Allow Route to FreeBSD client #2200

Open
moserpjm opened this issue Jun 26, 2024 · 137 comments

Comments

@moserpjm

I've created a quick and dirty FreeBSD port and an OPNsense plugin for the netbird client. This works quite well, but I had to patch it.
To prevent netbird from messing with the routing table of the firewall I've set NB_DISABLE_CUSTOM_ROUTING to true.
Then I tried to enable a route to the network behind the firewall. This failed because the management service only allows routes to Linux clients. To fix this I made the client pretend to be running on Linux, i.e. I've patched info_freebsd.go.
Now our firewall works as netbird gateway for our LAN.
Are there any plans to allow routes to FreeBSD clients?

@mlsmaycon
Collaborator

Really cool, @moserpjm. Would you share the port and the code changes you've done? We plan to add support for pfSense and OPNsense soon, but we are a bit short on capacity and any community help is welcome.

@moserpjm
Author

Due to the fact that we're a JVM shop, I'm not an expert on BSD ports. :D
I have two repos on our Bitbucket server. One with a clone of the FreeBSD ports tree plus the folder security/netbird, and a second with a clone of the OPNsense plugins GH repo plus the folder net/netbird.
The feature set of the plugin is service control and creation of a CARP hook script to execute netbird up/down on change of the master node.
What would be the best way to make this source accessible for you? Unfortunately I don't have the time to try to get it into the official ports / plugin trees.

@mlsmaycon
Collaborator

@moserpjm you can give access to [email protected] and from there I can fork it.

@moserpjm
Author

I'll clean up the code a little bit, push it to GitHub and then invite you.

@moserpjm
Author

moserpjm commented Jun 26, 2024

I've forked the repos on GH and added my changes.
The build works for me on the newest OPNsense version.
Netbird has to be configured manually via the CLI. If the CARP feature is to be used, auto connect must be disabled. Without CARP it has to be enabled.

Netbird port
https://github.com/moserpjm/freebsd-ports

Build instructions:
cd net/netbird
make makesum
make package

OPNSense plugin
https://github.com/moserpjm/opnsense-plugins

Build instructions:
cd net/netbird
make package

@IanMoroney

Great to see the community getting involved and being able to contribute towards this!
Well done @moserpjm :)
This is a feature that a lot of us are waiting for (it reduces infrastructure requirements for self-hosting netbird and lets us re-use existing equipment).

@robdeweese

@moserpjm thanks for this, built and tested on pfSense arm and OPNsense x86-64; works on both, including egress.

@moserpjm
Author

@robdeweese great to hear.
I'm currently reworking the CARP support. The current implementation regenerates the hook script every time the settings are saved. Unfortunately the execute flag of the script gets lost in this process. After digging through other plugins I'm now reimplementing it as a PHP script which dynamically fetches the settings. Looks like that's the preferred way.

@hongkongkiwi

Is there an OPNSense repo I can use to install these? I'd love to test them out.

@robdeweese

robdeweese commented Jul 14, 2024

Is there an OPNSense repo I can use to install these? I'd love to test them out.

I've put the packages I've built here https://nhd.cx/w6we3, but I only build the client, not the web interface. They will run on pfSense and OPNsense.

But they are very easy to build yourself as well; @moserpjm provided instructions above.

@moserpjm
Author

moserpjm commented Jul 15, 2024

Just some quick updates:

I found out that OPNsense is maintaining a fork of the freebsd-ports repo with tags of all releases in it. So I've rebased on that.
https://github.com/moserpjm/opnsense-ports -> Current branch is 24.1.10-netbird-develop.

There are new patches included:

  • Sets the host manager to noop. This prevents netbird from even trying to update the resolv.conf file.
  • Sets the received routes proto to nil to avoid the warning that it received a route but shouldn't, as it's FreeBSD. This should also avoid any routing table incidents when netbird starts supporting FreeBSD routes in the future.

It would be really nice to have environment variables for those settings in netbird to get rid of the patches.

The plugin now has some new features:

  • New status page with filterable/sortable host table
  • Manual netbird up/down control on the status page
  • Form to do the initial netbird up -k .... (only -k, -m and -n available via GUI atm)
  • New PHP-based CARP syshook
  • Checkboxes to enable rosenpass / rosenpass permissive
  • Ability to set the WireGuard port

My current working branch is "new-status".

We're currently testing it with our firewalls at the office. A repo for internal use is already in place. I'll try to get a cheap VPS to let you try my builds.

@moserpjm
Author

Is there an OPNSense repo I can use to install these? I'd love to test them out.

If you're brave enough you can try the build in my RC repo.

  • fetch -o /usr/local/etc/pkg/repos/netbird-rc-241.conf https://os-pkg.pjm.co.at/netbird-rc-241.conf
  • pkg update
  • Install os-netbird (it should show up under VPN)
  • Add a firewall rule to open the desired WG port
  • Change the settings to your liking and enable it
  • Use the setup function on the settings page or do a manual netbird up with the desired options
  • Assign the wt0 interface
  • Enable the interface (don't forget to check "Prevent interface removal")
  • If you enable the CARP functionality you have to press the "Set UP" button on the connection status page of the MASTER, otherwise both nodes are down until a CARP event happens

@moserpjm
Author

I've uploaded 0.28.5 builds to the PR repo.
Please stop the service before installing the update.
This update fixes the problem of netbird not starting if it crashed before and didn't delete its wt0 tun device.
Also, syslog output is now enabled.
The OS plugin now contains the appropriate syslog filter and a link to the log viewer.

I've also restructured the repos. There are now development branches for OS 24.1 and 24.7 in both repos. For future builds I'll tag them in Git with the port/plugin version.

24.7 versions work fine on the latest R2.
My only problem is the maintenance nightmare of two versions. :D

@Hobby-Student

Hobby-Student commented Jul 27, 2024

@moserpjm
Nice work! I compiled both packages from your GitHub repos on 24.7_5 myself and it is up and running. I do see the OPNsense online on the netbird admin page. I can ping OPNsense and the networks behind it, but I don't get any traffic through. I assigned wt0 and added a firewall rule from any to any. Without this rule, pings are also not possible. The status page of the plugin shows all peers as connected.

Am I missing something?

I think I do have some glitches in my config. This plugin seems to work without any problem and the problems came (unexpected) out of my system.

@Hobby-Student

Hobby-Student commented Jul 27, 2024

Am I missing something?

I was not clear in my previous post. I only tried traffic to port 443 on several web services behind OPNsense and on OPNsense itself. Also, OPNsense is configured as routing peer in netbird.
I now found 2 rules in NAT.

[screenshot]

If I disable the 443 rule, traffic on 443 to clients behind OPNsense is working.
Just OPNsense itself is complaining about a potential DNS rebind attack if connecting through netbird DNS. This behaviour is fine and default for OPNsense.
[screenshot]

Using e. g. LAN IP of opnsense, everything is working as expected.

I think I do have some glitches in my config. This plugin seems to work without any problem and the problems came (unexpected) out of my system.

@moserpjm
Author

@Hobby-Student nice to hear that it works for you.
Just created the RC repo for 24.7:
fetch -o /usr/local/etc/pkg/repos/netbird-rc-247.conf https://os-pkg.pjm.co.at/netbird-rc-247.conf

@Hobby-Student

@moserpjm

To prevent netbird from messing with the routing table of the firewall I've set NB_DISABLE_CUSTOM_ROUTING to true.

With the netbird port, wt0 is added to the system and we enable the netbird interface within OPNsense. For me it looks like you then need to manage the firewall rules for the netbird interface. If netbird would add routes in the background, those routes wouldn't affect OPNsense in a negative way?

As far as I can see, Tailscale is doing it the same way. Just doing stuff in the background, and OPNsense can handle this through firewall rules on the interface.

I'll do some tests.

@moserpjm
Author

moserpjm commented Aug 4, 2024

Yes, you have to manage the rules on your own. If you configure a network route via a node in Netbird, firewall rules don't apply anyway. Don't get me wrong, but no sane sysadmin would trust the firewall mechanism of some third-party VPN tool on a firewall. On a client maybe, but not on a firewall.
Like I said, I'm also no big fan of letting netbird change the routing table. Wrong entries, like overriding the standard gateway, could bring the whole firewall down.
But hey, that's just my opinion. The beauty of open source is that you can change it however you like. 😉
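The concern raised in the comment above, a VPN client writing routes such as a replacement default gateway into the firewall's routing table, is something an operator can check for on the box. The following shell script is an added example, not code from this thread or from netbird/os-netbird; it assumes the wt0 interface name and FreeBSD netstat -rn -f inet output, and the two sample routing tables are constructed inline.

```shell
#!/bin/sh
# Added example (not from this thread or from netbird/os-netbird): audit the
# FreeBSD routing table for routes bound to a VPN tun interface and flag the
# failure modes raised above: a default route pulled onto the tunnel, and a
# tunnel route duplicating a prefix already served by another NIC.
# The wt0 name is assumed; the netstat output below is constructed.

# Constructed `netstat -rn -f inet` output: 10.0.0.16/28 is a network route
# learned via a Linux routing peer (100.64.0.5), as discussed in the thread.
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS        igb0
10.0.0.16/28       100.64.0.5         UGS         wt0
100.64.0.0/10      link#5             U           wt0
127.0.0.1          link#2             UH          lo0
192.168.1.0/24     link#1             U          igb1'

# The same table after a misbehaving client also wrote a default route and a
# copy of the LAN prefix onto wt0 (constructed failure case).
BAD_ROUTES="$SAMPLE_ROUTES
default            100.64.0.5         UGS         wt0
192.168.1.0/24     100.64.0.5         UGS         wt0"

# iface_routes IFACE [TABLE]: print "dest gateway flags" for routes on IFACE.
# TABLE defaults to the live table, so the functions also work on a real box.
iface_routes() {
    printf '%s\n' "${2:-$(netstat -rn -f inet)}" |
        awk -v ifc="$1" 'NF >= 4 && $4 == ifc { print $1, $2, $3 }'
}

# default_via_iface IFACE [TABLE]: exit 0 if a default route sits on IFACE.
default_via_iface() {
    iface_routes "$1" "$2" | grep -Eq '^(default|0\.0\.0\.0(/0)?) '
}

# shadowed_prefixes IFACE [TABLE]: print destinations present on IFACE and on
# some other interface (the default route is covered by the check above).
shadowed_prefixes() {
    printf '%s\n' "${2:-$(netstat -rn -f inet)}" |
        awk -v ifc="$1" '
            NF >= 4 && $1 != "Destination" && $1 != "default" {
                if ($4 == ifc) onif[$1] = 1; else other[$1] = 1
            }
            END { for (d in onif) if (d in other) print d }' | sort
}

# audit_routes IFACE [TABLE]: exit 0 when clean, 1 when a finding was printed.
audit_routes() {
    rc=0
    if default_via_iface "$1" "$2"; then
        echo "ALERT: default route bound to $1 (all firewall egress would be hijacked)"
        rc=1
    fi
    for p in $(shadowed_prefixes "$1" "$2"); do
        echo "ALERT: $p on $1 shadows a prefix served by another interface"
        rc=1
    done
    return $rc
}

# On a live firewall: audit_routes wt0
```

Run it from a CARP hook or a periodic cron job so that a routing-table change on the tunnel interface is noticed before it takes the firewall offline.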

@Hobby-Student

[...] no sane sysadmin would trust the firewall mechanism of some third party VPN tool on a firewall.[...]

I agree, but I want to give the possibility a chance and take a look at how things are handled this way. I did try Tailscale the other day and I think they use this approach.
Also, the WireGuard plugin of OPNsense is adding the routes from the config file, and I'm not experienced enough to see if adding routes by netbird would act the same way. If so, a sane admin could whitelist the needed netbird IPs without relying on the netbird-created peers (and routes) as a whole 😉

Of course, I could be totally wrong 😄

@Hobby-Student

Little update:
I compiled the ports version of @moserpjm with some modifications to patch-opnsense. I removed everything except the changes for operating system and DNS. I then added a static route to OPNsense with route -n add -inet 10.0.0.16/28 -interface wt0. netbird routing is configured with a Linux machine providing the route to 10.0.0.16/28 (masquerade) and OPNsense is allowed to use it. But it's not working. For other peers, the route is working as expected.

Is netbird client not able to use the routes because it's not implemented for FreeBSD and therefore static routes are not working?

@moserpjm
Author

moserpjm commented Aug 6, 2024

Pro tip #1: Don't mess around with the shell. OPNsense has its own configuration system. If you fiddle around with the CLI it will end in some undefined state. I'd reboot it first before you do anything else.

I haven't tried what you try to accomplish myself, so this is just a lucky guess.
Try adding a gateway with the netbird IP of your Linux machine on the netbird interface. Then add a route via the gateway to 10.0.0.16/28.
Yes, all via the web UI. ;)
This is what netbird would do automatically if it knew how on BSD.

@Hobby-Student

Pro tip #1: Don't mess around with the shell. OPNsense has its own configuration system. If you fiddle around with the CLI it will end in some undefined state. I'd reboot it first before you do anything else.

I haven't tried what you try to accomplish myself, so this is just a lucky guess. Try adding a gateway with the netbird IP of your Linux machine on the netbird interface. Then add a route via the gateway to 10.0.0.16/28. Yes, all via the web UI. ;) This is what netbird would do automatically if it knew how on BSD.

I tried it first through the web UI. It failed. Then I did what WireGuard does (or how I think it does): just add the route on the interface without a gateway. Perhaps I missed something and I will try again as soon as possible.

@Hobby-Student

Mystery solved (perhaps): netbird routes list -> No routes available

@mlsmaycon
Am I right, that routing is not working because it's not implemented yet for FreeBSD? Or should routing work if I add it manually as a static route - with or without the routing peer as gateway?

@Hobby-Student

Removed netbird from OPNsense, rebooted, deleted the peer in netbird management, compiled netbird v0.28.7 and just used the mod by @moserpjm to identify the FreeBSD as Linux -> It works!
Don't know exactly why it wasn't before, but I think there was something wrong on my side. Also, the rules of OPNsense are working with the netbird routing.
[screenshot]

I'll test this some more and report back.

@Hobby-Student

Deployed it on 3 OPNsense boxes and configured routes via netbird management. Every firewall rule inside OPNsense is respected, and without any rule on the netbird interface, traffic is blocked (default).
So far I can't see any showstoppers in this small test environment. Routing between the OPNsense boxes and access to all networks (with configured firewall and outbound NAT rules) are working as intended.

@ditronicos

There seems to be some progress with the latest version.

https://github.com/netbirdio/netbird/releases/tag/v0.36.4

@Gauss23

Gauss23 commented Jan 28, 2025

@ditronicos the limitation on the management server regarding the network routes seems to be still there. Let's hope for 0.37.0.
I'll build the new package for 0.36.4 in the next days.

@td007

td007 commented Jan 29, 2025

A quick message from me.
I have been using the plugin for about a week and it works very well.
Thank you for your effort and the work you do.

A Netbird integration in OPNsense is incredibly useful :-)

@ditronicos

ditronicos commented Feb 1, 2025

For the record: OPNsense 25.1 has been released. 24.7 can be easily upgraded from the UI. https://opnsense.org/about/road-map/

The plugin is still working fine. Just after the last upgrade reboot, the ping to the rest of the netbird network was a bit large; it connected relayed. After shutting down the VM (I have installed OPNsense in Proxmox) it connects p2p again.

Some minor aesthetic issues in the connection status page related to the search button, not a big deal (Cicada theme).

@Gauss23

Gauss23 commented Feb 4, 2025

Hey everyone,

I created 2 pull requests for OPNsense:

Fingers crossed, that the OPNsense team is happy with it.

@ditronicos

Yep, all the fingers.

@td007

td007 commented Feb 5, 2025

You are simply the best.
Thank you very much for your work.

They are clever people at OPNsense; they'll give their OK.

@Hobby-Student

@Gauss23 thanks for your work. I use my own compiled version on several OPNsense boxes. I would have waited with the pull requests until netbird merged all changes for FreeBSD. Now it's "netbird with custom patches, which make it work, but there could be unwanted side effects in regard to routing security, and netbird will soon merge changes in routing for FreeBSD".

@Gauss23

Gauss23 commented Feb 5, 2025

@Hobby-Student the only part of the patch which is left is the reporting as FakeBSD. The DNS and routing patches were removed and replaced by the built-in functions. So, yes, as soon as the Netbird management server accepts all peers as routing peers, this patch can also be removed.

@Hobby-Student

the only part of the patch which is left is the reporting as FakeBSD

Just my 2 cents. OPNsense is trying to keep everything secure to not damage its reputation. A new VPN plugin with workarounds seems not to be the best idea.
My point of view. Perhaps they accept your pull requests right away.

@moserpjm
Author

moserpjm commented Feb 6, 2025

I hope they accept the PR.
Just took a look at the source of the new official Tailscale plugin. Looks like we didn't do a lot of "non best practice" stuff in os-netbird. :D
Fingers crossed for the code review.

@IceFlom

IceFlom commented Feb 14, 2025

Hi, I've installed netbird on my OPNsense with this repo: https://os-pkg.sun-ri.se/netbird-rc-247.conf
After upgrading from 24.7.12 to 25.1.1 the plugin is shown as "misconfigured", which seems to be a known problem according to the history in this issue. But I also get "duplicate dependency" messages when checking for updates. The plugin still seems to work normally.

Updating netbird-247 repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: . done
Processing entries: . done
netbird-247 repository update completed. 5 packages processed.
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (3 candidates): .
pkg: os-netbird: duplicate dependency listing: netbird
pkg: os-netbird: duplicate dependency listing: netbird
pkg: os-netbird: duplicate dependency listing: netbird
pkg: os-netbird: duplicate dependency listing: netbird
pkg: os-netbird: duplicate dependency listing: netbird
pkg: os-netbird: duplicate dependency listing: netbird
pkg: os-netbird: duplicate dependency listing: netbird
pkg: os-netbird: duplicate dependency listing: netbird
Checking for upgrades (3 candidates).... done
Processing candidates (3 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

@Gauss23

Gauss23 commented Feb 14, 2025

Hi @IceFlom, thanks for bringing that up. It seems that I forgot to clean up the repo. There were multiple versions and therefore it complained. Now it's fixed. The repo is 24.7. I need to create one for 25.1. Hope to do this this weekend.

The "misconfigured" status seems to be normal for all 3rd party plugins. At least that's what I understood from the answer of the OPNsense team:
https://forum.opnsense.org/index.php?topic=45288.0

It was noted as misconfigured also in 24.7.x.

@ditronicos

Hi guys, 0.37.0 is finally here.

https://github.com/netbirdio/netbird/releases/tag/v0.37.0

@Gauss23

Gauss23 commented Feb 22, 2025

Thank you for the heads up. From reading the release notes I can't see that the limitation of Linux as routing peer was removed. Maybe someone else can comment on that.

@Gauss23

Gauss23 commented Feb 24, 2025

@Gauss23

do you think this PR (to disable router restriction) is making it into production anytime in the near future?

Hopefully v0.37.0

@lixmal do you know when the limitation will be gone? It doesn't seem to be included in 0.37.x yet. Any plans?

@lixmal
Contributor

lixmal commented Feb 24, 2025

It was released with v0.36.6.

@Gauss23

Gauss23 commented Feb 24, 2025

Thank you. Are there any plans to remove the management UI restriction?

@lixmal
Contributor

lixmal commented Feb 24, 2025

There's never been one, only a dashboard limitation. It has been lifted as well.

@Gauss23

Gauss23 commented Feb 24, 2025

Perfect, turns out I just pulled the new docker images but forgot to restart the containers. Now it works as expected. That's great! Thank you!
Now we just wait for the FreeBSD port to be accepted: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284877

And then the OPNsense plugin can be released.

@scroguard

Perfect, turns out I just pulled the new docker images but forgot to restart the containers. Now it works as expected. That's great! Thank you! Now we just wait for the FreeBSD port to be accepted: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284877

And then the OPNsense plugin can be released.

This is excellent news! I look forward to the plugin being released.

@xromansx

xromansx commented Mar 12, 2025

Is there any workaround to assign it as routing peer? Mine still has an empty Linux version. Thanks

@mlsmaycon
Collaborator

Hey Folks,

As you know, we've submitted our FreeBSD port for NetBird but haven’t received any response from the FreeBSD team yet. We’d really appreciate it if you could leave a comment on the issue. Your support can help bring more attention to the submission and speed up the review process.

Here’s the link to the issue: Bugzilla

Thanks for your support! Every comment helps!

@Gauss23

Gauss23 commented Mar 13, 2025

Waiting for the creation of my account there to be able to add a comment.

@ditronicos

Waiting for the creation of my account there to be able to add a comment.

+1

@ditronicos

It does not look like this is going forward from the FreeBSD side.

Any alternative solution?

@Gauss23

Gauss23 commented Mar 22, 2025

I'm also frustrated about the whole process. It seems to be very erratic. No queue where we would see how long it might take. OPNsense folks say that the port is needed for the plugin.

@ditronicos

ditronicos commented Mar 22, 2025

Maybe it would be easier to try with pfSense? Nah, forget it, it is FreeBSD too.

@joBr99

joBr99 commented Mar 23, 2025

Waiting on account creation too now.

I'm looking for something to replace a ton of site-to-site OpenVPN tunnels with a simpler and more "agile" solution like netbird. (That also easily works with dynamic IPs and Carrier-Grade NAT on backup internet connections.)

It would be possible to do the same with ZeroTier, but only with netbird is it possible to easily self-host everything.

So definitely not a homelab topic for myself.
