How a distributed team replaced per-seat VPN access with a self-hosted mesh they own
A software team spread across three regions needed secure access to each other and to internal services — without paying per user or routing that access through a third party. We deployed a self-hosted NetBird mesh with multi-region exit nodes and identity-based access control, then documented it and handed it over.
EU · US · SG
Exit-node regions
$0
Per-seat VPN cost
Self-hosted
Control plane
Complete
Handoff
Stack deployed
The problem
A team distributed across time zones needs two things at once: secure connectivity between members wherever they are, and private access to internal services that were never meant to sit on the public internet. Commercial mesh VPNs solve the connectivity part, but they price per user — the same headcount-scaling model that makes SaaS expensive as a team grows — and they route the control layer through a third party the team doesn't own.
For a team that wanted secure access on its own terms, that was the wrong trade. The requirement was clear: a self-hosted setup, access tied to identity, secure by default, and infrastructure the team could keep running after we left.
What we deployed
We deployed NetBird, a self-hosted mesh VPN built on WireGuard, with the control plane running on Hetzner in the EU. Every member and device joins a single private network the team owns end to end — nothing routes through infrastructure they don't control.
The team is spread across Europe, the US, and Singapore, so we placed exit nodes in each region. Members egress close to where they actually are rather than being funneled through one location, and the multi-region layout doubles as redundancy: if one region goes down, the others carry the network. Access is governed by identity, not shared credentials — we integrated single sign-on and defined routing and access policies so that who can reach what is a matter of policy, and removing someone is a single action.
The environment was built to production standards and documented in full — architecture, access policies, and the operational notes the team needs to run it without us.
The outcome
The team now has secure, private access across three regions on infrastructure it owns outright. There is no per-seat VPN licensing — the cost is the servers, not the headcount — and access is governed by identity and policy rather than a shared key.
The full environment was handed over: control plane, regional exit nodes, access policies, and documentation. The team owns it, runs it, and can extend it as it grows.
Solutions used in this engagement
Similar project in mind?
Book a free 30-minute assessment
Book a Free AssessmentNo sales pitch · Direct technical conversation