netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

Almost working setup of Netbird behind Cloudflare Proxy #2313

Open R-Nabil opened 1 month ago

R-Nabil commented 1 month ago

Hi all, not sure if this is a bug, a setup issue (most likely) or a missing feature. I'm trying to set up Netbird to be behind Cloudflare proxy (I do not plan on using TURN and have enabled the gRPC mode).

My Netbird is behind a Traefik reverse proxy. If the Cloudflare proxy is deactivated, it works fine. If I activate it, it doesn't, and I believe the reason is that the IPs of the devices are reported as the Cloudflare proxy IP.

However, my Traefik has been set up properly (to trust the headers), and the Traefik logs are reporting the correct client IP (device IP). Similarly, I'm using a middleware that overrides X-Real-IP with the correct IP.

However, Netbird still displays the proxy IP, and I guess because of that clients can't P2P (as they are not reaching the appropriate IP).

I'm wondering if it's:

Thank you in advance
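The gap R-Nabil describes above, between the client address Traefik logs and the address the service behind it records, comes down to which of two things a service reads: the TCP peer of the connection it accepted (behind a proxy, that is always the proxy), or the originating address recovered from X-Forwarded-For after confirming that the peer is a proxy it trusts. The Go program below is an added example written for this page, not NetBird's code, and shows both behaviours side by side. The trusted ranges (loopback standing in for the Traefik container, 198.51.100.0/24 standing in for a CDN's published edge ranges) and every address in it are constructed placeholders; in a real deployment the list has to be the proxy provider's current ranges. On the Traefik side the equivalent trust decision is the `forwardedHeaders.trustedIPs` entrypoint option.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed for this example: loopback stands in for the Traefik container
// in front of the service, and 198.51.100.0/24 (TEST-NET-2) stands in for the
// published edge ranges of the CDN/proxy in front of Traefik. In a real
// deployment this list must be the proxy provider's current ranges.
var trustedProxies = mustParseCIDRs("127.0.0.0/8", "::1/128", "198.51.100.0/24")

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

func isTrustedProxy(ip net.IP) bool {
	for _, n := range trustedProxies {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// PeerIP is what a service sees when it ignores forwarded headers: the TCP peer
// of the accepted connection. Behind a proxy that is the proxy, not the client.
func PeerIP(remoteAddr string) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return remoteAddr
	}
	return host
}

// ClientIP derives the originating address from the TCP peer and the
// X-Forwarded-For header. The header is consulted only when the peer itself is
// a trusted proxy, and it is walked right-to-left skipping trusted hops, so a
// value prepended by the client (which anyone can do) is never used.
func ClientIP(remoteAddr, xff string) string {
	peer := PeerIP(remoteAddr)
	peerIP := net.ParseIP(peer)
	if peerIP == nil || !isTrustedProxy(peerIP) || strings.TrimSpace(xff) == "" {
		return peer
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			return peer // malformed header: do not guess, fall back to the peer
		}
		if !isTrustedProxy(ip) {
			return ip.String()
		}
	}
	// Every listed hop is a proxy we trust; the outermost one is the best answer.
	return strings.TrimSpace(hops[0])
}

func main() {
	cases := []struct{ peer, xff string }{
		{"203.0.113.7:51234", ""},                         // direct connection
		{"127.0.0.1:40000", "203.0.113.7"},                // client -> Traefik -> service
		{"127.0.0.1:40000", "203.0.113.7, 198.51.100.10"}, // client -> CDN edge -> Traefik -> service
		{"203.0.113.9:40001", "10.0.0.1"},                 // untrusted peer spoofing the header
	}
	for _, c := range cases {
		fmt.Printf("peer=%-20s xff=%-30q peer-only=%-15s client=%s\n",
			c.peer, c.xff, PeerIP(c.peer), ClientIP(c.peer, c.xff))
	}
}
```

Run it with `go run .`. The third case is the proxied path from the report: the peer-only column shows the Traefik address and the client column recovers the device address behind the CDN hop. The last case is why the peer check comes first: an untrusted peer's X-Forwarded-For is ignored rather than honoured, since a client can put anything in that header.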

lixmal commented 1 month ago

Hi @R-Nabil,

The management connection is not involved in the P2P process, that's why the displayed IP doesn't matter.

> I'm trying to set up Netbird to be behind Cloudflare proxy (I do not plan on using TURN and have enabled the gRPC mode).

Have you ditched the coturn server completely? You will still need the STUN functionality if your peers are behind NAT. Can you provide a netbird status -dA from one of the clients?

(Please stick to the github template)

R-Nabil commented 1 month ago

> Hi @R-Nabil,
>
> The management connection is not involved in the P2P process, that's why the displayed IP doesn't matter.
>
> > I'm trying to set up Netbird to be behind Cloudflare proxy (I do not plan on using TURN and have enabled the gRPC mode).
>
> Have you ditched the coturn server completely? You will still need the STUN functionality if your peers are behind NAT.
>
> Can you provide a netbird status -dA from one of the clients?
>
> (Please stick to the github template)

Realised I didn't answer the message, so I updated here:

First thanks for your answer.

  1. Noted regarding the management connection. I guess it would still be a nice-to-have to have the correct IP, but we can leave that one aside for now, I agree.
  2. I haven't fully ditched them, as they are still enabled in my docker-compose, but they are not used (the VM hosting it hasn't opened the port for it). I want my "mobile" devices only to connect to home (where I have a static IP). My understanding is that it should not require TURN then?
  3. Unfortunately, I don't think I can? As in, my first device is an iPhone, and the device at home is a Docker container (which doesn't seem to be able to call netbird status -dA?).

Do let me know if I missed something.

R-Nabil commented 1 month ago

As an update, I've done the below exercise:

I have one client at home (static IP, port forwarding set up correctly) and one mobile device. I aim at doing P2P direct connections only. The management is on a VPS with open ports for 443/3478 UDP.

Current setup: No proxy, Netbird behind Traefik -> Clients connect fine.

Testing setup: Proxy enabled for all clients (so netbird.mydomain.com points to the Cloudflare IP). Clients on the management interface show an incorrect IP. P2P connection fails (it seems to try to connect to the Cloudflare IP, believing it's the client IP). Traefik logs do show the correct IP (forwardedHeaders are trusted).

New setup to confirm the suspicion: In my home DNS, I override the management interface to point to the VPS IP (bypassing the proxy locally). Now the home device shows correctly in the management interface, and the P2P connection works.

So the issue is definitely linked to the devices not knowing each other's IP when using the proxy.

I was pointed to the fact that the Cloudflare proxy doesn't allow port 3478 through their proxy. Is this port really used when doing a P2P connection?

I've tried to use a supported port (I override turnserver.conf and management.json to use either 8443 UDP or 8443 TCP) with no success.

Thanks
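lixmal's point that STUN is still needed for peers behind NAT, and R-Nabil's later question whether port 3478 is really used for the P2P connection, can both be checked directly from a client rather than inferred from what the management dashboard displays. The Go program below is an added example written for this page, not code from NetBird or coturn: it speaks RFC 5389 STUN itself, sending a Binding Request over UDP and decoding the XOR-MAPPED-ADDRESS from the reply, which is the server-reflexive address a peer learns during NAT traversal. Hostnames such as `netbird.example.com:3478` are placeholders, and the embedded response bytes are constructed for the offline self-check, not captured from any server.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"net"
	"os"
	"time"
)

const ( // RFC 5389: message types, magic cookie, attribute type
	stunBindingRequest = 0x0001
	stunBindingSuccess = 0x0101
	stunMagicCookie    = 0x2112A442
	attrXORMappedAddr  = 0x0020
)

// BuildBindingRequest returns a 20-byte Binding Request with no attributes (length field stays 0).
func BuildBindingRequest(txID [12]byte) []byte {
	msg := make([]byte, 20)
	binary.BigEndian.PutUint16(msg[0:2], stunBindingRequest)
	binary.BigEndian.PutUint32(msg[4:8], stunMagicCookie)
	copy(msg[8:20], txID[:])
	return msg
}

// ParseBindingResponse checks that resp is a Binding Success for txID and returns its XOR-MAPPED-ADDRESS.
func ParseBindingResponse(resp []byte, txID [12]byte) (*net.UDPAddr, error) {
	if len(resp) < 20 || binary.BigEndian.Uint32(resp[4:8]) != stunMagicCookie ||
		binary.BigEndian.Uint16(resp[0:2]) != stunBindingSuccess { // 0x0111 would be an error response
		return nil, fmt.Errorf("not a STUN Binding Success response")
	}
	if string(resp[8:20]) != string(txID[:]) {
		return nil, fmt.Errorf("transaction ID mismatch (stale or forged reply)")
	}
	bodyLen := int(binary.BigEndian.Uint16(resp[2:4]))
	if 20+bodyLen > len(resp) {
		return nil, fmt.Errorf("truncated STUN body")
	}
	body := resp[20 : 20+bodyLen]
	for len(body) >= 4 {
		typ, n := binary.BigEndian.Uint16(body[0:2]), (int(binary.BigEndian.Uint16(body[2:4]))+3)&^3 // padded length
		if 4+n > len(body) {
			return nil, fmt.Errorf("truncated attribute")
		}
		if typ == attrXORMappedAddr && n >= 8 { // 8 = IPv4 value length
			ipLen := map[byte]int{0x01: 4, 0x02: 16}[body[5]] // address family
			if ipLen == 0 || n < 4+ipLen {
				return nil, fmt.Errorf("malformed XOR-MAPPED-ADDRESS")
			}
			ip := make(net.IP, ipLen)
			for i := range ip {
				ip[i] = body[8+i] ^ resp[4+i] // undo XOR with cookie (and transaction ID for IPv6)
			}
			port := binary.BigEndian.Uint16(body[6:8]) ^ uint16(stunMagicCookie>>16)
			return &net.UDPAddr{IP: ip, Port: int(port)}, nil
		}
		body = body[4+n:]
	}
	return nil, fmt.Errorf("no XOR-MAPPED-ADDRESS in response")
}

// ProbeSTUN sends one Binding Request over UDP to server (host:port) and returns the address the server saw.
func ProbeSTUN(server string, timeout time.Duration) (*net.UDPAddr, error) {
	var txID [12]byte
	if _, err := rand.Read(txID[:]); err != nil {
		return nil, err
	}
	conn, err := net.Dial("udp", server)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(timeout))
	if _, err = conn.Write(BuildBindingRequest(txID)); err != nil {
		return nil, err
	}
	buf := make([]byte, 1500)
	n, err := conn.Read(buf) // a timeout here means nothing answered on the STUN port
	if err != nil {
		return nil, err
	}
	return ParseBindingResponse(buf[:n], txID)
}

// Constructed sample (not captured from a server): Binding Success encoding 203.0.113.7:51234.
var sampleTxID = [12]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}
var sampleResponse = []byte{
	0x01, 0x01, 0x00, 0x0c, 0x21, 0x12, 0xa4, 0x42, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,
	0x00, 0x20, 0x00, 0x08, 0x00, 0x01, 0xe9, 0x30, 0xea, 0x12, 0xd5, 0x45,
}

func main() {
	fmt.Println(ParseBindingResponse(sampleResponse, sampleTxID)) // offline self-check
	if len(os.Args) > 1 { // e.g. go run . netbird.example.com:3478
		fmt.Println(ProbeSTUN(os.Args[1], 3*time.Second))
	}
}
```

Run `go run . netbird.mydomain.com:3478` from a client, once with the name resolving to the proxy and once with the DNS override from the experiment above pointing it at the VPS. A reply carrying your public address from the second run and a timeout from the first is the STUN path being unavailable through the proxy, independent of whatever the management interface displays for the peer. Replies whose transaction ID does not match the request are rejected, so a stale or injected datagram cannot pass as the answer.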