Issues with site-2-site VPN on version 0.25.9 #656

Open
opened 2025-11-20 05:15:27 -05:00 by saavagebueno · 11 comments

Originally created by @deB4SH on GitHub (Feb 26, 2024).

Describe the problem

NOTE: this is copied from a Slack thread

Hi all,
I have a selfhosted netbird running with three clients joined.
All clients should share their specific lan environments with each other and allow other devices in their own network to use the others.
I already have setup all network routes required and configured the according ip ranges, routing peers, distribution groups and masquerade for each route.
The hosts with the client installed are able to reach ips in other local networks but sadly not other hosts using them as gateway.

As example:
192.168.10.0/24 made available over node-1 ( .10.2)
192.168.11.0/24 made available over node-2 ( .11.2)

Routers in each network do provide a network route for clients to communicate towards the other network over the given gateway ip.
Node-1 can reach ips within the .11 network.
When tracerouting from a host near to node-1 it gets stuck on node-1 and the traffic is not forwarded over the wireguard interface

What configuration did I miss?
Did I misunderstand the automatic masquerade setup of netbird?

Somehow I can't get site-to-site vpn working with netbird.
Seems that the masquerading is not working properly.
Before my switch to netbird I configured all "ingress" nodes to each site via PostUp and PostDown to build up the masquerade rules via iptables

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE;

The issue resolved when downgrading to version 0.25.4 from 0.25.9
Also needed to add an iptable entry for the masquerade
iptables -t nat -A POSTROUTING -o wt0 -j MASQUERADE

To Reproduce

Steps to reproduce the behavior:

  1. Set up NetBird in different networks
  2. Create access rules and network configurations to share networks with each other instance
  3. Enable masquerade

Expected behavior

Working site 2 site networking

Are you using NetBird Cloud?

selfhosted

saavagebueno added the bug, client, waiting-feedback labels 2025-11-20 05:15:27 -05:00

@xiaolei0125 commented on GitHub (Mar 1, 2024):

I also encountered a similar issue when using 0.25.8, but it was resolved after rolling back to 0.24.3.


@ednxzu commented on GitHub (Apr 17, 2024):

I also have the same issue, tho the peers in each of my sites can ping and connect to remote machines on their netbird IP (100.x.y.z).

I was using latest, tried to roll back as advised here, but it didn't change anything.

I'll keep posting if I make any progress.


@deB4SH commented on GitHub (Apr 22, 2024):

I'm still on 0.25.4 and need to manually add iptables -t nat -A POSTROUTING -o wt0 -j MASQUERADE after each boot. (iptables-save)
After this everything works quite well - maybe you are missing the postrouting @ednxzu ?


@ednxzu commented on GitHub (Apr 22, 2024):

I forgot to report back, but I managed to get it to work.

Each node on each site needed:
-A FORWARD -d <subnet_of_remote_site> -j ACCEPT
-A FORWARD -s <subnet_of_remote_site> -j ACCEPT

these had to be added manually (maybe an improvement ?)

where subnet_of_remote_site is the subnet encompassing all your site LAN; in my case, each site gets
10.x.0.0/16, so site 1 would be 10.1.0.0/16, site 2 10.2.0.0/16

to be manually added. Other than that, I had an issue with port security in OpenStack not allowing traffic from the tunnel network to exit the router instance.

using the latest version worked in my case.


@dobe commented on GitHub (May 14, 2024):

Same here using netbird version 0.27.6; I also need to:

iptables -t nat -A POSTROUTING -o wt0 -j MASQUERADE

expecting this to be configured automatically


@cassidea commented on GitHub (May 27, 2024):

> Each node on each site needed:
> -A FORWARD -d <subnet_of_remote_site> -j ACCEPT -A FORWARD -s <subnet_of_remote_site> -j ACCEPT
>
> these had to be added manually (maybe an improvement ?)

Same here. Unfortunately I couldn't get it working in systemd's ExecStartPre or ExecStartPost hook but had to execute it manually. The rules showed up in iptables -S but packets wouldn't be handled correctly.

My current solution:
in systemd-script: ExecStartPre=iptables -t nat -A POSTROUTING -o wt0 -j MASQUERADE
manually after every reboot: sudo iptables -A FORWARD -s 10.0.0.0/16 -j ACCEPT; sudo iptables -A FORWARD -d 10.0.0.0/16 -j ACCEPT


@nazarewk commented on GitHub (Apr 23, 2025):

Is it still an issue for you with the latest NetBird version?


@ednxzu commented on GitHub (Apr 24, 2025):

Hello, I am on 0.42.x, and I still have to set the iptables manually in order to get routing for non-netbird hosts to the other site, tho this is probably out of scope for the project and something that should be done manually anyway.

It would be nice to have a piece of documentation about it tho.

Cheers,


@skolew commented on GitHub (Apr 30, 2025):

Hello,
has anyone succeeded with this one? I am running into the same issue with 0.43.

I configured 3 vpn peers:

  1. Macbook client
  2. Two Debian-based routing peers - one for, let's say, siteA and one for siteB. SiteA and SiteB peers are set as routing peers. I am using the legacy routing peers, not the new "Networks" feature, as explained in the documentation the new Networks feature does not support site-to-site connectivity. Actually I tried both methods and with none of them did I succeed in setting up communication between sites.

siteA subnet - 10.16.0.0/16
siteB subnet - 10.17.0.0/16

From every netbird peer I can connect to hosts in 10.16.0.0/16 or 10.17.0.0/16, which is fine, but when I try to connect from a 10.16.0.0/16 host to a 10.17.0.0/16 host I have no luck. After I added the iptables rules listed in the comment I succeeded in getting ping replies, but when I try to make a curl request to http servers in both sites I have no luck:

Here are some examples:

root@netbird-router-site-a:~# ip a s 
2: enX0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:f7:f7:79:b6:bb brd ff:ff:ff:ff:ff:ff
    inet 10.16.1.167/24 metric 100 brd 10.16.1.255 scope global dynamic enX0
       valid_lft 2176sec preferred_lft 2176sec
    inet6 fe80::f7:f7ff:fe79:b6bb/64 scope link 
       valid_lft forever preferred_lft forever
4: wt0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 100.104.70.139/16 brd 100.104.255.255 scope global wt0
       valid_lft forever preferred_lft forever
root@netbird-router-site-a:~# ping 10.17.2.6
PING 10.17.2.6 (10.17.2.6) 56(84) bytes of data.
64 bytes from 10.17.2.6: icmp_seq=1 ttl=63 time=1.42 ms
64 bytes from 10.17.2.6: icmp_seq=2 ttl=63 time=1.93 ms
^C
--- 10.17.2.6 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 1.424/1.678/1.932/0.254 ms
root@netbird-router-site-a:~# curl 10.17.2.6
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
root@netbird-router-site-a:~# curl http://10.16.2.34
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
root@netbird-router-site-a:~#

When I try the same thing from a node on site-b to a node on site-a I get a timeout on the curl or telnet. I also looked at the tcpdump on both routing peers; it seems that network packets are not arriving when I try curl or telnet, only ping is tracked by tcpdump, which is strange:

root@site-b-node:~# ping 10.16.2.34
PING 10.16.2.34 (10.16.2.34) 56(84) bytes of data.
64 bytes from 10.16.2.34: icmp_seq=1 ttl=62 time=1.99 ms
64 bytes from 10.16.2.34: icmp_seq=2 ttl=62 time=2.01 ms
^C
--- 10.16.2.34 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.987/1.997/2.008/0.010 ms
root@site-b-node:~# curl http://10.16.2.34
^C
root@site-b-node:~#

Does anyone have a solution for that?

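The rules the commenters above report adding by hand (MASQUERADE on wt0 plus FORWARD accepts for the remote site subnets) collected into one idempotent script, as an added example that is not part of this thread or of NetBird itself. It assumes the NetBird interface is named wt0 with MTU 1280, as in the `ip a s` output above, and takes the remote site subnets as arguments. Two points go beyond what the thread shows and are my assumptions: the FORWARD rules are bound to wt0 with -i/-o rather than matching on subnet alone, so the routing peer does not start forwarding unrelated LAN traffic, and a TCPMSS clamp in the mangle table is emitted, because ICMP succeeding while TCP connections hang across a tunnel with a smaller MTU is a common path-MTU symptom. The clamp is a diagnostic to try, not a confirmed cause of the behaviour reported here.

```shell
#!/bin/sh
# Added example for this thread, not NetBird's own code.
# Emits (and optionally applies) the netfilter rules commenters report needing on a
# routing peer: MASQUERADE on the tunnel interface, FORWARD accepts for the remote
# site subnets narrowed to the tunnel interface, and a TCP MSS clamp.
#
# Assumptions (mine, not from the thread): the NetBird interface is wt0 with MTU 1280,
# iptables is installed, and the remote subnets are passed as arguments.
# Nothing is changed on the host unless --apply is given.

WT_IF="${WT_IF:-wt0}"
WT_MTU="${WT_MTU:-1280}"   # MTU shown on wt0 in the thread; override if yours differs

# Largest TCP MSS that fits an IPv4 packet of the given MTU (20 IP + 20 TCP header bytes).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Print one rule per line as "<table> <chain> <rulespec>" for the given remote subnets.
# Binding the FORWARD rules to $WT_IF keeps the peer from forwarding traffic between
# its own LAN interfaces just because a subnet happens to match.
rule_specs() {
    printf '%s\n' "nat POSTROUTING -o $WT_IF -j MASQUERADE"
    # MSS clamp (assumption): only SYN packets leaving via the tunnel are rewritten.
    printf '%s\n' "mangle FORWARD -o $WT_IF -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $(mss_for_mtu "$WT_MTU")"
    for subnet in "$@"; do
        # replies from the remote site arriving over the tunnel
        printf '%s\n' "filter FORWARD -i $WT_IF -s $subnet -j ACCEPT"
        # LAN hosts sending towards the remote site over the tunnel
        printf '%s\n' "filter FORWARD -o $WT_IF -d $subnet -j ACCEPT"
    done
}

# Render the rule specs as the iptables commands that would be run (safe preview).
print_commands() {
    rule_specs "$@" | while read -r table chain spec; do
        printf 'iptables -t %s -A %s %s\n' "$table" "$chain" "$spec"
    done
}

# Apply each rule idempotently: probe with -C first and append only when absent, so the
# script can be re-run from a boot hook without stacking duplicate rules.
apply_rules() {
    rule_specs "$@" | while read -r table chain spec; do
        # shellcheck disable=SC2086  # $spec is intentionally word-split into arguments
        if ! iptables -t "$table" -C "$chain" $spec 2>/dev/null; then
            iptables -t "$table" -A "$chain" $spec
        fi
    done
}

# Usage: sh nb-site-rules.sh [--apply] <remote-subnet>...
if [ "${1:-}" = "--apply" ]; then
    shift
    apply_rules "$@"
elif [ "$#" -gt 0 ]; then
    print_commands "$@"
fi
```

Running `sh nb-site-rules.sh 10.17.0.0/16` prints the commands; `--apply` (as root) installs them. Because every rule is probed with `-C` before being appended, the script is safe to call repeatedly from a boot hook such as a systemd unit ordered after the NetBird service, which covers the "lost on reboot" behaviour several commenters describe. One consequence of masquerading on wt0 worth keeping in mind: every forwarded LAN packet leaves with the routing peer's tunnel address as its source, so logs and access rules at the remote site will see the peer, not the originating host.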

@Alemiz112 commented on GitHub (Aug 24, 2025):

This still seems to be an issue with the latest Netbird client. Manually adding iptables -t nat -A POSTROUTING -o wt0 -j MASQUERADE is a temporary solution.


@zagdrath commented on GitHub (Aug 24, 2025):

This absolutely still is an issue with the latest version.


Reference: SVI/netbird#656