Configuring default routes for Internet traffic

NetBird introduces a way to redirect a peer's internet traffic through what is commonly known as exit nodes. This setup allows you to direct all internet-bound traffic from your devices through a specified routing peer.

This feature is available from Netbird version v0.27.0 onwards.

Concepts

Default Routes

A default route, specified with the network address 0.0.0.0/0 for IPv4 and ::/0 for IPv6, directs internet-bound traffic from your devices through a designated routing peer.

Currently, IPv6 traffic is not supported and is blocked to prevent unintentional traffic leakage.

Routing Peer

The routing peer functions as the exit node for the Internet traffic. Once configured, it automatically handles traffic it receives from connected peers, applying masquerading to ensure traffic appears to originate from the routing peer's public IP address.

Distribution Groups

Peers within the specified distribution group are configured to send their Internet traffic to the routing peer over the VPN. This setup is activated as soon as the routing peer is connected.

Exit Node Selection and Auto Apply Behavior

Administrators configure exit nodes from the dashboard, and can optionally mark the default route (0.0.0.0/0) as selected by default. Clients will then auto-apply the selected exit node if the route is configured with Auto Apply or the user has made a local choice on the device.

Auto Apply: when enabled on an exit node route, clients will auto-apply that exit node. Users can still manually disable it from the client if they choose to use that exit node.
Client override: if a user selects or deselects an exit node on their device, that local choice takes precedence over the management server’s preference. This includes the ability to deselect a forced/selected route sent by management.

Management can provide preferences for exit node selection, but the client user’s explicit selection or deselection is always respected on that device.

Exit node auto-apply feature requires NetBird client v0.55.0 or later.

Existing exit node routes

Exit node routes that existed before the Auto Apply feature are treated as if Auto Apply is enabled by default. This preserves previous behavior where exit nodes were applied automatically when distributed.

Clients running v0.55.0 or later will auto-apply these existing routes unless the user has explicitly selected/deselected an exit node on the device.
Administrators can edit any exit node route in the dashboard to change its Auto Apply setting at any time.

Configuration Steps

Access the Dashboard peers tab

Navigate to the NetBird dashboard to begin the configuration process.

dashboard-peers-view

Select the designated routing peer

routing-peer-view

Make the peer an exit node routing peer

Hit the Add Exit Node button to configure the peer as an exit node routing peer.

In the opened window, specify which peers should use the default route by assigning one or more distribution groups. These peers will automatically route their internet traffic through the routing peer upon its connection.

add-exit-node-view

If you want exit nodes to be available without being automatically enabled on clients, enable the Auto Apply option. When Auto Apply is on, clients will auto-apply the exit node, but users can manually disable it from the client.

exit-node-auto-apply

Then hit the Add Exit Node button to complete the configuration.

The routing peer is automatically set up to handle and route traffic it receives from connected peers. Masquerading remains enabled by default to mask the original source IP addresses.

Make sure to star us on GitHub
Follow us on X
Join our Slack Channel
NetBird latest release on GitHub

Peers

Access Control

Networks

Network Routes

DNS

Team

Activity

Settings

Integrations

Public API

For Partners