VPN Networking — NetBird

NetBird is an open-source, privacy-first alternative to Tailscale. Its control plane is hosted in Berlin, Germany, making it the preferred choice for European users and anyone who needs data sovereignty within the EU.

Control plane location: Berlin, Germany
Best for: EU users, open-source preference, GDPR compliance


Why use a VPN with Gumm?

Without a VPN, exposing Gumm on a public port means anyone on the internet can attempt to reach your assistant’s API. With NetBird:

  • Your Gumm server binds to its private VPN IP — not visible to the public internet
  • The CLI connects to Gumm via the VPN IP from any network
  • All traffic is end-to-end encrypted by WireGuard
  • You can optionally self-host the NetBird management server for full control

Prerequisites

  • A free NetBird account — sign up at app.netbird.io
  • NetBird installed on every device you want to connect (including the server)

Step 1 — Install NetBird on your machines

Platform                 Command
macOS                    brew install netbirdio/tap/netbird
Linux (Debian/Ubuntu)    curl -fsSL https://pkgs.netbird.io/install.sh | sh
Windows                  Download the installer
Docker (Gumm server)     Already bundled in the Gumm image — no install needed

Step 2 — Get a Setup Key

In the NetBird dashboard, generate a Setup Key. This key is used to register devices into your network.

Tip: Use a reusable setup key so the same key works for multiple devices and container restarts. Treat the key as a secret: anyone who holds it can register a device into your network.


Step 3 — Authenticate your CLI machine

On your laptop or workstation:

sudo netbird up --setup-key <your-setup-key>

The device appears in your NetBird peer list within a few seconds.


Step 4 — Configure Gumm (Docker) to use NetBird

The Gumm Docker image has NetBird built in. Configuration is done through the dashboard.

  1. Open your Gumm dashboard
  2. Go to Settings → VPN Networking
  3. Select NetBird as the network mode
  4. Enter:
    • Setup Key — the key you generated in Step 2
    • Hostname — e.g. gumm-server
  5. Click Connect

The brain joins your NetBird network and shows its private IP (e.g. 100.x.y.z by default, or a custom CIDR if configured).


Step 5 — Bind Gumm to the VPN IP only

To prevent Gumm from being reachable on the public internet, set VPN_BIND_IP in your .env:

# Replace with your Gumm container's actual NetBird IP
VPN_BIND_IP=100.x.y.z

Restart Gumm:

docker compose up -d
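
One way to confirm that the bind from Step 5 took effect, as an added example that is not part of the Gumm or NetBird documentation: the function reads `ss -Hltn` output and reports whether port 3000 (the port the CLI connects to in Step 6) listens on anything other than the VPN IP. The address 100.92.14.7 and the sample lines are constructed, and `check_bind` is a hypothetical helper name; run `ss` wherever Gumm actually listens (host or container).

```shell
#!/bin/sh
# Added example: verify Gumm's port is bound to the VPN IP only.
# Reads `ss -Hltn` output on stdin and prints one verdict:
#   exposed        a wildcard or other non-loopback address listens on the port
#   ok             the VPN IP listens on the port and nothing wider does
#   not-listening  nothing listens on the port at the VPN IP
check_bind() {
    vpn_ip=$1
    port=$2
    awk -v ip="$vpn_ip" -v port="$port" '
        $1 == "LISTEN" {
            sock = $4                              # local address:port column
            if (!match(sock, /:[^:]*$/)) next      # last colon precedes the port
            addr = substr(sock, 1, RSTART - 1)
            if (substr(sock, RSTART + 1) != port) next
            if (addr == ip) { vpn = 1; next }      # the expected bind
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback, not remote
            bad = 1                                # 0.0.0.0, [::], * or another IP
            print "unexpected listener: " sock > "/dev/stderr"
        }
        END {
            if (bad) print "exposed"
            else if (vpn) print "ok"
            else print "not-listening"
        }'
}

# Constructed sample `ss -Hltn` output (not captured from a real host).
SAMPLE_GOOD='LISTEN 0 4096 100.92.14.7:3000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_BAD='LISTEN 0 4096 0.0.0.0:3000 0.0.0.0:*
LISTEN 0 4096 [::]:3000 [::]:*'

printf '%s\n' "$SAMPLE_GOOD" | check_bind 100.92.14.7 3000
printf '%s\n' "$SAMPLE_BAD"  | check_bind 100.92.14.7 3000

# Live check on the machine or container running Gumm:
#   ss -Hltn | check_bind "$VPN_BIND_IP" 3000
```

An `exposed` verdict after restarting means the service is still listening on a wildcard or public address, so VPN_BIND_IP was not picked up.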

Step 6 — Connect the CLI

# Point the CLI at the VPN IP of your Gumm brain
gumm connect http://100.x.y.z:3000

# Log in
gumm login

# Verify
gumm status

Optional: Access via Reverse Proxy with SSO

NetBird supports exposing services via a built-in reverse proxy with SSO authentication (e.g. gumm.eu1.netbird.services). If your NetBird setup uses this feature, authenticate via SSO:

gumm connect --sso https://gumm.eu1.netbird.services

The CLI will:

  1. Open your browser for SSO authentication
  2. Ask you to paste the session cookie from your browser’s DevTools
  3. Use that token for all subsequent requests through the proxy

Tip: If you see HTTP 401 errors without --sso, the reverse proxy requires authentication.


Optional: HTTPS with Caddy

To enable HTTPS on your NetBird hostname, add Caddy to your deployment:

# In .env
CADDY_DOMAIN=gumm.your-network.netbird.cloud
VPN_BIND_IP=100.x.y.z

# Then start the stack with the proxy profile
docker compose --profile proxy up -d

Optional: Self-hosted NetBird management server

For full data sovereignty, NetBird is fully open-source and can be self-hosted. Follow the official self-hosting guide. Once set up, add your management URL when registering devices:

sudo netbird up \
  --setup-key <your-setup-key> \
  --management-url https://netbird.your-domain.com

Troubleshooting

Problem                              Solution
Container won’t start                NetBird agent may not have connected yet. Check docker compose logs gumm
Peers can’t connect to each other    Ensure both appear as Connected in the NetBird peers page
Setup key invalid or expired         Generate a new reusable key in the NetBird dashboard
--sso flag brings up a blank page    Ensure you’re using the correct SSO-enabled URL from your NetBird settings

Check status

# From the CLI
gumm network status

# Or inside the container
docker compose exec gumm netbird status

Tailscale vs NetBird — Quick comparison

                    Tailscale                NetBird
Control plane       Toronto, Canada          Berlin, Germany
Open source         Partial (client only)    Fully open source
Self-hostable       No (paid plan)           Yes
GDPR-friendly       Limited                  Yes (EU data residency)
Setup complexity    Very low                 Low