Skip to content

[client] Add support for retain existing AllowedIPs when no alternative paths are available #4245

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[client] Add support for retain existing AllowedIPs when no alternative paths are available #4245

wants to merge 1 commit into from

Conversation

gamerslouis
Copy link
Contributor

We are using Netbird to manage our WireGuard network (without relay nodes). Our topology is relatively stable and does not change frequently.

We have analyzed potential network instability issues that may occur when either the ICE connection drops or the management API becomes temporarily unavailable. As noted in this comment, in such cases, network routes (e.g., 10.0.0.0/24) are removed from AllowedIPs, effectively cutting off connectivity.

In our scenario, we prefer:
• When ICE fails or the management service is temporarily down, the existing network connectivity should remain unaffected. The system should not proactively remove AllowedIPs, especially when no alternative paths are available.
• Even if the management service remains operational, the temporary unavailability of routes during ICE reconnection is still unacceptable, as it causes unnecessary and avoidable disruptions.

We propose adding an option to enable a failsafe routing mode, where:
• Route manager only updates AllowedIPs when a valid, reachable path is available.
• If no valid path is detected, the current AllowedIPs are kept unchanged.

This behavior would help prevent unnecessary network disconnections caused by transient ICE or management issues.

Example environment variable:

NB_ROUTE_STICKY_ON_FAILURE=true

Issue ticket number and link

Stack

Checklist

  • Is it a bug fix
  • Is a typo/documentation fix
  • Is a feature enhancement
  • It is a refactor
  • Created tests that fail without the change (if possible)
  • Extended the README / documentation, if necessary

By submitting this pull request, you confirm that you have read and agree to the terms of the Contributor License Agreement.

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@gamerslouis
Copy link
Contributor Author

#4228 might broke our changes.

Currently, ICE disconnection does not remove the endpoint, so we only retain the routes.
If #4228 is merged, we should also disable endpoint removal.

@gamerslouis gamerslouis mentioned this pull request Aug 25, 2025
Open
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@gamerslouis