mirror of
https://github.com/netbirdio/netbird.git
synced 2026-05-17 21:52:24 -04:00
Allow Route to FreeBSD client #1019
Open
opened 2025-11-20 05:21:54 -05:00 by saavagebueno
·
199 comments
Reference: SVI/netbird#1019
Originally created by @moserpjm on GitHub (Jun 26, 2024).
I've created a quick and dirty FreeBSD port and an OPNSense plugin for the netbird client. This works quite well but I had to patch it.
To prevent netbird from messing with the routing table of the firewall I've set NB_DISABLE_CUSTOM_ROUTING to true.
Then I tried to enable a route to the network behind the firewall. This failed because the management service only allows routes to Linux clients. To fix this I made the client pretend to be running on linux. e.g. I've patched info_freebsd.go.
Now our firewall works as netbird gateway for our LAN.
Are there any plans to allow routes to FreeBSD clients?
@mlsmaycon commented on GitHub (Jun 26, 2024):
Really Cool, @moserpjm. Would you share the port and the code changes you've done? We plan to add support to PFsense and OPNSense soon, but we are a bit short on capacity and any community help is welcome.
@moserpjm commented on GitHub (Jun 26, 2024):
Due to the fact that we're a JVM shop I'm not an expert on BSD ports. :D
I have two repos on our Bitbucket server. One with a clone of the FreeBSD ports tree plus the folder security/netbird and a second with a clone of the OPNSense plugins GH repo plus the folder net/netbird.
The feature set of the plugin is service control and creation of a CARP hook script to execute netbird up/down on change of the master node.
What would be the best way to make this source accessible for you? Unfortunately I don't have the time to try to get it into the official ports / plugin trees.
@mlsmaycon commented on GitHub (Jun 26, 2024):
@moserpjm you can give access to m.santos@netbird.io and from there I can fork it.
@moserpjm commented on GitHub (Jun 26, 2024):
I'll clean up the code a little bit, push it to GitHub and then invite you.
@moserpjm commented on GitHub (Jun 26, 2024):
I've forked the repos on GH and added my changes.
Build works for me on the newest OPNSense version.
Netbird has to be configured manually via the CLI. In case the CARP feature should be used auto connect must be disabled. Without CARP it has to be enabled.
Netbird port
https://github.com/moserpjm/freebsd-ports
Build instruction:
cd net/netbird
make makesum
make package
OPNSense plugin
https://github.com/moserpjm/opnsense-plugins
Build instruction:
cd net/netbird
make package
@IanMoroney commented on GitHub (Jun 27, 2024):
Great to see the community getting involved and being able to contribute towards this!
Well done @moserpjm :)
This is a feature that a lot of us are waiting for (reduces infrastructure requirements for self-hosting netbird and lets us re-use existing equipment)
@robdeweese commented on GitHub (Jun 27, 2024):
@moserpjm thanks for this, built and tested on pfsense arm and opnsense x86-64, works on both, including egress.
@moserpjm commented on GitHub (Jun 27, 2024):
@robdeweese great to hear.
I'm currently reworking the CARP support. The current implementation regenerates the hook script every time the settings are saved. Unfortunately the execute flag of the script gets lost in this process. After digging through other plugins I'm now reimplementing it as a PHP script which dynamically fetches the settings. Looks like that's the preferred way.
@hongkongkiwi commented on GitHub (Jul 8, 2024):
Is there an OPNSense repo I can use to install these? I'd love to test them out.
@robdeweese commented on GitHub (Jul 14, 2024):
I've put the packages I've built here https://nhd.cx/w6we3 but I only build the client, not the web interface. They will run on pfsense and opnsense
but they are very easy to build yourself as well, @moserpjm provided instructions above
@moserpjm commented on GitHub (Jul 15, 2024):
Just some quick updates:
I found out that OPNSense is maintaining a fork of the freebsd-ports repo with tags of all releases in it. So I've rebased on that.
https://github.com/moserpjm/opnsense-ports -> Current branch is 24.1.10-netbird-develop.
There are new patches included:
It would be really nice to have environment variables for those settings in netbird to get rid of the patches.
The plugin now has some new features:
My current working branch is "new-status".
We're currently testing it with our firewalls at the office. A repo for internal use is already in place. I'll try to get a cheap VPS to let you try my builds.
@moserpjm commented on GitHub (Jul 16, 2024):
If you're brave enough you can try the build in my RC repo.
@moserpjm commented on GitHub (Jul 22, 2024):
I've uploaded 0.28.5 builds to the PR repo.
Please stop the service before installing the update.
This update fixes the problem of netbird not starting if it crashed before and didn't delete its wt0 tun device.
Also syslog output is now enabled.
The OS plugin now contains the appropriate syslog filter and a link to the log viewer.
I've also restructured the repos. There are now development branches for OS 24.1 and 24.7 in both repos. For future builds I'll tag them in GIT with the port/plugin version.
24.7 versions work fine on the latest R2.
My only problem is the maintenance nightmare of two versions. :D
@Hobby-Student commented on GitHub (Jul 27, 2024):
@moserpjm
nice work! I compiled both packages from your github repos on 24.7_5 myself and it is up and running. I do see the opnsense online on netbird admin page. I can ping opnsense and the networks behind, but I don't get any traffic through. I assigned wt0 and added a firewall rule from any to any. Without this rule, pings are also not possible. The status page of the plugin shows all peers as connected.
Am I missing something?
I think I do have some glitches in my config. This plugin seems to work without any problem and the problems came (unexpected) out of my system.
@Hobby-Student commented on GitHub (Jul 27, 2024):
I was not clear in my previous post. I only tried traffic to port 443 on several web services behind opnsense and opnsense. Also opnsense is configured as routing peer in netbird.
I now found 2 rules in NAT.
If I disable the 443 rule, traffic on 443 to clients behind opnsense is working.
Just opnsense itself is complaining about potential DNS rebind attack, if connecting through netbird DNS. This behaviour is fine and default to OPNsense.
Using e. g. LAN IP of opnsense, everything is working as expected.
I think I do have some glitches in my config. This plugin seems to work without any problem and the problems came (unexpected) out of my system.
@moserpjm commented on GitHub (Jul 30, 2024):
@Hobby-Student nice to hear that it works for you.
Just created the RC repo for 24.7:
fetch -o /usr/local/etc/pkg/repos/netbird-rc-247.conf https://os-pkg.pjm.co.at/netbird-rc-247.conf
@Hobby-Student commented on GitHub (Aug 4, 2024):
@moserpjm
with the netbird port wt0 is added to the system and we enable the netbird interface within opnsense. For me it looks like you then need to manage the firewall rules for the netbird interface. If netbird would add routes in the background, those routes wouldn't affect opnsense in a negative way?
As far as I can see, tailscale is doing it the same way. Just doing stuff in background and opnsense can handle this through firewall rules on the interface.
I'll do some tests.
@moserpjm commented on GitHub (Aug 4, 2024):
Yes you have to manage the rules on your own. If you configure a network route via a node in Netbird firewall rules don't apply anyway. Don't get me wrong but no sane sysadmin would trust the firewall mechanism of some third party VPN tool on a firewall. Client maybe but not on a firewall.
Like I said I'm also no big fan of letting netbird change the routing table. Wrong entries, like overriding the standard gateway, could bring the whole firewall down.
But hey that's just my opinion. The beauty of open source is that you can change it however you like. 😉
@Hobby-Student commented on GitHub (Aug 4, 2024):
I agree, but I want to give the possibility a chance and take a look at how things are handled this way. I did try tailscale the other day and I think they use this approach.
Also the wireguard plugin of opnsense is adding the routes from the config file and I'm not experienced enough to see, if adding routes by netbird would act the same way. If so, a sane admin could whitelist the needed netbird IPs without relying on the netbird created peers (and routes) as a whole 😉
Of course, I could be totally wrong 😄
@Hobby-Student commented on GitHub (Aug 5, 2024):
little Update:
I compiled the ports version of @moserpjm with some modifications to patch-opnsense. I removed everything except the changes for operating system and dns. I then added a static route to opnsense with
route -n add -inet 10.0.0.16/28 -interface wt0
netbird routing is configured with a linux machine providing the route to 10.0.0.16/28 (masquerade) and opnsense is allowed to use it. But it's not working. For other peers, the route is working as expected.
Is netbird client not able to use the routes because it's not implemented for FreeBSD and therefore static routes are not working?
@moserpjm commented on GitHub (Aug 6, 2024):
Pro tip #1: Don't mess around with the shell. OPNsense has its own configuration system. If you fiddle around with the CLI it will end in some undefined state. I'd reboot it first before you do anything else.
I haven't tried what you try to accomplish myself so this is just a lucky guess.
Try adding a gateway with the netbird ip of your linux machine on the netbird interface. Then add a route via the gateway to 10.0.0.16/28.
Yes all via the webui. ;)
This is what netbird would do automatically if it would know how on BSD.
@Hobby-Student commented on GitHub (Aug 6, 2024):
I tried it first through the web UI. It failed. Then I did what wireguard does (or how I think it does), just add the route on the interface without a gateway. Perhaps I missed something and I will try again as soon as possible.
@Hobby-Student commented on GitHub (Aug 7, 2024):
Mystery solved (perhaps):
netbird routes list -> No routes available
@mlsmaycon
Am I right, that routing is not working because it's not implemented yet for FreeBSD? Or should routing work if I add it manually as a static route - with or without the routing peer as gateway?
@Hobby-Student commented on GitHub (Aug 7, 2024):
removed netbird from opnsense, rebooted, deleted the peer in netbird management, compiled netbird v0.28.7 and just used the mod by @moserpjm to identify the FreeBSD as linux -> It works!

Don't know exactly why it wasn't before, but I think there was something wrong on my side. Also the rules of opnsense are working with the netbird routing.
I'll test this some more and report back.
@Hobby-Student commented on GitHub (Aug 8, 2024):
Deployed it on 3 opnsense boxes and configured routes via netbird management. Every firewall rule inside OPNsense is respected and without any rule on netbird interface, traffic is blocked (default).
So far I can't see any showstoppers in this small test environment. Routing between the OPNsense boxes and access to all networks (with configured firewall and outbound NAT rules) are working as intended.
@moserpjm commented on GitHub (Aug 8, 2024):
I'll have a look at the source. Looks like Netbird needs those routes set via the management service. Makes somehow sense. Wireguard connections have allowed CIDRs configured on them. Netbird is setting up the connections so it has to do the configuration. You also removed the patches which disable setting DNS servers. They are not really necessary. Netbird fails setting them on OPNsense anyway (no resolve.conf in the locations it searches for one) but I wanted to get rid of the errors in the log file. ;)
I'll look into patching in an environment variable to enable or disable routes. Like the accept routes option in Tailscale. People who need them can then enable it via the UI and people like me can disable it. We only use Netbird on OPNsense to make our office network available to clients. No outgoing routes needed.
Better safe than sorry. I managed to push a wrong route once via Zerotier which brought our whole network down...
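A route-acceptance guard of the kind discussed in the comment above, written in Go as an added example; it is not NetBird's code and not from any participant in this thread. `Policy`, `Check`, `Accepted`, the minimum prefix lengths and the protected LAN `192.168.1.0/24` are hypothetical and constructed; `10.0.0.16/28` is the route used earlier in the thread.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Reasons returned by Check. Every name in this file is hypothetical.
const (
	ReasonOK        = "accepted"
	ReasonDisabled  = "route acceptance disabled"
	ReasonBadPrefix = "unparsable prefix"
	ReasonDefault   = "default route would replace the standard gateway"
	ReasonTooBroad  = "prefix shorter than the configured minimum"
	ReasonProtected = "overlaps a protected local network"
)

// Policy is what the firewall operator allows a VPN agent to install.
type Policy struct {
	AcceptRoutes bool           // master switch, like an "accept routes" option
	Protected    []netip.Prefix // local networks that must never be re-routed
	MinBits4     int            // shortest IPv4 prefix length accepted
	MinBits6     int            // shortest IPv6 prefix length accepted
}

// Decision records why a pushed route was accepted or refused.
type Decision struct {
	Route  string
	Accept bool
	Reason string
}

// Check evaluates one route pushed by a management service, failing closed.
func (p Policy) Check(raw string) Decision {
	d := Decision{Route: raw}
	if !p.AcceptRoutes {
		d.Reason = ReasonDisabled
		return d
	}
	pfx, err := netip.ParsePrefix(raw)
	if err != nil {
		d.Reason = ReasonBadPrefix
		return d
	}
	pfx = pfx.Masked() // drop host bits so 192.168.1.77/16 is seen as 192.168.0.0/16
	minBits := p.MinBits6
	if pfx.Addr().Is4() {
		minBits = p.MinBits4
	}
	switch {
	case pfx.Bits() == 0:
		d.Reason = ReasonDefault
	case pfx.Bits() < minBits:
		d.Reason = ReasonTooBroad
	case p.overlapsProtected(pfx):
		d.Reason = ReasonProtected
	default:
		d.Accept, d.Reason = true, ReasonOK
	}
	return d
}

// overlapsProtected reports whether pfx shares any address with a protected network.
func (p Policy) overlapsProtected(pfx netip.Prefix) bool {
	for _, prot := range p.Protected {
		if pfx.Overlaps(prot) {
			return true
		}
	}
	return false
}

// Accepted returns only the routes that may be installed.
func (p Policy) Accepted(routes []string) []string {
	var out []string
	for _, r := range routes {
		if p.Check(r).Accept {
			out = append(out, r)
		}
	}
	return out
}

// samplePolicy protects a constructed office LAN.
func samplePolicy() Policy {
	return Policy{
		AcceptRoutes: true,
		Protected:    []netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")},
		MinBits4:     8,
		MinBits6:     32,
	}
}

// sampleRoutes is constructed input, as if pushed by a management service.
var sampleRoutes = []string{
	"10.0.0.16/28", "0.0.0.0/0", "::/0", "10.0.0.0/4",
	"192.168.1.77/16", "192.168.1.128/25", "not-a-prefix",
}

func main() {
	p := samplePolicy()
	for _, r := range sampleRoutes {
		d := p.Check(r)
		fmt.Printf("%-18s accept=%-5v %s\n", d.Route, d.Accept, d.Reason)
	}
}
```
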
@skillcoder commented on GitHub (Aug 13, 2024):
I have added FreeBSD support to Netbird client, and from what I know, routing on FreeBSD untested, and currently 3 routing related e2e tests completely disabled for FreeBSD.
Take a look this issue for details: https://github.com/netbirdio/netbird/issues/2386
But I have not found any critical problems with routing on FreeBSD so far in the current version, but that doesn't mean they don't exist.
It would be great if you could share any routing or DNS-related problems and how to reproduce them on FreeBSD as a separate issue.
Also please be aware of following breaking changes on FreeBSD in next release
https://github.com/netbirdio/netbird/pull/2388
https://github.com/netbirdio/netbird/pull/2389
@lixmal commented on GitHub (Aug 13, 2024):
@skillcoder I think the issue is about freebsd being the router, not client routes. Client routes should work and not be much different from darwin
@moserpjm commented on GitHub (Aug 14, 2024):
Looks like routing works fine. In both directions. The breaking changes should be no problem for the OPNsense port as it specifies the config file explicitly.
I can't say anything about the DNS stuff just that it doesn't find resolv.conf on OPNsense. I'm not a BSD expert so I have no idea if it would be in this location on a standard system.
I have disabled setting system DNS in code anyway because in my opinion this feature is too dangerous on a firewall/gateway.
@Gauss23 commented on GitHub (Aug 19, 2024):
Hi, just did some tests with Netbird on OPNsense. Thanks @moserpjm for the great work. However I'm not able to route traffic through the Netbird interface. The 100.115.0.0/16 IPs are reachable. But I want to route traffic like @Hobby-Student did (10.x.0.0/16). I installed it with
fetch -o /usr/local/etc/pkg/repos/netbird-rc-247.conf https://os-pkg.pjm.co.at/netbird-rc-247.conf
Do I need to compile something on my own? As I understood @Hobby-Student changed something in the initial patch? Where do I find instructions how to do that?
Ideally this could be a switch in the UI to accept routes or not.
Thank you.
@moserpjm commented on GitHub (Aug 20, 2024):
I'll do a new release after my vacation. From what I've seen also the Web UI now has a new method of detecting BSD which disables routing configuration.
@Hobby-Student commented on GitHub (Aug 20, 2024):
@Gauss23 I could make my compiled pkg available, if you know how to install via command line.
@Gauss23 commented on GitHub (Aug 20, 2024):
Thanks for your help. @moserpjm would be great to create a new release after your vacation which allows routing on OPNsense.
@Hobby-Student would also be nice to try out your version. Could you make it available somewhere? Thanks in advance.
@Hobby-Student commented on GitHub (Aug 21, 2024):
just a few words before someone will use it:
it's compiled on an opnsense 24.7 developer system. no warranties, use at your own risk.
here you go
netbird 0.28.8
EDIT:
updated netbird to 0.28.8
@Hobby-Student commented on GitHub (Aug 22, 2024):
quick update:
deployed another OPNsense box yesterday and added routes (the new OPNsense as router) in the management console. I don't know what is happening, but I get this on all OPNsense boxes:
received a route to manage, but agent doesn't support router mode on freebsd OS
The previous 3 OPNsense share their routes as expected. Just after adding the 4th OPNsense, the new routes won't be accepted. With netbird status -d all peers and assigned routes are visible. I guess, this is the part where it comes from: manager.go, line 289
All OPNsense have the same package installed, it's compiled with GoOS: "linux", so it should work. What am I missing, that this behaviour wasn't shown in the beginning of my tests?
EDIT:
It seems that this message can be ignored, because it states that the assigned (management console) routes can't be configured on routers with freebsd. The routes itself are accepted by the other peers and routing is working as expected. When adding new routes (with new or existing peers as router) netbird must be restarted on all peers that should accept those new routes.
@Gauss23 commented on GitHub (Aug 22, 2024):
Thanks @Hobby-Student, I just did a small test run. It's now routing traffic. So, the Netbird daemon needs to know where to send the data.
I removed the version from moserpjm via the web UI and installed your pkg via the console with pkg add . The webinterface is missing completely in your version, right? Running netbird status -d, I now see the routes I assign via Netbird-Server.
Why do I need to restart the netbird service on the OPNsense after each route-change? That's something which works better for Linux hosts. Do you see a difference?
So great to see it coming to reality. Using Netbird as a MPLS replacement, would be really nice. Currently every location needs a small Linux box to run Netbird, with your solution we can clean this up. I don't see it production ready yet, but it already feels good.
EDIT:

I just checked a node I added with the package from moserpjm and it shows as:
another node, which I used for my tests with the 0.28.8 package now shows as (the initial connect was done with the old package from moserpjm, then removed and installed the 0.28.8 package):

For some reason it shows FreeBSD. And I thought I was seeing one of the nodes listed with Linux a few days ago.
@Hobby-Student commented on GitHub (Aug 22, 2024):
sorry, forgot to mention. I didn't provide the plugin, because it's not mine. you could use the plugin from moserpjm's repo. @moserpjm are you ok, if I offer your plugin as download?
I just found out when adding another peer and had no time in digging deeper. The routes (from the connected router peers) are visible with netbird status -d but netbird needs a restart to apply them accordingly.
Same here. Fresh installed system shows FreeBSD and updated system shows "empty".
@moserpjm commented on GitHub (Aug 22, 2024):
The packages in my repo now have routing enabled. Plus another patch to report itself as FakeBSD to management. The web UI now knows FreeBSD and disables all routing features. Idk why they are checking the OS Name field but whatever. The route warning can safely be ignored. On Linux Netbird can configure routing and NAT. The important things happen without it. It configured allowed IPs on the wt interface which automatically adds the IF routes.
I'm not sure if the custom routing has any side effects. In our use case it doesn't. Anyway. I'll add a button to disable it.
From what I have seen custom routing adds routes to the next hops to other peers. This prevents problems with overlapping routes. Like exit nodes. The routes it adds on our firewalls are not harmful but also completely useless. 😔
@moserpjm commented on GitHub (Aug 22, 2024):
Another side note. IPv6 doesn't work at all on BSD. I mean it's also not very stable on Linux. E.g. If the privacy extensions are enabled or doesn't add the candidates.
But anyway. I had a nice 3 hour remote debugging session with GoLand. It finds the interfaces. It finds the V6 addresses but it ignores them. From what I've seen the whole magic happens in the ice agent. Third party code.
Maybe an expert like @skillcoder could take a look.
I'm really sorry but I'm a Linux / JVM guy. 😂
@Gauss23 commented on GitHub (Aug 23, 2024):
@moserpjm your new package works. The routes are set via the netbird daemon, not only on connection level, but also in the system itself. No need for a gateway or a manual static route, just the interface is sufficient. You need to be careful what you configure on the Netbird server, but this feels good until now in my test environment. Even added new nodes and routes just works. I did not re-register the node. It still reports with an empty OS.
Added a fresh node and it reports as FakeBSD like you said.
Big thanks @moserpjm and @Hobby-Student. Great work!
What does it take to make it an official plugin in OPNsense?
@moserpjm commented on GitHub (Aug 23, 2024):
Great to hear! My plan is to patch the Netbird source to make it possible to disable client routes via an env variable. Should be quite straightforward. Then I can add an option to the GUI for it. A good safety measure for peers who don't need them.
I have no idea what it takes to make it an official plugin. I think it would be best that the Netbird project team takes over maintenance of the code at some point in time as @mlsmaycon suggested. Then they can coordinate this with the OPNsense team.
@Gauss23 commented on GitHub (Aug 25, 2024):
One addition for anyone who wants to try this. I activated Rosenpass and wondered why traffic stopped after 1-2 minutes. For this, there is an extra rule needed:

Is there a better way to allow this traffic? The ports seem to be dynamic after each restart. Saw ports from 3.xxx-57.xxx, so I allowed all ports from 1025 upwards with UDP for Netbird addresses to the netbird interface address. Not really happy with this rule. Is there a way to set those ports statically in Netbird?
@Gauss23 commented on GitHub (Aug 25, 2024):
This would be nice. If there is any help needed regarding the communication with the OPNsense team, I'm more than happy to help.
@moserpjm commented on GitHub (Aug 25, 2024):
@Gauss23 oh that's the problem with rosenpass. It also stopped working for me. Didn't think much about it because it's experimental and I thought it's just broken in the current version.
@Gauss23 commented on GitHub (Aug 30, 2024):
@skillcoder and @mlsmaycon did you see the recent answers in this issue? I would really like to know how soon we could bring the needed changes upstream, so that the official FreeBSD port is useful for OPNsense. My testlab is working for almost one week without any issues with the latest version of moserpjm. As soon as that's done, we could ask the OPNsense team to start the process of integrating the plugin in the official tree.
@moserpjm is it possible to list the routes associated with a peer in the Netbird plugin status page?
Thank you very much for your attention and your great work!
@Gauss23 commented on GitHub (Sep 11, 2024):
Any idea how a road map could look like for this topic?
@fakebizprez commented on GitHub (Sep 13, 2024):
I've been checking in on this thread periodically the last month to see the kind of progress you gentlemen have made in coming up with a stable method to host Netbird from OPNsense.
You're doing the lord's work.
@JakobEichler commented on GitHub (Sep 14, 2024):
https://github.com/moserpjm/freebsd-ports is no longer online, but I found it (think it's the same project renamed?) here:
https://github.com/moserpjm/opnsense-ports
My goal is to use self-hosted netbird with SSO through the UCS LDAP for company intranet connection in a separate subnet for the VPN users which is integrated in the companies intranet through OPNsense.
Netbird should be used to add an authentication layer to wireguard. If I disable accounts from the authentication service, the netbird connections won't be dropped but cannot be reestablished?
@JakobEichler commented on GitHub (Sep 14, 2024):
So it seems you are working on the net/bird/ folder and OPNsense works on /net/bird2
I cannot see if bird2 is already functional and which of the two I should rather use.
@JakobEichler commented on GitHub (Sep 14, 2024):
I am a bit confused, as there is no /net/netbird folder. but /net/bird2 does not seem to be the right plugin.
where did the netbird one go? It's closed source now?
I found it in the stable branch:
https://github.com/moserpjm/opnsense-plugins/tree/stable/24.7/net/netbird
but in the master branch it was missing.
@Hobby-Student commented on GitHub (Sep 14, 2024):
moserpjm wrote before, that he published 2 branches. netbird is therefore not missing in the master branch.
@JakobEichler commented on GitHub (Sep 14, 2024):
I have the plugin now installed. Issues that others can avoid that I stumbled into:
If you select the correct repositories and fully clone them the installation is quite simple. make makesum failed for me but I ignored this and just used make package and make install.
@moserpjm commented on GitHub (Sep 14, 2024):
Great that you got it working.
You could also have used the repo I provided for testing. We also use it for deployment on our firewalls.
There's now also some tailscale stuff in there because the netbird client in its current state is not very stable for road warriors. Luckily we only have it in a limited test with 4 users.
Don't get me wrong. My PC connected via a stable connection is always reliably connected with all of our netbird nodes. In contrast my laptop and the ones from my other three test users need constant reconnects when changing networks, suspending the machine or if the network is a little flaky. Tailscale and Zerotier handle this stuff much better. NAT traversal is another thing the competition handles much better.
Anyway I'm going to support this plugin and port until it gets upstreamed.
Netbird has a nice UI and features the others lack without paying a lot of money. I hope 1.0 is bongo going to solve all those problems. 😉
@moserpjm commented on GitHub (Sep 14, 2024):
Shouldn't be hard. I'll include it in the next release.
@Hobby-Student commented on GitHub (Sep 15, 2024):
I added this already for my deployments and created a pull request for your 24.7 branch: https://github.com/moserpjm/opnsense-plugins/pull/1
@Hobby-Student commented on GitHub (Sep 16, 2024):
I tried to deploy a netbird peer behind an OPNsense. In fact, the client was for testing before I installed netbird on the OPNsense and I just powered it on today for a few tests. At first it seemed to work, but in the end it fails. I don't know the exact problem, but the peer seems to constantly reconnect and ping from a working netbird peer is repeating the pattern 2x good, 4x failing. After upgrading to 29.2 on the peer (management server is not up to date) I see this in `client.log`:
2024-09-16T11:15:24+02:00 INFO [peer: xxxxxxxxxxx] client/internal/peer/worker_relay.go:59: Relay is not supported by remote peer
2024-09-16T11:15:25+02:00 INFO [peer: xxxxxxxxxxx] client/internal/peer/conn.go:430: set ICE to active connection
But this could be totally irrelevant.
Perhaps it's just a bad idea to run netbird on OPNsense and a client behind 🤡
@Gauss23 commented on GitHub (Sep 17, 2024):
@Hobby-Student just to get this right.
You have:
The Netbird client on the OPNsense is connecting to other locations?
The Netbird client behind the OPNsense is also connecting to other locations?
The Netbird client behind the OPNsense should use the Netbird client on the OPNsense as a peer?
As soon as I understood your setup, I would give it a try.
@Hobby-Student commented on GitHub (Sep 17, 2024):
Yes, 24.7
Yes.
Yes, but accidentally.
Yes.
Yes and serving routes to its subnets.
It was. I had this peer as a test for netbird, before installing netbird on OPNsense. After some testing I shut the client down and forgot about it. With netbird deployed on OPNsense I powered this specific peer on and had some problems reaching it. I saw it was also connecting with netbird. After disabling netbird everything was fine again. OPNsense was not affected in any way, it was just the peer behind OPNsense.
Yes, this peer connected to OPNsense, because OPNsense connects to "everything" to publish the routes.
@Gauss23 commented on GitHub (Oct 3, 2024):
@skillcoder and @mlsmaycon do you see any chance to move this forward? I‘m happy to help, if there is help needed.
@moserpjm have you been able to add the routes to the peers view? If yes, I‘m not able to see it.
Thanks everyone for this great improvement.
@Gauss23 commented on GitHub (Oct 5, 2024):
@moserpjm: I just installed your plugin on a new OPNsense box. I saw that you released a new version 0.7_2. But it now says in the plugin overview: os-netbird (misconfigured).
It installed Netbird version 0.30.0. But it seems it has some problems. The initial connection to the control server seems to have worked as the Setup key was used. The peer is listed but not as online.
The status says:
The peer is shown as FakeBSD 14.1.
The logs say:
Did you see this behaviour on your test boxes?
Update:
I forgot to mention: during the initial setup process, after clicking the Setup button, it never finishes. The process just hangs. netbird status is hanging also.
netbird service restart won't work either. So only a reboot helps. But then netbird behaves like I described above.
@Gauss23 commented on GitHub (Oct 5, 2024):
Update: I also updated another box from 0.4_x to 0.7_2 with Netbird 0.30.0_2. It still says os-netbird (misconfigured) in the plugin overview. But other than the fresh box, which never saw Netbird before, the connections come up again and netbird status shows a healthy state.
Thanks for the Routes column, that's perfect!
@Gauss23 commented on GitHub (Oct 14, 2024):
@moserpjm or @Hobby-Student are you able to reproduce the error for new OPNsense installations and version 0.30.0?
@ditronicos commented on GitHub (Oct 20, 2024):
It works mostly fine in my opnsense (24.7.6) simply adding the repo, installing the plugin (self server) and configuring firewall and outbound rules. Can you guys update from version 0.30.0 to 0.30.2 please?
@Gauss23 commented on GitHub (Oct 24, 2024):
It now works also on my test machines. What can we do to get some progress here?
@Hobby-Student commented on GitHub (Oct 25, 2024):
I'm compiling the versions myself and not using moserpjm's repos. For me, it's working like it should. I currently don't have enough free time to maintain an OPNsense plugin and it's moserpjm's work (if I wanted to do it, he has to give me his permission first).
For now, (I think) moserpjm's repo is your best way to use netbird.
@moserpjm commented on GitHub (Oct 25, 2024):
I'm also a little bit short on free time but I'll update the repo today. Additionally I'll sunset the 24.1 version. The only system left in our company with this version is my dev system...
@stalane commented on GitHub (Oct 25, 2024):
Hi guys @moserpjm @Hobby-Student
I would be willing to sponsor your efforts if the exit node function works as expected.
@Hobby-Student commented on GitHub (Oct 25, 2024):
I appreciate your offer, but a working exit node (FreeBSD) is another beast, completely detached from the OPNsense plugin.
I didn't test it, but chances are good, that it's already working - with a correctly configured OPNsense of course.
@stalane commented on GitHub (Oct 25, 2024):
Appreciate your honesty. A NetBird implementation with an OPNsense plugin and Exit Node functionality would remove my Zerotier lock in.
@ditronicos commented on GitHub (Oct 25, 2024):
So must we assume that Netbird is not interested in giving support to FreeBSD (or at least pfSense/OPNsense)?
Thank you so much @moserpjm for your effort here.
@Hobby-Student commented on GitHub (Oct 25, 2024):
have you ever tried to set OPNsense as an exit node and configure things like `Outbound NAT` accordingly?
I don't assume anything. The maintainers of netbird are doing a great job! One can't satisfy everybody's needs in such a project. We, the community, are supporting the project with our time and knowledge to create things like the OPNsense plugin. If the team behind netbird is ready to support OPNsense, they will eventually maintain the plugin. Till then (or forever) someone in this community has to maintain it.
@ditronicos commented on GitHub (Oct 25, 2024):
Yep, I already agree with the great job the maintainers of Netbird are doing. But I wonder if some of the supported features are community maintained, will they work also outside of a selfhosted server?
Appreciate your point @Hobby-Student
@ditronicos commented on GitHub (Oct 27, 2024):
Can you please explain how to do that?
@ditronicos commented on GitHub (Nov 2, 2024):
@moserpjm thank you for the latest update, now it is up to the 30.3 version. Netbird has published the 31.0. I don't know if you can do a quick update of the repo to reach that version, but please it will be appreciated.
If there is any way to learn how to compile it will be really helpful, anyway thank for your time.
@Hobby-Student commented on GitHub (Nov 2, 2024):
I would start here: https://github.com/opnsense/tools/blob/master/README.md
There you'll find OPNsense specific instructions how to build ports. You could download the github repo of moserpjm and start building a netbird package. If you update the port to your desired netbird version, you can do updates yourself.
@OBXMan commented on GitHub (Nov 4, 2024):
Non-IT home lab enthusiast here. This question may just mean I shouldn't be playing with this but why does the plugin require a port opened when my other "Netbird Peer" installs do not?
@Hobby-Student commented on GitHub (Nov 4, 2024):
Direct connection without relay or because it's a firewall and would block this traffic on WAN?
@moserpjm commented on GitHub (Nov 5, 2024):
FYI: Just updated the 24.7 packages to 0.31.0.
Good question. I've never tried it without opening the WG port to "This Firewall".
@OBXMan commented on GitHub (Nov 5, 2024):
When I set up a client/node I don't really recall ever setting a WG port at all. That's why I was surprised there was even a port setting in the plugin. I know you have to set ports for the netbird server but I haven't seen anything for the clients. Is a wireguard port setting even necessary? Sorry I'm not technically savvy enough to try and figure it out myself just barely smart enough to come up with the question. Thanks again for the work on this!
For fun, I just went ahead and enabled the plugin without opening any ports. I only tried a few pings, but seems to work fine. Haven't set interfaces etc but feeling like opening a port may not be necessary. Begs the question of whether the port setting is needed I guess.
@johnjoy commented on GitHub (Nov 5, 2024):
Many thanks @moserpjm for your effort!
Exit node is working for me except for I have to restart the plugin (service) every time new client is joining. Do you have any tips on how to avoid it?
@Gauss23 commented on GitHub (Nov 27, 2024):
@moserpjm I still want to bring this into production by adding it to the OPNsense ports and plugins. Just checked your repos. I think the plugin is not an issue. I can raise a pull request for that. What concerns me more is the patch in your ports repo. As soon as Netbird changes something here, we might break new build for OPNsense.
@mlsmaycon Therefore it would be great if the Netbird team would adopt the changes moserpjm did. Any chance the Netbird team will look into this?
I would take care of the OPNsense side to get Netbird onboarded there, but it would be great to get rid of the additional patches for the port.
@Gauss23 commented on GitHub (Dec 3, 2024):
Thank you.
Again, I would like to support and help to move it upstream at least into the OPNsense repos. As far as I see we need to make PRs for the OPNsense ports and the OPNsense plugins, right? Your patches would be applied when building the ports. The only question is what happens, when Netbird changes their code and the patch would break something. Therefore your patch should be pushed into the Netbird codebase. Should we do this via a PR? I think the discussion here is not moving us any further, when we raise a PR there should be more discussion coming up. Are you able to prepare this?
@ditronicos commented on GitHub (Dec 14, 2024):
Is there a way to help to push this project ahead?
@Gauss23 commented on GitHub (Jan 1, 2025):
Happy New Year!
With the introduction of the new network concept, I think we need to adopt the changes. I just compiled a 0.35.2 version and it still seems to run with the old network route config and the old patch.
The management server now shows new OPNsense boxes with an empty OS string. Maybe just a smaller issue, but for some reason the FakeBSD is not accepted anymore.
netbird status -d now shows:
2 lines instead of one, which was Routes. I think this is just an intermediate step, to move all the users to the new network concept.
I think we need to fix the os-netbird package to show not only the Routes but also this new line Networks.
And we need to check what code needs to be changed in order to reflect the new instructions coming from the management server. Maybe it's not too bad and only small to no change is needed.
Who is able to help here? I can provide a repo with the current version from @moserpjm: for os-netbird it is still 0.7_2 and for netbird package it's on the current 0.35.2 version. Please give me a heads up if anyone is willing to move this forward. In my test lab the 0.35.2 seems to be stable.
My repo is here:
https://os-pkg.sun-ri.se/netbird-rc-247.conf
you can use it with:
fetch -o /usr/local/etc/pkg/repos/netbird-rc-247.conf https://os-pkg.sun-ri.se/netbird-rc-247.conf
@ditronicos commented on GitHub (Jan 2, 2025):
Yep, happy new year everyone.
I will test it in an opnsense machine I have for testing and will give you feedback in a few days.
Let's cross fingers !
@lixmal commented on GitHub (Jan 3, 2025):
Hey folks,
heads up, https://github.com/netbirdio/netbird/pull/3134 will add userspace routing, which also works on freebsd. Consequently it removes the Linux router restriction.
If you want to keep using freebsd's capabilities with manual configuration instead, you'll have to set `NB_FORCE_NATIVE_ROUTER=true` which disables the userspace router and route ACLs.
Not sure why you set `NB_DISABLE_CUSTOM_ROUTING`, that just prevents netbird from excluding peers/mgmt/etc from being routed over netbird, i.e. it could create routing loops. E.g. when the peer is set up to route its traffic over an exit node
The network map hasn't changed. If you find this to be false then it's a bug
@Gauss23 commented on GitHub (Jan 7, 2025):
@lixmal thank you very much. Interesting. I think the idea behind `NB_DISABLE_CUSTOM_ROUTING` is, that it should prevent the OPNsense to accept any external routes. When this variable is active the Netbird agent on those OPNsense boxes should only be used to reach the OPNsense from other Netbird peers for administration purposes and there shouldn't be any kind of changes in the routing table. Is this the wrong environment variable for this purpose?
I'm using Netbird on OPNsense with routing enabled and use it as a kind of MPLS replacement.
And why is userspace routing in the OPNsense use-case better than the current solution? With the patch @moserpjm created everything seems to work perfectly.
@Gauss23 commented on GitHub (Jan 17, 2025):
OPNsense 25.1 is likely to be released in the near future. With OPNsense 24.7 and Netbird 0.35.2 everything looks stable at the moment.
I'll try to build a repo for OPNsense 25.1 and the most recent Netbird version in the next days.
The os-netbird shows up as misconfigured in OPNsense after installation: os-netbird (misconfigured), but it works and I don't see an issue with it.
Is anyone still interested in bringing this forward?
@rudiservo commented on GitHub (Jan 17, 2025):
Hey guys, what is the state of this either being in the official plugins or having its official repo?
Do you need any help?
@Gauss23 commented on GitHub (Jan 18, 2025):
Yes, I would be happy to discuss the steps needed to bring this upstream to OPNsense. Currently there is still a patch included for the netbird binaries and we have the cosmetic issue, that the os-netbird plugin reports itself as misconfigured, although it works.
Are you able to contribute @rudiservo ?
@JinxCappa commented on GitHub (Jan 18, 2025):
Good day all. I would like to ask a question in regards to this issue. Do people feel this patch is upstream worthy?
The way I see it, the initial patch is more of a bandage in the sense that you are fooling the client into thinking that it is running on a completely different OS. Netbird should be able to natively support its functions on BSD, not be tricked into doing it.
I admit I have not looked into all reference coding and such that other people may have linked to in this thread but reviewing the initial code shared by the OP, I can't help but wonder.
I create this comment to see if my rationale is maybe irrational. Don't get me wrong, this isn't a rant or to downplay efforts as I would love to be able to use Netbird from within OPNsense. I use both softwares and dream for native interoperability.
@Gauss23 commented on GitHub (Jan 18, 2025):
Yes, maybe the patch is not needed anymore. The os-netbird plugin would of course be needed. Without the patch bringing it upstream would be much easier.
Will check if I can run the client without the patch. The patch was created to fool the Management server, as routes were not distributed to clients other than Linux at the time when the patch was created. But I think this limitation is gone.
@Gauss23 commented on GitHub (Jan 19, 2025):
Status update:
From my perspective this leads to 3 open points here:
`NB_DISABLE_CLIENT_ROUTES`, is there an equivalent available now, which we could use?
Who would be able to help out here? Bringing this upstream to the OPNsense Team would be very nice.
@ditronicos commented on GitHub (Jan 19, 2025):
I have a 4 nodes (different locations and different public ips, but the same isp) for testing purposes and a selfhosted netbird server, so I did update the repo with yours, later I did update netbird-os directly in the opnsense ui in all nodes.
It accepts existing routes fine, but netbird ui refuses to add a network route from any opnsense, it simply does not seem to be available to do that.
With the "old" @moserpjm patched it works, so I need to switch again to his repo, remove the netbird-os, and install it to get the v0.31.0 patched again to be able to route from opnsense.
@Gauss23 commented on GitHub (Jan 19, 2025):
@ditronicos thank you for your feedback. Indeed, although the OPNsense with the patch also reports with an empty operating system, the patch from Moserpjm seems to confuse the Management server and lets the user add new routes.
I applied the patch in my repo now again. Again 0.36.3 but with the patch. I can now register routes in the management server and the checkbox to disable the client routes is also working again.
So we need to decide how to proceed. The patch seems to be still useful.
@lixmal commented on GitHub (Jan 19, 2025):
@Gauss23 consider the `netbird up` flags (and env vars) added in `v0.36.0`
The PR that disables the router restriction hasn't been merged yet.
See `--disable-client-routes` above.
It's not better, it's just automatically configured as per mgmt server instructions and universally available.
@ditronicos commented on GitHub (Jan 19, 2025):
Well, i didn't test 0.36.3 with the patch, so will be interesting to have it available in your repo to perform the test.
I will report you about, then we will have data enough to think about the next step.
@Gauss23 thank you, time is a precious thing these days.
@rudiservo commented on GitHub (Jan 19, 2025):
@Gauss23 the only thing I can promise is that I will try.
tell me what you need.
@Gauss23 commented on GitHub (Jan 19, 2025):
I created a version 0.8 of os-netbird. It's on my repo. I changed the logic for handling the client routes and renamed the custom routing setting to server routes. I'm not using the command line arguments, I change the netbird config file via the existing logic to enable or disable those features. Works for me.
I reduced the patch file for the netbird package. It now only reports as FakeBSD and I left the DNS patch in there, as I don't know if it's still needed.
Would be great if we could collect some feedback. Here is the code I used: https://github.com/Gauss23/netbird-opnsense_dev
Sadly the problem with the misconfigured state is still there. I opened a thread in the OPNsense forum, hopefully someone has an idea, what needs to be changed to fix that. Here you find that thread: https://forum.opnsense.org/index.php?topic=45288.0
@lixmal do you think this PR (to disable router restriction) is making it into production anytime in the near future?
I still don't understand why the Operating System is empty for my OPNsense boxes, with patch and without patch. Shouldn't they be listed as FreeBSD?
@lixmal commented on GitHub (Jan 19, 2025):
@Gauss23
Hopefully `v0.37.0`
The file `/etc/os-release` is missing.
Running `/etc/rc.d/os-release start` fixes that.
If you want to patch the restriction, just remove these lines:
https://github.com/netbirdio/netbird/pull/3134/files#diff-77c076c1b98ae936dd1521e0e8f615d52ee5a3ccf9ea2c8fdfde78176b008200L425-L429
There's still a dashboard restriction for Linux that we will remove as well. Currently you can use a peer group to work around that.
@Gauss23 commented on GitHub (Jan 20, 2025):
@lixmal thank you very much. Indeed, the file /etc/os-release was just empty on the OPNsense boxes. I think I will add the command to populate the file to the Netbird installer on OPNsense. Would that be an idea?
Regarding the limitation: fingers crossed for 0.37.0
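A pre-install check for the condition @lixmal and @Gauss23 describe above (a missing or empty `/etc/os-release` on the OPNsense box), as an added example that is not part of the thread or of the os-netbird plugin. The function names are hypothetical, and testing the `NAME` key is an assumption, since the thread does not say which keys the client reads.

```shell
#!/bin/sh
# Added example: classify an os-release file so an installer can decide
# whether the file has to be populated before the peer registers.

# os_release_get FILE KEY
# Prints the unquoted value of KEY. Returns 1 if FILE is missing or empty,
# or if KEY is absent or has an empty value.
os_release_get() {
    _org_file=$1
    _org_key=$2
    [ -s "$_org_file" ] || return 1
    # Last assignment wins, as it would if the file were sourced.
    _org_val=$(sed -n "s/^${_org_key}=//p" "$_org_file" | tail -n 1)
    # Strip one pair of surrounding double or single quotes.
    case $_org_val in
        \"*\") _org_val=${_org_val#\"}; _org_val=${_org_val%\"} ;;
        \'*\') _org_val=${_org_val#\'}; _org_val=${_org_val%\'} ;;
    esac
    [ -n "$_org_val" ] || return 1
    printf '%s\n' "$_org_val"
}

# os_release_state FILE
# Prints one of: missing, empty, no-name, ok.
os_release_state() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ ! -s "$1" ]; then
        echo empty
    elif os_release_get "$1" NAME >/dev/null; then
        echo ok
    else
        echo no-name
    fi
}

# Runs the check over constructed sample files (not copied from a real box).
os_release_demo() {
    _d=$(mktemp -d) || return 1
    printf 'NAME=FreeBSD\nVERSION="14.1-RELEASE"\nID=freebsd\n' > "$_d/populated"
    : > "$_d/empty"
    printf '# comment only\nID=freebsd\n' > "$_d/partial"
    for _f in populated empty partial absent; do
        printf '%s=%s\n' "$_f" "$(os_release_state "$_d/$_f")"
    done
    rm -rf "$_d"
}
```

On a real box the call would be `os_release_state /etc/os-release`; any result other than `ok` is the case where the thread's fix, `/etc/rc.d/os-release start`, applies.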
@ditronicos commented on GitHub (Jan 20, 2025):
With these changes the network routes work. Now the nodes appear in the list of peers to select them and works perfect.
By the way, the icons in the peer list have changed, now it shows a Linux logo instead the FreeBSD one if you upgrade it from the 0.34.0 and os 0.7 to 0.36.3 and the os to 0.8. If you simply upgrade the 0.36.3 os 0.7 to os 0.8 it keeps showing the FreeBSD icon.
@Gauss23 you are doing right!
@moserpjm commented on GitHub (Jan 20, 2025):
Hello guys. Thanks for taking over development. We've stopped using netbird because of various issues. In addition I've also been quite busy the last couple of months.
@Gauss23 commented on GitHub (Jan 20, 2025):
@moserpjm sorry to hear that.
Thank you for your great contribution on this topic! Without your work this wouldn’t be this far.
If possible I would like to get more to know about those issues you had.
@moserpjm commented on GitHub (Jan 21, 2025):
Our main VPN is openvpn. We did a netbird trial run with a limited number of users in our RnD department. Windows and Linux clients.
They used it to connect to our main company network and a couple of servers in the cloud.
The main issue was reliability.
A regular conversation I had was:
Changing connections also didn't work half of the time. (WiFi to wired or mobile)
So we gave Tailscale with headscale as controller a try. Sure it has a couple of issues with route failover and missing features in comparison to the cloud version but it works rock solid. Haven't had a single complaint about connectivity issues. The performance in user space mode (Windows) is also great. What makes things easier is the well defined routing behaviour. If routes overlap the tailscale route wins except you tinker with the routing table.
I still love all of netbirds features and the nice web ui so we've decided to reevaluate it in the near future.
@Gauss23 commented on GitHub (Jan 21, 2025):
I agree on the stability issues with the Windows&Mac clients, especially waking up from standby. Also not happy with the battery consumption on iOS. But I see improvements with the clients. It would also be nice to trigger a client update from the management interface, where possible. Or to set a flag on a peer to automatically pull updates.
I'll keep pushing the OPNsense plugin. I'll implement the possibility to set --disable-dns, which would remove another part of your patch.
And as soon as 0.37.0 has hopefully the patch included to remove the routing limitation, we don't need any patching on the OPNsense anymore.
I use Netbird mainly as a MPLS replacement, which of course could be done with other tools, too, or just plain WireGuard but the complexity raises with the amount of branches you want to interconnect. Therefore I love Netbird to help me to organize this in a nice way. Connections are rock solid, never had an issue.
Thanks for the great work and hope to see your company using Netbird in the near future again :). Maintaining a headscale installation can also be a "Pita" :)
@Gauss23 commented on GitHub (Jan 22, 2025):
Small update: I just released version 0.8.1 of os-netbird and 0.36.3_2 of Netbird for the OPNsense. It now also includes the option to enable or disable the DNS resolution through the Netbird network.
I therefore reduced the Netbird client patch. There was a patch which removed the DNS resolution. It's gone now.
I kept the FakeBSD reporting for the moment, as long as the routing feature is Linux only. That is the last portion of patch which is left. So I'm looking forward to having a Netbird package without patching.
As soon as this is done I'll create a pull request for the new plugin in the OPNsense plugins repo.
Here is the commit:
aa472be3a1
@ditronicos commented on GitHub (Jan 28, 2025):
It seems to be some progress with the latest version.
https://github.com/netbirdio/netbird/releases/tag/v0.36.4
@Gauss23 commented on GitHub (Jan 28, 2025):
@ditronicos the limitation on the management server regarding the Network routes seems to be still there. Let's hope for 0.37.0
I'll build the new package for 0.36.4 in the next days
@td007 commented on GitHub (Jan 29, 2025):
A quick message from me.
I have been using the plugin for about a week and it works very well.
Thank you for your effort and the work you do.
A Netbird integration in OPNsense is incredibly useful :-)
@ditronicos commented on GitHub (Feb 1, 2025):
For the record: opnsense 25.1 has been released. 24.7 can be easily upgraded from the UI. https://opnsense.org/about/road-map/
The plugin still working fine. Just after the last upgrade reboot, the ping to the rest of the netbird network was a bit large, it connects relayed. Shutting down the VM (i have installed opnsense in proxmox) and it connects p2p again.
Some minor aesthetic issues in the connection status page related to the search button, not a big deal (cicada theme).
@Gauss23 commented on GitHub (Feb 4, 2025):
Hey everyone,
I created 2 pull requests for OPNsense:
Fingers crossed, that the OPNsense team is happy with it.
@ditronicos commented on GitHub (Feb 5, 2025):
Yep, all the fingers.
@td007 commented on GitHub (Feb 5, 2025):
You are simply the best.
Thank you very much for your work.
They are clever people at Opnsense, they give their ok
@Hobby-Student commented on GitHub (Feb 5, 2025):
@Gauss23 thanks for your work. I use my own compiled version on several opnsense boxes. I would have waited with the pull requests until netbird merged all changes for FreeBSD. Now it's "netbird with custom patches, which make it work, but there could be unwanted side effects in regards of routing security and netbird will soon merge changes in routing for FreeBSD".
@Gauss23 commented on GitHub (Feb 5, 2025):
@Hobby-Student the only part of the patch which is left is the reporting as FakeBSD. DNS and Routing patches were removed and replaced by the built-in functions. So, yes, as soon as the Netbird Management server accepts all peers as routing peers, this patch can also be removed.
@Hobby-Student commented on GitHub (Feb 5, 2025):
just my 2 cents. OPNsense is trying to keep everything secure to not damage its reputation. New VPN plugin with workarounds seems not to be the best idea.
My point of view. Perhaps they accept your pull requests right away.
@moserpjm commented on GitHub (Feb 6, 2025):
I hope they accept the PR.
Just took a look at the source of the new official tailscale plugin . Looks like we didn't do a lot of "non best practice" stuff in os-netbird. :D
Fingers crossed for the code review.
@IceFlom commented on GitHub (Feb 14, 2025):
Hi, I've installed netbird on my OPNSense with this repo:
https://os-pkg.sun-ri.se/netbird-rc-247.conf
After upgrading from 24.7.12 to 25.1.1 the plugin is shown as "misconfigured", which seems to be a known problem according to the history in this issue. But I also get "duplicate dependency" messages when checking for updates. The plugin still seems to work normally.
@Gauss23 commented on GitHub (Feb 14, 2025):
Hi @IceFlom, thanks for bringing that up. It seems that I missed cleaning up the repo. There were multiple versions and therefore it complained. Now it's fixed. The repo is 24.7. I need to create one for 25.1. Hope to do this this weekend.
The misconfigured seems to be normal for all 3rd party plugins. At least that's what I understood in the answer of the OPNsense team:
https://forum.opnsense.org/index.php?topic=45288.0
It was noted as misconfigured also in 24.7.x
@ditronicos commented on GitHub (Feb 22, 2025):
Hi guys, 0.37.0 is finally here.
https://github.com/netbirdio/netbird/releases/tag/v0.37.0
@Gauss23 commented on GitHub (Feb 22, 2025):
Thank you for the heads up. From reading the release notes I can't see that the limitation for Linux a routing peer was removed. Maybe someone else can comment on that.
@Gauss23 commented on GitHub (Feb 24, 2025):
@lixmal do you know when the limitation will be gone? It doesn't seem to be included in 0.37.x yet. Any plans?
@lixmal commented on GitHub (Feb 24, 2025):
It was released with v0.36.6
@Gauss23 commented on GitHub (Feb 24, 2025):
Thank you. Are there any plans to remove the management UI restriction?
@lixmal commented on GitHub (Feb 24, 2025):
There's never been one, only a dashboard limitation. It has been lifted as well
@Gauss23 commented on GitHub (Feb 24, 2025):
Perfect, turns out I just pulled the new docker images but forgot to restart the containers. Now it works as expected. That's great! Thank you!
Now we just wait for the FreeBSD port to be accepted: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284877
And then the OPNsense plugin can be released.
@scroguard commented on GitHub (Feb 25, 2025):
this is excellent news! i look forward to the plugin being released.
@xromansx commented on GitHub (Mar 12, 2025):
Is there any workaround to assign it as routing peer? Mine still has empty Linux version. Thanks
@mlsmaycon commented on GitHub (Mar 13, 2025):
Hey Folks,
As you know, we've submitted our FreeBSD port for NetBird but haven’t received any response from the FreeBSD team yet. We’d really appreciate it if you could leave a comment on the issue. Your support can help bring more attention to the submission and speed up the review process.
Here’s the link to the issue: Bugzilla
Thanks for your support! Every comment helps!
@Gauss23 commented on GitHub (Mar 13, 2025):
Waiting for the creation of my account there to be able to add a comment.
@ditronicos commented on GitHub (Mar 13, 2025):
+1
@ditronicos commented on GitHub (Mar 22, 2025):
It does not look like this is going forward from the FreeBSD side.
Any alternative solution?
@Gauss23 commented on GitHub (Mar 22, 2025):
I'm also frustrated about the whole process. It seems to be very erratic. No queue where we would see how long it might take. OPNsense folks say that the port is needed for the plugin.
@ditronicos commented on GitHub (Mar 22, 2025):
Maybe it will be easiest to try with pfsense? Nahh, forget it, it is FreeBSD too.
@stalane commented on GitHub (Mar 22, 2025):
guys.... there hasn't been any real attempt to explain why they should
spend time on this.
i had the same a couple years ago with zerotier and last year with
tailscale. they consider this edge case and frankly it is.
looking at the PR history it's very (how can i say it) homelab.
i don't want to be mean but maybe phone them up instead?
@joBr99 commented on GitHub (Mar 23, 2025):
Waiting on account creation too now.
I'm looking for something to replace a ton of Site2Site OpenVPN Tunnels with a simpler and more "agile" solution like netbird. (That also easily works with dynamic IPs and Grade Carrier Nat on Backup Internet Connections.)
It would be possible to do the same with zerotier, but only with netbird it's possible to easily self host everything.
So definitely not a Homelab Topic for myself.
@ditronicos commented on GitHub (Mar 25, 2025):
It is moving forward now, let's cross fingers !!
@fernandogobah commented on GitHub (Apr 4, 2025):
+1
@CodeAdminDe commented on GitHub (Apr 13, 2025):
+1 .. and some love ❤️
@ginsul commented on GitHub (Apr 21, 2025):
while waiting create account for https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284877
is it still working? or there is any temporary workaround?
*sorry i'm newbie on opnsense/freebsd
Thanks
@drawioks commented on GitHub (Apr 24, 2025):
Hi,
Is it possible to run NetBird using Docker on FreeBSD?
Has anyone tried it?
@ginsul commented on GitHub (May 11, 2025):
Hi, just got an update email that https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284877 is already marked as Closed—Fixed. So we just need to wait for the OPNsense plugin now, right?
@ditronicos commented on GitHub (May 13, 2025):
I hope so !!
@Gauss23 commented on GitHub (May 13, 2025):
There is now also movement in the OPNsense plugin. Some points need to be changed.
But we have an issue with the /etc/os-release file not being created automatically in FreeBSD. There is the command:
/etc/rc.d/os-release start
but this may have other effects and won't be automatically updated during an OS update of FreeBSD.
There is the suggestion to use another source for the version info. Is Netbird able to check for those other sources if /etc/os-release is missing?
See the discussion including other version sources here:
https://github.com/opnsense/plugins/pull/4531#discussion_r2086801182
@ditronicos commented on GitHub (May 15, 2025):
Any news?
@Gauss23 commented on GitHub (May 15, 2025):
Yes, there are some minor changes needed to my PR for the OPNsense plugin. Hope to find some time in the next days.
Here are the open topics:
https://github.com/opnsense/plugins/pull/4531
@Gauss23 commented on GitHub (May 18, 2025):
@moserpjm one comment is about missing copyright information. As most of the work was done by you, do you want me to add your name to the copyright note?
@Gauss23 commented on GitHub (May 20, 2025):
@moserpjm as this is the last point for the plugin, could you please tell me if and how I should mention you in the Copyright note?
@Hobby-Student I think you also added some code, do you want to be listed in the note? If yes, how?
@moserpjm commented on GitHub (May 21, 2025):
Sure, why not. My first OS contribution with a mention. :)
@Hobby-Student commented on GitHub (May 22, 2025):
Thanks for asking! Would be nice if you could include me as "squared GmbH".
@Gauss23 commented on GitHub (May 23, 2025):
@moserpjm: great, how would I mention you? As moserpjm, a real name or a company? Could you please contact me at opn-netbird [at] sun-ri.se with this information? Thank you.
@ditronicos commented on GitHub (May 25, 2025):
@Gauss23 is there any working installable version newer than 0.36.5_1?
@mlsmaycon commented on GitHub (Jun 1, 2025):
Hello, Guys; we are finally getting more development power to work on different integrations.
@Gauss23 , I know that your plugin has been under review for some time. But I wonder if there is something we can support you with.
@KeenanFalcon commented on GitHub (Jun 3, 2025):
@mlsmaycon, I don't know how much time @Gauss23 had to look at it lately and if he has gotten to work on it.
But I have been looking into making the plugin work too.
I'm rather new to this, but the plugin itself seems to need some work too, as it's buggy when run on OPNsense-devel, but seems to work fine on production opnsense, but I think that comes down to newer code being implemented in Devel.
There is a problem with the rc.d script in the ports, so I used some time to make a newer one, and I have made a pull request to the ports tree: https://github.com/freebsd/freebsd-ports/pull/404
For the problem mentioned here, https://github.com/opnsense/plugins/pull/4531#pullrequestreview-2836586025 about that "/etc/os-release" shouldn't be read on opnsense, I have looked into it, and tried to come up with a solution. I don't know if it's the best one, but it returns the Name and Version of opnsense, equal to the cmd "opnsense-version -Nv".
It reports the name and version in Netbird's dashboard, but the icon shows as linux, which it defaults back to, because freebsd isn't fully implemented yet, as there isn't an official installation guide for freebsd, and also not in posture checks yet.
The work for this is placed here:
169ab274c7
But I haven't made any pull request for it yet.
Maybe you can tell if the global flag "--hostname" only works when initializing Netbird the first time. I tried to change it on a running instance, both in the service and with "netbird up", but it doesn't work, only from within the dashboard?
This is what I think can be done from your side at the moment, but maybe @Gauss23 has something to add to the list.
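The version-source fallback discussed in this thread (read /etc/os-release, and when it is missing take name and version from `opnsense-version -Nv`), as an added Go example that is not NetBird's or the plugin's own code. `detectOS`, `parseOSRelease`, `parseNameVersion` and `clean` are hypothetical names, and the `<name> <version>` output format of `opnsense-version -Nv` is an assumption.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// OSInfo is the name/version pair a client would report upstream.
type OSInfo struct {
	Name, Version, Source string
}

// Injectable I/O so the logic can be exercised without a real system.
type readFileFunc func(path string) ([]byte, error)
type runFunc func(name string, args ...string) ([]byte, error)

// clean rejects empty, oversized or control-character values, so text read
// from a file or a child process is never forwarded unchecked.
func clean(s string) (string, bool) {
	s = strings.TrimSpace(s)
	if s == "" || len(s) > 64 {
		return "", false
	}
	for _, r := range s {
		if r < 0x20 || r == 0x7f {
			return "", false
		}
	}
	return s, true
}

// parseOSRelease reads NAME and VERSION (or VERSION_ID) from os-release(5) text.
func parseOSRelease(data string) (OSInfo, error) {
	kv := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(data))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if k, v, ok := strings.Cut(line, "="); ok {
			kv[strings.TrimSpace(k)] = strings.Trim(strings.TrimSpace(v), `"'`)
		}
	}
	version := kv["VERSION"]
	if version == "" {
		version = kv["VERSION_ID"]
	}
	name, okN := clean(kv["NAME"])
	version, okV := clean(version)
	if !okN || !okV {
		return OSInfo{}, errors.New("os-release: NAME or VERSION missing or invalid")
	}
	return OSInfo{Name: name, Version: version, Source: "os-release"}, nil
}

// parseNameVersion parses "<name> <version>" (assumed output format of
// `opnsense-version -Nv`).
func parseNameVersion(out string) (OSInfo, error) {
	fields := strings.Fields(out)
	if len(fields) != 2 {
		return OSInfo{}, errors.New("version command: expected \"<name> <version>\"")
	}
	name, okN := clean(fields[0])
	version, okV := clean(fields[1])
	if !okN || !okV {
		return OSInfo{}, errors.New("version command: invalid characters in output")
	}
	return OSInfo{Name: name, Version: version, Source: "opnsense-version"}, nil
}

// detectOS prefers /etc/os-release and falls back to the version command
// when the file is missing or unusable.
func detectOS(readFile readFileFunc, run runFunc) (OSInfo, error) {
	if data, err := readFile("/etc/os-release"); err == nil {
		if info, err := parseOSRelease(string(data)); err == nil {
			return info, nil
		}
	}
	out, err := run("opnsense-version", "-Nv")
	if err != nil {
		return OSInfo{}, fmt.Errorf("no usable version source: %w", err)
	}
	return parseNameVersion(string(out))
}

func main() {
	info, err := detectOS(os.ReadFile, func(name string, args ...string) ([]byte, error) {
		return exec.Command(name, args...).Output()
	})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s %s (from %s)\n", info.Name, info.Version, info.Source)
}
```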
@ditronicos commented on GitHub (Jun 15, 2025):
Seems like @Gauss23 is busy these days.
I hope it's for something good and be back soon.
@Gauss23 commented on GitHub (Jun 22, 2025):
Sorry guys, I am busy all June with other topics. Will pick up the work in July. If someone has ideas on how to solve the open topics - they are all in the issue threads - feel free to comment and I'll review and add the code.
@mlsmaycon commented on GitHub (Jun 22, 2025):
Hey @Gauss23, we are looking into the specifics for OPNSense and your PR, too. We have something for PFsense almost ready, too. So we can potentially continue what you started with a fork/PR or do something inspired by it. We are open to anything you think makes sense.
@ditronicos commented on GitHub (Jun 27, 2025):
HI guys !!
Well, it looks like if you delete the "old" plugin and reinstall it again, all works normally; the (missconfigured) label is not shown anymore.
My only question: still the 0.36.05 version. Any clue how to reach the latest one?
I believe today is the 0.49.0
Congrats to all who put time and knowledge in this code, and thank you in deep.
@AT-StephenDetomasi commented on GitHub (Jun 29, 2025):
Hey guys, has anyone had success with this in OPNsense 25.1.x? I have heard a few reports of firewall related issues with WireGuard traffic and not sure if this would possibly affect Netbird. I'm considering giving it a try but hesitant to invest time if it's not ready for a production environment
@azdolinski commented on GitHub (Jul 3, 2025):
On the latest version, OPNsense
Before you start
Install
SelfHosted
Netbird.cloud
Enable monitor (if needed)
After Installation
Restart interfaces
Final
Create firewall rules to allow all connection on the new interface
Netbird.
@Sgt-Ogre commented on GitHub (Aug 5, 2025):
These instructions worked great on a virtualized OPNSense install that is on the latest version as of this post (25.1.12). I do wish there was a newer netbird version, but at least 43 has most of the improvements that really matter. Once the official one is ready I'm guessing it won't be hard to swap.
@Gauss23 commented on GitHub (Aug 5, 2025):
The Netbird binary is already in the FreeBSD Ports and therefore also in the OPNsense Ports repo. The plugin is also already in the OPNsense Plugins repo, but I don't know when it will be released. The PRs were merged, seems like there are small adjustments underway. I hope it's getting released soon.
@SirAry commented on GitHub (Aug 6, 2025):
How may I install it please?
@ditronicos commented on GitHub (Aug 7, 2025):
I don't know if it is the right way, but this is the one I use.
netbird-0.49.0_1 Peer-to-peer VPN that seamlessly connects your devices
os-netbird-devel-0.2 Peer-to-peer VPN that seamlessly connects your devices
netbird-0.36.5_1 Mesh VPN
os-netbird-0.8_1 Netbird plugin
I don't use the os-netbird-devel-0.2 (that's the ui to handle the port inside Opnsense), so the os-netbird-0.8_1 is the right one right now for me. It will install the plugin and the netbird-0.36.5_1 port.
Then: pkg install netbird-0.49.0_1 (it works fine, may be a bit more ping), it will upgrade the port.
Also if you like you can download the latest. curl https://repo.nhdit.com/netbird-pfsense//netbird-0.43.3-amd.pkg --output netbird-0.43.3-amd.pkg
pkg add -f netbird-0.43.3-amd.pkg and upgrade with it netbird-0.36.5_1, if you like it rather netbird-0.49.0_1.
I recommend to reboot the Opnsense server just to be sure everything loads fine.
Later you may enable the service in the ui and connect the port using shared-key or netbird up --management-url https://xxx.xxx.xx (I use this second option for deployment reasons).
Then Interfaces --> Assignments there will be a wt0 device that must to be assigned.
Now inside Firewall --> NAT an Outbound rule is needed (Hybrid Outbound NAT rule generation) from the Netbird device with LAN net as source.
Finish it with a firewall rule for the Netbird device as you wish.
It is a must to set correctly network, dns or whatever the resources you want to be able to access inside your LAN for other Netbird connected devices outside it in the Netbird ui.
That's all !
@fuma-afk commented on GitHub (Aug 7, 2025):
Just a heads up on this:
i stumbled upon this after searching how to use it for a customer of mine that has opnsense but i did manage to make netbird work fine with pfsense since there is some sort of an easy install process.
I'm still speaking about pfsense, but i fear the issue i encountered might occur in opnsense too, this happened to me last week:
After the installation i went through the same process and added the wg0 interface and configured rules to allow to reach the internal LAN as i would have with any other wireguard VPN.
It worked fine for about 5 days until the electricity went out for a while and the UPS gave up. Pfsense wouldn't properly boot anymore.
I rebuilt the system from scratch because I immediately thought of some corruption to the configuration and went back home.
everything worked fine for about 5 days and the electricity went off again and pfsense wouldn't boot anymore for the second time in a week.
This time i was determined to understand what happened and i connected a screen and studied the boot process,
True enough it would get stuck when assigning the interfaces and specifically when trying to assign the wg0 interface.
I realized that it got stuck, because the interface didn't exist as the netbird package would bring it into existence later in the boot process and pfsense crapped itself as it tried to load it and all the rules without success. I had to manually assign WAN, LAN and the various vlans, and when finally getting to the wg0 skip it. Then after the boot it was there again to be assigned if I wanted to.
In the end I solved this by changing approach and creating a rule in each permanent interface (aka LAN and various vlans) to allow traffic from the netbird subnet, without actually assigning and applying rules to the interface itself.
Again I'm not sure if this issue replicates on opnsense as well, but I would advise caution as there is a chance you soft brick the device at the first outage.
Anyway by following this to the extent that I could I managed to get netbird up and connected inside opnsense, but router are not working.
I cannot ping anything from outside even though routes are available and I dare not bring up the interface because I really don't want to risk the same crap that happened with pfsense. I tried adding rules to access connection from netbird subnet but it's not working, even though I have disabled the "disable server routes" from the GUI management of opnsense and correctly set up policies in netbird page.
@Hobby-Student commented on GitHub (Aug 22, 2025):
I wanted to update an opnsense develop box with netbird and was willing to clone the new ports / plugins repo from opnsense. Fortunately I found something and didn't need to build it myself. If you upgraded to the latest OPNsense 25.7.2 open a shell and type:
pkg install netbird os-netbird-devel
netbird 0.52.2 running stable since 24 hours. OPNsense as routing peer with an interface wt0 and some firewall rules.
@Geertkok1 commented on GitHub (Aug 26, 2025):
I tried to configure netbird using the steps that you mentioned. But I cannot start NetBird.
I have input the setup key and tried it with both the firewall option enabled and disabled. But the service does not start
Also under plugin it says: os-netbird-devel (misconfigured)
Did you take any other steps to get it to work?
I did find the following entries in the log:
2025-08-26T11:57:20 Error opnsense netbird: failed to decode configuration: Syntax error
2025-08-26T11:57:20 Notice opnsense /usr/local/sbin/pluginctl: plugins_configure netbird_sync_config (execute task : netbird_configure_do(1))
2025-08-26T11:57:20 Notice opnsense /usr/local/sbin/pluginctl: plugins_configure netbird_sync_config (1)
@Hobby-Student commented on GitHub (Aug 26, 2025):
open a console and try
@Geertkok1 commented on GitHub (Aug 26, 2025):
I can confirm that this fixed it. The service started successfully and after clicking on connect under Authentication it showed up in the netbird portal.
@panteparak commented on GitHub (Aug 26, 2025):
Will it survive a reboot?
@Hobby-Student commented on GitHub (Aug 26, 2025):
reboot is a different thing. I had to manually start the service (via GUI) after a reboot. I had no time to dig into it, because normally my boxes reboot once a year or later. If it hits me again, I will take a look.
@Geertkok1 commented on GitHub (Aug 26, 2025):
I just rebooted our Opnsense firewall as a test to see if it survives a reboot and for us it does. I did not have to do anything after the reboot.
We see that all connections to the opnsense router are relayed. We tried opening port 51820 to the WAN address of the router but that does not change it to P2P. Do you know by chance how to get the connections to be P2P?
@Hobby-Student commented on GitHub (Aug 26, 2025):
I've 2 boxes with the "official" 0.52.2 and my Laptop is relayed to one and P2P to the other. Can't say what's the difference. For now they seem to be configured the same - detail: one is a static public IP the other is dhcp, but this shouldn't be the source of difference.
@Gauss23 commented on GitHub (Aug 26, 2025):
The port is open via a firewall rule on the WAN interface?
@KeenanFalcon commented on GitHub (Aug 26, 2025):
From what I can see, the plugin doesn't trigger pluginctl properly until reboot and the value in /etc/rc.conf.d/netbird gets updated in regards to starting the service.
About firewall rules, an interface and a rule need to be added to allow traffic; the settings under "Client Firewall" don't work correctly on FreeBSD, at least that's my experience.
Have any one tried to test the plugin in a HA setup?
@fuma-afk commented on GitHub (Aug 26, 2025):
Just a quick question,
Did you have the wt0 interface active during the reboot?
As i stated before this was an issue on pfsense as it would stop the boot
process cause the netbird plugin would be loaded after the interface init
process and it would make a mess.
However bringing up the wt0 interface is necessary to configure rules
properly.
Can you confirm whether this is a non issue with opnsense with your reboot
experience?
@KeenanFalcon commented on GitHub (Aug 26, 2025):
I hadn't enabled wt as interface just before when i tried a reboot.
But i made an test just now, and with the plugin as it is, there are an complaint during boot about a missing interface, and the possibility to manual select the interface during the boot sequence.
But by adding this block of code to "/usr/local/etc/inc/plugins.inc.d/netbird.inc"
it will boot as expected
@scimitar4444 commented on GitHub (Aug 26, 2025):
I have the following setup:
OPNsense 25.4.2-amd64 Business
FreeBSD 14.2-RELEASE-p4
netbird-0.36.5_1 and os-netbird-0.8_1
In general, everything works quite well – except for HA.
So far, I haven’t been able to get this running cleanly.
When I configure both firewalls (CARP cluster) as active and add them as a group in the routing section, NetBird automatically decides which firewall the routes should go through. Since the backup firewall is usually only running in hot standby mode, it naturally has better latency values and is therefore chosen by NetBird. This causes issues because I am working with many CARP IP addresses, which are bound exclusively to the Master.
I couldn’t find any option to set a priority within the peer group.
My next attempt was to add the same route in the NetBird Cloud twice – once bound to the Master firewall and once to the Backup firewall, each with different metrics. Unfortunately, this didn’t work. On the client side, the routes were visible, but apparently FreeBSD (or the plugin) cannot really handle the same route being offered twice. Maybe this is also due to the relatively old NetBird version (0.36).
My last attempt was to use the plugin settings CARP Interface and CARP VHID. As soon as I enable these, the connection setup does not even start. It looks as if the Master status is not being detected at all. Even if I manually switch the Master, the plugin does not react – and the backup firewall does not come online either. Maybe I misunderstood how this setting is supposed to work. 😉
@lixmal commented on GitHub (Aug 26, 2025):
@scimitar4444
If you want to use HA routes with a preferred router you'll have to add each routing peer separately and assign a metric.
Creating the same route twice won't lead to HA routes.
@Geertkok1 commented on GitHub (Aug 27, 2025):
I can confirm that there is a firewall rule that allows traffic to the WAN ip address on port 51820:

Do you see anything wrong with this rule? Or does Netbird listen on a different IP?
I did not have the WT0 interface active during reboot. We allow netbird to use its own firewall instead of the Opnsense firewall
@scimitar4444 commented on GitHub (Aug 27, 2025):
@lixmal
After sleeping on it and looking at it again, I understand what you mean. I simply thought about it wrong. I assigned the HA function under Peer Group. That is, I added the connection to a peer group in the route. Then I added the two firewalls to this group. That worked, but there is no metric there. I understand that now.
@scimitar4444 commented on GitHub (Aug 27, 2025):
Which package allows you to patch 0.36.5 without losing the routing function? As soon as I try to update it, FreeBSD is displayed in the console again....
@ditronicos commented on GitHub (Aug 28, 2025):
Let's see.
I have no good results, unable to get the plugin running, using the os-netbird-develop-xxx.
fetch -o /usr/local/etc/pkg/repos/netbird-rc-247.conf https://os-pkg.sun-ri.se/netbird-rc-247.conf
pkg update
pkg search netbird
netbird-0.52.2_1 Peer-to-peer VPN that seamlessly connects your devices
os-netbird-devel-0.2_1 Peer-to-peer VPN that seamlessly connects your devices
netbird-0.36.5_1 Mesh VPN
os-netbird-0.8_1 Netbird plugin
pkg install os-netbird-0.8_1
New packages to be INSTALLED:
netbird: 0.36.5_1 [netbird-247]
os-netbird: 0.8_1 [netbird-247]
pkg install netbird-0.52.2_1
Installed packages to be UPGRADED:
netbird: 0.36.5_1 -> 0.52.2_1 [OPNsense]
Config it and start the service, it works fine.
For the problem with the service not restarting at boot, do not use Setup Keys, simply run inside opnsense terminal:
netbird up --management-url https://xxx.xxxx.xxx
Like a regular Linux way, it will restart the service o start it at boot without problem.
Good luck all !!
@scimitar4444 commented on GitHub (Aug 28, 2025):
@ditronicos
Are you using OPNsense 25.7.2?
In your previous guide, you had already performed the update back then to version 0.49. But when I do that, I have to re-register the client and lose the routing functionality, because it then recognizes FreeBSD again instead of FakeBSD.
@KeenanFalcon commented on GitHub (Aug 28, 2025):
To my knowledge there isn't a migration built into the plugin yet, so a direct upgrade will probably fail because of the settings being remapped in the backend.
The routing you are talking about, isn't that simply renamed in the later versions of netbird to either networks or forwarding.
@ditronicos commented on GitHub (Aug 30, 2025):
Yep, it works with the latest OPNsense releases.
@mlsmaycon commented on GitHub (Aug 30, 2025):
Hey folks, have you tested the packages for pfsense and OPNSense?
https://docs.netbird.io/how-to/installation/opnsense
https://docs.netbird.io/how-to/installation/pfsense
@ditronicos commented on GitHub (Aug 31, 2025):
Yep I tried !
The ones listed are those you can install with OPNsense 25.7.2-amd64 and FreeBSD 14.3-RELEASE-p2:
pkg search netbird
netbird-0.52.2_1 Peer-to-peer VPN that seamlessly connects your devices
os-netbird-devel-0.2_1 Peer-to-peer VPN that seamlessly connects your devices
I can't make the os-netbird-devel-0.2_1 works fine.
For me is still better the os-netbird 0.8_1 from @moserpjm and @Gauss23 because I can avoid to connect it using a setup key.
When I set the os-netbird-devel-0.2_1 with a setup key there is not (or I can't find) way to make netbird service starts at boot with OPNsense (you must to manually start it every time it happens), and get errors when I tried to connect though netbird up --management-url https://.....
Probably my mistake setting it , but I have several local networks connected and I need them up so I rather prefer to install a os-netbird running stable for months now.
Great work with the Android apk by the way, still is more battery consumer than a simple wireguard connection but works much better now.
@Hobby-Student commented on GitHub (Aug 31, 2025):
Do you use DHCP on your WAN interface or static IP?
@Hobby-Student commented on GitHub (Sep 1, 2025):
I think I found something and created a pull request: OPNsense-plugins 4918
@Gauss23 could you please also take a look?
Was the wrong idea.
@Gauss23 commented on GitHub (Sep 1, 2025):
There was a PR which addressed the service startup a month ago:
https://github.com/opnsense/plugins/pull/4855
Maybe this code is not yet in the current devel build?
I did not have the time to check the new plugin, still sitting on my old version 😉
@Hobby-Student commented on GitHub (Sep 1, 2025):
I have the version with this change. Will try something later this day.
@ditronicos commented on GitHub (Sep 2, 2025):
Yeps, I agree.
Will try too in a few days and share how it works with you guys
@ditronicos commented on GitHub (Sep 9, 2025):
well these are my results.
Brand new OPNsense installation 25.7:
Following the instructions here--> https://docs.netbird.io/how-to/installation/opnsense,
I don´t know why, but if you try to search the plugin through the GUI there is not any OS-NETBIRD one listed.
Instead, doing a pkg search inside the console you can see the os-netbird-devel-0.2_1 and the netbird-0.52.2_1 available.
So I must change to the devel repo and upgrade it to 26.1.a_200 to have the chance to install it from the GUI.
In both cases you can install those packages inside OPNsense and then the NETBIRD options are available inside VPN.
According to the doc "After installation, a new interface named wt0 will be available but unassigned. To assign it go to Interfaces > Assignments. Under Assign a new interface, set the following values:"
In both cases the interface wt0 is not available in the Assignments, so I was unable to set anything.
May be I did something wrong?
@Clementinox commented on GitHub (Sep 13, 2025):
To install from OPNsense, you need to enable "Show community plugins" at the top right of the plugins page.
For Netbird I get this behaviour as well. I managed to get it running using this command in shell "service netbird onestart"
Right after doing this I get this error but service starts: failed to increase receive buffer size (wanted: 7168 kiB, got 41 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.
I don't have much time with buffer size, maybe Netbird is trying to increase UDP buffer size when connecting from GUI and it fails?
Also the Netbird doc doesn't mention anything about enabling the service, there is an option for that in the plugin as well as changing the port. I can use it just fine, doesn't seem to affect anything. Does anyone know what the enable feature is for?
@Hobby-Student commented on GitHub (Sep 22, 2025):
I was wrong. Everything is working as expected on the current OPNsense version.
I could be wrong, but I think that this wasn't the case in earlier versions.
Somewhere on the way (with newer versions of netbird) I needed to add outbound NAT for the routed subnets. Otherwise routing is not working. On the opnsense box I add this rule for the subnet(s) behind this box. This way traffic leaving this opnsense to other netbird peers / routers is only showing the opnsense IP and not the real source (masquerading). Don't know where / when this was introduced, but I try to get 2 of my opnsense to the latest versions of opnsense and netbird asap.
On involved opnsense boxes, the routes to the subnets do exist.
@Geertkok1 commented on GitHub (Oct 2, 2025):
I am happy to report that NetBird works on Opnsense 25.7.4 without any issues so far.
The only thing that we still see is that connections with the NetBird in Opnsense are relayed instead of P2P.
I have created the following rule for the WAN interface:
But still they are relayed instead of P2P. Has anyone got the P2P connections working?