Replace netstack (full userspace) mode with userspace WireGuard + real
kernel TUN interface. This gives proper network performance for game
streaming (Moonlight/Sunshine) while still keeping all files in /home.
Uses sudo setcap to grant CAP_NET_ADMIN and CAP_NET_RAW on the binary
instead of running as root. Capabilities are applied at install and
reapplied on each update.

In netstack mode with local forwarding enabled, ICMP packets get
replied to by both the gVisor netstack and the native OS (via the
forwarder), causing duplicate ping responses. Local forwarding is
only needed when remote peers must reach host-local services, so
it should not be on by default.

The CLI defaults to /var/run/netbird.sock which doesn't exist in our
rootless setup. Export NB_DAEMON_ADDR and NB_CONFIG in .bashrc so the
CLI automatically connects to the user-level daemon socket.

Verify SHA-256 checksums from the release checksums.txt before
installing. In do_update, download and verify the new binary to a
staging directory before stopping the running service so a failed
download leaves the existing installation untouched.

Standalone installer for Steam Deck / SteamOS that runs NetBird
entirely from /home using netstack mode — no root, no sysext, no
TUN device required. Survives all OS updates without intervention.
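
The SHA-256 verification and staged update described above, sketched as an added example that is not the installer's own code. It assumes checksums.txt uses the sha256sum layout (`<hex>  <name>`); the function names, file names and sample contents are constructed for illustration.

```shell
# verify_sha256 FILE CHECKSUMS NAME
# Succeeds only if CHECKSUMS holds exactly one entry for NAME and its
# digest equals the SHA-256 of FILE. Assumes "<hex>  <name>" lines.
verify_sha256() (
    file=$1; sums=$2; name=$3
    # Compare the name field exactly: a substring grep would also match
    # "NAME.sig" or another platform's archive. Duplicates print nothing.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { c++; h = tolower($1) }
        END { if (c == 1) print h }' "$sums")
    # Fail closed on a missing, duplicated or malformed entry.
    printf '%s\n' "$expected" | grep -Eqx '[0-9a-f]{64}' || return 1
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
)

# staged_install STAGED CHECKSUMS NAME DEST
# Verifies the staged download first; on failure DEST is left untouched.
staged_install() (
    staged=$1; sums=$2; name=$3; dest=$4
    if ! verify_sha256 "$staged" "$sums" "$name"; then
        rm -f "$staged"   # discard the bad download
        return 1
    fi
    # Only at this point would the running service be stopped (omitted).
    # Keep the staging directory on the same filesystem as DEST so that
    # mv is a rename rather than a copy.
    chmod 0755 "$staged" && mv -f "$staged" "$dest"
)

# Constructed demo: a tampered download is rejected, a genuine one installed.
demo() (
    d=$(mktemp -d) && cd "$d" || return 1
    printf 'old\n' > installed          # stands in for the current binary
    printf 'new\n' > asset              # stands in for the release asset
    sha256sum asset > checksums.txt     # constructed checksums file
    cp asset good; printf 'new!\n' > bad
    staged_install bad checksums.txt asset installed ||
        echo "tampered download rejected, installed=$(cat installed)"
    staged_install good checksums.txt asset installed &&
        echo "genuine download installed, installed=$(cat installed)"
    cd / && rm -rf "$d"
)
demo
```

The checksums file only protects against corruption or a swapped asset if it is fetched from a source the download itself cannot influence.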