Hi everyone,
I’m running the official Netbird cloud service (app.netbird.io) with the os-netbird plugin on OPNsense and can’t get a direct P2P connection – every peer always connects via relay.
Setup: OPNsense 26.1, os-netbird 1.2, Netbird 0.66.3, using official Netbird cloud (api.netbird.io, signal.netbird.io, relay.netbird.io). WAN firewall rule UDP/51821 open to wanip is in place. Two peers tested: iPhone (iOS) and Linux laptop – both always relay.
Netbird Status on OPNsense shows “Interface type: Userspace” and for both peers “Connection type: Relayed”, “ICE candidate (Local/Remote): /” and “ICE candidate endpoints (Local/Remote): /”. ICE candidates are empty for every peer – OPNsense never produces any candidates.
Relevant log entries: “using userspace bind mode”, “WireGuard Proxy Factory will produce bind proxy”, “[peer] OnRemoteAnswer, priority: PriorityRelay, status ICE: Disconnected, status relay: Connected”, “[peer] Dump stat: RemoteCandidate: 0, P2PConnected: 0”.
All relay/STUN servers are reachable: stun.netbird.io:443, stun.netbird.io:5555, turns:turn.netbird.io:443 and rels://streamline-de-fra1-4.relay.netbird.io:443 are all Available.
The official OPNsense plugin documentation states: “Ensure this port is open on the WAN interface (Firewall rules required), otherwise only a relayed connection will be possible.” The port is open, yet I still only get relay.
I suspect the issue is that Netbird runs in Userspace mode on FreeBSD/OPNsense, which might prevent ICE candidate gathering entirely. Is P2P even possible with the os-netbird plugin, or is this a known limitation of the userspace WireGuard implementation on FreeBSD?
Already asked on Reddit. Any help appreciated!