Migration Wireguard -> Netbird
Overview
To ensure a stable, reliable, and future-proof service, we are moving from standard WireGuard to Managed WireGuard, based on the NetBird solution.
This change allows us to manage client configurations more dynamically, improve redundancy across our infrastructure, and respond faster to network changes or failures. It is an important step toward building a more resilient network that can provide a better overall service experience.
There is no change in pricing.
Why we are doing this (details):
- Improved stability and reliability: Client connections can be managed more dynamically, reducing the risk of service interruptions.
- Automatic router selection: Clients can automatically connect to the fastest available router on our side.
- Better failover handling: If a router or location becomes unavailable, routes can be adjusted automatically to maintain connectivity.
- Remote configuration management: Required client-side changes can be handled more efficiently without manual reconfiguration in many cases.
- Preparation for future redundancy: This migration is required for upcoming infrastructure improvements, including a planned Anycast network in Germany. During maintenance windows, we can also redirect clients without you noticing it in usage.
- Reduced impact during outages: The new setup helps compensate for failures of individual routers or even entire locations with minimal impact.
- More scalable infrastructure: Managed WireGuard allows us to operate and expand the network more efficiently in the future.
Other Protocols
Other protocols such as GRE, GRETAP, and VXLAN are not affected by this change, as they can already be implemented within a redundant infrastructure without changes to the user experience.
Important Notice
Standard WireGuard support will be phased out entirely (final date not yet defined).
In cases where NetBird cannot be deployed directly on a firewall or router, we recommend running the configuration on a separate Linux machine.
Since we will no longer be offering WireGuard in the future, we unfortunately do not have an alternative solution for you in this case.
Implementation (Migration Instructions)
The following scenarios are supported:
- Deployment in a virtualization environment on a virtualization host (e.g. Proxmox)
- Deployment on a Linux host to assign IP addresses directly.
- Deployment on a Linux host to provide IP addresses for other devices.
In other cases, you may proceed with the implementation at your own risk or request paid remote-hands support. Please contact our support team in this case.
Implementation steps
Be aware that your actions during setup can cause your system(s) to lose Internet access and can interrupt traffic!
You should follow these steps to disable the existing standard WireGuard implementation so that the new one can be deployed. This will result in immediate downtime!
First: Please open a support ticket and coordinate with us so that we can complete the migration with as little downtime as possible and provide you with the required setup key.
Second: Follow the instructions below to take your current service down. Perform only the actions applicable to your deployment type!
You may need to adapt the commands to your environment if you have a specific configuration. Please read through the entire manual to fully understand the configuration parameters.
Deployment on Linux Host
If you set up your host using the "DA/Direct-Assignment of IPs to a Linux-Machine" instructions, follow these steps.
Take down your tunnel:
bash /opt/novacloud-ipt-da.sh /opt/novacloud-ipt-da.env down
Follow the Netbird-Linux Setup Guide to complete the setup.
Remove the old configuration:
rm -f /etc/cron.d/novacloud-ipt-da /opt/novacloud-ipt-da.sh /opt/novacloud-ipt-da.env
Proxmox - Virtualization environment/Virtualization host
The following commands will take down the tunnel interface and the bridge on your host!
ifdown tun10
ifdown vmbr10
Take a backup of your network configuration:
cp /etc/network/interfaces /etc/network/interfaces.bak
Remove the old configuration of tun10 and vmbr10 from /etc/network/interfaces.
Add the following configuration and adjust the parameters. Read through everything and replace the variables! If you need more information, you may follow the Proxmox Guide.
auto wt10
iface wt10 inet manual

auto vmbr10
iface vmbr10 inet manual
    # IP-Transit Bridge
    mtu 1500
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up echo "1" > /proc/sys/net/ipv4/conf/vmbr10/forwarding
    post-up echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
    pre-down echo "0" > /proc/sys/net/ipv6/conf/all/forwarding
    pre-down echo "0" > /proc/sys/net/ipv4/conf/vmbr10/forwarding
    # Create a line for each IPAPI "Adresses" entry AND replace "<GATEWAY>" and "<CIDR>" using the advanced information of the subnet/info-button menu!
    post-up ip addr add <GATEWAY>/<CIDR> dev vmbr10
    # Create a line for each IPAPI "Adresses" entry and replace "<Subnet>" accordingly with its content! (Use copy button.) - required for local communication.
    post-up ip route add <Subnet> dev vmbr10 table 10
    post-up ip -4 rule add pref 10 from <Subnet> table 10 # Example for IPv4 ONLY!
    post-up ip -6 rule add pref 10 from <Subnet> table 10 # Example for IPv6 ONLY!
    # Cleanup
    post-down sh -c 'while ip -4 rule del pref 10 2>/dev/null; do :; done'
    post-down sh -c 'while ip -6 rule del pref 10 2>/dev/null; do :; done'

Additionally, you need to follow General Installation of Netbird on Linux and then come back here!
Bring up vmbr10 again:
ifup vmbr10
Now that everything is set up, you need to completely restart your VMs and containers on the vmbr10 bridge via the Proxmox interface (do not use reboot within the guest itself!).
Please contact support if anything isn't working.
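
A pre-flight check for the vmbr10 stanza above, to run before ifup vmbr10. This is an added example, not part of the original guide or the provider's tooling: it flags template placeholders (<GATEWAY>, <CIDR>, <Subnet>) left in command lines and ip -4/-6 rule lines whose subnet belongs to the other address family. The function names and the sample stanza with its documentation-range addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the provider's tooling): lint the vmbr10 stanza before "ifup vmbr10".
# lint_interfaces FILE prints one line per problem; its exit status is the problem count.
lint_interfaces() {
    awk '
        /^[ \t]*#/ { next }                        # full-line comments may mention placeholders
        { line = $0; sub(/[ \t]+#.*$/, "", line); src = "" }   # drop trailing "# ..." notes
        # 1) Template placeholders that were never replaced.
        line ~ /<(GATEWAY|CIDR|Subnet)>/ {
            printf "line %d: unreplaced placeholder: %s\n", NR, line; bad++; next
        }
        # 2) "ip -4 rule" needs an IPv4 source, "ip -6 rule" an IPv6 one.
        line ~ /ip -[46] rule add/ {
            fam = (line ~ /ip -4 /) ? 4 : 6
            n = split(line, w, /[ \t]+/)
            for (i = 1; i < n; i++) if (w[i] == "from") src = w[i + 1]
            if ((fam == 4 && src ~ /:/) || (fam == 6 && src !~ /:/)) {
                printf "line %d: ip -%d rule used with %s\n", NR, fam, src; bad++
            }
        }
        END { exit (bad > 255 ? 255 : bad + 0) }
    ' "$1"
}

# Constructed sample stanza (documentation address ranges, two deliberate mistakes).
sample_stanza() {
    cat <<'EOF'
auto vmbr10
iface vmbr10 inet manual
    # replace "<GATEWAY>" and "<CIDR>" (comment only, must not be reported)
    post-up ip addr add 203.0.113.1/24 dev vmbr10
    post-up ip addr add <GATEWAY>/<CIDR> dev vmbr10
    post-up ip route add 203.0.113.0/24 dev vmbr10 table 10
    post-up ip -4 rule add pref 10 from 203.0.113.0/24 table 10 # Example for IPv4 ONLY!
    post-up ip -6 rule add pref 10 from 203.0.113.0/24 table 10
    post-up ip -6 rule add pref 10 from 2001:db8:10::/48 table 10
EOF
}

tmp=$(mktemp)
sample_stanza > "$tmp"
lint_interfaces "$tmp" || echo "problems found: $?"
rm -f "$tmp"
```

On a real host, call lint_interfaces /etc/network/interfaces and only bring the bridge up once it exits with status 0.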