Description
Update May 4, 2025:
I found that while Tailscale uses UPnP, PCP and NAT-PMP to try to open ports, NetBird doesn't. This means that in my network below, testserver isn't able to directly access the host laptop that is under the NAT of the router openwrt. I guess this is the main reason why it uses public IP to communicate.
Describe the problem
Recently I switched my VPN software from Tailscale to NetBird. I am amazed by the Networks and the powerful web panel NetBird provides. However, I found that when using NetBird, two peers in different VLANs might build P2P connections through the public Internet instead of connecting directly via LAN addresses, while this won't happen in Tailscale.
Expected behavior
Two peers would create P2P connections using LAN IP.
Are you using NetBird Cloud?
No, I'm using self-hosted NetBird service.
NetBird version
0.43.1
Is any other VPN software installed?
Yes, Tailscale, but it isn't running when testing NetBird.
Debug output
Peers detail:
aws.anon-szr8O.domain:
NetBird IP: 100.75.62.188
Public key: R9k1i3+mhdiXvJBGWD0cMxh1U8NVAVCxUjxFH3+Ezm4=
Status: Connected
-- detail --
Connection type: P2P
ICE candidate (Local/Remote): srflx/srflx
ICE candidate endpoints (Local/Remote): 198.51.100.0:2503/198.51.100.1:51820
Relay server address: rel://vpn.anon-wQzkR.domain:33080
Last connection update: 1 minute, 28 seconds ago
Last WireGuard handshake: 1 minute, 29 seconds ago
Transfer status (received/sent) 92 B/276 B
Quantum resistance: false
Networks: -
Latency: 34.3508ms
openwrt.anon-szr8O.domain:
NetBird IP: 100.75.71.12
Public key: gzFExSImZUjbZiiQEeRTm8NfamuZTpAjokEeiLMit2k=
Status: Connected
-- detail --
Connection type: P2P
ICE candidate (Local/Remote): host/srflx
ICE candidate endpoints (Local/Remote): 127.0.0.1:51820/198.51.100.0:2586
Relay server address: rel://vpn.anon-wQzkR.domain:33080
Last connection update: 1 minute, 27 seconds ago
Last WireGuard handshake: 1 minute, 29 seconds ago
Transfer status (received/sent) 156 B/244 B
Quantum resistance: false
Networks: -
Latency: 8.0082ms
kirakira.anon-szr8O.domain:
NetBird IP: 100.75.74.196
Public key: +8UMb8RWhTYpv23jTOGgN+CsbN9OOTOgOk1h9OkGAi0=
Status: Connected
-- detail --
Connection type: Relayed
ICE candidate (Local/Remote): -/-
ICE candidate endpoints (Local/Remote): -/-
Relay server address: rel://vpn.anon-wQzkR.domain:33080
Last connection update: 1 minute, 29 seconds ago
Last WireGuard handshake: 1 minute, 29 seconds ago
Transfer status (received/sent) 188 B/276 B
Quantum resistance: false
Networks: -
Latency: 0s
mobile.anon-szr8O.domain:
NetBird IP: 100.75.93.92
Public key: I2d+YhyLIDJ039d2m2K5nHt8pb+UE637A+CnzeqFQWo=
Status: Connected
-- detail --
Connection type: P2P
ICE candidate (Local/Remote): host/host
ICE candidate endpoints (Local/Remote): 169.254.226.220:51820/192.168.10.39:51820
Relay server address: rel://vpn.anon-wQzkR.domain:33080
Last connection update: 1 minute, 27 seconds ago
Last WireGuard handshake: 1 minute, 28 seconds ago
Transfer status (received/sent) 92 B/276 B
Quantum resistance: false
Networks: -
Latency: 82.0498ms
debiannet.anon-szr8O.domain:
NetBird IP: 100.75.99.152
Public key: U5ovfyRBXMf3LDwpneDUwIDyHWFSJFzOgL+aNgzl8hM=
Status: Connected
-- detail --
Connection type: P2P
ICE candidate (Local/Remote): srflx/srflx
ICE candidate endpoints (Local/Remote): 198.51.100.0:2503/198.51.100.2:36243
Relay server address: rel://vpn.anon-wQzkR.domain:33080
Last connection update: 1 minute, 27 seconds ago
Last WireGuard handshake: 1 minute, 29 seconds ago
Transfer status (received/sent) 252 B/372 B
Quantum resistance: false
Networks: 192.168.9.0/24
Latency: 42.8368ms
testserver.anon-szr8O.domain:
NetBird IP: 100.75.140.14
Public key: LBonNnujgCfjIsCcDCwdVbnCubzPxZ49lThlkaXI5iM=
Status: Connected
-- detail --
Connection type: P2P
ICE candidate (Local/Remote): host/srflx
ICE candidate endpoints (Local/Remote): 192.168.10.205:51820/198.51.100.3:11865
Relay server address: rel://vpn.anon-wQzkR.domain:33080
Last connection update: 1 minute, 27 seconds ago
Last WireGuard handshake: 1 minute, 29 seconds ago
Transfer status (received/sent) 92 B/276 B
Quantum resistance: false
Networks: 192.168.0.0/24, 198.51.100.4/16
Latency: 26.5328ms
Events:
[INFO] SYSTEM (57004cb9-069a-46b1-95ed-d2925c7ca30f)
Message: Network map updated
Time: 10 minutes, 22 seconds ago
[INFO] SYSTEM (0d927b75-c71d-47e3-b4fb-3f5047e0cea3)
Message: Network map updated
Time: 9 minutes, 6 seconds ago
[INFO] SYSTEM (5088c485-5026-4ffb-a68a-0abad87cb633)
Message: Network map updated
Time: 7 minutes, 54 seconds ago
[INFO] SYSTEM (c966f37d-8a7d-45dc-b2d6-392614f8295e)
Message: Network map updated
Time: 6 minutes, 44 seconds ago
[INFO] SYSTEM (e7dcdb20-9b00-4758-a96d-c5c450fe1e21)
Message: Network map updated
Time: 5 minutes, 30 seconds ago
[INFO] SYSTEM (3adc1913-8678-4c22-a49d-6642c26a19ab)
Message: Network map updated
Time: 4 minutes, 14 seconds ago
[INFO] SYSTEM (d79a23fb-0508-4db8-b091-4a696c14b7a1)
Message: Network map updated
Time: 2 minutes, 58 seconds ago
[INFO] SYSTEM (3a2935ca-714e-4148-b677-d8834f67cc32)
Message: Network map updated
Time: 1 minute, 43 seconds ago
[INFO] SYSTEM (96b6e4af-1f17-44f3-9ec0-86e2d13001ed)
Message: Network map updated
Time: 1 minute, 29 seconds ago
[INFO] SYSTEM (f17ab421-466a-4383-bedf-cd2d7fc8b561)
Message: Network map updated
Time: 28 seconds ago
OS: windows/amd64
Daemon version: 0.43.1
CLI version: 0.43.1
Management: Connected to https://vpn.anon-wQzkR.domain:443
Signal: Connected to https://vpn.anon-wQzkR.domain:443
Relays:
[stun:turn.anon-wQzkR.domain:3478] is Available
[turn:turn.anon-wQzkR.domain:3478?transport=udp] is Available
[rel://vpn.anon-wQzkR.domain:33080] is Available
Nameservers:
[192.168.9.4:53] for [anon-88hTz.domain] is Available
FQDN: laptop.anon-szr8O.domain
NetBird IP: 100.75.11.17/16
Interface type: Userspace
Quantum resistance: false
Networks: -
Forwarding rules: 0
Peers count: 6/6 Connected
As well as the file created by netbird debug for 1m -AS
Additional context
In the Debug output above, openwrt (LAN IP 192.168.10.1) is the router of a LAN; my device currently outputting these logs, named laptop, is also under this router. The openwrt and the testserver have different public IP addresses and ISPs due to some network policy, but they can access each other directly using local IP. In this situation, host/srflx is causing unnecessary latency and bandwidth limits.
My local network might be a little complex, so I will provide a description generated by AI for you to better understand.
[ Local Network (192.168.10.0/24) ]
│
├── [phone] IP: 192.168.10.39
├── [laptop] IP: 192.168.10.205
└── [openwrt] LAN IP: 192.168.10.1 (Gateway)
              WAN IP: 10.136.141.0
              │
[ Connected via intermediate network infrastructure in a same building ]
              │
[ Remote Network (10.20.72.0/24) ]
│
└── [testserver] IP: 10.20.72.25
                 Gateway: 10.20.72.1
Key Notes:
Local Network:
- Devices phone and laptop connect to the router (192.168.10.1) via LAN.
- The router's WAN interface is configured with 10.136.141.25 (gateway: 10.136.141.0).
Cross-Network Communication:
- The router's WAN IP (10.136.141.25) and testserver (10.20.72.25) can directly communicate via intermediate infrastructure (e.g., routers, firewalls, or dedicated links) in the same building; they are in a larger LAN.
- Mutual ping and service access confirm proper routing/NAT configuration.
IP Addressing:
- Local network uses private IP range 192.168.10.0/24.
- Remote network uses 10.20.72.0/24, distinct from the router's WAN subnet (10.136.141.0/24).
Have you tried these troubleshooting steps?
- [√] Checked for newer NetBird versions
- [√] Searched for similar issues on GitHub (including closed ones)
- [√] Restarted the NetBird client
- [√] Disabled other VPN software
- [√] Checked firewall settings
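
Added example (not part of the original issue and not NetBird code): a small Python parser for the peer blocks in the detailed status output shown under Debug output, which labels each peer's path from its connection type and ICE candidate pair and lists the peers that are not on a host/host path. The sample text is constructed by trimming three peer blocks from the output above; the function names and the labels are assumptions of this example.

```python
import re

# Constructed sample: three peer blocks trimmed from the status output on this page.
SAMPLE = """\
kirakira.anon-szr8O.domain:
Status: Connected
Connection type: Relayed
ICE candidate (Local/Remote): -/-
mobile.anon-szr8O.domain:
Status: Connected
Connection type: P2P
ICE candidate (Local/Remote): host/host
testserver.anon-szr8O.domain:
Status: Connected
Connection type: P2P
ICE candidate (Local/Remote): host/srflx
Events:
Message: Network map updated
"""

# A peer block starts with a dotted name followed by a colon on its own line;
# section headers such as "Events:" have no dot and end the current block.
PEER_HEADER = re.compile(r"^([\w-]+(?:\.[\w-]+)+):$")
SECTION = re.compile(r"^\w+:$")
FIELD = re.compile(r"^([^:]+):\s*(.*)$")

def parse_peers(text):
    """Return {peer_fqdn: {field: value}} for every peer block in the text."""
    peers, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := PEER_HEADER.match(line):
            current = peers.setdefault(m.group(1), {})
        elif SECTION.match(line):
            current = None
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1)] = m.group(2)
    return peers

def classify(fields):
    """'relayed', 'direct-lan' (host/host) or 'nat-traversed' (any non-host side)."""
    if fields.get("Connection type") != "P2P":
        return "relayed"
    local, _, remote = fields.get("ICE candidate (Local/Remote)", "-/-").partition("/")
    return "direct-lan" if local == remote == "host" else "nat-traversed"

def non_lan_peers(text):
    """Names of peers whose traffic does not take a host/host path."""
    return sorted(n for n, f in parse_peers(text).items() if classify(f) != "direct-lan")
```

Run against the full status text, `non_lan_peers` gives the list of peers to compare with the network diagram when checking which of them should have been reachable over a LAN address.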