Exit nodes to restrict internet access

With the current Fortinet VPN, when users start the production VPN all internet access is blocked by Fortinet. It is something we would want to implement with NetBird: when users connect to production infra via NetBird we would want to block internet access (for security). I did set up an exit node, as it seemed a possible solution, but there is no possibility to exclude some IPs from the exit node, and this caused an issue I think with the P2P connection (they all became relayed), maybe because the STUN could not be accessed or because the peers that have a public IP could not be reached either? On top of that the user can deselect the route with the netbird client command, so it defeats the purpose a bit. For the first issue, I could add routing rules and a routing table to force this traffic via the eth0 interface, but it seems a bit overkill and complex.

So I came to the conclusion that using an exit node for that purpose is not a good idea; alternatively we could force the usage of a proxy (to be security compliant).

Do you have the same requirement, and did you find a solution?


To Reproduce
Set up an exit node. Connections became relayed instead of P2P. Also some IPs must always be accessible, even when NetBird is down, like STUN, Google DNS, etc., and the exit node interfered with that.

Expected behavior

Probably an exit node is not the right way to achieve what I want; asking for advice or whether I missed something.

Are you using NetBird Cloud?

self-hosted

NetBird version

0.49

Is any other VPN software installed?

no


Have you tried these troubleshooting steps?

  • Reviewed client troubleshooting (if applicable)
  • Checked for newer NetBird versions
  • Searched for similar issues on GitHub (including closed ones)
  • Restarted the NetBird client
  • Disabled other VPN software
  • Checked firewall settings
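The "routing rules and a routing table" approach mentioned in the issue, written out as an added example (this is not code from the thread or from the NetBird project). It keeps a short allowlist of destinations (STUN and DNS addresses, constructed here as placeholders) on the physical uplink even while an exit-node default route is active, by giving them a dedicated routing table selected through `ip rule`. The interface, gateway, table id and rule priority are assumptions: the priority must sort before whatever rules the VPN client installs, which you confirm on the box with `ip rule show`.

```shell
#!/bin/sh
# Added example, not NetBird's own code: keep allowlisted destinations on the
# uplink while a VPN exit node owns the default route (Linux, iproute2).
# Assumptions: table id and priority are placeholders; the priority has to be a
# lower number than any rule the VPN client adds (verify with `ip rule show`).

BYPASS_TABLE=${BYPASS_TABLE:-100}   # hypothetical spare routing table id
BYPASS_PRIO=${BYPASS_PRIO:-100}     # must sort before the VPN client's rules

# Constructed sample allowlist: two public DNS resolvers and a placeholder
# STUN server address (TEST-NET-2). Replace with what your deployment needs.
BYPASS_CIDRS="8.8.8.8/32 8.8.4.4/32 198.51.100.10/32"

# gen_bypass_cmds IFACE GATEWAY CIDR...
# Prints the iproute2 commands without running them, so they can be reviewed
# first or fed to `sh` by apply_bypass.
gen_bypass_cmds() {
    iface=$1; gw=$2; shift 2
    # the bypass table's default route leaves via the uplink, not the tunnel
    printf 'ip route replace default via %s dev %s table %s\n' \
        "$gw" "$iface" "$BYPASS_TABLE"
    for cidr in "$@"; do
        # traffic to an allowlisted prefix consults the bypass table first
        printf 'ip rule add to %s lookup %s priority %s\n' \
            "$cidr" "$BYPASS_TABLE" "$BYPASS_PRIO"
    done
}

# count_bypass_cmds IFACE GATEWAY CIDR... -> number of commands that would run
count_bypass_cmds() {
    gen_bypass_cmds "$@" | wc -l | tr -d ' '
}

# apply_bypass IFACE GATEWAY CIDR... installs the routes and rules (needs root)
apply_bypass() {
    gen_bypass_cmds "$@" | sh
}

# remove_bypass CIDR... undoes apply_bypass for the given prefixes (needs root)
remove_bypass() {
    for cidr in "$@"; do
        ip rule del to "$cidr" lookup "$BYPASS_TABLE" priority "$BYPASS_PRIO"
    done
    ip route flush table "$BYPASS_TABLE"
}

# Usage (uplink interface and gateway are placeholders):
#   gen_bypass_cmds eth0 192.0.2.1 $BYPASS_CIDRS      # review
#   sudo sh -c '. ./bypass.sh; apply_bypass eth0 192.0.2.1 $BYPASS_CIDRS'
```

Two checks before relying on this: after `apply_bypass`, `ip route get 8.8.8.8` should show the uplink device rather than the tunnel, and `ip rule show` should list the bypass rules above the client's own. Because `ip rule add` does not deduplicate, run `remove_bypass` before re-applying with a changed list. Note that this only keeps the allowlist reachable; it does not by itself block the rest of the internet, which is the separate policy the issue asks about.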

So while I can’t directly give you a solution, you could try capturing the DNS requests and null-routing everything except the domains that still need to be reachable. At least, this is the one way I can imagine your specific use case working.

As for the exit node, make sure the group is applied only to the devices that need it. Otherwise it could apply to any device, even if they don’t need it.

Thank you Codixer. I think indeed there are better solutions to achieve the requirement.
We want to replace Fortinet with NetBird, so naturally people will compare both on each point, and this is one of them.
But overall NetBird is a more secure solution, especially with the posture check and the ability to restrict access based on the device.

I think Exit Nodes are your answer, as they do exactly what you are looking for: route all interesting traffic via the NetBird VPN.

What you would need to do is apply an ACL to the outbound Exit Node, not unlike what you did with the FortiGate.

If everything went relayed then you’re correct, the STUN most likely got messed up, and this could be a bug, as that traffic IMO should be ignored by the NetBird routing engine and should be left split.