Migrated three Netbird network routes to the Networks model with explicit per-policy access, narrowed the work laptop’s reach to TCP 22 and 443, and finally deleted the default All-to-All rule that had been disabled but lingering since March.
Two days after blaming DNS for the hourly Netbird flap and declaring it fixed, dmesg produced evidence that the real culprit was dnf-makecache.timer running on a 2GB VM with no swap.
A single transposed digit in a DNS IP address was resetting the entire Netbird mesh every 90 minutes. Closing OHP#58.
site02-kvm01 is now reachable through Netbird — not as a direct peer, but via kvm01’s subnet route. Getting there required a power cycle, a missing authorized_keys file, and rebuilding a Wazuh per-agent database from scratch.
How I replaced two independent Headscale tailnets with a single Netbird mesh VPN, eliminating profile switching and simplifying network access across two domains.