mirror of
https://github.com/netbirdio/netbird.git
synced 2026-05-16 21:22:12 -04:00
Feature Request: raw Wireguard/dumbed-down client implementation for devices with limited capabilities #197
Open · opened 2025-11-20 05:07:47 -05:00 by saavagebueno · 37 comments
Reference: SVI/netbird#197
Originally created by @dionorgua on GitHub (Oct 7, 2022).
It would be cool to have a way to benefit from automatic mesh on systems where it's impossible to run native client or where client is not available yet.
For example, Mikrotik routers support Wireguard, but they don't have a way to run custom binaries. At the same time, they have their own scripting language that is able to do HTTP requests, configure network interface, add routes, etc.
Similar Wireguard-based mesh networks are solving this by using 'gateway' servers (one machine in the network that has a public IP is assigned a 'gateway' role, and such 'static' clients have a config with just one peer to that 'gateway'). So basically 'unsupported' platforms are more like traditional VPN servers. They access the network through a fixed gateway that routes traffic to other peers without mesh.
But I think that a better solution should be possible:
Generally it should look like:
Surely such a client will be unable to do NAT traversal, but it'll be able to reach others with a public IP or others who run the native client.
There are a few related issues, like:
PS. Feel free to rename issue to something more easy to understand.
@misuzu commented on GitHub (Oct 10, 2022):
RouterOS supports containers now, it should be possible to run netbird in such container
@dionorgua commented on GitHub (Oct 10, 2022):
Yes, I'm aware of this feature. It requires RouterOS 7.5 to create TUN device.
wireguard-go and Wireguard over TUN device because there is no access to Wireguard kernel module from container. And all of this will run on pretty low power router.
Right now the most difficult part that makes it almost impossible is 'grpc'. The only way to solve this for netbird is to use some sort of proxy/adapter...
@giovannicandido commented on GitHub (Jul 13, 2024):
This feature is an excellent addition. I finally have a decent firewall with a Mikrotik Router. My board has native Wireguard support and container support, but the container feature is a HIGH RISK feature covered in documentation with no guarantee of security. I will probably never use it in a router.
If we can use vanilla Wireguard as a client, even with restrictions, it would be nice.
In the meantime, I can create a site-to-site connection with clients using the native Wireguard in a static manner and use routes to expose the NetBird network if necessary.
@JoNatGeekFiWiFi commented on GitHub (Jul 23, 2024):
I second this, need limited wireguard client support
@aweher commented on GitHub (Jul 31, 2024):
+1 here
@westerlind commented on GitHub (Aug 4, 2024):
In my opinion, this would be the most important missing feature in Netbird.
Having this ability would add a lot more flexibility and open Netbird for many more use cases.
@nazarewk commented on GitHub (Apr 17, 2025):
a short (possibly already outdated/incomplete by the time you are reading) list of feature requests related to implementing a raw wireguard and/or very dumbed down script-style client utilizing it:
@robertpenz commented on GitHub (May 16, 2025):
It would be nice if the actual WireGuard configuration could be abstracted in a way that allows different devs to implement the interface for their wished setup. This would allow it to separate the control plane from the data plane. E.g. I could write a plugin that configures WireGuard on a Mikrotik router via the RouterOS REST API. I could do that from another system or a container which only runs the control plane, so I get full speed. Someone else could write something for Ubiquiti or pfSense/OPNsense.
The default module would be the integrated kernel Wireguard you currently have, and the backup would be the user space Wireguard via tun.
@excavador commented on GitHub (May 27, 2025):
I rethink about the same ideas until I have this ticket.
My proposal the very straightforward and direct:
As the result - Mikrotik RB4011iGS+RM - I will launch two containers
On Mikrotik I could isolate & manage container in the way, where they could access each other, but not outside world
Reliable, clean, straightforward solution
@nazarewk
@excavador commented on GitHub (May 28, 2025):
Also
The only question is how to deliver this extra configuration (like endpoint-user-password or endpoint-user-private-ssh-key) from netbird client inside this library, but this is a purely technical question :)
@robertpenz commented on GitHub (May 28, 2025):
I would just abstract the WireGuard/NAT calls in Netbird, so instead of calling the local WireGuard/Firewall stuff, anyone can write custom code for their router. Your idea with a webhook and running a second container is one way. Another way is just to call a script in the container. With docker images, it is easy to take one docker image as base image and extend it. This allows the Netbird code to stay small and manageable, but everyone can take the base image and extend it with their script/binary and just set an environment variable so it is called by Netbird.
No need for 2 containers and an HTTP API. As I'm not a Go programmer, I just need someone to put the code into Netbird so that external scripts can be called; the REST API for the Mikrotiks I can then do :-) and someone else can then write code for pfSense/OPNsense or something like this
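The script-calling backend proposed in the comment above, sketched as an added example; it is not part of the thread and not NetBird's own code. `Peer`, `DataPlane`, `ScriptBackend`, `Runner`, the `upsert-peer`/`remove-peer` subcommands and the script path are all hypothetical names. The point it shows is that peer data arriving from the control plane is strictly validated and handed to the external program as an argument vector, never through a shell.

```go
package main

import (
	"context"
	"encoding/base64"
	"errors"
	"fmt"
	"net/netip"
	"os/exec"
	"strings"
)

// Peer is a hypothetical data-plane view of one WireGuard peer.
type Peer struct {
	PublicKey  string   // base64 of a 32-byte public key
	Endpoint   string   // "ip:port", empty if the peer has no known endpoint
	AllowedIPs []string // CIDR prefixes routed to this peer
}

// DataPlane is a hypothetical seam between control plane and WireGuard device.
type DataPlane interface {
	UpsertPeer(ctx context.Context, p Peer) error
	RemovePeer(ctx context.Context, publicKey string) error
}

var ErrInvalidPeer = errors.New("invalid peer")

func validKey(k string) bool {
	raw, err := base64.StdEncoding.DecodeString(k)
	return err == nil && len(raw) == 32
}

// Validate accepts only a well-formed key, ip:port and CIDR list, so values
// received from the control plane never reach the script as free-form text.
func (p Peer) Validate() error {
	if !validKey(p.PublicKey) {
		return fmt.Errorf("%w: public key", ErrInvalidPeer)
	}
	if p.Endpoint != "" {
		if _, err := netip.ParseAddrPort(p.Endpoint); err != nil {
			return fmt.Errorf("%w: endpoint", ErrInvalidPeer)
		}
	}
	for _, c := range p.AllowedIPs {
		if _, err := netip.ParsePrefix(c); err != nil {
			return fmt.Errorf("%w: allowed IP %q", ErrInvalidPeer, c)
		}
	}
	return nil
}

// Runner starts a program with an argument vector; injectable for dry runs.
type Runner func(ctx context.Context, name string, args ...string) error

// ExecRunner runs the program directly (no shell), so arguments are not re-parsed.
func ExecRunner(ctx context.Context, name string, args ...string) error {
	return exec.CommandContext(ctx, name, args...).Run()
}

// ScriptBackend implements DataPlane by calling an operator-supplied program.
type ScriptBackend struct {
	Path string // hypothetical script path, e.g. taken from an environment variable
	Run  Runner
}

func (s ScriptBackend) UpsertPeer(ctx context.Context, p Peer) error {
	if err := p.Validate(); err != nil {
		return err
	}
	return s.Run(ctx, s.Path, "upsert-peer", p.PublicKey, p.Endpoint, strings.Join(p.AllowedIPs, ","))
}

func (s ScriptBackend) RemovePeer(ctx context.Context, publicKey string) error {
	if !validKey(publicKey) {
		return fmt.Errorf("%w: public key", ErrInvalidPeer)
	}
	return s.Run(ctx, s.Path, "remove-peer", publicKey)
}

var _ DataPlane = ScriptBackend{} // compile-time interface check

var sampleKey = base64.StdEncoding.EncodeToString(make([]byte, 32)) // constructed all-zero key, demo only

func main() {
	dry := func(_ context.Context, name string, args ...string) error {
		fmt.Println("would run:", name, args)
		return nil
	}
	b := ScriptBackend{Path: "/usr/local/bin/wg-backend", Run: dry}
	p := Peer{PublicKey: sampleKey, Endpoint: "203.0.113.7:51820", AllowedIPs: []string{"100.64.0.5/32"}}
	fmt.Println(b.UpsertPeer(context.Background(), p))
	p.Endpoint = "203.0.113.7:51820; reboot" // rejected before any program runs
	fmt.Println(b.UpsertPeer(context.Background(), p))
}
```

Setting `Run: ExecRunner` makes the backend call the real program; the dry-run closure in `main` only prints the argument vector.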
@excavador commented on GitHub (May 28, 2025):
Or add ability to use golang plugin with so files
One plugin could call scripts, other could work with RouterOS :)
@robertpenz commented on GitHub (May 28, 2025):
golang plugin so files are also ok ... with an example plugin which calls external scripts - I would be happy :-)
@excavador commented on GitHub (May 28, 2025):
I do not have any problem to quickly implement it.
I just need confirmation from maintainers, that this is okay and will be eventually merged and supported
I do not like waste time to idea which will not be approved by maintainers
@robertpenz commented on GitHub (May 28, 2025):
ok, the golang plugins have the additional benefit that if a plugin is mature and in high demand, it could go into the base docker image at some point and others can stay separate.
@excavador commented on GitHub (May 28, 2025):
Also
I could implement all this, I just need confirmation from maintainers, for instance, from @nazarewk that this is okay for project and will be merged/supported (in case of proper implementation, of course)
After that I will implement it.
I just want to avoid time wasting to dead-end, which never will be accepted by netbird's team
@trbutler commented on GitHub (May 29, 2025):
For what it is worth, I'd just copy Netmaker's approach -- given the same Wireguard base, I'm guessing maybe even some of the code could be reused? -- which allows one to use any standard Wireguard client. While I've found Netbird more reliable than Netmaker, this is a spot they have a clear edge since it doesn't require implementing new clients or anything like that. https://www.netmaker.io/features/client-types
@robertpenz commented on GitHub (May 30, 2025):
@trbutler I don't believe that is possible with the mesh traffic and therefore tunnels .. netbird needs to create a wireguard peer on every endpoint so they talk with each other, and that configuration needs to be done somehow. If you only connect to a central spoke with a "standard wireguard" that's ok, no need to create peers ... but that's not how netbird works, which is also the main differentiator to others.
@trbutler commented on GitHub (May 30, 2025):
@robertpenz I admittedly didn't explore too much how exactly Netmaker's system handled Wireguard clients in relation to other peers (other than that it worked), but the overall architecture is very close to Netbird's or Tailscale's with a central controller and peer-to-peer communication beyond coordination. It too is a "mesh" system. I find that Netbird's management system has been more reliable (or was when I decided to go with Netbird instead of Netmaker back in 2022), but the basic design is very similar.
@scr4tchy commented on GitHub (Jun 1, 2025):
Mikrotik has native Wireguard support - so why not let Netbird use the Mikrotik API to manage Wireguard interfaces/peers?
@robertpenz commented on GitHub (Jun 3, 2025):
@scr4tchy: that's the idea, but to be able to manage the Mikrotik API we need to add that functionality in Netbird, hence this discussion. Adding this is fine, but the maintainers of Netbird also need to state that they are willing to accept such a pull request - therefore, we are waiting on @nazarewk. And do not be vendor specific, the idea is a plugin system which allows writing to different router APIs.
@mlsmaycon commented on GitHub (Jun 3, 2025):
Hello folks. NetBird won't work with vanilla Wireguard without major changes on the system since it defines the best endpoint for the p2p connections for every peer. For instance, we launch local proxies when the connection should be using relay, and that's something that would require more than the plain Wireguard client.
If anyone has experience building a client for Mikrotik, we would be happy to discuss how to build and integrate NetBird directly.
We do have some users that used docker in Mikrotik and generated a nice doc on that: https://docs.netbird.io/how-to/client-on-mikrotik-router
@excavador commented on GitHub (Jun 3, 2025):
Hello!
Thank you so much for your reply!
I took a look at the netbird source code, and it's clear how you build up the abstraction on WireGuard/DNS/Firewall configuration
I have an understanding of how to implement a MikroTik API client to perform the same actions on the Mikrotik side
Pre-requisite - there should be a container on MikroTik in host network mode (to share NAT traversal port directly)
So, @mlsmaycon, my question is the following:
Option A. Would you like to have support of the RouterOS API directly in the netbird client source code? (maybe with some golang build tag)
OR
Option B. Would you like to have some "external" kind of configuration, where netbird receives in configuration the path to custom scripts?
OR
Option C. Would you like to have some "plugin" kind of configuration, where netbird loads a golang plugin of a certain interface?
The differences are the following:
Option A. Simpler for user, for it will force to add all other devices, different from RouterOS, directly to the source code base
Option B. Ideal for non-developers, system administrators. They will able to DIY integration with own router or very custom devices
Option C. Ideal for developer, implement own plugin, load it, no injection to codebase
@mlsmaycon I could implement any approach, my question to you - what NetBird team prefer?
@nazarewk commented on GitHub (Jun 5, 2025):
Let's keep this issue in the spirit of supporting low-capability devices, either through raw Wireguard or a separate resource-conscious implementation/operation mode for NetBird.
I would be very wary of saying that running a full client in compatibility mode would be sufficiently resource-efficient to run on most of the networking devices, let's move this part to https://github.com/netbirdio/netbird/issues/3921
To summarize the on-topic discussion https://github.com/netbirdio/netbird/issues/496#issuecomment-2933728123 .
We are not discarding the possibility of supporting this in the distant future, but we are not planning to support a plain WireGuard client or low-resources operation mode in the foreseeable future. In short, this is too large a codebase rework effort for too little perceived benefit. It seems like a relatively niche usage, considering most of the use cases could be achieved by running a client/routing peer externally to the routing devices.
We would definitely put more emphasis on the feature if a large enough number of customers required this, funded or took the bulk of the development effort on themselves (which again, is expected to be large).
PS: feel free to keep the discussion going and ideas flowing, it won't go to waste :)
@mlsmaycon commented on GitHub (Jun 6, 2025):
@excavador would you be available for a chat? we are on Slack and perhaps we can arrange a call to discuss how the Mikrotik integration would look like
@excavador commented on GitHub (Jun 6, 2025):
Slack or meeting is fine. Send link or calendar event to o.tsarev@truvity.com
@mlsmaycon commented on GitHub (Jun 6, 2025):
@excavador I've sent you an invite for today.
@tobias-carlbom commented on GitHub (Jun 14, 2025):
interesting discussion. i am managing a bunch of low-end teltonika routers remotely, which runs on a dinosaur fork of openwrt.
as for now we are only able to configure raw wireguard client in the devices. there is only 1-2MB flash disk, so installing eg https://downloads.openwrt.org/snapshots/packages/mips_24kc/packages/netbird-0.45.3-r1.apk will not work since the binary is 10MB.
having the ability to use "raw" wireguard config files would be very much appreciated!
@haneef95 commented on GitHub (Jul 16, 2025):
@tobias-carlbom - What if there was a shell script that could run on OpenWRT that simply makes regular calls to Netbird to fetch the WireGuard configs to update locally?
@tobias-carlbom commented on GitHub (Jul 16, 2025):
@haneef95 sure that would work.
But I don't know - I actually got the binary working on my test device, running in ram memory.
It feels more "safe" to run the binaries.
Although it feels hacky running from ram, it's pretty easy to automate this to even get it working if the device restarts.
@haneef95 commented on GitHub (Jul 16, 2025):
Oh nice congrats @tobias-carlbom!
Would be interested to know how it pans out
@HammyHavoc commented on GitHub (Jul 16, 2025):
Plenty of things run from RAM, and it's actually desirable in many cases. I don't feel it is all that hack-y in 2025. :- )
And yes, verifiable binaries are always preferable whenever possible!
@haneef95 commented on GitHub (Jul 16, 2025):
I'm still interested in this as a lightweight alternative to the full binary though. And it could potentially work across different envs.
@serossi commented on GitHub (Aug 12, 2025):
you want to do too much
ofc it won't be perfect or even close to the feature set of the full client
it doesn't have to be.
good enough would be sufficient
i think the main thing the system needs to consider to have default bypasses that reach the client
so for example plain client (plain1) is connected to full clients (hub1-3)
then instead of doing full mesh for authorized clients every time you want to config a direct connection to plain1, the config will connect you to hub1-3 for the most ideal path and relay there
ofc plain1 will be pretty static, so we need to be able to make config changes and acknowledge that now a new config is active so the backend knows of new abilities with the new config and can consider this then for the other clients
@trbutler commented on GitHub (Aug 12, 2025):
I'm wondering if this is what Netmaker does. That project's functionality is so parallel to Netbird, I'd imagine they'd have run into the same limitations and needed to work around them in a fashion like you describe. I don't know how their implementation works, but I'd think if there were willingness to add this, seeing how they did it might help solve the problem. (It's above my pay grade, sadly.)
Here's how another user described Netmaker's setup: https://github.com/netbirdio/netbird/issues/213#issuecomment-1493124490
@serossi commented on GitHub (Aug 12, 2025):
no idea how netmaker does it and to be honest, i just pulled that out my hiney mid comment, initially i just wanted to write that it doesn't have to be perfect.
i don't think it's really that complicated. ofc implementation gremlins always waiting around a corner.
but with a very basic start it could slowly get better and more sophisticated over time
it just needs to start somewhere, instead of thinking for 2 years how complicated it can be implemented
@HammyHavoc commented on GitHub (Aug 12, 2025):
I've seen this mistake dozens of times over the years both in FOSS and proprietary dev.
If it isn't architected sensibly, it won't work long-term, nor become better/more sophisticated, and potentially bottleneck dev on other aspects of the project in avoiding breaking the rapidly dev'd bodge for a niche function.
There are good reasons why any long-term project with traction and plenty of external contributors plans extensively, otherwise it grinds to a halt.
Vibe coding doesn't work for stuff like this because other people are going to need to work on it at some point in terms of maintenance, otherwise you end up with a pile of technical debt. There's no proof-of-concept required though, we already know there would be a demand if this worked well. People won't use a janky solution, and if it causes other issues in terms of access policies, or perf regressions for what is already implemented, then that's a big deal.
If it was as simple as you're thinking it is, it would have already been done. Planning is a skill in and of itself, and planning is extremely important, especially coordinating a new FR relative to dev that's already happening and in terms of roadmap.
Above is not an insult or knock on your skills or management style BTW. I'm a realist. Everything is "just xyz" if you're not the person implementing it or maintaining it long-term.
Sure, I would absolutely love a quick-and-easy solution, but the realistic quick-and-easy solution is likely configuring a separate WireGuard tunnel within a network that your NetBird peers can currently tx/rx with because that solution is here today and doesn't require any additional dev. Is it less elegant than it all being within NetBird? Yup, but chasing ideals is usually not advised, especially with something as messy as networking.