diff --git a/source/manual/how-tos/netbird.rst b/source/manual/how-tos/netbird.rst new file mode 100644 index 00000000..04582371 --- /dev/null +++ b/source/manual/how-tos/netbird.rst @@ -0,0 +1,143 @@ +==================================== +Netbird Plugin Setup Guide +==================================== + +Introduction +============ + +This guide explains how to install and configure the **Netbird** plugin on OPNsense. +Netbird is a peer-to-peer VPN that simplifies secure networking between devices. +The plugin allows OPNsense to join a Netbird network, providing routing, DNS resolution, +and firewalling capabilities. + +Limitations +=========== + +- **Netbird Policies Do Not Create Firewall Rules on OPNsense** + - The policies set in the Netbird management console **do not** automatically create firewall rules on OPNsense. + - You need to manually configure the required firewall rules on the assigned ``wt0`` interface in OPNsense to allow or restrict traffic as needed. + +Installation +============ + +The Netbird plugin can be installed directly from the official OPNsense repository. + +Installing via Web UI +--------------------- + +1. Navigate to **System** → **Firmware** → **Plugins**. +2. Locate ``os-netbird`` in the list. +3. Click the **+** button to install the plugin. + +Configuration +============= + +After installation, navigate to **VPN** → **Netbird** to configure the plugin. + +Required Settings +----------------- + +- **Management Server URL** + - The URL of the Netbird management server (self-hosted or Netbird Cloud). + - Example: ``https://netbird.example.com``. + +- **Setup Key** + - Generated in the Netbird management server. + - Used to register OPNsense as a Netbird peer. + +- **Optional Hostname** + - Defines how OPNsense appears in the Netbird management console. + - Example: ``opnsense-router``. + +General Settings +---------------- + +- **Port (Default: 51820)** + - The default WireGuard port. + - Change this if another WireGuard server is already using the port. + - Ensure this port is open on the **WAN interface** (Firewall rules required), otherwise only a relayed connection will be possible. + +- **Disable Server Routes** + - When enabled, OPNsense **will not act as a routing peer**, preventing other Netbird peers from accessing networks behind OPNsense. + +- **Disable Client Routes** + - When enabled, OPNsense **will not use Netbird routes** to reach remote networks. + +- **Disable Netbird DNS Lookups** + - When enabled, OPNsense **will not resolve Netbird hostnames** (e.g., ``demo.netbird.selfhosted``) to IP addresses. + +- **Enable Rosenpass** + - Enables **post-quantum encryption** using Rosenpass on top of WireGuard for enhanced security. + - When enabled, this OPNsense peer will attempt to use Rosenpass for encrypted connections. + +- **Rosenpass Permissive Mode** + - When enabled, this peer will **prefer** Rosenpass for connections to other Rosenpass-enabled peers but will also allow connections to peers **without** Rosenpass. + - When disabled, this peer will **only** connect to other peers that support Rosenpass, rejecting connections from non-Rosenpass peers. + +- **CARP Interface** + - Defines how Netbird behaves in a high-availability (HA) setup using CARP. + - **None**: If set to "None", Netbird will execute ``netbird up`` automatically and enable auto-connect. + - **Specific Interface**: If an interface is selected, auto-connect is **disabled**, and Netbird must be manually started on the **MASTER** node by triggering a CARP event or executing ``netbird up`` manually. + +- **CARP VHID** + - Sets the **Virtual Host ID (VHID)** for CARP when using Netbird in a high-availability (HA) setup. + - This ID helps distinguish multiple CARP instances on the same network. + - It should match the **VHID** used in the OPNsense HA configuration for proper failover behavior. + +After configuring the required settings, click **Save** and restart the Netbird service. + +Assigning the Interface +======================= + +To enable firewalling, NAT, or routing, you need to assign the **wt0** interface. + +1. Go to **Interfaces** → **Assignments**. +2. Locate the unassigned ``wt0`` interface. +3. Enter a name in the description field (e.g., **Netbird**). +4. Click **Add** to assign it. +5. Click on the **Netbird** interface to configure it. +6. Check "Enable Interface" +7. optionally but recommended: Check "Prevent interface removal" +8. don't set any IP address or gateway +9. Click **Save** +10. Click on **Apply changes** + +Why Assign ``wt0``? +------------------- + +- Allows **incoming traffic from Netbird peers** (e.g., access to the OPNsense Web UI). +- Required for **firewalling, NAT, or advanced routing**. + +Network Address Translation (NAT) +================================= + +If you want OPNsense to act as an **exit node** for Netbird peers: + +1. Go to **Firewall** → **NAT** → **Outbound**. +2. Set the mode to **Hybrid NAT**. +3. Add a rule to **translate traffic from Netbird (``wt0``) to the WAN interface**. +4. Save and apply changes. + +Firewall Rules +============== + +Firewall rules depend on your use case. +However, some considerations: + +- If **Rosenpass** is enabled, you may need to allow **incoming UDP traffic** on high ports (30,000–65,535). +- Define rules on the ``wt0`` interface to control peer access. + +Accessing Logs +============== + +Netbird logs can be accessed via the Web UI: + +1. Navigate to **VPN** → **Netbird** → **Log File**. +2. Use logs to troubleshoot connection or routing issues. + +Conclusion +========== + +The Netbird plugin for OPNsense provides a powerful way to integrate Netbird’s VPN capabilities. +By assigning ``wt0``, setting up NAT, and configuring firewall rules, OPNsense can serve as a routing peer +or an exit node for Netbird networks.