
Feature: support connecting to multiple networks/management instances simultaneously

Open bj0 opened this issue 3 years ago • 37 comments

I sometimes have a machine on multiple networks at once. In WireGuard, this is easy as I can just create a new config with a different interface name, and they can both run without conflict.

Is this use case supported on netbird? I can't find any information about it in the docs or issues.

bj0 avatar Aug 31 '22 23:08 bj0

Hi @bj0, currently we don't offer straight support for multiple WireGuard connections, as you would need to set the daemon listening address and a custom config path, and the new interface name needs to be updated in the configuration file.

Let me know if you need a guide for it to try this out.

We will evaluate the options to make this possible in an easier manner and perhaps work on it in the next few days.

mlsmaycon avatar Sep 01 '22 12:09 mlsmaycon

A guide would be cool, but I can figure out those options pretty easily. My main question is how would you "manage" or "auth" this second network? Would you need a second OAuth account (I'm currently just using a Google account)?

bj0 avatar Sep 01 '22 17:09 bj0

Hello @bj0, with the release v0.9.0 you are able to run the following steps to achieve that. Below are the steps:

For a 2 connection example on a single Linux host with systemd, the steps are:

Stop and uninstall the daemon:

```shell
sudo netbird service stop
sudo netbird service uninstall
```

Create custom login files and login:

Assuming we have two accounts, ACCOUNT-A and ACCOUNT-B:

```shell
netbird login --config ./config-wt1.json --log-file console --setup-key ACCOUNT-A-AAA...
netbird login --config ./config-wt2.json --log-file console --setup-key ACCOUNT-B-BBB...
```

Now, we need to edit each configuration file, change the WgIface and WgPort, and update the IFaceBlackList:

```
# FROM
    "WgIface": "wt0",
    "WgPort": 51820,
    "IFaceBlackList": [
        "wt0",
        ...

# TO
# interface wt1:
    "WgIface": "wt1",
    "WgPort": 50001,
    "IFaceBlackList": [
        "wt",
        ...
# interface wt2:
    "WgIface": "wt2",
    "WgPort": 50002,
    "IFaceBlackList": [
        "wt",
        ...
```

Move the files to the default config location /etc/netbird:

```shell
sudo mv ./config-wt1.json /etc/netbird/config-wt1.json
sudo mv ./config-wt2.json /etc/netbird/config-wt2.json
```

Install the wt1 service pointing to the config location:

```shell
sudo netbird service install --config /etc/netbird/config-wt1.json
```

Let's edit the systemd file /etc/systemd/system/netbird.service, update the ExecStart, and rename it:

```
# FROM
ExecStart=/usr/bin/netbird "service" "run" "--config" "/etc/netbird/config-wt1.json" "--log-level" "info"

# TO
ExecStart=/usr/bin/netbird "service" "run" "--config" "/etc/netbird/config-wt1.json" "--log-level" "info" "--daemon-addr" "unix:///var/run/netbird-wt1.sock" "--log-file" "/var/log/netbird/client-wt1.log"
```

```shell
# rename
sudo mv /etc/systemd/system/netbird.service /etc/systemd/system/netbird-wt1.service
```

Make a copy of the service file for the interface wt2, then update its ExecStart:

```shell
sudo cp /etc/systemd/system/netbird-wt1.service /etc/systemd/system/netbird-wt2.service
```

```
# FROM
ExecStart=/usr/bin/netbird "service" "run" "--config" "/etc/netbird/config-wt1.json" "--log-level" "info" "--daemon-addr" "unix:///var/run/netbird-wt1.sock" "--log-file" "/var/log/netbird/client-wt1.log"
# TO
ExecStart=/usr/bin/netbird "service" "run" "--config" "/etc/netbird/config-wt2.json" "--log-level" "info" "--daemon-addr" "unix:///var/run/netbird-wt2.sock" "--log-file" "/var/log/netbird/client-wt2.log"
```

Reload systemd:

```shell
sudo systemctl daemon-reload
```

Start each interface service:

```shell
sudo systemctl start netbird-wt1
sudo systemctl start netbird-wt2
```

Note: For direct connections to work, the peers need to be running the latest version.

mlsmaycon avatar Sep 05 '22 16:09 mlsmaycon
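The per-instance edits in the tutorial above (a distinct WgIface and WgPort per config, the "wt" prefix in IFaceBlackList, and a per-instance --daemon-addr and --log-file in ExecStart) are easy to get subtly wrong by hand, e.g. two instances left on the same port. The following script, added here as an illustration and not part of the NetBird project or the original comment, derives both files for any number of instances from one base config and refuses duplicate interface names. The base config values and all unit keys other than ExecStart are assumptions.

```python
import json
from copy import deepcopy

# Constructed sample of the fields that `netbird login --config ./config-wt1.json`
# writes by default; the real file carries more keys, which are left untouched.
BASE_CONFIG = {
    "WgIface": "wt0",
    "WgPort": 51820,
    "IFaceBlackList": ["wt0", "docker0", "lo"],
}


def instance_config(base, iface, port):
    """Return a copy of the default config adjusted for one extra daemon."""
    cfg = deepcopy(base)
    cfg["WgIface"] = iface
    cfg["WgPort"] = port
    # The tutorial replaces the exact "wt0" entry with the prefix "wt", so every
    # wt* interface (i.e. the other instances) is ignored by this daemon.
    cfg["IFaceBlackList"] = ["wt" if x.startswith("wt") else x
                             for x in cfg["IFaceBlackList"]]
    return cfg


def plan_instances(base, names, first_port=50001):
    """One config per interface name, with consecutive WgPorts starting at first_port.
    Duplicate names are rejected: two daemons on one interface would fight over it."""
    if len(set(names)) != len(names):
        raise ValueError("interface names must be unique")
    return {n: instance_config(base, n, first_port + i) for i, n in enumerate(names)}


def render_unit(name, netbird_bin="/usr/bin/netbird"):
    """Render netbird-<name>.service with the per-instance socket and log file.
    Only ExecStart comes from the tutorial; the other unit keys are assumed."""
    args = ["service", "run", "--config", f"/etc/netbird/config-{name}.json",
            "--log-level", "info",
            "--daemon-addr", f"unix:///var/run/netbird-{name}.sock",
            "--log-file", f"/var/log/netbird/client-{name}.log"]
    exec_start = netbird_bin + " " + " ".join(f'"{a}"' for a in args)
    return (f"[Unit]\nDescription=NetBird client ({name})\nAfter=network.target\n\n"
            f"[Service]\nExecStart={exec_start}\nRestart=always\n\n"
            "[Install]\nWantedBy=multi-user.target\n")


if __name__ == "__main__":
    for name, cfg in plan_instances(BASE_CONFIG, ["wt1", "wt2"]).items():
        print(f"--- config-{name}.json ---\n{json.dumps(cfg, indent=4)}")
        print(f"--- netbird-{name}.service ---\n{render_unit(name)}")
```

Write each rendered config to /etc/netbird/config-<name>.json and each unit to /etc/systemd/system/netbird-<name>.service, then run the daemon-reload and start steps from the tutorial.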

@mlsmaycon thx for the tutorial! Please consider implementing this kind of multi-tenancy/instances in all of your components natively. This might work for an advanced Linux user, but it's difficult for e.g. a Windows GUI client user.

There will be enough use cases for this in the future (both client and UI/management side), and it might be easier to design/implement this directly in the beginning 😀

Thx!

fti7 avatar Sep 07 '22 14:09 fti7

Thanks @mlsmaycon! That's super helpful, I'll give it a try when I get a second oidp/network going.

I was thinking about this while reading through the access control documentation. Another potential solution might be, instead of a separate network, a "shared" group where you could add peers from a different network (obviously on the same mediation server). That way you wouldn't need to run double everything, but it would rely on the mediation server much more.

bj0 avatar Sep 07 '22 20:09 bj0

> @mlsmaycon thx for the tutorial! Please consider implementing this kind of multi-tenancy/instances in all of your components natively. This might work for an advanced Linux user, but it's difficult for e.g. a Windows GUI client user.
>
> There will be enough use cases for this in the future (both client and UI/management side), and it might be easier to design/implement this directly in the beginning 😀
>
> Thx!

Thanks, @fti7 and @bj0, we are definitely thinking about improving that experience. We built the ground for it with smaller CGNAT and random networks.

Moving forward, maybe we can use a bit of input from you folks: how would you see a multi-tenancy setup? Would it be more based on company/personal domain, accounts, or networks?

mlsmaycon avatar Sep 08 '22 17:09 mlsmaycon

Sure, here is my POV: multi-tenancy for me means full isolation.

The scenario that is most likely going to happen is that multiple parties are using NetBird with either your shared management server or setting up their own. They are completely isolated and don't talk to each other. The only thing, which you already mentioned, is the collision of the CGNAT subnet. But I guess that shouldn't be a big issue if they are getting smaller and the reserved subnet per "management server tenant" gets randomized. If this still happens, it should be possible to change this reserved subnet as an admin on one of the servers.

Scenario 1

I'm a freelancer and use NetBird for my private network using app.netbird.io, and I'm working for 2 companies which each have their own self-hosted management server.

In this scenario only the clients need some modifications. How it should look (example: Windows GUI client):

The clients have a list where I can add/remove multiple "profiles". A profile is basically some config which I get from an admin via a QR code/file/copy&paste and contains:

  • Tenant ID (I would use some UUID; can help for further scenarios where you uniquely need to identify tenants)
  • Tenant/profile name (possible to overwrite by the user)
  • Management URL
  • Admin URL
  • Optionally: setup key
  • CGNAT subnet, to directly see if there are collisions... but that could also be checked after calling the management server; it should only allow one enabled/active connection per subnet... multiple entries with the same subnet in general should be allowed (example: your company has a main VPN management server and some disaster recovery backup one in a different datacenter; both have the same CGNAT subnet)

Each profile list entry will have some ON/OFF toggle for globally turning off the connection (e.g. I'm working for company #2 only 1 week per month, and don't want to have this connection open all the time).

For the Linux client, you can implement some "Add/Delete/Enable/Disable Profile" command through the CLI.

Scenario 2

Multi-tenancy for the management server scenario: I want to have multiple isolated "networks" for whatever reason (e.g. one for my private smart home network and one only for my friends, sharing a Minecraft server).

  • Just add a dropdown field on the upper left navigation bar where the user can choose which tenant is currently active in the UI
  • One user can belong to multiple tenants with different roles (admin/regular peer)
  • You also need a "superuser" role which is able to manage the tenants per management server

I guess these two are the most important scenarios which are needed to build up complex architectures.

Later you could for example add a fancy gateway function to connect two tenants (kind of a site-to-site VPN) -> example: you have two companies which each use their own NetBird and want to share some services transparently (without adding the opposite profiles to all employees).... But...., that's stuff for some advanced use cases in the future..... 😀

fti7 avatar Sep 09 '22 00:09 fti7

@fti7 thank you so much for your suggestions, and my apologies for not giving feedback earlier. We are aligned on the use cases. For the profile switching I think we can improve a bit more and make things simpler: just by connecting, the app will handle the rest, and in case you are connecting to multiple self-hosted instances we can add an "Add profile with custom manager" option.

We are looking at a major account refactor that will allow for better multi-tenancy and isolation. The same goes for the network range management.

Time-wise, these changes might come in Q4 or early Q1/2023.

mlsmaycon avatar Sep 15 '22 10:09 mlsmaycon

@mlsmaycon This is great! It seems like this is a solution for combining the meshnets of my friends' networks and my own? I came across this because I opened a case for something very similar over on innernet here. If you wouldn't mind reading my use case over there, would you mind clarifying if and how this would work for it?

alexlyee avatar Mar 05 '23 13:03 alexlyee

> We are looking at a major account refactor that will allow for better multi-tenancy and isolation. The same goes for the network range management.
>
> Time-wise, these changes might come in Q4 or early Q1/2023.

Are these features released or still in development? If in development, is there a new roadmap?

helmut72 avatar Mar 08 '23 22:03 helmut72

I think that one machine being part of multiple networks is a very basic requirement. Even OpenVPN has known this feature from the very beginning. Of course this should support multiple interfaces and multiple config files (or one config file supporting multiple interfaces). IMHO multiple config files would be more robust. What's more, with multiple config files we can use systemd's template services the same way as OpenVPN does it (systemd.unit.html). In this case netbird@work and netbird@home services can be used. Of course this requires different network interfaces and different CGNAT ranges.

Is there any progress with it?

lfarkas avatar Apr 20 '23 13:04 lfarkas

I'm running multiple systemd services, one for each network I connect to. I don't remember the exact reason, but I had trouble getting it to run using an instantiated systemd.unit (I guess it boiled down to running the WireGuard listener on a different port for each instance).

  • https://github.com/netbirdio/netbird/pull/659 - to set ports on first start without editing later on

nazarewk avatar Apr 24 '23 12:04 nazarewk

I'm evaluating Netbird and super impressed so far! Our use case requires key employees to have access to multiple client isolated networks from a single device. Any updates on this?

bc24fl avatar Jul 13 '23 11:07 bc24fl

One other thing that I see should be modified to support multiple NetBird instances is the Windows firewall rule. Currently the name of the rule is fixed to "Netbird"; I suppose a simple change of the rule name to "Netbird-"+$WgIface (for example "Netbird-wt0") is enough.

Fantu avatar Oct 30 '23 09:10 Fantu

Any update on this?

fti7 avatar Mar 02 '24 03:03 fti7

Any update on this?

jyolo avatar Mar 19 '24 08:03 jyolo

Multi Tenancy would be so nice. What are the current news on this? Thanks a lot.

pete1019 avatar May 02 '24 08:05 pete1019