diff --git a/hosts/idols-ai/preservation.nix b/hosts/idols-ai/preservation.nix
index 1b2681d9..48aca7e4 100644
--- a/hosts/idols-ai/preservation.nix
+++ b/hosts/idols-ai/preservation.nix
@@ -72,6 +72,7 @@ in
 # network
 "/var/lib/tailscale"
+ "/var/lib/netbird-homelab" # netbird's homelab client
 "/var/lib/bluetooth"
 "/var/lib/NetworkManager"
 "/var/lib/iwd"
diff --git a/hosts/idols-aquamarine/tailscale.nix b/hosts/idols-aquamarine/tailscale.nix
deleted file mode 100644
index e6ec6666..00000000
--- a/hosts/idols-aquamarine/tailscale.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- # enable tailscale on aquamarine
- services.tailscale = {
- enable = true;
- useRoutingFeatures = "server";
- extraSetFlags = [
- # access home network via tailscale
- "--advertise-routes=192.168.5.0/24"
- ];
- };
-}
diff --git a/hosts/idols-aquamarine/vpn.nix b/hosts/idols-aquamarine/vpn.nix
new file mode 100644
index 00000000..e7aafff5
--- /dev/null
+++ b/hosts/idols-aquamarine/vpn.nix
@@ -0,0 +1,28 @@
+{
+ # tailscale do not support running multiple clients on the same host,
+ # so we use netbird for homelab instead.
+ #
+ # services.tailscale = {
+ # enable = true;
+ # port = 41641;
+ # interfaceName = "tailscale0";
+ # # allow the Tailscale UDP port through the firewall
+ # openFirewall = true;
+ #
+ # useRoutingFeatures = "server";
+ # extraSetFlags = [
+ # # access home network via tailscale
+ # "--advertise-routes=192.168.5.0/24"
+ # "--accept-routes=false"
+ # ];
+ # };
+
+ services.netbird.useRoutingFeatures = "server";
+ services.netbird.clients.homelab = {
+ port = 51820;
+ name = "homelab";
+ interface = "netbird-homelab";
+ hardened = true;
+ autoStart = true;
+ };
+}
diff --git a/modules/darwin/apps.nix b/modules/darwin/apps.nix
index 36c74027..914c3237 100644
--- a/modules/darwin/apps.nix
+++ b/modules/darwin/apps.nix
@@ -171,6 +171,7 @@ in
 "joplin" # note taking app
 "tailscale-app" # tailscale macos app (with gui)
+ "netbirdio/tap/netbird-ui" # netbird gui app
 # AI
 "lm-studio" 
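Review bot: The subnet this host used to advertise, `192.168.5.0/24`, survives only inside the commented-out Tailscale block in `vpn.nix` and has no counterpart in the new `services.netbird.clients.homelab` definition; as far as I know NetBird routes are declared as network routes in the management console rather than in the client config, so the file should record where that route now lives, e.g. `# 192.168.5.0/24 is published as a NetBird network route in the management console, not here.` next to `useRoutingFeatures = "server"`, which (per the nixpkgs module, to be confirmed) is what enables kernel IP forwarding on this host. The retained Tailscale block is stale history, and its stated reason ("multiple clients on the same host") does not match aquamarine, which ran a single Tailscale client before this change — either state the actual reason or drop the fourteen commented lines. The old block had an explicit `openFirewall = true` for the VPN port; the NetBird client block leaves the `51820/UDP` exposure to the module default, so spell it out (`openFirewall = true;` or `false`) instead of relying on it silently. With `hardened = true` the client runs as a dedicated service user, so anyone other than root invoking `netbird-homelab` will presumably need membership in that client's group — worth a one-line comment if that is expected on this host.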
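Review bot: `"netbirdio/tap/netbird-ui"` installs the cask from a vendor-maintained third-party tap, which has to be registered (typically via `homebrew.taps`) outside this hunk for `brew` to resolve the name — the hunk does not show that, so confirm it exists. Unlike `tailscale-app` from the core cask repository, a third-party tap is not reviewed by Homebrew maintainers, so the trailing comment should make the supply-chain difference visible, e.g. `# netbird gui app (vendor tap netbirdio/tap, not homebrew-core)`. The enclosing cask list starts before the hunk.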
diff --git a/modules/nixos/base/networking/tailscale.nix b/modules/nixos/base/networking/tailscale.nix
deleted file mode 100644
index bdec87ea..00000000
--- a/modules/nixos/base/networking/tailscale.nix
+++ /dev/null
@@ -1,43 +0,0 @@
-{
- lib,
- pkgs,
- ...
-}:
-# =============================================================
-#
-# Tailscale - your own private network(VPN) that uses WireGuard
-#
-# It's open source and free for personal use,
-# and it's really easy to setup and use.
-# Tailscale has great client coverage for Linux, windows, Mac, android, and iOS.
-# Tailscale is more mature and stable compared to other alternatives such as netbird/netmaker.
-# Maybe I'll give netbird/netmaker a try when they are more mature, but for now, I'm sticking with Tailscale.
-#
-# How to use:
-# 1. Create a Tailscale account at https://login.tailscale.com
-# 2. Login via `tailscale login`
-# 3. join into your Tailscale network via `tailscale up --accept-routes`
-# 4. If you prefer automatic connection to Tailscale, use the `authKeyFile` option` in the config below.
-#
-# Status Data:
-# `journalctl -u tailscaled` shows tailscaled's logs
-# logs indicate that tailscale store its data in /var/lib/tailscale
-# which is already persistent across reboots(via preservation)
-#
-# References:
-# https://github.com/NixOS/nixpkgs/blob/nixos-25.05/nixos/modules/services/networking/tailscale.nix
-#
-# =============================================================
-{
- # make the tailscale command usable to users
- environment.systemPackages = [ pkgs.tailscale ];
-
- # enable the tailscale service
- services.tailscale = {
- enable = lib.mkDefault false;
- port = 41641;
- interfaceName = "tailscale0";
- # allow the Tailscale UDP port through the firewall
- openFirewall = true;
- };
-}
diff --git a/modules/nixos/desktop/networking/default.nix b/modules/nixos/desktop/networking/default.nix
index cf0692c9..049dda93 100644
--- a/modules/nixos/desktop/networking/default.nix
+++ b/modules/nixos/desktop/networking/default.nix
@@ -1,7 +1,4 @@
 { mylib, ... }:
 {
 imports = mylib.scanPaths ./.;
-
- # enable tailscae for all desktop hosts
- services.tailscale.enable = true;
 }
diff --git a/modules/nixos/desktop/networking/netbird.nix b/modules/nixos/desktop/networking/netbird.nix
new file mode 100644
index 00000000..057f62e9
--- /dev/null
+++ b/modules/nixos/desktop/networking/netbird.nix
@@ -0,0 +1,38 @@
+{
+ lib,
+ pkgs,
+ ...
+}:
+# =============================================================
+#
+# NetBird - your own private network(VPN) that uses WireGuard, Coturn, etc.
+#
+# It's similar to tailscale, but netbird's more opensouse and less mature.
+#
+# NetBird natively supports running multiple clients on the same host — something
+# Tailscale can’t do easily.
+# Its NixOS module ships a dedicated CLI wrapper for every client, so managing them is effortless.
+#
+# How to use:
+# 1. Create a NetBird account at https://app.netbird.io/
+# 3. Login & join into your homelab network via `netbird-homelab up`
+#
+# Status Data:
+# `journalctl -u netbird-homelab` shows netbird's logs
+# netbird client store its data in /var/lib/netbird-homelab
+# which is already persistent across reboots(via preservation)
+#
+# References:
+# https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/networking/netbird.nix
+#
+# =============================================================
+{
+ services.netbird.useRoutingFeatures = "client";
+ services.netbird.clients.homelab = {
+ port = 51820;
+ name = "homelab";
+ interface = "netbird-homelab";
+ hardened = true;
+ autoStart = true;
+ };
+}
diff --git a/modules/nixos/desktop/networking/tailscale.nix b/modules/nixos/desktop/networking/tailscale.nix
index 5315eda3..ae6099e0 100644
--- a/modules/nixos/desktop/networking/tailscale.nix
+++ b/modules/nixos/desktop/networking/tailscale.nix
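Review bot: The new `netbird.nix` module takes `lib` and `pkgs` as arguments but its body uses neither — there is no `lib.mkDefault` and no `pkgs.*` reference, unlike the deleted base Tailscale module that needed both — so the header should shrink to `{ ... }:` (or the file can be a plain attribute set) rather than carrying unused parameters. With `hardened = true` the client runs under a dedicated service user (per the nixpkgs module, to be confirmed), which means the documented step `netbird-homelab up` will not work for an ordinary desktop user unless they are in that client's group or use root; the "How to use" section should say which is intended on desktop hosts. The same section jumps from step 1 to step 3, and `opensouse` should read `open source`. Finally, `useRoutingFeatures = "client"` replaces Tailscale's `--accept-routes`, but route acceptance in NetBird is granted server-side, so a one-line comment such as `# routes are accepted per peer group in the management console; this only prepares the host` would spare the next reader the search (hedged: confirm against the NetBird docs).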
@@ -1,7 +1,44 @@
 {
- # enable tailscale on aquamarine
+ lib,
+ pkgs,
+ ...
+}:
+# =============================================================
+#
+# Tailscale - your own private network(VPN) that uses WireGuard
+#
+# It's open source and free for personal use,
+# and it's really easy to setup and use.
+# Tailscale has great client coverage for Linux, windows, Mac, android, and iOS.
+# Tailscale is more mature and stable compared to other alternatives such as netbird/netmaker.
+#
+# How to use:
+# 1. Create a Tailscale account at https://login.tailscale.com
+# 2. Login via `tailscale login`
+# 3. join into your Tailscale network via `tailscale up --accept-routes`
+# 4. If you prefer automatic connection to Tailscale, use the `authKeyFile` option` in the config below.
+#
+# Status Data:
+# `journalctl -u tailscaled` shows tailscaled's logs
+# logs indicate that tailscale store its data in /var/lib/tailscale
+# which is already persistent across reboots(via preservation)
+#
+# References:
+# https://github.com/NixOS/nixpkgs/blob/nixos-25.05/nixos/modules/services/networking/tailscale.nix
+#
+# =============================================================
+{
+ # make the tailscale command usable to users
+ environment.systemPackages = [ pkgs.tailscale ];
+
+ # enable the tailscale service
 services.tailscale = {
 enable = true;
+ port = 41641;
+ interfaceName = "tailscale0";
+ # allow the Tailscale UDP port through the firewall
+ openFirewall = true;
+ useRoutingFeatures = "client";
 extraSetFlags = [
 "--accept-routes"