netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

iOS/iPadOS Client Can't Connect to Peers When Using Non-Permissive Rosenpass #2629

Open trbutler opened 1 month ago

trbutler commented 1 month ago

Describe the problem

I was doing a fresh network configuration, so I configured all of my clients to use Rosenpass without the permissive switch. With this arrangement, iOS/iPadOS clients couldn't connect to any peers. They work fine when permissive mode is turned on.

To Reproduce

  1. In the iOS/iPadOS client enable Rosenpass and disable permissive mode.
  2. On other peers disable permissive mode via GUI or command line.
  3. Check Quantum protection status in the iOS/iPadOS client and note that it is false on desktop OS peers that successfully connect using quantum protection to each other.
  4. Attempt (and fail) to connect to those peers from iOS/iPadOS.
  5. Switch to "permissive" mode on both peers and note that communication resumes.

Expected behavior

If the iOS/iPadOS client has mirrored non-permissive quantum protection enabled, one would expect it to successfully establish connections with like-configured desktop OS peers.

Are you using NetBird Cloud?

Selfhosted.

NetBird version

A mix of 0.28.x - 0.29.4 peers, plus the latest iOS/iPadOS client.

NetBird status -dA output:

From one of the desktop peers the mobile peer couldn't connect to while on non-permissive mode:

Peers detail:
 iphone-admin.anon-uVhPV.domain:
  NetBird IP: 100.68.26.148
  Public key: S+4WdLdmo6im05ndW2ccPhdoQMVa7lvmQ4nXSMvIPHQ=
  Status: Connected
  -- detail --
  Connection type: P2P
  ICE candidate (Local/Remote): srflx/host
  ICE candidate endpoints (Local/Remote): 198.51.100.0:51820/192.168.0.90:51820
  Relay server address: 
  Last connection update: 10 minutes, 27 seconds ago
  Last WireGuard handshake: 46 seconds ago
  Transfer status (received/sent) 1.2 KiB/1.4 KiB
  Quantum resistance: false (remote didn't enable quantum resistance)
  Routes: -
  Latency: 51.378ms

 little-hills-live-stream.anon-uVhPV.domain:
  NetBird IP: 100.68.40.244
  Public key: yBhdVf0uxhuvaAr4tVbFDLUWnTWg/JCOviH5T3KmphM=
  Status: Connected
  -- detail --
  Connection type: P2P
  ICE candidate (Local/Remote): srflx/prflx
  ICE candidate endpoints (Local/Remote): 198.51.100.0:51820/198.51.100.1:51820
  Relay server address: 
  Last connection update: 10 minutes, 25 seconds ago
  Last WireGuard handshake: 1 minute, 34 seconds ago
  Transfer status (received/sent) 1.6 KiB/1.4 KiB
  Quantum resistance: true
  Routes: -
  Latency: 154.732875ms

 franklin.anon-uVhPV.domain:
  NetBird IP: 100.68.104.177
  Public key: v9F8qsB+L4fpvuTv9B8NiD27cx6h6dzVMC0XBwtw4WA=
  Status: Connected
  -- detail --
  Connection type: P2P
  ICE candidate (Local/Remote): srflx/srflx
  ICE candidate endpoints (Local/Remote): 198.51.100.0:51820/198.51.100.2:2184
  Relay server address: rels://sugarmaple.serverforest.com:443
  Last connection update: 10 minutes, 27 seconds ago
  Last WireGuard handshake: 3 seconds ago
  Transfer status (received/sent) 584 B/1.8 KiB
  Quantum resistance: true
  Routes: 192.168.4.0/23
  Latency: 28.132334ms

 ipad-admin.anon-uVhPV.domain:
  NetBird IP: 100.68.119.15
  Public key: oBnIFFtgnPA6SDOJcSHlR1BbIM5h7WudevvgmkDRLzQ=
  Status: Disconnected
  -- detail --
  Connection type: 
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: -
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false (remote didn't enable quantum resistance)
  Routes: -
  Latency: 0s

 independence.anon-uVhPV.domain:
  NetBird IP: 100.68.136.48
  Public key: wwROJuAi9t5d7W8DnF78sdMTm13iDZ9YcrtjjHtIYDM=
  Status: Connected
  -- detail --
  Connection type: P2P
  ICE candidate (Local/Remote): srflx/srflx
  ICE candidate endpoints (Local/Remote): 198.51.100.0:51820/198.51.100.2:3723
  Relay server address: rels://sugarmaple.serverforest.com:443
  Last connection update: 10 minutes, 26 seconds ago
  Last WireGuard handshake: 1 minute, 54 seconds ago
  Transfer status (received/sent) 1.8 KiB/2.9 KiB
  Quantum resistance: true
  Routes: -
  Latency: 28.637042ms

 spruce.anon-uVhPV.domain:
  NetBird IP: 100.68.172.123
  Public key: 0sA1GjrlFs+yPKlh7CARYIoFA/Ydsa4Tq/jnpLw1axk=
  Status: Connected
  -- detail --
  Connection type: P2P
  ICE candidate (Local/Remote): host/prflx
  ICE candidate endpoints (Local/Remote): 192.168.0.48:51820/198.51.100.3:51820
  Relay server address: 
  Last connection update: 10 minutes, 27 seconds ago
  Last WireGuard handshake: 26 seconds ago
  Transfer status (received/sent) 4.0 MiB/325.8 KiB
  Quantum resistance: true
  Routes: -
  Latency: 71.189958ms

 boaz.anon-uVhPV.domain:
  NetBird IP: 100.68.191.18
  Public key: ydFumIBVUwCGBjx5Xh0pZPW1G6kFq2v+8DPNz1XYkRE=
  Status: Connected
  -- detail --
  Connection type: P2P
  ICE candidate (Local/Remote): srflx/srflx
  ICE candidate endpoints (Local/Remote): 198.51.100.0:51820/198.51.100.4:51820
  Relay server address: rels://sugarmaple.serverforest.com:443
  Last connection update: 10 minutes, 25 seconds ago
  Last WireGuard handshake: 47 seconds ago
  Transfer status (received/sent) 1.2 KiB/1.6 KiB
  Quantum resistance: true
  Routes: -
  Latency: 58.120292ms

 mesquite.anon-uVhPV.domain:
  NetBird IP: 100.68.191.220
  Public key: vp6GLJc22GQXj2Ht5deowZp0OA8kG7XJS1kYl3zc6lI=
  Status: Connected
  -- detail --
  Connection type: P2P
  ICE candidate (Local/Remote): srflx/host
  ICE candidate endpoints (Local/Remote): 198.51.100.0:51820/198.51.100.5:51820
  Relay server address: rels://sugarmaple.serverforest.com:443
  Last connection update: 10 minutes, 27 seconds ago
  Last WireGuard handshake: 2 minutes, 2 seconds ago
  Transfer status (received/sent) 492 B/1.8 KiB
  Quantum resistance: true
  Routes: -
  Latency: 118.2895ms

 touchstone.anon-uVhPV.domain:
  NetBird IP: 100.68.218.63
  Public key: PAzQjGnO5xftL4rgeX9SdkajCjEJA3A+iViMbXoPgXE=
  Status: Connected
  -- detail --
  Connection type: P2P
  ICE candidate (Local/Remote): host/srflx
  ICE candidate endpoints (Local/Remote): 192.168.0.48:51820/198.51.100.2:51820
  Relay server address: rels://sugarmaple.serverforest.com:443
  Last connection update: 10 minutes, 26 seconds ago
  Last WireGuard handshake: 3 seconds ago
  Transfer status (received/sent) 552 B/1.8 KiB
  Quantum resistance: true
  Routes: -
  Latency: 36.93425ms

 rahab.anon-uVhPV.domain:
  NetBird IP: 100.68.228.94
  Public key: hxczQ9TIXjpDAFHDVzwjH6aDPlC5l5GcTj0LEmhgfRQ=
  Status: Connected
  -- detail --
  Connection type: P2P
  ICE candidate (Local/Remote): srflx/srflx
  ICE candidate endpoints (Local/Remote): 198.51.100.0:51820/198.51.100.4:2911
  Relay server address: rels://sugarmaple.serverforest.com:443
  Last connection update: 10 minutes, 27 seconds ago
  Last WireGuard handshake: 3 seconds ago
  Transfer status (received/sent) 552 B/1.8 KiB
  Quantum resistance: true
  Routes: -
  Latency: 22.512375ms

 rosalind.anon-uVhPV.domain:
  NetBird IP: 100.68.249.136
  Public key: 8ulzaG4yTm9RqIYMwRQXkw4LB7LDdhXy1ocdNCuEqBA=
  Status: Connected
  -- detail --
  Connection type: P2P
  ICE candidate (Local/Remote): srflx/prflx
  ICE candidate endpoints (Local/Remote): 198.51.100.0:51820/198.51.100.6:51820
  Relay server address: 
  Last connection update: 10 minutes, 26 seconds ago
  Last WireGuard handshake: 19 seconds ago
  Transfer status (received/sent) 3.9 MiB/313.0 KiB
  Quantum resistance: true
  Routes: -
  Latency: 75.569041ms

OS: darwin/arm64
Daemon version: 0.29.4
CLI version: 0.29.4
Management: Connected to https://sugarmaple.anon-4I0sh.domain:443
Signal: Connected to https://sugarmaple.anon-4I0sh.domain:443
Relays: 
  [stun:sugarmaple.anon-4I0sh.domain:3478] is Available
  [turn:sugarmaple.anon-4I0sh.domain:3478?transport=udp] is Available
  [rels://sugarmaple.anon-4I0sh.domain:443] is Available
Nameservers: 
FQDN: falstaff.anon-uVhPV.domain
NetBird IP: 100.68.36.98/16
Interface type: Userspace
Quantum resistance: true 
Routes: -
Peers count: 10/11 Connected

Do you face any (non-mobile) client issues?

No.
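As an added check (example code written for this page, not part of the report or of NetBird itself), the following Go snippet parses the "Peers detail" section of `netbird status -dA` output in the format quoted above and lists every peer whose quantum resistance flag is not true, keeping the daemon's stated reason. The sample input is constructed and the peer names are placeholders.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ParseQuantumFlags reads `netbird status -dA` output and returns each peer's
// "Quantum resistance:" value. Peer headers are indented one space and end in
// ":", their fields are indented two, and a non-indented line ("OS:", ...) ends
// the section so the daemon's own top-level flag is not attributed to a peer.
func ParseQuantumFlags(out string) map[string]string {
	flags := map[string]string{}
	cur := ""
	for _, raw := range strings.Split(out, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case !strings.HasPrefix(raw, " "):
			cur = "" // top-level or blank line: outside any peer block
		case !strings.HasPrefix(raw, "  ") && strings.HasSuffix(line, ":"):
			cur = strings.TrimSuffix(line, ":")
		case cur != "" && strings.HasPrefix(line, "Quantum resistance:"):
			flags[cur] = strings.TrimSpace(strings.TrimPrefix(line, "Quantum resistance:"))
		}
	}
	return flags
}
// PeersMissingQuantum lists (sorted) peers whose flag is not "true", keeping the
// daemon's reason: on a non-permissive network each entry is a peer with which
// the Rosenpass handshake did not complete.
func PeersMissingQuantum(out string) []string {
	var res []string
	for name, v := range ParseQuantumFlags(out) {
		if !strings.HasPrefix(v, "true") {
			res = append(res, fmt.Sprintf("%s: %s", name, v))
		}
	}
	sort.Strings(res)
	return res
}
// Constructed sample in the format of the report above (not real output).
const sample = `Peers detail:
 iphone-admin.example:
  Quantum resistance: false (remote didn't enable quantum resistance)

 franklin.example:
  Quantum resistance: true

Quantum resistance: true
`
```

Running `PeersMissingQuantum` over the real status dump above would list only the two mobile peers, which is the mismatch the report describes.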

pascal-fischer commented 1 month ago

Hi @trbutler. I just tested on my iPhone and I reproduced that the status on the iPhone is shown wrong. When I check my desktop peer, though, it shows quantum resistance true and the connection is fine. Can you share some logs from the iPhone when connected?