Netbird doesn't work with GitHub Actions and setup-key #2828

Open
RomanKrasavtsev opened this issue Nov 1, 2024 · 3 comments
Labels
bug Something isn't working client connection

Comments

@RomanKrasavtsev

Describe the problem
Netbird doesn't work with GitHub Actions and setup-key, but it worked until 29.10.2024.

Now we are getting the error:
ssh: connect to host x.x.x.x port 22: No route to host

GitHub Action Workflow:

jobs:
  deploy:
    runs-on: ubuntu-22.04

$ sudo cat /var/log/netbird/client.log
2024-10-31T14:24:28Z INFO client/cmd/service_controller.go:24: starting Netbird service
2024-10-31T14:24:28Z INFO client/internal/config.go:162: generating new config /etc/netbird/config.json
2024-10-31T14:24:28Z INFO client/internal/config.go:228: using default Management URL https://api.netbird.io:443
2024-10-31T14:24:28Z INFO client/internal/config.go:252: using default Admin URL https://api.netbird.io:443
2024-10-31T14:24:28Z INFO client/internal/config.go:270: generated new Wireguard key
2024-10-31T14:24:28Z INFO client/internal/config.go:276: generated new SSH key
2024-10-31T14:24:28Z INFO client/internal/config.go:292: using default Wireguard port 51820
2024-10-31T14:24:28Z INFO client/internal/config.go:303: using default Wireguard interface wt0
2024-10-31T14:24:28Z INFO client/internal/config.go:356: filling in interface blacklist with defaults: [ wt0 wt utun tun0 zt ZeroTier wg ts Tailscale tailscale docker veth br- lo ]
2024-10-31T14:24:28Z INFO client/internal/config.go:402: using default DNS route interval 1m0s
2024-10-31T14:24:28Z INFO client/cmd/service_controller.go:66: started daemon server: /var/run/netbird.sock
2024-10-31T14:24:38Z INFO client/server/server.go:639: service is down
2024-10-31T14:24:38Z INFO client/cmd/root.go:191: shutdown signal received
2024-10-31T14:24:40Z INFO client/cmd/service_controller.go:90: stopped Netbird service
2024-10-31T14:24:40Z INFO client/cmd/service_controller.go:24: starting Netbird service
2024-10-31T14:24:40Z INFO client/cmd/service_controller.go:66: started daemon server: /var/run/netbird.sock
2024-10-31T14:24:40Z INFO client/internal/connect.go:111: starting NetBird client version 0.30.3 on linux/amd64
2024-10-31T14:24:41Z ERRO management/client/grpc.go:278: failed while getting Management Service public key: rpc error: code = Canceled desc = context canceled
2024-10-31T14:24:41Z ERRO management/client/grpc.go:350: failed to login to Management Service: rpc error: code = PermissionDenied desc = no peer auth method provided, please use a setup key or interactive SSO login
2024-10-31T14:24:41Z WARN client/server/server.go:274: failed login: rpc error: code = InvalidArgument desc = invalid setup-key or no sso information provided, err: invalid UUID length: 0
2024-10-31T14:24:42Z ERRO management/client/grpc.go:350: failed to login to Management Service: rpc error: code = PermissionDenied desc = no peer auth method provided, please use a setup key or interactive SSO login
2024-10-31T14:24:42Z INFO client/internal/login.go:130: peer has been successfully registered on Management Service
2024-10-31T14:24:42Z INFO client/internal/connect.go:111: starting NetBird client version 0.30.3 on linux/amd64
2024-10-31T14:24:42Z INFO client/internal/connect.go:240: connecting to the Relay service(s): rels://relay.netbird.io:443
2024-10-31T14:24:42Z INFO relay/client/picker.go:66: try to connecting to relay server: rels://relay.netbird.io:443
2024-10-31T14:24:42Z INFO [relay: rels://relay.netbird.io:443] relay/client/client.go:166: create new relay connection: local peerID: xxxxx=, local peer hashedID: sha-xxxx=
2024-10-31T14:24:42Z INFO [relay: rels://relay.netbird.io:443] relay/client/client.go:172: connecting to relay server
2024-10-31T14:24:43Z INFO [relay: rels://streamline-us-sjo1-2.relay.netbird.io:443] relay/client/client.go:189: relay connection established
2024-10-31T14:24:43Z INFO relay/client/picker.go:84: connected to Relay server: rels://relay.netbird.io:443
2024-10-31T14:24:43Z INFO relay/client/picker.go:58: chosen home Relay server: rels://relay.netbird.io:443
2024-10-31T14:24:43Z INFO client/iface/wgproxy/ebpf/proxy.go:91: local wg proxy listening on: 3128
2024-10-31T14:24:43Z INFO client/iface/wgproxy/factory_kernel.go:29: WireGuard Proxy Factory will produce eBPF proxy
2024-10-31T14:24:43Z INFO client/internal/routemanager/manager.go:144: Routing setup complete
2024-10-31T14:24:43Z INFO client/firewall/create_linux.go:77: creating an nftables firewall manager
2024-10-31T14:24:43Z INFO client/internal/dns/host_unix.go:54: System DNS manager discovered: systemd
2024-10-31T14:24:43Z INFO client/internal/peer/guard/sr_watcher.go:106: reconnected to Signal or Relay server
2024-10-31T14:24:43Z INFO signal/client/grpc.go:149: connected to the Signal Service stream
2024-10-31T14:24:43Z INFO client/internal/engine.go:1415: Network monitor is disabled, not starting
2024-10-31T14:24:43Z INFO client/internal/connect.go:268: Netbird engine started, the IP is: x.x.x.x/16
2024-10-31T14:24:43Z INFO management/client/grpc.go:155: connected to the Management Service stream
2024-10-31T14:24:43Z WARN client/internal/engine.go:597: running SSH server is not permitted
2024-10-31T14:24:43Z INFO client/internal/acl/manager.go:56: ACL rules processed in: 965.351µs, total rules count: 2
2024-10-31T14:24:43Z INFO client/internal/dns/systemd_linux.go:149: adding 1 search domains and 0 match domains. Search list: [netbird.cloud] , Match list: []
2024-10-31T14:24:44Z INFO [peer: xxx=] client/internal/peer/guard/guard.go:138: start listen for reconnect events...
2024-10-31T14:24:47Z INFO [peer: xxx=] client/internal/peer/guard/guard.go:84: start reconnect loop...
2024-10-31T14:24:47Z INFO [peer: xxx=] client/internal/peer/guard/guard.go:84: start reconnect loop...
2024-10-31T14:24:47Z INFO [peer: xxx=] client/internal/peer/guard/guard.go:84: start reconnect loop... 

However, we can connect to the server from our laptops and we can see other peers.

$ netbird status 
OS: darwin/amd64
Daemon version: 0.27.10
CLI version: 0.27.10
Management: Connected
Signal: Connected
Relays: 2/2 Available
Nameservers: 0/0 Available
FQDN: laptop-xxx.netbird.cloud
NetBird IP: x.x.x.x/16
Interface type: Userspace
Quantum resistance: false
Routes: -
Peers count: 4/6 Connected

Netbird status output on the server:

$ netbird status
Daemon version: 0.27.0
CLI version: 0.27.0
Management: Connected
Signal: Connected
Relays: 2/2 Available
Nameservers: 0/0 Available
FQDN: server-xxxx.netbird.cloud
NetBird IP: x.x.x.x/16
Interface type: Kernel
Quantum resistance: false
Routes: -
Peers count: 4/6 Connected

To Reproduce

  1. Install Netbird:
$ curl -L -o /tmp/netbird_0.30.3.tar.gz https://github.com/netbirdio/netbird/releases/download/v0.30.3/netbird_0.30.3_linux_amd64.tar.gz
$ tar -xvf /tmp/netbird_0.30.3.tar.gz -C /tmp
$ sudo cp /tmp/netbird /usr/bin/netbird
$ sudo chown root:root /usr/bin/netbird
$ sudo chmod +x /usr/bin/netbird
$ export PATH=$PATH:/usr/bin
$ sudo netbird service install
$ sudo netbird service start
$ sudo netbird up --setup-key $SETUP_KEY_NETBIRD_VPN
  2. Connect to the server:
$ ssh -l root -W x.x.x.x

Expected behavior
The connection to the server should be established.

Are you using NetBird Cloud?
Yes, we are using NetBird Cloud.

NetBird version

$ netbird version
0.30.3

NetBird status -dA output:

$ netbird status -dA
Peers detail:
 latop-xxxx.netbird.cloud:
  NetBird IP: x.x.x.x/32
  Public key: xxxxI=
  Status: Disconnected
  -- detail --
  Connection type: 
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: 15 seconds ago
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Routes: -
  Latency: 0s
 laptop-xxxx.netbird.cloud:
  NetBird IP: x.x.x.x/32
  Public key: xxxxg=
  Status: Disconnected
  -- detail --
  Connection type: 
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: 15 seconds ago
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Routes: -
  Latency: 0s
 staging-server-xxxx.netbird.cloud:
  NetBird IP: x.x.x.x
  Public key: xxxg=
  Status: Disconnected
  -- detail --
  Connection type: 
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: -
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Routes: -
  Latency: 0s
 prod-server-xxx.netbird.cloud:
  NetBird IP: x.x.x.x
  Public key: xxxx=
  Status: Disconnected
  -- detail --
  Connection type: 
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: -
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Routes: -
  Latency: 0s
 lapton-xxx.netbird.cloud:
  NetBird IP: x.x.x.x
  Public key: xxxxA=
  Status: Disconnected
  -- detail --
  Connection type: 
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: -
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Routes: -
  Latency: 0s
 laption-xxx.netbird.cloud:
  NetBird IP: x.x.x.x
  Public key: xxxc=
  Status: Disconnected
  -- detail --
  Connection type: 
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: -
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Routes: -
  Latency: 0s
 fv-az1920-579.netbird.cloud:
  NetBird IP: x.x.x.x
  Public key: xxxxo=
  Status: Disconnected
  -- detail --
  Connection type: 
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: -
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Routes: -
  Latency: 0s
 server-xxx.netbird.cloud:
  NetBird IP: x.x.x.x
  Public key: xxx0=
  Status: Disconnected
  -- detail --
  Connection type: 
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: -
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Routes: -
  Latency: 0s
OS: linux/amd64
Daemon version: 0.30.3
CLI version: 0.30.3
Management: Connected to https://api.netbird.io:443
Signal: Connected to https://signal.netbird.io:443
Relays: 
  [stun:stun.netbird.io:5555] is Available
  [turns:turn.netbird.io:443?transport=tcp] is Available
  [rels://streamline-us-chi1-2.relay.netbird.io:443] is Available
Nameservers: 
FQDN: fv-az1690-324.netbird.cloud
NetBird IP: x.x.x.x/16
Interface type: Kernel
Quantum resistance: false
Routes: -
Peers count: 0/8 Connected

@mlsmaycon
Collaborator

@RomanKrasavtsev It might be caused by an async attempt to connect between peers. Can you try using the following steps with the action:

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Netbird Connect
        id: netbird
        uses: Alemiz112/netbird-connect@v1
        with:
          setup-key: ${{ secrets.NB_SETUP_KEY_PROD }}
          hostname: ${{ env.CONNECT_HOSTNAME }}
          management-url: ${{ env.CONNECT_MANAGEMENT_URL }}

      - name: print netbird logs
        run: sudo cat /var/log/netbird/client.log

      - name: Wait for Netbird to connect to management
        shell: bash
        timeout-minutes: 1
        run: |
          while [ -z "$(ping -c 1 ${{ env.SERVER }} | grep '64 bytes from')" ]; do
            echo "Waiting for Netbird to connect..."
            netbird status --filter-by-names ${{ env.SERVER }}
            sleep 1
          done
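
A bounded wait that keys off the peer's `Status:` field in the detailed `netbird status` output rather than on ping, as an added example that is not part of the comment above or of the NetBird project. The names `status_cmd`, `peer_status` and `wait_for_peer` and the sample text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the "Peers detail" layout shown in this issue.
SAMPLE='Peers detail:
 laptop-xxxx.netbird.cloud:
  NetBird IP: x.x.x.x/32
  Status: Connected
 server-xxxx.netbird.cloud:
  NetBird IP: x.x.x.x
  Status: Disconnected
Peers count: 1/2 Connected'

# status_cmd: hypothetical hook that produces the status text; override it
# to exercise the loop offline.
status_cmd() { netbird status -d; }

# peer_status NAME: read status text on stdin and print the Status value of
# the peer block whose header line is " NAME:", or "Unknown" if absent.
peer_status() {
    awk -v want="$1" '
        # Peer headers are indented by one space and end with a colon.
        /^ [^ ].*:$/ { name = $1; sub(/:$/, "", name); in_peer = (name == want); next }
        # Peer fields are indented by two spaces.
        in_peer && /^  Status:/ { print $2; found = 1; exit }
        END { if (!found) print "Unknown" }
    '
}

# wait_for_peer NAME TRIES DELAY: return 0 once the peer is Connected,
# 1 after TRIES polls, so the step fails with the last state logged.
wait_for_peer() {
    name=$1 tries=$2 delay=$3
    i=0
    while [ "$i" -lt "$tries" ]; do
        state=$(status_cmd | peer_status "$name")
        [ "$state" = "Connected" ] && return 0
        i=$((i + 1))
        echo "peer $name is $state (attempt $i/$tries)" >&2
        sleep "$delay"
    done
    return 1
}
```

In a workflow step this would be called as, for example, `wait_for_peer "$SERVER" 30 2 || exit 1` before the SSH step.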

@RomanKrasavtsev
Author

Hi @mlsmaycon, thank you for your help.

Unfortunately, it still doesn't work; we tried increasing the timeout up to 2 minutes.

      - name: Netbird Connect
        id: netbird
        uses: Alemiz112/netbird-connect@v1
        with:
          setup-key: ${{ secrets.SETUP_KEY_NETBIRD_VPN }}

      - name: Wait for Netbird to connect to management
        shell: bash
        timeout-minutes: 2
        run: |
          SERVER=server-xxxx.netbird.cloud
          while [ -z "$(ping -c 1 $SERVER | grep '64 bytes from')" ]; do
            echo "Waiting for Netbird to connect..."
            netbird status --filter-by-names $SERVER
            sleep 30
          done

GitHub Action output:

...
ping: sendmsg: Required key not available
Waiting for Netbird to connect...
Peers detail:
 server-xxxx.netbird.cloud:
  NetBird IP: x.x.x.x
  Public key: xxxxx=
  Status: Disconnected
  -- detail --
  Connection type: 
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: -
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Routes: -
  Latency: 0s

OS: linux/amd64
Daemon version: 0.30.3
CLI version: 0.30.3
Management: Connected to https://api.wiretrustee.com:443
Signal: Connected to https://signal.netbird.io:443
Relays: 
  [stun:stun.netbird.io:5555] is Available
  [turns:turn.netbird.io:443?transport=tcp] is Available
  [rels://streamline-us-chi1-0.relay.netbird.io:443] is Available
Nameservers: 
FQDN: github-fv-az1379-274.netbird.cloud
NetBird IP: x.x.x.x/16
Interface type: Kernel
Quantum resistance: false
Routes: -
Peers count: 0/1 Connected
Error: The action 'Wait for Netbird to connect to management' has timed out after 2 minutes.

What's interesting is I can see that it's online in the admin panel:
[Image: Screenshot 2024-11-01 at 13 50 28]

@mlsmaycon
Collaborator

@RomanKrasavtsev can you run the test again, but this time please add the following environment variable to the workflow:

NB_LOG_LEVEL=trace

Then, share the output of the status command and the logs with us.

@mlsmaycon mlsmaycon added bug Something isn't working client connection and removed triage-needed labels Nov 1, 2024