
Specify the UDP port range used by Netbird clients

Open d960124 opened this issue 2 years ago • 12 comments

When the Netbird client connects to the server, how can I fix the UDP port used by the backend WireGuard P2P protocol? Because the network environment has firewall restrictions, only designated ports can be opened. The problem now is that the UDP port cannot be fixed: after I set the currently used port, Netbird later changes it to a new one. How do I need to configure the client? Netbird is self-hosted and configured with the default UDP port range!

d960124 avatar Dec 12 '23 10:12 d960124

If you mean the UDP port range of the coturn server (of the self-hosted Netbird server), I also had to set a different range. As you can see here, you can specify the range with these variables in setup.env: TURN_MIN_PORT (default 49152) and TURN_MAX_PORT (default 65535). If you need to change the WireGuard port on the client, you need to change "wgport" in config.json.

Fantu avatar Dec 12 '23 10:12 Fantu

The default value is set here, but the client does not comply with this rule. There is a port value lower than this range. I don't know where the problem is.

d960124 avatar Dec 12 '23 11:12 d960124

listening-port=3478
tls-listening-port=5349
min-port=49152
max-port=50000
fingerprint
lt-cred-mech

d960124 avatar Dec 12 '23 11:12 d960124

These seem to be values from the coturn config; I don't understand what you mean by "the client does not comply with this rule". About coturn: if it takes the correct turnserver.conf on docker start, it should listen on the correct ports and range and avoid issues. There can be an issue if you change docker-compose.yml and it doesn't take the correct config (it will start with default values instead), or if you don't have "network_mode: host"; that can cause issues. When the client contacts coturn, it should create relay connections with a port in the range that was set.

Fantu avatar Dec 12 '23 11:12 Fantu

Hi everyone, the port for the WG interface can be specified in the client config. On Unix-like systems, this is /etc/netbird/config.json, which has "WgPort": 51820 by default. Please let me know if this is what you are looking for.

surik avatar Dec 12 '23 11:12 surik

The configuration in /etc/netbird/config.json is 51280. However, netbird actually uses many different UDP ports, and they change. As a result, firewall rules cannot be configured, because it is not clear which ports the netbird client needs to use. So my question is: how do I specify the port range to use on the Linux client? After specifying the range, I can configure the system firewall and the security group configuration of the cloud host.


(screenshot of /etc/netbird/config.json)

d960124 avatar Dec 12 '23 13:12 d960124

If you mean the UDP port range of the coturn server (of the self-hosted Netbird server), I also had to set a different range. As you can see here, you can specify the range with these variables in setup.env: TURN_MIN_PORT (default 49152) and TURN_MAX_PORT (default 65535). If you need to change the WireGuard port on the client, you need to change "wgport" in config.json.

This configuration only affects the server side of Netbird. Does the port used by the client have nothing to do with this configuration?

d960124 avatar Dec 12 '23 13:12 d960124

To add: the netbird client is not installed using docker.

d960124 avatar Dec 12 '23 13:12 d960124

Hello @d960124, the port list you shared is used for relay connections. They usually don't need any explicit incoming firewall rules, but the agent needs to be able to send traffic over the UDP connection.

These relay connections are used in case some of the peers are behind a more restricted NAT, like mobile networks, and they ensure peer connectivity when there is no possibility of establishing a direct P2P connection.

If you have a limitation regarding allowing outgoing UDP for some peers, you can configure a relay service with TCP and TLS, so that you can enable communication using a single port. But that only works if only a small part of your netbird peers have this restriction, since it will force the other side of the connection to use the dynamic ports.

mlsmaycon avatar Dec 12 '23 13:12 mlsmaycon
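The two replies above give a practitioner what a host firewall needs: the client's own listen port is the "WgPort" value in /etc/netbird/config.json (surik), and the coturn relay ports only need to be reachable outbound, with replies admitted by connection tracking rather than explicit inbound rules (mlsmaycon). The script below is an added example and is not code from the NetBird project or from anyone in this thread. It assumes a config.json containing the "WgPort" key as shown in this thread, the coturn listening ports 3478/5349 and the TURN_MIN_PORT/TURN_MAX_PORT range from setup.env, and a placeholder relay address 203.0.113.10; the constructed sample config and the "relay-only" mode for peers that cannot hole-punch are also assumptions.

```shell
# Added example (not NetBird project code): derive nftables rules for a
# NetBird client host from its config.json and the self-hosted coturn range.
# Assumptions: config.json carries "WgPort" as shown in this thread; coturn
# listens on 3478 (UDP) and 5349 (TLS) with the TURN_MIN_PORT/TURN_MAX_PORT
# relay range; the relay address passed in is a placeholder.

# Write a constructed sample config.json to a temp file and print its path.
sample_config() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
{
  "ManagementURL": "https://netbird.example.internal:33073",
  "WgPort": 51820,
  "WgIface": "wt0"
}
EOF
  echo "$f"
}

# Read WgPort from a config.json; fall back to the 51820 default if absent.
netbird_wg_port() {
  port=$(sed -n 's/.*"WgPort"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
  echo "${port:-51820}"
}

# Print an nftables ruleset for the client host.
#   inbound : only the WireGuard port is opened explicitly; relay replies and
#             STUN answers come back through conntrack (established,related)
#   outbound: UDP to the relay host's TURN ports and relay range, plus (in
#             "direct" mode) general outbound UDP for ICE candidates and
#             hole-punched peers; "relay-only" omits that broad rule
# usage: netbird_nft_rules <config.json> <turn_host> [turn_min] [turn_max] [direct|relay-only]
netbird_nft_rules() {
  cfg=$1
  turn_host=$2
  turn_min=${3:-49152}
  turn_max=${4:-65535}
  mode=${5:-direct}
  wg=$(netbird_wg_port "$cfg")
  cat <<EOF
table inet netbird {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    udp dport $wg accept comment "NetBird WireGuard (direct peers)"
  }
  chain output {
    type filter hook output priority 0; policy drop;
    ct state established,related accept
    ip daddr $turn_host udp dport { 3478, 5349 } accept comment "STUN/TURN"
    ip daddr $turn_host udp dport $turn_min-$turn_max accept comment "TURN relay range"
EOF
  if [ "$mode" = "direct" ]; then
    echo '    udp accept comment "outbound UDP for ICE and hole-punched direct peers"'
  fi
  cat <<EOF
  }
}
EOF
}

# Example invocation (prints the ruleset; apply with: ... | nft -f -):
# netbird_nft_rules "$(sample_config)" 203.0.113.10 49152 50000 direct
```

The relay range parameters mirror the TURN_MIN_PORT/TURN_MAX_PORT values from setup.env (or min-port/max-port in turnserver.conf), so the generated rule tracks whatever range the self-hosted coturn was given. Note that the client-side ports mentioned in this thread as "lower than the range" are the client's own local UDP ports, which this ruleset does not need to enumerate: they are covered by the conntrack rule once the outbound packet has been allowed.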

How do I configure it now? If I turn on the firewall on this node, other hosts cannot access this node. After turning it off, they can access it. Port 51280 has been opened in the firewall!

d960124 avatar Dec 12 '23 14:12 d960124

Hi guys, I have a beginner-level question about port 51280 and how it is being used.

Who actually needs access to it if the port can be closed on firewall for clients?

My understanding is that this is only essential on the server side. And should the WG PORT be the same for all peers in a

In the image I changed it to 51281 because I have legacy WG working side by side with Netbird, and it feels like there is an issue if both of them use 51280. But I'm curious why it still works even if I change Netbird's WG PORT to 51281 without changing the WG PORT on the netbird server to 51281.


bangonkali avatar Sep 19 '24 06:09 bangonkali

Cross-linking issues related to WireGuard port selection so they're easier to discover:

  • https://github.com/netbirdio/netbird/issues/2703
  • https://github.com/netbirdio/netbird/issues/1378
  • https://github.com/netbirdio/netbird/issues/546
  • https://github.com/netbirdio/netbird/issues/1679

nazarewk avatar Jun 06 '25 13:06 nazarewk