authentik
      POSTGRES_DB: authentik

  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    volumes:
      - redis:/data

  server:
    image: ghcr.io/goauthentik/server:latest
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
    ports:
      - "9000:9000"
      - "9443:9443"
    depends_on:
      - postgresql
      - redis

  worker:
    image: ghcr.io/goauthentik/server:latest
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
    depends_on:
      - postgresql
      - redis

volumes:
  database:
  redis:

# Create your .env file with your generated values
cat > .env << EOF
PG_PASS=your-generated-pg-password
AUTHENTIK_SECRET_KEY=your-generated-secret-key
EOF

# Start Authentik
docker compose up -d

# Check logs to confirm startup (takes ~60 seconds on first run)
docker compose logs -f server

Once running, visit http://[AUTHENTIK_IP]:9000/if/flow/initial-setup/ to create your admin account.

💡 Pro Tip: After initial setup, configure your reverse proxy (Nginx or Caddy) to terminate HTTPS on port 443 and proxy to port 9000/9443. This way you can use your domain (e.g. authentik.yourdomain.com) with a proper Let's Encrypt certificate.

7. Install Netbird

SSH into your Netbird server and follow the self-hosted setup. Netbird provides an official setup script and Docker Compose configuration.

# SSH to Netbird server
ssh -i /path/to/.pem ubuntu@[NETBIRD_SERVER_IP]

# Install Docker and Docker Compose
curl -fsSL https://get.docker.com | sh
sudo usermod -aG docker ubuntu
newgrp docker

# Download Netbird's self-hosted setup
wget https://raw.githubusercontent.com/netbirdio/netbird/main/infrastructure_files/getting-started-with-zitadel.sh

# Netbird's setup script configures the management, signal, and relay services
# Review the script, then run it:
bash getting-started-with-zitadel.sh

The Netbird self-hosted guide at docs.netbird.io/self-hosting/self-hosted-guide covers the full setup including their setup.env configuration file where you set your domain, OIDC issuer, and client credentials. Follow that guide for the full Docker Compose configuration, then return here for the Authentik OIDC integration.

Key values you'll need to configure in Netbird's setup.env:

# In Netbird's setup.env — fill these in after completing Step 8
NETBIRD_DOMAIN=netbird.yourdomain.com
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT=https://authentik.yourdomain.com/application/o/netbird/.well-known/openid-configuration
NETBIRD_AUTH_CLIENT_ID=your-client-id-from-authentik
NETBIRD_AUTH_CLIENT_SECRET=your-client-secret-from-authentik
NETBIRD_AUTH_AUDIENCE=your-client-id-from-authentik

8. Connect Authentik and Netbird via OIDC

This is the integration step that ties your identity provider to your network.

Step 1: Create an OAuth2 Provider in Authentik

• Log in to Authentik at https://authentik.yourdomain.com
• Navigate to Admin Interface → Applications → Providers
• Click Create → OAuth2/OpenID Provider
• Configure:
  • Name: Netbird
  • Client Type: Confidential
  • Client ID: Copy this value — you'll need it for Netbird
  • Client Secret: Copy this value — you'll need it for Netbird
  • Redirect URIs:

    https://netbird.yourdomain.com/peers
    https://netbird.yourdomain.com/auth
    http://localhost
    

  • Signing Key: Select your default signing certificate
• Click Save

Step 2: Create an Application in Authentik

• Navigate to Applications → Applications
• Click Create
• Configure:
  • Name: Netbird
  • Slug: netbird
  • Provider: Select the provider you just created
• Click Save

Step 3: Retrieve the OIDC Discovery URL

• Navigate to Applications → Providers → click your Netbird provider
• Find the OpenID Configuration URL — it will look like:

  https://authentik.yourdomain.com/application/o/netbird/.well-known/openid-configuration
  

• Copy this URL — this is your NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT

Step 4: Update Netbird Configuration

Update your Netbird setup.env with the values from Authentik:

NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT=https://authentik.yourdomain.com/application/o/netbird/.well-known/openid-configuration
NETBIRD_AUTH_CLIENT_ID=<your-client-id>
NETBIRD_AUTH_CLIENT_SECRET=<your-client-secret>
NETBIRD_AUTH_AUDIENCE=<your-client-id>

Restart Netbird to apply the changes:

cd ~/netbird
docker compose down && docker compose up -d

Step 5: Test the Integration

• Open your Netbird dashboard at https://netbird.yourdomain.com
• Click Login — you should be redirected to Authentik's login page
• Log in with your Authentik credentials
• After successful authentication, you'll be redirected back to Netbird and see your dashboard

From here, you can install the Netbird client on any device (netbird up) and authenticate it through Authentik to join your zero-trust overlay network.

💡 Pro Tip: In Authentik, you can use Groups and Policies to control which users are allowed to access Netbird. Only users in an allowed group will be able to authenticate and join the network — your first real zero-trust policy.

9. Next Steps and More Information

After setting up your zero-trust network, you can:

• Add any number of devices to your Netbird overlay network — servers, laptops, phones
• Define network access policies in Netbird to control which peers can talk to each other
• Use Authentik to enforce MFA for network access
• Add more applications to Authentik (Grafana, Gitea, your internal tools) for unified SSO
• Set up Authentik's LDAP outpost to provide directory services to legacy applications

For more information about Authentik features and configuration, visit the official Authentik documentation. For Netbird self-hosting details, visit the official Netbird documentation.

Ready to deploy? Get $100 in free credits and start hosting your applications on Gozunga Cloud today!