Open Integral-Tech opened 2 months ago
pascal-fischer
commented
2 months ago Hi @Integral-Tech,
to have a full P2P connection both peers need to be reachable directly. In your status output you see
ICE candidate (Local/Remote): host/relay so one way is connected on host level (due to the public IP) which would allow P2P but the opposite direction is relayed. Thats why overall the connection type is listed as Relayed
Marcus1Pierce
commented
2 months ago @Integral-Tech From what I know, if you want both peers to communicate via P2P, both peers must be on the same IP segment, or both peers must have a public IP and be accessible from outside.
Spiritreader
commented
1 month ago Hi @Integral-Tech, to have a full P2P connection both peers need to be reachable directly. In your status output you see
ICE candidate (Local/Remote): host/relayso one way is connected on host level (due to the public IP) which would allow P2P but the opposite direction is relayed. Thats why overall the connection type is listed as Relayed
If one direction can connect via host, isn't it possible to just establish a direct wireguard connection? This is essentially the base scenario of manually setting up a wireguard tunnel for machines behind CGNAT:
Now, as long as there is a keepalive interval to prevent the CGNAT's stateful FW from closing the connection, you're good to go. I had to do this fairly often for peers before I used netbird, as some of my devices are behind CGNAT.
Having host/relay, kinda sounds like calling a friend on his phone via the number they gave you, they pick up and say "Hello" and in order to respond you send your grandma to his house via bike.
if we had a TCP connection on port 80 for CGNATed devices, some form of return traffic must be allowed directly because we need some form of traffic to flow between devices if they have a connection to each other.
Or am I understanding sth fundamentally wrong here, for example that the ICE candidate doesn't show an established connection, but rather only the peer addresses?
vampywiz17
commented
3 weeks ago Hi @Integral-Tech, to have a full P2P connection both peers need to be reachable directly. In your status output you see
ICE candidate (Local/Remote): host/relayso one way is connected on host level (due to the public IP) which would allow P2P but the opposite direction is relayed. Thats why overall the connection type is listed as RelayedIf one direction can connect via host, isn't it possible to just establish a direct wireguard connection? This is essentially the base scenario of manually setting up a wireguard tunnel for machines behind CGNAT:
- Open whatever port (12345) on PeerA.
- Configure wireguard on CTNATed PeerB to add PeerA with the address of PeerA:12345.
Now, as long as there is a keepalive interval to prevent the CGNAT's stateful FW from closing the connection, you're good to go. I had to do this fairly often for peers before I used netbird, as some of my devices are behind CGNAT.
Having host/relay, kinda sounds like calling a friend on his phone via the number they gave you, they pick up and say "Hello" and in order to respond you send your grandma to his house via bike.
if we had a TCP connection on port 80 for CGNATed devices, some form of return traffic must be allowed directly because we need some form of traffic to flow between devices if they have a connection to each other.
Or am I understanding sth fundamentally wrong here, for example that the ICE candidate doesn't show an established connection, but rather only the peer addresses?
This is how it work Tailscale. not need to "active" both client, it enought that only one is active.
Describe the problem
I am pretty sure that one of my peers has public IPv4 address, however I fail to connect two peers via P2P.
To Reproduce
Steps to reproduce the behavior:
netbird status -dExpected behavior
Are you using NetBird Cloud?
Yes
NetBird version
0.28.9
NetBird status -dA output: