
Multiple peers behind NAT getting relayed

Open deatheibon opened this issue 1 year ago • 13 comments

Describe the problem

I've set up a fresh netbird instance and added some peers which should create a p2p connection between each other. For testing I've set up one peer with a directly attached public IP and 3 peers behind the same NAT (OPNsense). With default outbound NAT all connections to the public server get relayed. With outbound NAT set to static port for UDP, at least one connection to the public server gets p2p state. I figured out that the reason for this behavior is port 51820, which is the same on all peers behind my NAT; if I change the ports to 51820, 51821, 51822 all three peers get a p2p connection because there is no duplicate source port. Shouldn't it work like this with the default outbound behavior from OPNsense, which rewrites the source port automatically? I want to connect many peers over different locations, with some behind NAT, and need the p2p connection for performance reasons. But I can't change all wgport settings to achieve this. Local connections between clients behind NAT are p2p and as expected; it's only if NAT is involved. So maybe an idea would be NAT hole punching, or to be compatible with source port rewrite, or maybe a way that netbird itself changes the wgport automatically.

To Reproduce

Steps to reproduce the behavior:

  1. add a peer with a direct public IP
  2. add at least 2 peers behind NAT
  3. check netbird status -d and see the relayed connection to the public server

Expected behavior

p2p connection to public server

Are you using NetBird Cloud?

No, self-hosted

NetBird version

0.30.0

deatheibon avatar Oct 07 '24 14:10 deatheibon

It's the same for me; as long as there are only two devices in a route I get p2p. If I add multiple devices to access the network, at least one is relayed. Also netbird status -detail shows it's a p2p host/s***/p*** but the latency might still be high, and on the other node it shows relayed.

I can confirm the issue.

Are you using NetBird Cloud?

No, self-hosted

NetBird version

0.30.1

jesvinjoachim avatar Oct 15 '24 09:10 jesvinjoachim

I had a similar issue to this with my clients behind an OPNsense firewall. I had to make some adjustments to the outbound NAT (static ports and hybrid NAT mode) as well as make sure each client used a unique port for WireGuard. If multiple clients shared the same port then connections would relay instead of going p2p.

scroguard avatar Dec 02 '24 19:12 scroguard

I still can see this behavior with the current version. I can say that with the native WireGuard client, if you don't specify any listening port, the WireGuard client will use a random source port. Maybe an option in the netbird web interface where it's possible to choose "use random port on clients" would be possible, which then just unsets the listening port in the netbird client config. I would like to implement netbird in our company but the performance gap with relayed connections is huge; at least for me I can only achieve 10% of the available bandwidth with a relayed connection.

EDIT: it seems the netbird client uses a random port if you set wgport to -1. So far I see random source ports but still some connections get relayed, but it looks much better now. I've set static port NAT on OPNsense for that to work as well. So maybe there is only one additional option needed during client enrollment to set the port.

for example:

netbird up --management-url https://netbird.io --admin-url https://netbird.io --wireguard-port -1

Are you using NetBird Cloud?

No, self-hosted

NetBird version

37.1

deatheibon avatar Feb 24 '25 20:02 deatheibon
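As an added illustration (not code from the thread or from NetBird itself), here is a small Go model of the port collision described in the original issue and in the random-port workaround above: a NAT that preserves the WireGuard source port can only do so for the first internal host using 51820, and any later host on the same port falls back to a per-destination mapping, so the port a STUN server reports no longer matches the port used toward the peer and ICE cannot form a direct pair. The NAT policy, fallback port range and addresses are constructed assumptions for the model, not OPNsense's actual implementation.

```go
package main
import "fmt"

// flow identifies one outbound UDP flow: internal "ip:port" -> destination.
type flow struct{ src, dst string }

// NAT is a simplified, constructed model (not OPNsense/pf code): it keeps the
// internal source port while that external port is free ("static port"); once a
// different internal host owns it, every (source, destination) pair gets a fresh
// fallback port instead, i.e. an endpoint-dependent mapping.
type NAT struct {
	owner   map[int]string // external port -> internal host that owns it
	mapping map[flow]int   // (src, dst) -> external port
	next    int            // next fallback port to allocate (assumed range)
}

func NewNAT() *NAT {
	return &NAT{owner: map[int]string{}, mapping: map[flow]int{}, next: 40000}
}

// Translate returns the external port the NAT uses for host:port -> dst.
func (n *NAT) Translate(host string, port int, dst string) int {
	f := flow{fmt.Sprintf("%s:%d", host, port), dst}
	if p, ok := n.mapping[f]; ok {
		return p
	}
	ext := port
	if holder, taken := n.owner[port]; taken && holder != host {
		ext = n.next // collision with another host: per-flow fallback port
		n.next++
	} else {
		n.owner[port] = host
	}
	n.mapping[f] = ext
	return ext
}

// HolePunchable reports whether the port a STUN server observes equals the port
// the NAT uses toward the remote peer, which ICE needs for a direct candidate pair.
func HolePunchable(n *NAT, host string, port int) bool {
	return n.Translate(host, port, "stun:3478") == n.Translate(host, port, "peer:51820")
}

func main() {
	for _, ports := range [][]int{{51820, 51820, 51820}, {51820, 51821, 51822}} {
		n := NewNAT()
		for i, p := range ports {
			host := fmt.Sprintf("10.0.0.%d", i+1)
			fmt.Printf("%s:%d direct=%v\n", host, p, HolePunchable(n, host, p))
		}
	}
}
```

With three peers all on 51820 only the first prints direct=true; with 51820/51821/51822 all three do, which is the behavior the issue reports and why a random per-client port avoids the collision.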

I think this doesn't work anymore as netbird now reports parsing -1: invalid syntax

Blackclaws avatar May 05 '25 09:05 Blackclaws

I think this doesn't work anymore as netbird now reports parsing -1: invalid syntax

that's still useful

hjchjchjc4352 avatar May 06 '25 01:05 hjchjchjc4352

I think this doesn't work anymore as netbird now reports parsing -1: invalid syntax

It works on my Linux, Windows and Android devices.

hjchjchjc4352 avatar May 06 '25 01:05 hjchjchjc4352

I think this doesn't work anymore as netbird now reports parsing -1: invalid syntax

Could you provide more details? At least a full log line at/before the error.

nazarewk avatar May 06 '25 10:05 nazarewk

@nazarewk

❯ netbird up --management-url https://netbird***:443 --admin-url https://netbird*** --wireguard-port -1
Error: invalid argument "-1" for "--wireguard-port" flag: strconv.ParseUint: parsing "-1": invalid syntax

That's with 0.43.1 on Arch

Blackclaws avatar May 06 '25 10:05 Blackclaws

I'm not sure where this is supposed to come from, it has always been an unsigned int, so negative values are impossible.

https://github.com/netbirdio/netbird/commit/e9c967b27c644a2aed9ca9525b6bfd7386ed3139#diff-0db67eedcdec93665cc9dea08a99e38d7ed16f94db2e98f842af921340815542R42

lixmal avatar May 06 '25 10:05 lixmal

@nazarewk

❯ netbird up --management-url https://netbird***:443 --admin-url https://netbird*** --wireguard-port -1
Error: invalid argument "-1" for "--wireguard-port" flag: strconv.ParseUint: parsing "-1": invalid syntax

That's with 0.43.1 on Arch

I didn't use the --wireguard-port -1 command; I directly edited /netbird/config.json, setting "WgPort": -1. The Android directory is /data/data/io.netbird.client/files/netbitd.cfg.

hjchjchjc4352 avatar May 08 '25 02:05 hjchjchjc4352

I think this doesn't work anymore as netbird now reports parsing -1: invalid syntax

Could you provide more details? At least a full log line at/before the error.

Is it possible to deploy a self-hosted NetBird server using Docker’s host network mode?

hjchjchjc4352 avatar May 09 '25 00:05 hjchjchjc4352

Just noticed that all my peers behind our corp firewall are relayed. I can't tell since which release this is, but I'm certain it worked a few months ago... Setting "WgPort": -1 doesn't help.

I see this strange behavior:

Image

florian-obradovic avatar May 18 '25 07:05 florian-obradovic

Cross-linking issues related to WireGuard port selection so they're easier to discover:

  • https://github.com/netbirdio/netbird/issues/2703
  • https://github.com/netbirdio/netbird/issues/1378
  • https://github.com/netbirdio/netbird/issues/546
  • https://github.com/netbirdio/netbird/issues/1679

nazarewk avatar Jun 06 '25 13:06 nazarewk

FYI: you'll be able to select a random WireGuard port after https://github.com/netbirdio/netbird/pull/4085 gets released.

nazarewk avatar Jul 02 '25 08:07 nazarewk

Could double NAT be a problem, like a 5G modem in a router, which is often CGNAT / carrier-grade NATed? I also noticed such behavior when connected to an iOS personal hotspot.

flotpg avatar Jul 03 '25 06:07 flotpg

Just updated from 0.45.2 to 0.50.1 and I still have the issue that all peers are relayed except one machine which is running on the public internet:

Image

I'm online using Telekom Germany (CGNAT) + NAT @ local router.

Image

If I connect from different networks it works. Nothing is blocked on my local router.

flotpg avatar Jul 06 '25 19:07 flotpg

Could double NAT be a problem like 5G Modem in a router which often is CG NAT / carrier grade NATed?

The more NATs/firewalls/routers you have on your network path, the more likely it is that one or more of them is preventing P2P/hole punching.

nazarewk avatar Jul 07 '25 12:07 nazarewk

What's your experience with personal hotspot? I almost always have a relayed connection.

flotpg avatar Jul 07 '25 15:07 flotpg