Ignore tailscale and zerotier interfaces when collecting endpoints #349

Closed
wwqgtxx opened this issue Jun 3, 2022 · 7 comments · Fixed by #351 or #352
@wwqgtxx

wwqgtxx commented Jun 3, 2022

Like tailscale/tailscale#1208.
Maybe we need to ignore tailscale and zerotier interfaces when collecting endpoints, to avoid DoSing each other through traffic amplification.
The zerotier interface names look like:
https://github.com/tailscale/tailscale/blob/55095df6445f15be35d64dc36c23b719be62be5e/net/interfaces/interfaces.go#L72-L82

strings.HasPrefix(name, "zt") || (runtime.GOOS == "windows" && strings.Contains(name, "ZeroTier"))

The tailscale interface names look like:
https://github.com/tailscale/tailscale/blob/55095df6445f15be35d64dc36c23b719be62be5e/net/interfaces/interfaces.go#L59-L67

s == "Tailscale" || strings.HasPrefix(s, "wg") || strings.HasPrefix(s, "ts") || strings.HasPrefix(s, "tailscale") || strings.HasPrefix(s, "utun")
@braginini
Contributor

braginini commented Jun 3, 2022

Good points, @wwqgtxx!
We already support interface blacklisting. You can add these to your local netbird config, /etc/netbird/config.json

IFaceBlackList []string

Right now we ignore just the tun0 by default.

config.IFaceBlackList = []string{iface.WgInterfaceDefault, "tun0"}

I will add the ones from Tailscale and ZeroTier so that they are added automatically to the IFaceBlackList.

I will also modify the code to use prefixes.

@braginini braginini self-assigned this Jun 4, 2022
@braginini braginini linked a pull request Jun 4, 2022 that will close this issue
@wwqgtxx
Author

wwqgtxx commented Jun 5, 2022

After upgrading to v0.6.3, I still find that traffic goes through the zerotier ports.
image
It can be seen from the figure that the network traffic of the zerotier port and the wg0 port are basically the same.
And I saw that the config.json has the IFaceBlackList item, so maybe the installer forgot to update this file?

{
    "PrivateKey": "<ignored>",
    "PreSharedKey": "",
    "ManagementURL": {
        "Scheme": "https",
        "Opaque": "",
        "User": null,
        "Host": "api.wiretrustee.com:33073",
        "Path": "",
        "RawPath": "",
        "ForceQuery": false,
        "RawQuery": "",
        "Fragment": "",
        "RawFragment": ""
    },
    "AdminURL": {
        "Scheme": "https",
        "Opaque": "",
        "User": null,
        "Host": "app.netbird.io",
        "Path": "",
        "RawPath": "",
        "ForceQuery": false,
        "RawQuery": "",
        "Fragment": "",
        "RawFragment": ""
    },
    "WgIface": "wt0",
    "IFaceBlackList": [
        "wt0",
        "tun0"
    ]
}

Addition 1:
I modified the config.json to the following and restarted the netbird service via services.msc (and also via netbird-ui)

    "IFaceBlackList": [
        "wt0",
        "tun0",
        "zt",
        "ZeroTier",
        "utun",
        "wg",
        "ts",
        "Tailscale",
        "tailscale"
    ]

And the traffic goes through zerotier ports.

@braginini braginini reopened this Jun 5, 2022
@braginini
Contributor

@wwqgtxx for the older version a manual config change is required.
For newer ones it is not.
Could you please list your interfaces from PowerShell?
ipconfig /all

@wwqgtxx
Author

wwqgtxx commented Jun 5, 2022

> @wwqgtxx for the older version a manual config change is required. For newer ones it is not. Could you please list your interfaces from PowerShell? ipconfig /all

C:\Users\Administrator>ipconfig /all

Windows IP 配置

   主机名  . . . . . . . . . . . . . : <ignored>
   主 DNS 后缀 . . . . . . . . . . . :
   节点类型  . . . . . . . . . . . . : 混合
   IP 路由已启用 . . . . . . . . . . : 否
   WINS 代理已启用 . . . . . . . . . : 否

未知适配器 Tailscale:

   连接特定的 DNS 后缀 . . . . . . . :
   描述. . . . . . . . . . . . . . . : Tailscale Tunnel
   物理地址. . . . . . . . . . . . . :
   DHCP 已启用 . . . . . . . . . . . : 否
   自动配置已启用. . . . . . . . . . : 是
   IPv6 地址 . . . . . . . . . . . . : fd7a:115c:a1e0:ab12:4843:cd96:626e:a40(首选)
   本地链接 IPv6 地址. . . . . . . . : fe80::99d0:ec2d:b2e7:536b%6(首选)
   IPv4 地址 . . . . . . . . . . . . : 100.110.10.64(首选)
   子网掩码  . . . . . . . . . . . . : 255.255.255.255
   默认网关. . . . . . . . . . . . . :
   DNS 服务器  . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   TCPIP 上的 NetBIOS  . . . . . . . : 已启用

未知适配器 wt0:

   连接特定的 DNS 后缀 . . . . . . . :
   描述. . . . . . . . . . . . . . . : WireGuard Tunnel
   物理地址. . . . . . . . . . . . . :
   DHCP 已启用 . . . . . . . . . . . : 否
   自动配置已启用. . . . . . . . . . : 是
   IPv4 地址 . . . . . . . . . . . . : 100.64.0.3(首选)
   子网掩码  . . . . . . . . . . . . : 255.255.0.0
   默认网关. . . . . . . . . . . . . :
   DNS 服务器  . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   TCPIP 上的 NetBIOS  . . . . . . . : 已启用

以太网适配器 以太网:

   连接特定的 DNS 后缀 . . . . . . . :
   描述. . . . . . . . . . . . . . . : Realtek PCIe 2.5GbE Family Controller
   物理地址. . . . . . . . . . . . . : D8-BB-C1-11-AD-DE
   DHCP 已启用 . . . . . . . . . . . : 是
   自动配置已启用. . . . . . . . . . : 是
   IPv6 地址 . . . . . . . . . . . . : <ignored>
   获得租约的时间  . . . . . . . . . : 2022年5月24日 16:34:24
   租约过期的时间  . . . . . . . . . : 2022年6月5日 19:32:21
   IPv6 地址 . . . . . . . . . . . . : <ignored>
   本地链接 IPv6 地址. . . . . . . . : fe80::a907:16a2:38c7:c718%5(首选)
   IPv4 地址 . . . . . . . . . . . . : 192.168.50.9(首选)
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   获得租约的时间  . . . . . . . . . : 2022年5月16日 10:26:10
   租约过期的时间  . . . . . . . . . : 2022年6月6日 14:29:34
   默认网关. . . . . . . . . . . . . : fe80::beee:7bff:fe8e:e588%5
                                       192.168.50.1
   DHCP 服务器 . . . . . . . . . . . : 192.168.50.1
   DHCPv6 IAID . . . . . . . . . . . : 114867137
   DHCPv6 客户端 DUID  . . . . . . . : 00-01-00-01-28-40-6C-80-D8-BB-C1-11-AD-DE
   DNS 服务器  . . . . . . . . . . . : <ignored>
                                       192.168.50.1
                                       <ignored>
   TCPIP 上的 NetBIOS  . . . . . . . : 已启用

以太网适配器 VMware Network Adapter VMnet1:

   连接特定的 DNS 后缀 . . . . . . . :
   描述. . . . . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet1
   物理地址. . . . . . . . . . . . . : 00-50-56-C0-00-01
   DHCP 已启用 . . . . . . . . . . . : 否
   自动配置已启用. . . . . . . . . . : 是
   本地链接 IPv6 地址. . . . . . . . : fe80::edba:1ca8:2e44:c5d1%14(首选)
   IPv4 地址 . . . . . . . . . . . . : 192.168.244.1(首选)
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 268456022
   DHCPv6 客户端 DUID  . . . . . . . : 00-01-00-01-28-40-6C-80-D8-BB-C1-11-AD-DE
   DNS 服务器  . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   TCPIP 上的 NetBIOS  . . . . . . . : 已启用

以太网适配器 VMware Network Adapter VMnet8:

   连接特定的 DNS 后缀 . . . . . . . :
   描述. . . . . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet8
   物理地址. . . . . . . . . . . . . : 00-50-56-C0-00-08
   DHCP 已启用 . . . . . . . . . . . : 否
   自动配置已启用. . . . . . . . . . : 是
   本地链接 IPv6 地址. . . . . . . . : fe80::bc6a:10fc:e12b:308b%3(首选)
   IPv4 地址 . . . . . . . . . . . . : 192.168.157.1(首选)
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 285233238
   DHCPv6 客户端 DUID  . . . . . . . : 00-01-00-01-28-40-6C-80-D8-BB-C1-11-AD-DE
   DNS 服务器  . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   TCPIP 上的 NetBIOS  . . . . . . . : 已启用

以太网适配器 以太网 2:

   媒体状态  . . . . . . . . . . . . : 媒体已断开连接
   连接特定的 DNS 后缀 . . . . . . . :
   描述. . . . . . . . . . . . . . . : ASIX AX88772C USB2.0 to Fast Ethernet Adapter
   物理地址. . . . . . . . . . . . . : 00-0E-C6-DC-53-88
   DHCP 已启用 . . . . . . . . . . . : 是
   自动配置已启用. . . . . . . . . . : 是

以太网适配器 ZeroTier One [17d709436c04d6bc]:

   连接特定的 DNS 后缀 . . . . . . . :
   描述. . . . . . . . . . . . . . . : ZeroTier Virtual Port
   物理地址. . . . . . . . . . . . . : BE-3E-79-08-A5-7C
   DHCP 已启用 . . . . . . . . . . . : 否
   自动配置已启用. . . . . . . . . . : 是
   IPv6 地址 . . . . . . . . . . . . : fd17:d709:436c:4d6:bc99:93e8:7d64:e675(首选)
   本地链接 IPv6 地址. . . . . . . . : fe80::61c3:9a1c:461e:4f72%10(首选)
   IPv4 地址 . . . . . . . . . . . . : 192.168.192.9(首选)
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . : 25.255.255.254
   DHCPv6 IAID . . . . . . . . . . . : 180239993
   DHCPv6 客户端 DUID  . . . . . . . : 00-01-00-01-28-40-6C-80-D8-BB-C1-11-AD-DE
   DNS 服务器  . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   TCPIP 上的 NetBIOS  . . . . . . . : 已启用

@braginini
Contributor

braginini commented Jun 5, 2022

@wwqgtxx I found a bug. So weird.
When the ignore list is being built it takes only every other interface from the config.

To quickly fix it, you could exchange the position of ZeroTier with zt to be like that:

"IFaceBlackList": [ "wt0", "tun0", "ZeroTier", "zt", "utun", "wg", "ts", "Tailscale", "tailscale" ]

I will push the fix meanwhile. It is a very very stupid bug :) Sorry!

@braginini braginini linked a pull request Jun 5, 2022 that will close this issue
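
A regression check for the defect described in the comment above, as an added example that is not NetBird's code: `buildEveryOther` is an assumed reconstruction of "takes only every other interface", and the case-sensitive prefix matching in `ignored` is likewise an assumption. The lists and adapter names are the ones posted in this thread.

```go
package main

import (
	"fmt"
	"strings"
)

// buildEveryOther is a hypothetical reconstruction of the defect: stepping
// the index by 2 keeps only entries 0, 2, 4, ... of the configured list.
func buildEveryOther(cfg []string) []string {
	var out []string
	for i := 0; i < len(cfg); i += 2 {
		out = append(out, cfg[i])
	}
	return out
}

// buildAll keeps every configured entry (the intended behaviour).
func buildAll(cfg []string) []string { return append([]string(nil), cfg...) }

// ignored reports whether an interface name starts with any ignore-list
// entry. Case-sensitive prefix matching is an assumption of this example.
func ignored(name string, list []string) bool {
	for _, p := range list {
		if p != "" && strings.HasPrefix(name, p) {
			return true
		}
	}
	return false
}

// Lists and adapter names copied from the thread.
var (
	original = []string{"wt0", "tun0", "zt", "ZeroTier", "utun", "wg", "ts", "Tailscale", "tailscale"}
	swapped  = []string{"wt0", "tun0", "ZeroTier", "zt", "utun", "wg", "ts", "Tailscale", "tailscale"}
	adapters = []string{"Tailscale", "wt0", "以太网", "VMware Network Adapter VMnet1", "ZeroTier One [17d709436c04d6bc]"}
)

func main() {
	const zt = "ZeroTier One [17d709436c04d6bc]"
	fmt.Println("every-other, original order:", ignored(zt, buildEveryOther(original)))
	fmt.Println("every-other, swapped order: ", ignored(zt, buildEveryOther(swapped)))
	for _, a := range adapters {
		fmt.Printf("all entries: %-34q ignored=%v\n", a, ignored(a, buildAll(original)))
	}
}
```

Short prefixes such as "ts" and "wg" match any interface whose name begins with those letters, so a check like this should also list the interfaces that must remain eligible as endpoints.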
@braginini
Contributor

@wwqgtxx Let me know how the speed is!

@wwqgtxx
Author

wwqgtxx commented Jun 5, 2022

> @wwqgtxx Let me know how the speed is!

After exchanging the positions, no traffic goes through zerotier's and tailscale's ports.
