netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

slow enable of VPN routes #2154

Open gecube opened 4 months ago

gecube commented 4 months ago

Describe the problem

When I start netbird and connect to VPN, all resources behind VPN become accessible only after 10 sec - 1 minute - 5 minutes. No idea on what the time depends. It could be critical if the service behind VPN is checking the GeoIP and blocks the user after several tries to connect to it from a forbidden GeoIP.

To Reproduce

Steps to reproduce the behavior:

  1. Start netbird client
  2. Connect to VPN
  3. Try to connect to resource behind VPN
  4. Check that the resource detects the original IP (if it was available without VPN), not the masked one, or if the resource is available ONLY in VPN - it is not accessible (connection refused and other connection related errors).

Expected behavior

Netbird should connect and set up routes ASAP and explicitly show the state of VPN. State connected != state VPN is operational and it is very important for the user to understand clearly if VPN is working correctly.

Are you using NetBird Cloud?

no

pascal-fischer commented 4 months ago

Hi @gecube, so the client shows connected as soon as it is connected to management and receives a network map. After that, the time it takes for the peers to connect to each other can vary based on multiple factors like latency between peers, load on either peer, load on signal, etc.

Can you explain more about the "VPN operational state"? How would you define that state? If we expect all peers to be connected before we show an operational state this might never happen if some peers are offline or not reachable at a given time.

We do have the netbird status -d output that will show if the connection to a specific peer is operational. As this is only available via command line this might not be very usable for GUI users so we might have to think about adding this information there as well.

n0nvme commented 3 months ago

> Can you explain more about the "VPN operational state"? How would you define that state?

User should be able to communicate with services accessible only using VPN. Especially connection to internal DNS nameservers should work.

Currently, bugs like #1704 happen when netbird agent already reports connected state.
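The gap discussed in this thread (client reports connected before VPN-only resources answer) can be handled on the client side with a readiness gate that fails closed. The sketch below is an added example, not NetBird code; the hostname `intranet.example.internal` and address `10.0.0.10:443` are constructed placeholders for a DNS name and a service that exist only behind the VPN.

```python
import socket
import time


def tcp_probe(host, port, timeout=2.0):
    """Return a probe that passes once a TCP handshake to host:port completes."""
    def probe():
        with socket.create_connection((host, port), timeout=timeout):
            return True
    return probe


def dns_probe(name):
    """Return a probe that passes once `name` resolves via the system resolver."""
    def probe():
        socket.getaddrinfo(name, None)
        return True
    return probe


def wait_operational(probes, timeout=300.0, interval=2.0, sleep=time.sleep, clock=time.monotonic):
    """Poll until every probe passes. Returns (True, None) on success, or
    (False, reason) on timeout so the caller can refuse to send traffic."""
    deadline = clock() + timeout
    while True:
        failure = None
        for name, probe in probes.items():
            try:
                probe()
            except OSError as exc:  # covers refused, unreachable, timeout, DNS failure
                failure = f"{name}: {exc}"
                break
        if failure is None:
            return True, None
        if clock() >= deadline:
            return False, failure
        sleep(interval)


if __name__ == "__main__":
    # Constructed placeholders: use a name and a service reachable ONLY through the VPN.
    checks = {
        "internal DNS": dns_probe("intranet.example.internal"),
        "internal service": tcp_probe("10.0.0.10", 443),
    }
    ok, reason = wait_operational(checks, timeout=300, interval=2)
    if not ok:
        raise SystemExit(f"VPN not operational, refusing to continue: {reason}")
    print("VPN operational")
```

Run it after the client connects and before starting anything that must not reach its target from the original IP; a non-zero exit means the routes or internal DNS were still not usable when the timeout expired.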