openZro is a permissively-licensed fork of NetBird
at v0.52.2 — the last release before the upstream relicensed to AGPLv3. We forked
to keep a BSD-3-Clause lineage available for teams that need that license posture
(financial industry, internal compliance, embedded redistribution) and to layer
features that come up in compliance-heavy deployments. Attribution to NetBird is
preserved verbatim across LICENSE, AUTHORS, and DERIVED-FROM.md — this is a
fork built on top of their work, not a replacement of it.
There is no managed cloud — every binary lives on GitHub Releases, every dashboard is the operator's own. See Why self-host only for the rationale behind that posture.
- High availability for management / signal / relay — distributed cluster layer with Redis or NATS backends, leader election, per-resource locks.
- Real peer approval — the upstream stub at
management/integrations/integrations/validator.gowas a no-op; openZro persists Pending / Approved / Rejected state and respectsIntegratedValidatorGroups. - Device admission gate with audited, time-boxed, reason-required per-peer bypass — driven by Brazilian central bank (BACEN) compliance requirements but generally applicable.
- MDM / EDR posture for Microsoft Intune, SentinelOne, Huntress, and CrowdStrike Falcon — clean Provider interface (~150 lines per vendor).
- Flow exports to S3, Google Cloud Storage, Datadog Logs Intake, Elastic, and generic HTTP — credentials encrypted at rest.
- Activity Streamer with custom payload templates (so SIEM teams don't need a Vector / Fluent Bit middleman).
- SCIM 2.0 server (Okta + Microsoft Entra tested).
- Lightweight signed package repository at
pkg.openzro.io— APT, YUM, DNF, zypper.
# Debian / Ubuntu
curl -fsSL https://pkg.openzro.io/openzro-archive-keyring.gpg \
| sudo tee /usr/share/keyrings/openzro-archive-keyring.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/openzro-archive-keyring.gpg] \
https://pkg.openzro.io/apt stable main" \
| sudo tee /etc/apt/sources.list.d/openzro.list > /dev/null
sudo apt-get update && sudo apt-get install -y openzroFor RHEL / Fedora / openSUSE / Windows / macOS / Docker / self-host, see the install guide.
| Repo | Contents |
|---|---|
openzro/openzro |
The core: client, management, signal, relay, dashboard. BSD-3-Clause. |
openzro/docs |
Source for docs.openzro.io. |
openzro/.github |
This profile + shared org assets. |
🟣 Alpha — current release is
v0.1.0-alpha.3.
The architecture is production-grade (it's NetBird's, with our additions);
the integration shape is settled; what's still moving is the breadth of
EDR / MDM vendor coverage and the polish of the install paths. We don't
recommend it for production traffic yet — but pilots and homelabs are
welcome and we want to hear what breaks.
See docs/ROADMAP.md
for what's planned next.
- 🐛 Issues: openzro/openzro and openzro/docs
- 🔧 PRs welcome — please pick the smallest reasonable change first and open an issue ahead of larger refactors so we can scope together.
- 💬 Discussions: see openzro/openzro/discussions
BSD-3-Clause, forever. The whole tree stays permissive — this is non-negotiable.
See LICENSE and
AUTHORS.
Built on the foundation provided by the NetBird team — thank you.