netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License
10.61k stars 474 forks

Poll-based clients with limited features (for example Mikrotik routers) #496

Open dionorgua opened 1 year ago

dionorgua commented 1 year ago

It would be cool to have a way to benefit from the automatic mesh on systems where it's impossible to run the native client or where a client is not available yet.

For example, Mikrotik routers support WireGuard, but they have no way to run custom binaries. At the same time they have their own scripting language that is able to do HTTP requests, configure network interfaces, add routes, etc.

Similar WireGuard-based mesh networks solve this by using 'gateway' servers (one machine in the network that has a public IP is assigned a 'gateway' role, and such 'static' clients have a config with just one peer, that 'gateway'). So basically 'unsupported' platforms are more like traditional VPN clients: they access the network through a fixed gateway that routes traffic to other peers, without mesh.

But I think a better solution should be possible.

Generally it should look like this:

  1. Generate some sort of authentication 'token' to access the server, plus a WireGuard private key.
  2. Provide a certain HTTP endpoint to get the actual WireGuard config with all known peers and their addresses. It may be a whole WireGuard config file (maybe just without the private key) or just some JSON (or even both, depending on a parameter).
  3. The client may send the list of IP addresses/ports it listens on via the same or an additional HTTP request. The server should update its internal DB with that information and notify other clients if it has changed.
  4. The client will poll the server periodically to sync its WireGuard config.

Surely such a client will be unable to do NAT traversal, but it will be able to reach others with a public IP or others who run the native client.

There are a few related issues, like:

PS. Feel free to rename issue to something more easy to understand.
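The four steps above describe a small poll-based protocol. The following Go sketch is an added example written for this thread; it is not NetBird's code and does not use NetBird's management API. It assumes a hypothetical `/peers` endpoint protected by a bearer token (step 1), returning the peer list as JSON without any private key (step 2), a client that fetches it and renders `[Peer]` sections for a native WireGuard interface (step 4), and a diff helper so the client only touches interface state when the list actually changed (the notification in step 3). Keys, addresses and the token are constructed placeholders; in a real deployment the endpoint must be served over TLS, since the token is the only thing standing between the network's peer list and anyone who can reach the URL.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// Peer is the assumed wire format served to poll-based clients.
// Endpoint is empty for peers that have no reachable address (e.g. behind NAT);
// a native client on the other side can still initiate to us, and WireGuard
// learns the endpoint from the first authenticated packet.
type Peer struct {
	PublicKey  string   `json:"public_key"`
	AllowedIPs []string `json:"allowed_ips"`
	Endpoint   string   `json:"endpoint,omitempty"`
	Keepalive  int      `json:"keepalive,omitempty"`
}

// peerHandler serves the current peer list to callers presenting the expected
// bearer token. Constant-time comparison avoids leaking the token via timing.
// The private key never appears here: the client generated it locally and only
// registered the public half.
func peerHandler(token string, peers func() []Peer) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		got := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if subtle.ConstantTimeCompare([]byte(got), []byte(token)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(peers())
	}
}

// fetchPeers is one poll from the client side.
func fetchPeers(url, token string) ([]Peer, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	var peers []Peer
	if err := json.NewDecoder(resp.Body).Decode(&peers); err != nil {
		return nil, err
	}
	return peers, nil
}

// RenderPeers turns the list into wg-quick style [Peer] sections, skipping our
// own key. Output is sorted so two polls with the same content render identically.
func RenderPeers(peers []Peer, selfPub string) string {
	sorted := append([]Peer(nil), peers...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].PublicKey < sorted[j].PublicKey })
	var b strings.Builder
	for _, p := range sorted {
		if p.PublicKey == selfPub {
			continue
		}
		fmt.Fprintf(&b, "[Peer]\nPublicKey = %s\nAllowedIPs = %s\n", p.PublicKey, strings.Join(p.AllowedIPs, ", "))
		if p.Endpoint != "" {
			fmt.Fprintf(&b, "Endpoint = %s\n", p.Endpoint)
		}
		if p.Keepalive > 0 {
			fmt.Fprintf(&b, "PersistentKeepalive = %d\n", p.Keepalive)
		}
		b.WriteString("\n")
	}
	return b.String()
}

// PeerDiff reports which public keys were added, removed or changed between two
// polls, so the client only reconfigures the interface when something differs.
func PeerDiff(old, cur []Peer) (added, removed, changed []string) {
	index := func(ps []Peer) map[string]string {
		m := make(map[string]string, len(ps))
		for _, p := range ps {
			enc, _ := json.Marshal(p) // struct of strings/ints: always marshals
			m[p.PublicKey] = string(enc)
		}
		return m
	}
	o, c := index(old), index(cur)
	for k, v := range c {
		if ov, ok := o[k]; !ok {
			added = append(added, k)
		} else if ov != v {
			changed = append(changed, k)
		}
	}
	for k := range o {
		if _, ok := c[k]; !ok {
			removed = append(removed, k)
		}
	}
	sort.Strings(added)
	sort.Strings(removed)
	sort.Strings(changed)
	return added, removed, changed
}

func main() {
	// Constructed sample data: placeholder keys, documentation-range endpoints.
	peers := []Peer{
		{PublicKey: "GW_PUBKEY_PLACEHOLDER=", AllowedIPs: []string{"100.64.0.1/32"}, Endpoint: "203.0.113.10:51820", Keepalive: 25},
		{PublicKey: "LAPTOP_PUBKEY_PLACEHOLDER=", AllowedIPs: []string{"100.64.0.7/32"}},
		{PublicKey: "ROUTER_PUBKEY_PLACEHOLDER=", AllowedIPs: []string{"100.64.0.9/32"}, Endpoint: "198.51.100.2:51820"},
	}
	srv := httptest.NewServer(peerHandler("tok-example", func() []Peer { return peers }))
	defer srv.Close()
	got, err := fetchPeers(srv.URL+"/peers", "tok-example")
	if err != nil {
		panic(err)
	}
	fmt.Print(RenderPeers(got, "ROUTER_PUBKEY_PLACEHOLDER="))
	if _, err := fetchPeers(srv.URL+"/peers", "wrong-token"); err == nil {
		panic("token check failed")
	}
}
```

On a router the rendered text is what a script would feed into the platform's own WireGuard peer configuration, one `[Peer]` at a time; the diff is what decides whether to touch the interface at all. Note that a peer with an empty `Endpoint` is still worth adding: if that peer runs the native client it can initiate the handshake towards the router's public endpoint, which is exactly the "reach others who run the native client" case from the proposal.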

misuzu commented 1 year ago

RouterOS supports containers now; it should be possible to run netbird in such a container.

dionorgua commented 1 year ago

Yes, I'm aware of this feature. It requires RouterOS 7.5 to create a TUN device.

Right now the most difficult part, which makes it almost impossible, is gRPC. The only way to solve this for netbird is to use some sort of proxy/adapter...

giovannicandido commented 2 months ago

This feature would be an excellent addition. I finally have a decent firewall with a Mikrotik router. My board has native WireGuard support and container support, but the container feature is a HIGH RISK feature, covered in the documentation with no guarantee of security, so I will probably never use it in a router. If we could use vanilla WireGuard as a client, even with restrictions, it would be nice. In the meantime, I can create a site-to-site connection with clients using the native WireGuard in a static manner and use routes to expose the netbird network if necessary.

JoNatGeekFiWiFi commented 1 month ago

I second this need: limited WireGuard client support.

aweher commented 1 month ago

+1 here

westerlind commented 1 month ago

In my opinion, this would be the most important missing feature in Netbird. Having this ability would add a lot more flexibility and open Netbird for many more use cases.