Hi All. I’ve only recently started using Netbird, and loving it. One of my goals with Netbird is to use it as an always-on VPN on my mobile devices, using two other peers in my home network as exit nodes (in HA mode) for internet traffic, and a PiHole in my home network for DNS. I initially got this working with this setup:

Setup v1

Peers:
- AndroidMobile1 (in Mobiles group)
- AndroidMobile2 (in Mobiles group)
- PiHole
- HomelabServer

Groups:
- Mobiles

Exit Nodes / Network Routes:
- Exit Node (PiHole)
  - Routing Peer - PiHole
  - Distribution Groups - Mobiles
  - Metric - 9999
- Exit Node (HomelabServer)
  - Routing Peer - HomelabServer
  - Distribution Groups - Mobiles
  - Metric - 9998

DNS Nameservers:
- PiHole DNS
  - IP address - address of the PiHole peer @ port 53
  - Distribution Groups - Mobiles
  - Match Domains - All

Policies:
- Allow TCP port 53 from Mobiles group to PiHole peer
- Allow UDP port 53 from Mobiles group to PiHole peer

The two AndroidMobile devices have Netbird set up as an always-on VPN with the “Block connections without VPN” option enabled. This setup works. No matter where the AndroidMobile devices are (on/off my home network) I can see they are using the PiHole for DNS, and the Exit Nodes for routing internet traffic. However, the Exit Node setup is ignoring the Metric values (as the documentation states). I would like the HomelabServer exit node to be the primary one and the PiHole exit node to be the secondary/fallback. So … my second working setup is this …

Setup v2, using the new Networks feature instead of Exit Nodes / Network Routes

Peers:
- AndroidMobile1 (in Mobiles group)
- AndroidMobile2 (in Mobiles group)
- PiHole
- HomelabServer

Groups:
- Mobiles

Networks:
- Mobile Internet
  - Resources:
    - Internet
      - Address - 0.0.0.0/0
      - Access Control Policies:
        - Allow TCP 80 & 443 from Mobiles group to Internet resource
        - Allow ICMP from Mobiles to Internet resource
  - Routing Peers (HA enabled with two peers):
    - PiHole
      - Peer - PiHole
      - Masquerade - Enabled
      - Metric - 9999
    - HomelabServer
      - Peer - HomelabServer
      - Masquerade - Enabled
      - Metric - 9998 (lower metric and therefore treated as primary routing peer)

DNS Nameservers:
- PiHole DNS
  - IP address - address of the PiHole peer @ port 53
  - Distribution Groups - Mobiles
  - Match Domains - All

Policies:
- Allow TCP port 53 from Mobiles group to PiHole peer
- Allow UDP port 53 from Mobiles group to PiHole peer

So, this setup appears to work. But I have (unsuccessfully) tried to simplify this further by removing the DNS Nameserver and adding the PiHole as a Resource in the Mobile Internet network, using its LAN address 192.168.1.10, and adding the relevant Access Control Policies. So the setup below …

Setup v3, using the new Networks feature with PiHole as a Network resource

Peers:
- AndroidMobile1 (in Mobiles group)
- AndroidMobile2 (in Mobiles group)
- PiHole
- HomelabServer

Groups:
- Mobiles

Networks:
- Mobile Internet
  - Resources:
    - Internet
      - Address - 0.0.0.0/0
      - Access Control Policies:
        - Allow TCP 80 & 443 from Mobiles group to Internet resource
        - Allow ICMP from Mobiles to Internet resource
    - PiHole
      - Address - 192.168.1.10
      - Access Control Policies:
        - Allow TCP port 53 from Mobiles group to PiHole resource
        - Allow UDP port 53 from Mobiles group to PiHole resource
  - Routing Peers (HA enabled with two peers):
    - PiHole
      - Masquerade - Enabled
      - Metric - 9999
    - HomelabServer
      - Masquerade - Enabled
      - Metric - 9998 (lower metric and therefore treated as primary routing peer)

But, so far DNS isn’t working for me with this setup. The PiHole device’s UFW firewall does allow connections from anywhere to TCP/UDP port 53.
I’m just wondering if anybody else has this “v3” setup working, or could offer some advice on how I could get mine working? Or should I use the “v2” setup with the DNS Nameserver defined instead?
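A check that helps separate "the route to 192.168.1.10 is not working" from "one of the two port-53 policies is not matching", added here as an example and not code from the post or from NetBird: it hand-builds a DNS A query and sends the same question over UDP/53 and then over TCP/53, reporting the rcode and first answer for each. Run it from a peer in the Mobiles group against the PiHole's LAN address from the post, then again against the PiHole's NetBird peer address to compare the two paths; the resolver address and the name example.com in the usage block are assumptions.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    # 12-byte header (id, RD flag, QDCOUNT=1) + QNAME labels + QTYPE=A, QCLASS=IN
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def skip_name(data, off):
    # Step over a label sequence; a compression pointer (top two bits set) ends it in 2 bytes
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:
            return off + 2
        off += data[off] + 1
    return off + 1

def parse_response(data):
    # Returns rcode (0 NOERROR, 3 NXDOMAIN, 5 REFUSED), answer count and the first A record
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off, answer = 12, None
    for _ in range(qd):
        off = skip_name(data, off) + 4  # question: name + QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4 and answer is None:
            answer = socket.inet_ntoa(data[off:off + 4])
        off += rdlen
    return {"rcode": flags & 0xF, "answers": an, "answer": answer}

def query(resolver, name, tcp, timeout=3.0):
    # Same question over UDP/53 and TCP/53, matching the two separate policies in the post
    q = build_query(name)
    if tcp:
        with socket.create_connection((resolver, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)  # TCP DNS is length-prefixed
            f = s.makefile("rb")
            data = f.read(struct.unpack("!H", f.read(2))[0])
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (resolver, 53))
            data = s.recv(4096)
    return parse_response(data)

if __name__ == "__main__":  # assumed resolver (the PiHole LAN address from the post) and test name
    for tcp in (False, True):
        print("tcp" if tcp else "udp", query("192.168.1.10", "example.com", tcp))
```

A timeout on both transports points at the route or masquerade towards the resource; a REFUSED or timeout on only one of them points at the matching TCP or UDP policy.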