Connectivity Issues with Active Mullvad VPN on a Netbird Peer

Issue Description:

Overview:

I am facing connectivity issues in my self-hosted Netbird setup when Mullvad VPN is active on a peer. This setup, inspired by Tailscale + Mullvad VPN integrations for enhanced privacy, fails to maintain peer accessibility and network functionality with the VPN activated.

Detailed Description:

Setup:

Self-hosted Netbird on a VPS running Ubuntu 22.04.
Domain secure.connect.domain.com set with an A record pointing to the VPS IP.
Installation followed the Quickstart guide, with necessary ports opened on UFW (noting Docker's UFW bypass).
Netbird clients on:
- Ubuntu VPS
- Docker on the same Ubuntu VPS
- MacOS host running Sonoma 14.3.1
All clients appear connected and healthy in the dashboard.

Observations:

The Ubuntu VPS client can communicate with the Docker client.
The MacOS client, when connected to Mullvad VPN (both Wireguard and OpenVPN protocols tried), loses connectivity to other clients.
Disabling Mullvad VPN restores connectivity.
Adjusting DNS to use Quad9 did not solve connectivity issues under VPN use.

DNS Monitoring and Fixes:

Originally, DNS resolution failed on MacOS with Mullvad VPN active, showing Nameserver I/O timeout errors.
By monitoring DNS settings in MacOS system preferences, I noted default ISP DNS settings switch to Mullvad's DNS when the VPN is active.
Forcing Mullvad VPN to use custom DNS servers (Quad9) corrected the I/O timeout errors and showed correct DNS in system settings.
Despite these adjustments, hostname resolution and peer connectivity were not restored while Mullvad VPN was active.

Current Issue: Even after addressing DNS I/O errors and ensuring DNS settings are correctly pointed to Quad9, the MacOS client cannot resolve hostnames or connect to peers when Mullvad VPN is turned on.

Expected Behavior:

Activating Mullvad VPN should not disrupt the Netbird network. Peers should remain accessible, and DNS resolution should work as configured, without needing to deactivate the VPN.

Actual Behavior:

With Mullvad VPN active, the affected peer becomes isolated; unable to communicate with other peers or resolve hostnames, despite DNS configurations appearing correct.

Steps to Reproduce:

Setup a Netbird instance on a VPS with Ubuntu 22.04.
Configure Netbird clients on Ubuntu, Docker, and MacOS.
Activate Mullvad VPN on the MacOS client.
Attempt to access or resolve hostnames from other peers.

Additional Information:

Addressing this issue is crucial for ensuring that privacy-focused setups using Mullvad VPN can operate seamlessly with Netbird, allowing for secure and private network configurations without compromising connectivity.

I wanted to update that this issue isn't only occurring on the MacOS client when running Mullvad VPN, but also affects Docker setups. I tested this using the Gluetun VPN Client container, specifically configured for Mullvad with Wireguard on port 60000. Here's a quick rundown of the setup I used:

Gluetun Container Setup:

sudo docker run --rm -it --cap-add=NET_ADMIN --name gluetun \
-e VPN_SERVICE_PROVIDER=mullvad \
-e VPN_TYPE=wireguard \
-e WIREGUARD_PRIVATE_KEY=wOEI9rqqbDwnN8/Bpp22sVz48T71vJ4fYmFWujulwUU= \
-e WIREGUARD_ADDRESSES="10.64.222.21/32" \
-e SERVER_HOSTNAMES="nl-ams-wg-002" \
-e OWNED_ONLY=yes \
-e VPN_ENDPOINT_PORT=60000 \
-e DOT_PROVIDERS=quad9 \
-e BLOCK_MALICIOUS=off \
qmcgaw/gluetun

Netbird Client Container Setup Using Gluetun Network:

sudo docker run --rm -d --cap-add=NET_ADMIN --name netbird-client \
--network="container:gluetun" \
-v netbird-client:/etc/netbird \
-e NB_SETUP_KEY=SETUP_KEY \
-e NB_MANAGEMENT_URL=MANAGEMENT_URL \
netbirdio/netbird:latest

The peer connects successfully to the dashboard, but no communication is possible unless Mullvad VPN is deactivated. This seems to confirm that the problem isn’t isolated to a specific client setup but might be inherent to how VPN networking interferes with Netbird’s operation.

Hopefully, this additional detail can help in diagnosing and resolving the issue.

Thank you!

netbirdio / netbird