Netbird Support/Discussion Thread

I took the jump from tailscale to self-hosting via a VPS to fully own the process. I've made a few mistakes along the way, only to stumble across clear instructions across the interwebs.

Hoping that this thread makes it easier for others to make the plunge.

2 Likes

Setting up netbird w/ OpenWrt by wehagy

Install netbird and kmod-wireguard (dependency not installed by default; I have opened a PR, waiting for merge). (Included by default now)

opkg update
opkg install netbird # kmod-wireguard (Added by default now)

  • Stop netbird, login via setup key (it needs to be created in the netbird interface), and start netbird again:

service netbird stop
netbird login --setup-key
service netbird start

  • Go to luci Network -> Interfaces -> Add new interface... and Save:
    • Name: netbird
    • Protocol: Unmanaged
    • Device: wt0
  • Create a new firewall zone in Luci Network -> Firewall -> Zones -> Add and Save & Apply:
    • Name: netbird
    • Input: accept
    • Output: accept
    • Intra zone forward: accept
    • Covered networks: netbird
    • Allow forward to destination zones: lan (add **wan** if you want to use an exit node)
    • Allow forward from source zones: lan

Using netbird w/ dnsmasq by wehagy

I'm glad to hear that my reply on GitHub was helpful to someone! :blush:

I'm using a similar config for DNS, and from what I can see, your setup allows netbird to function only for the *.netbird.cloud domain; at the same time, you need to prevent DNS leaks to ensure that your DNS server is enforced.

My config is dnsmasq --> netbird --> custom DNS. The custom DNS is managed through the netbird dashboard, and I assume you're familiar with how to set this up. In my case, I have a server running Pi-hole to block ads, utilizing EDNS0 and a recursive DNS server, all configured with internal routes through netbird. However, that's a topic for another day...

If I'm not mistaken, by default, netbird tries to run the DNS server on port 53 at the same IP as the internal WireGuard interface (wt0), which falls within the range of 100.127.0.1 to 100.127.255.254. If that fails, it attempts 127.0.0.1, and if that also fails, it gives up. It will always give up because, in OpenWrt, port 53 is already occupied by dnsmasq. To resolve this, modify the file /etc/netbird/config.json to ensure that the changes are persistent.

[...]
    "CustomDNSAddress": "127.0.0.1:5335",
[...]

The 127.0.0.1 is mandatory because it is the IP address where the netbird DNS server will listen. The :5335 is the port, which can be any arbitrary number, except for :53, which is the default port where the dnsmasq DNS server listens.

Why is 127.0.0.1 mandatory? Sometimes, dnsmasq and netbird fight for the /etc/resolv.conf file. /etc/resolv.conf is responsible, simplifying, for informing OpenWrt about the DNS server. This file does not support custom ports, only IP addresses. If, for some reason, this file is changed to an arbitrary address from netbird, it is better for it to match the one from dnsmasq to ensure that OpenWrt does not lose domain name resolution.

Now add or change the values in the file /etc/config/dhcp:

config dnsmasq
[...]
        # Disable the use of the ISP's DNS server to effectively enable split DNS.
        option noresolv '1'
        # Prioritize the `list server` from top to bottom, this is good to have.
        option strictorder '1'
        # The two `arpa` configurations may have some side effects,
        # here, I'm limiting the resolution of local addresses to be local only,
        # without making requests to upstream servers.
        # This is for reference, but in my case, if not configured, it can become annoying.
        list server '/in-addr.arpa/'
        list server '/ip6.arpa/'
        # Allow the resolution of `netbird.io` to be sent to any arbitrary public DNS server, in this case, 9.9.9.9 (Quad9).
        # If you are self-hosting, replace `netbird.io` with the address of your server.
        # Without this, you will encounter a race condition,
        # `netbird` cannot connect because `dnsmasq` is unable to resolve addresses,
        # and `dnsmasq` cannot resolve addresses because `netbird` cannot connect.
        list server '/netbird.io/9.9.9.9'
        # Use `netbird` DNS server.
        list server '127.0.0.1#5335'
[...]

config dhcp 'lan'
[...]
        # Disable the IPv6 DNS server, it's cursed and has caused me some issues.
        # However, you can test it to see if it works for you.
        option dns_service '0'
        option ra_dns '0'
[...]

Some relevant OpenWrt wiki pages:


Going further, you can configure the firewall to enforce the use of OpenWrt as the DNS server at all times to prevent DNS leaks. More information about this can be found in the DNS hijacking documentation.

This probably requires your own topic too, but without going into too much detail, here is my /etc/config/firewall for reference:

[...]
config redirect
        option target 'DNAT'
        option name 'Intercept-DNS'
        option src 'lan'
        option src_dport '53'

config rule
        option name 'Block-Public-DNS'
        option src '*'
        # Common ports used for DNS servers
        option dest_port '53 5353 5335 853'
        option target 'REJECT'
        option dest 'wan'

# IPv6 is cursed
config rule
        option name 'Block-IPV6-DNS'
        option src 'lan'
        option target 'REJECT'
        option family 'ipv6'
        # Common ports used for DNS servers
        option dest_port '53 5353 5335 853'
[...]

Now you are leveraging all the capabilities of netbird DNS server... Probably... :face_with_raised_eyebrow:
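Added here as a consistency check, not part of wehagy's post or of the netbird/OpenWrt projects: a POSIX sh script that reads netbird's config.json and the uci dhcp file and verifies that the pieces of the chain above line up (listener on 127.0.0.1, a port other than 53, a matching `list server` entry, noresolv/strictorder, and the bootstrap entry for the management domain ordered before the netbird entry). The sample files are constructed, and the file paths and the management-domain argument are assumptions.

```shell
#!/bin/sh
# Consistency check for the dnsmasq -> netbird DNS chain. Assumed inputs:
# netbird's config.json and the uci dhcp file (paths passed as arguments).
nb_dns_addr() {   # print the CustomDNSAddress value, e.g. 127.0.0.1:5335
    sed -n 's/.*"CustomDNSAddress": *"\([^"]*\)".*/\1/p' "$1" | head -n 1
}
# check_dns_chain CONFIG_JSON DHCP_FILE [MGMT_DOMAIN]; prints findings, returns 0 only if consistent
check_dns_chain() {
    cfg="$1"; dhcp="$2"; mgmt="${3:-netbird.io}"; rc=0
    addr=$(nb_dns_addr "$cfg"); host=${addr%%:*}; port=${addr##*:}
    # resolv.conf cannot carry a port, so the listener must sit on the same IP dnsmasq uses
    [ "$host" = "127.0.0.1" ] || { echo "FAIL: CustomDNSAddress host '$host' is not 127.0.0.1"; rc=1; }
    # :53 is taken by dnsmasq on OpenWrt; a missing port shows up as port == whole address
    if [ -z "$port" ] || [ "$port" = "53" ] || [ "$port" = "$addr" ]; then
        echo "FAIL: CustomDNSAddress port '$port' is missing or collides with dnsmasq"; rc=1
    fi
    # dnsmasq must forward to that listener using its host#port syntax
    entry="list server '${host}#${port}'"
    grep -q "$entry" "$dhcp" || { echo "FAIL: \"$entry\" not found in $dhcp"; rc=1; }
    for opt in noresolv strictorder; do
        grep -q "option $opt '1'" "$dhcp" || { echo "FAIL: option $opt '1' missing"; rc=1; }
    done
    # The management domain needs a public resolver listed BEFORE the netbird entry;
    # with strictorder, any other order recreates the bootstrap race described above.
    boot=$(grep -n "list server '/${mgmt}/" "$dhcp" | cut -d: -f1 | head -n 1)
    nb=$(grep -n "$entry" "$dhcp" | cut -d: -f1 | head -n 1)
    if [ -z "$boot" ]; then
        echo "FAIL: no \"list server '/${mgmt}/<public resolver>'\" bootstrap entry"; rc=1
    elif [ -n "$nb" ] && [ "$boot" -gt "$nb" ]; then
        echo "FAIL: bootstrap entry for $mgmt must precede \"$entry\" (strictorder)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: dnsmasq -> netbird chain via $host#$port is consistent"
    return "$rc"
}
# Constructed sample files (not copied from any real router) so the check runs offline
SAMPLE=$(mktemp -d)
printf '{\n  "CustomDNSAddress": "127.0.0.1:5335"\n}\n' > "$SAMPLE/config.json"
cat > "$SAMPLE/dhcp" <<'EOF'
config dnsmasq
        option noresolv '1'
        option strictorder '1'
        list server '/netbird.io/9.9.9.9'
        list server '127.0.0.1#5335'
EOF
check_dns_chain "$SAMPLE/config.json" "$SAMPLE/dhcp"
```

On a router, run it as `check_dns_chain /etc/netbird/config.json /etc/config/dhcp` (or with your own management domain as the third argument when self-hosting).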

Integrate netbird with uci

Original post by @NemYr

netbird has issues with some packages. The problem is known by upstream and reported in the issue, specifically regarding mwan3 and pbr. There may be more packages affected. To circumvent this, you need to set the environment variable NB_USE_LEGACY_ROUTING=true, but I don't know the consequences.

Is there a reason that requires posting copies of other threads?

  • Won't links work?
  • What discussion?
1 Like

It took a lot of learning/troubleshooting/handholding from Claude/ChatGPT, but IMO my setup now mirrors or exceeds my prior Tailscale setup. For example, I can resolve self-hosted sites using my existing .lan addresses. When I used tailscale, I had to fall back to tailscaleIP:port.

Here’s my current config:

[ NetBird Devices ]
        │
        ▼
DNS request to :53
        │
        ▼
AGH (port 53)
├── If domain is .lan
│     └── forward to dnsmasq (127.0.0.1:54)
│            └── dnsmasq resolves to LAN host
└── Else
      └── resolve via upstream resolver (Quad9, etc.)
          (traffic still goes over WAN, not PBR/exit node)

I am running the control plane (as well as an exit node) on a VPS. My last remaining step is to configure things so that all WAN traffic exiting my router uses the exit node. This should have the effect of obscuring all traffic from my pesky ISP.

Initially I tried doing this in netbird alone (ie pointing my openwrt router to use the exit node), but I quickly realized that doesn’t work by repeatedly losing internet whenever I tried it.

I am currently learning about policy-based routing to achieve this. Let me know if anyone has any insights there, otherwise I will be following this video and reading the openwrt docs.

@wehagy I noticed you updated the OpenWrt netbird pkg again but it isn't showing up as an update in LuCi/opkg for some reason... could you share any steps to upgrade?

I’m sure you are looking at the OpenWrt snapshot builds, where netbird is at version 0.58.2, while in the OpenWrt stable release netbird is at version 0.50.2. I rarely backport to the stable version because I don’t use OpenWrt stable, so I have to set up a separate environment each time for testing. In the past I looked for people to test the package, but everyone disappeared.

1 Like

I have just set up Netbird including routes and an exit node. I have a snapshot router with 0.58.2 and one 24.10 snapshot with Netbird 0.50.2.

I am willing to test the 24.10 with 58.2 so I would really appreciate it if you can backport

1 Like

Thanks, I appreciate the help. :grin:

I plan to update the OpenWrt snapshot and backport 0.59.6 this week, I’m testing it now.

Could you share your GitHub username so I can ping you after I open the PR? I can also build the image for you using my GitHub Actions script, I just need the target/subtarget/profile. The default installed packages are: luci, luci-ssl, luci-app-attendedsysupgrade, luci-app-uhttpd, owut. I can customize the package list if needed.

1 Like

Great to hear you are going to update and backport.

My github: https://github.com/egc112?tab=repositories

No need to make a build, I compile myself :slight_smile:

My 24.05 router is running 24.05 snapshot, and I actually backported 58.2 already myself and compiled for my 24.10 snapshot target, and it runs fine. I did need to run netbird up --setup-key again, probably because of the changes and the different path of the config, but that only took a minute.
I only did a quick backport; not sure if there was anything else needed regarding the different config file etc.

I will test again with 0.59 but I am travelling the next 10 days so that has to wait.

I made some notes and will polish and extend those and see if I can get wiki access, I really love it, also installed it on my Oracle cloud VPS, SSH access from the Netbird Dashboard is very neat.
Sneak preview: OpenWRT Netbird setup
But I have still a lot to learn and discover before it is ready for prime time

Thanks again for all your work

@wehagy any ETA on the upgrade to 0.59 and backport to 24.10?
I am available for testing and can compile.

1 Like

Hello, I intend to set up a netbird server in my LAN.
Is this thread up to date for setting it up on one part 24.10.4? I have a Flint2 MT6000.
Does it provide the latest version of netbird?
Or should I set it up in docker on another server?

I had it running on my R7800 24.04; it had Netbird 0.50.2, not the latest, but it worked well. I also set it up on my DL-WRX36 snapshot build, which had 0.58 Netbird, and also on my Oracle VPS.
It functions well; especially the SSH access from the Netbird dashboard to all three peers is really useful.
Also set up an exit node without any problem.

I have made some notes while setting this up maybe those are helpful, I will eventually try and make a wiki for it if I have been granted access.
See: OpenWRT Netbird setup

Now researching the cooperation with the PBR package

2 Likes

Just upgraded from 0.58.2 to 0.59.12 on DL-WRX36 running main/snapshot build:

root@DL-WRX36:~# netbird status
OS: linux/arm64
Daemon version: 0.59.12
CLI version: 0.59.12
Profile: default
Management: Connected
Signal: Connected
Relays: 4/4 Available
Nameservers: 0/0 Available
FQDN: dl-wrx36.netbird.cloud
NetBird IP: 100.105.224.116/16
Interface type: Kernel
Quantum resistance: false
Lazy connection: false
Networks: -
Forwarding rules: 0
Peers count: 1/5 Connected
root@DL-WRX36:~#

Seems to run fine at first glance

My Free Oracle VPS running Ubuntu 24.04 LTS also got an upgrade to 0.59.12 :slight_smile:

2 Likes

Sorry for the delay, my time's been tight the last few days. At the same time, updating netbird has been painful, every time I blink a new version is released :weary_face:.

I opened the PR today. I hope it doesn't become obsolete in a few hours. I’ve pinged you and added instructions for what I think is important to test, and listed the info you need to fill in and provide to me.

Your netbird config doc is great, wonderful. Is there any way I can contribute?

1 Like

I have just tested the 24.10 snapshot with the PR added and everything works fine.

More details of the testing in the PR

Thanks!

1 Like

The new version 0.59.12 (not the newer 0.5.13) has been merged and is probably already in the stable release. Thanks @egc for testing.

Also, @egc I'm thinking of updating netbird once a month (or so), because trying to keep up with the latest version is always difficult. I don't want to ping you repeatedly to test new releases, I'll make exceptions for security fixes or critical bugs. Is that okay with you, or do you have any suggestions?

1 Like

That would be more than enough :slightly_smiling_face:

Thanks!