Site to VPN without masquerade

I’m trying to connect from clientless devices on my home network to a remote peer on a VPS. I have a local peer in an LXC which I’m routing traffic through.

The route is:
Clientless laptop (192.168.6.0/24) → Router (Unifi gateway) (192.168.6.1/24) → Local peer [Netbird network] (10.70.0.3/24) → Remote peer

I have a route on the Unifi gateway to route the Netbird subnet via the local peer 10.70.0.3.

I have a network route in place for this with a Peer Group containing just the local peer, and a distribution group containing just the remote peer (although I intend to add others once it works).

I have access policies allowing traffic in both directions.

The following works fine:

  • connectivity from local peer to remote peer and vice versa
  • connectivity from the remote peer to local clientless devices (192.168.6.0/24) via the local peer, onward routed through the Unifi gateway.
  • routing from the local clientless devices to the remote peer when masquerade is enabled

But, when I disable masquerade:

  • packets reach the remote peer with their original source address and can be seen with tcpdump -i wt0
  • packets are dropped in the kernel before being processed, i.e. no response to ICMP or SSH
  • tcpdump shows no response packet
  • netbird status -d on the remote peer shows the correct route: Networks: 192.168.6.0/24

Thanks in advance for any advice.

A clear and concise description of what the problem is.

As above

Steps to reproduce the behavior:
As above

Expected behavior

As the routes and access policies are present and routing works in the other direction, I’d have expected to be able to route from my local clientless device to the remote peer without masquerading.

Are you using NetBird Cloud?

NetBird Cloud

0.66.0

Is any other VPN software installed?

No

Debug output

I’ve collected this and can provide to support if required.

Screenshots

See above

Additional context

N/A

Have you tried these troubleshooting steps?

  • Reviewed client troubleshooting (if applicable)
  • Checked for newer NetBird versions
  • Searched for similar issues on GitHub (including closed ones)
  • Restarted the NetBird client
  • Disabled other VPN software
  • Checked firewall settings

Clientless devices (as far as I know) aren’t supported within Netbird at the moment, at best making a reverse proxy for stuff like that is the only realistic solution, but don’t quote me on that*. I’d have to ping @Ashley for that to confirm.

I am having the same exact issue. I’m actually trying to connect from an ArgoCD instance that controls a K3S node with Netbird on it. Everything looks right except the netfilter rules do not include the remote network on the single host I’m trying to connect to from the network subnet.

I was able to fix it by adding the network to this netfilter rule:

sudo nft insert rule ip netbird netbird-acl-input-rules ip saddr 10.64.0.0/16 accept

It seems like this is something that should work… But I’m not sure how to quantify it. You kind of are connecting from a “resource” to a peer.

I don’t really want to enable NAT because then I lose all visibility into the source IP from the NetBird peers into the network.

I hacked a fix together… Essentially I inject a MASQUERADE rule..

iptables -t nat -A POSTROUTING -s "$CIDR" -o wt0 -m conntrack --ctstate NEW -j MASQUERADE

I don’t love it, but it works, i.e. any new connection originating from $CIDR (my site network) going into the VPN interface will masquerade. This allows the VPN to talk to my site network and I can see the source IP (and presumably enforce policies), and anything coming from my site VPN node will have to be a single policy of that VPN node.

It’s effectively enabling the masquerade switch in one direction only. It will do for my use case.
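The two conditions discussed in this thread (the remote peer’s NetBird ACL input chain must accept the site subnet, and the one-direction NEW-only MASQUERADE workaround) can be checked from rule dumps rather than by trial and error. The script below is an added example and is not code from the thread or from the NetBird project; it assumes the table and chain names quoted in the reply above (ip netbird / netbird-acl-input-rules) and the wt0 interface name, and the two rule dumps inside it are constructed sample output, not captures from a real host.

```shell
#!/bin/sh
# Added example, not from the thread or the NetBird project.
# Checks two things a site-to-peer setup without masquerade depends on:
#   1. the remote peer's nftables ACL input chain accepts the site subnet
#      (the rule the second reply had to insert by hand), and
#   2. whether a one-way, NEW-connections-only MASQUERADE on the tunnel
#      interface is present (the workaround in the same reply).
# Table/chain names (ip netbird / netbird-acl-input-rules) and interface
# name (wt0) are taken from the thread; the two rule dumps below are
# CONSTRUCTED sample output, not captured from a real host.

# Constructed sample of: nft list chain ip netbird netbird-acl-input-rules
# The OP's site subnet 192.168.6.0/24 is deliberately absent, matching the
# symptom described above (packets arrive on wt0 but get no reply).
SAMPLE_NFT_CHAIN='table ip netbird {
    chain netbird-acl-input-rules {
        ip saddr 10.70.0.0/24 accept
        ip saddr 10.64.0.0/16 accept
    }
}'

# Constructed sample of: iptables -t nat -S POSTROUTING
SAMPLE_NAT_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.6.0/24 -o wt0 -m conntrack --ctstate NEW -j MASQUERADE'

# cidr_accepted CHAIN_DUMP CIDR
# Returns 0 when the dump contains an exact "ip saddr CIDR accept" rule.
# Fields are compared whole, so 10.64.0.0/16 does not match 110.64.0.0/16.
cidr_accepted() {
    printf '%s\n' "$1" | awk -v c="$2" '
        $1 == "ip" && $2 == "saddr" && $3 == c && $4 == "accept" { found = 1 }
        END { exit !found }'
}

# has_new_only_masquerade NAT_DUMP CIDR IFACE
# Returns 0 when a POSTROUTING rule masquerades CIDR out of IFACE but only
# for conntrack state NEW, i.e. the one-direction variant from the thread.
has_new_only_masquerade() {
    printf '%s\n' "$1" | awk -v c="$2" -v i="$3" '
        {
            s = 0; o = 0; n = 0; j = 0
            for (k = 1; k < NF; k++) {
                if ($k == "-s" && $(k + 1) == c) s = 1
                if ($k == "-o" && $(k + 1) == i) o = 1
                if ($k == "--ctstate" && $(k + 1) == "NEW") n = 1
                if ($k == "-j" && $(k + 1) == "MASQUERADE") j = 1
            }
            if (s && o && n && j) found = 1
        }
        END { exit !found }'
}

# report CHAIN_DUMP NAT_DUMP CIDR IFACE
# Prints a one-line verdict per check; returns 0 only when the ACL chain
# accepts CIDR (the condition the OP's no-masquerade setup needs).
report() {
    chain=$1; nat=$2; cidr=$3; iface=$4
    if cidr_accepted "$chain" "$cidr"; then
        echo "ACL input chain accepts $cidr"
        acl_ok=0
    else
        echo "ACL input chain has no accept rule for $cidr (replies would be dropped)"
        acl_ok=1
    fi
    if has_new_only_masquerade "$nat" "$cidr" "$iface"; then
        echo "One-way MASQUERADE for $cidr on $iface is present (source IPs hidden from the peer)"
    else
        echo "No one-way MASQUERADE for $cidr on $iface"
    fi
    return "$acl_ok"
}

# Run against the constructed samples with the OP's site subnet.
report "$SAMPLE_NFT_CHAIN" "$SAMPLE_NAT_RULES" 192.168.6.0/24 wt0 || true
```

To use it on a real remote peer, replace the constructed strings with live dumps, e.g. SAMPLE_NFT_CHAIN=$(nft list chain ip netbird netbird-acl-input-rules) and SAMPLE_NAT_RULES=$(iptables -t nat -S POSTROUTING), then call report with the site subnet and tunnel interface. A non-zero exit from report is the "packets arrive on wt0 but nothing answers" situation from the first post; a present one-way MASQUERADE is the trade-off from the reply above, where connectivity works but the peer no longer sees the original source address.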

I will most definitely be mistaken. I’m assuming it’s a similar solution like the following?

(I’m a volunteer, so excuse me for my lack of networking knowledge :stuck_out_tongue: )