NetBird Clients Stuck on Relay – Unable to Establish Direct P2P Connections

I have a NetBird server running inside Docker on an Ubuntu VM. Clients are unable to establish direct peer-to-peer (P2P) connections and are instead routing all traffic through relays. This is causing significant performance issues, especially when using an exit node, where clients experience only 20% of expected speed.

What I Have Checked So Far:

✅ UDP is open and working – Confirmed via tcpdump, showing UDP traffic on port 3478.
✅ Coturn is running inside Docker – It is configured via /home/netbird/turnserver.conf.
✅ Firewall rules allow UDP traffic – No DROP or REJECT rules exist for UDP 3478 or UDP 51820.
✅ Coturn is listening on UDP 3478 – But clients still don’t use direct P2P.
✅ Clients are still relaying all traffic – netbird status shows Relays: 3/3 Available.
✅ NetBird logs confirm all traffic is using relays instead of direct connections.
✅ Coturn’s STUN/TURN server is not discoverable – nslookup -q=SRV _stun._udp.5.9.113.196 failed.

Clients are not registering with STUN/TURN.
docker logs netbird-coturn-1 shows no clear errors, but relays remain active.

What I Need Help With:

1️⃣ Why are NetBird clients unable to establish direct UDP connections, despite UDP being open?
2️⃣ Why is Coturn’s STUN/TURN server not being discovered by clients?
3️⃣ How can I force NetBird to prioritize direct P2P over relays?
4️⃣ Are there any additional Coturn or NetBird configuration changes needed?

Any insights or suggestions would be greatly appreciated!
Codixer 2mo ago
Could you show us your netbird status -d?
Philippe Vaucher
What OS are the clients?
404 not found (OP) 2mo ago
Sorry for the late reply, for some reason notifications didn't work. From which machine did you want the status?

I have a host in a cloud provider which has 2 VMs: one is the netbird server (ubuntu) (let's call it A), the other is the RDP server (let's call it B). I then have another ubuntu VM on another cloud acting as the VPN (let's call it C). Then I have clients, let's call them X.

C is connected and acting like an exit node for B.
X have access to B.

The issue that I am having is that when I run a speed test on B I get only 200mbps instead of 1000.

The output is too long apparently and the option to upload as a file isn't working.
Codixer 2mo ago
Check now? Still fixing most of the permissions as this discord was made... uhhhh, 2 days ago
Codixer 2mo ago
From what I can guess based on the files? If you are using an exit node, all traffic technically has to go through that node a relay to be routed. Could it be because of that?
404 not found (OP) 2mo ago
I understood that netbird makes a p2p connection from client to client even if it's an exit node. My previous wireguard solution got up to 98% speeds but this is only 20%. I think it's because one or both is using a relay, but they aren't natted so I don't know why. I've checked those outputs but too new with netbird to understand the issue or where to look for the fix.
mlsmaycon 4w ago
@404 not found can you share more about your setup? Where are the peers located? Local, cloud, on-prem? What are the firewalls in front of them?
404 not found (OP) 4w ago
The host which has the RDP server is on cloud in Germany, the ubuntu machine which acts like the VPN (with the exit node) is on cloud in the UK. I don't really have a firewall for them externally, just all ports are closed and accessible only through the VPN. The local PCs that connect are local machines, but those aren't the issue; the connection between the RDP (a hyper-v VM in the host) and the exit node (the UK VM) is for some reason relayed.

OK, I fixed the relayed issue, and I now know the issue. I'll say it in order in case anyone wants to know:

1: The reason that the RDP server was relayed to the exit node is because the exit node did actually have an active firewall at cloud level. I disabled it and now use only UFW, allowing netbird ports.
2: The MTU from the RDP to the VPN was too high. Fixed that, but it didn't make a difference to the speed.
3: The real reason is because the CPU isn't powerful enough, it's at 100% when running a speed test. Added an extra thread and speed jumped to 450 from 200.

It's annoying because with the last solution (mikrotik routers, direct connection) I had full speeds, and I had a measly 1 CPU and 1GB ram. Now I have 2 CPUs and 2GB ram. Oh well, I guess netbird isn't super optimised.
Codixer 4w ago
You can check the roles on people as a first indicator, I'll get something up so it autoposts the template later on
# Describe the problem
A clear and concise description of what the problem is.

# To Reproduce
## Steps to reproduce the behavior:

Go to '...'
Click on '....'
Scroll down to '....'
See error

# Expected behavior
## A clear and concise description of what you expected to happen.

# NetBird version, Netbird Status and Screenshots
Run `netbird version` and provide us with the response here.
If applicable, add the netbird status -d command output. Netbird version 0.27.4 and newer can use netbird status -dA for anonymized output.
If applicable, add screenshots to help explain your problem.

# Additional context
Add any other context about the problem here. The more information we have, the easier it is to help you!
Philippe Vaucher
Interesting, can you elaborate on the MTU issue? Netbird uses its own MTU (1280 iirc) so it's weird that it affected relay mode. What did you set it to for P2P (direct) mode to start working?

Also what ports did you open with ufw that changed relayed connexion? Maybe I forgot one of them (my problem is relayed connexion with 4G routers, but only from specific locations and I'm trying to figure out why).
404 not found (OP) 3w ago
For the MTU for some reason, specifically for the wt0 interface, the MTU was set to 1500 so I had to reduce it until I saw it work well. For the P2P to finally work properly, I just turned off the external firewall for my exit node VM that's on my cloud provider, rookie mistake. I am using UFW and it has the usual ports open for netbird. I just had to reconnect it and it worked.
Philippe Vaucher
Okay thanks
