netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

wrong detected endpoint / ICE candidate for server behind cloud firewall #639

Open northys opened 1 year ago

northys commented 1 year ago

Describe the problem

TL;DR: the ICE candidate pair is host/prflx or host/host. If it were prflx/prflx it would work, because the TURN server would come into play.

Netbird detected the endpoint for my server as publicIP:51820. Because of that I can't connect from the server to my laptop and vice versa. Why is netbird detecting the endpoint for my server as publicIP:51820 while the port is blocked by the cloud firewall?

To Reproduce

Steps to reproduce the behavior:

  1. netbird on a laptop behind NAT and on a server at DigitalOcean (or probably any other cloud) with incoming ICMP allowed and UDP and TCP blocked (some TCP ports are whitelisted: 22, 80, 443)
  2. cannot connect from the laptop to the server and vice versa, because the laptop-side endpoint is set to the blocked port at serverPublicIP:51820

Expected behavior

A server with a public IP and a blocked port 51820 is classified as prflx/prflx in the ICE candidate field, which would lead to use of the TURN server relay.

NetBird status -d output:

```
# server to laptop
root@masked ~ # netbird status -d | grep -A 10 laptop
 northys-laptop.netbird.selfhosted:
  NetBird IP: 100.70.11.95
  Public key: maskedPublicKey1=
  Status: Connected
  -- detail --
  Connection type: P2P
  Direct: false
  ICE candidate (Local/Remote): host/prflx
  Last connection update: 2022-12-30 11:19:13

# laptop to server
 masked.netbird.selfhosted:
  NetBird IP: 100.70.55.22
  Public key: maskedPublicKey2=
  Status: Connected
  -- detail --
  Connection type: P2P
  Direct: true
  ICE candidate (Local/Remote): host/host
  Last connection update: 2022-12-30 12:19:13
```

Additional context

```
# get public key of masked
northys at laptop in ~
» netbird status -d | grep -A 5 masked
 masked.netbird.selfhosted:
  NetBird IP: 100.70.55.22
  Public key: maskedPublicKey=
  Status: Connected
  -- detail --
  Connection type: P2P
  Direct: true
  ICE candidate (Local/Remote): host/host
  Last connection update: 2022-12-30 12:19:13

# grep public key in wg to see endpoint
northys at laptop in ~
» sudo wg | grep -A 5 maskedPublicKey=
[sudo] password for northys: 
peer: maskedPublicKey=
  endpoint: maskedPublicIP:51820
  allowed ips: 100.70.55.22/32
  transfer: 0 B received, 19.08 KiB sent
  persistent keepalive: every 25 seconds

# check masked's publicIP
northys at laptop in ~
» dig +short masked
maskedPublicIP

# can't ping because my laptop cannot connect to maskedPublicIP:51820 because port is blocked
northys at laptop in ~
» ping masked.netbird.selfhosted
PING masked.netbird.selfhosted (100.70.55.22) 56(84) bytes of data.
^C
--- masked.netbird.selfhosted ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4083ms
```

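
A small check for the symptom shown in the listings above, written as an added example for this issue (it is not part of the report or of NetBird's code): it joins `netbird status -d` peers with `wg` peers by public key and flags peers whose candidate pair contains no relay candidate yet has received zero bytes over WireGuard, which is what a firewalled direct endpoint looks like. The sample listings are constructed from the issue; the addresses and key names are placeholders.

```python
import re

# Constructed samples trimmed from the `netbird status -d` and `sudo wg` listings in the
# issue; 203.0.113.10 and 192.0.2.7 are documentation addresses, not real hosts.
STATUS = """\
 masked.netbird.selfhosted:
  Public key: maskedPublicKey=
  ICE candidate (Local/Remote): host/host
 healthy.netbird.selfhosted:
  Public key: healthyKey=
  ICE candidate (Local/Remote): host/prflx
"""
WG = """\
peer: maskedPublicKey=
  endpoint: 203.0.113.10:51820
  transfer: 0 B received, 19.08 KiB sent
peer: healthyKey=
  endpoint: 192.0.2.7:51820
  transfer: 1.20 MiB received, 800.00 KiB sent
"""
UNITS = {"B": 1, "KiB": 1024, "MiB": 1024**2, "GiB": 1024**3}

def parse_blocks(text, header_re):
    """Split an indented key/value listing into {block_name: {key: value}}."""
    blocks, current = {}, None
    for line in text.splitlines():
        head = re.match(header_re, line)
        if head:
            current = blocks.setdefault(head.group(1), {})
            continue
        kv = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if kv and current is not None:
            current[kv.group(1).strip()] = kv.group(2).strip()
    return blocks

def parse_size(text):
    num, unit = re.match(r"\s*([\d.]+)\s+(B|KiB|MiB|GiB)", text).groups()
    return float(num) * UNITS[unit]  # '19.08 KiB sent' -> bytes

def dead_direct_peers(status_text, wg_text):
    """Peers with a direct (non-relay) candidate pair over which nothing was received."""
    status = parse_blocks(status_text, r"^\s*(\S+):\s*$")
    wg = parse_blocks(wg_text, r"^peer:\s*(\S+)\s*$")
    findings = []
    for name, info in status.items():
        local, _, remote = info.get("ICE candidate (Local/Remote)", "/").partition("/")
        if not {local, remote} <= {"host", "prflx", "srflx"}:
            continue  # a relay candidate means TURN already carries the traffic
        peer = wg.get(info.get("Public key", ""), {})
        if parse_size(peer.get("transfer", "0 B received")) == 0:
            findings.append((name, peer.get("endpoint", "?"), f"{local}/{remote}"))
    return findings
```

Feed it the real output of both commands on the laptop side; a hit with `Direct: true` and a public endpoint whose port the cloud firewall drops is exactly the case reported here.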
mlsmaycon commented 1 year ago

@northys could you check the recent versions? Since v0.20.0 we've refactored the core connectivity layer and improved the rate of direct connections.