
WireGuard sent counter overflows immediately on P2P handshake between two kernel-WireGuard peers on NetBird 0.70.4, causing wg-crypt kworker CPU spin #6054

@kkin1995

Describe the problem
When two peers both running NetBird 0.70.4 with kernel WireGuard establish a P2P connection, the WireGuard sent counter for that peer immediately shows an impossibly large value (200–300 GiB) within seconds of the first handshake, despite negligible real traffic. This causes multiple wg-crypt-wt0 kernel workers to spin at high CPU (10–20% each, 40–60% aggregate) continuously. The receiving peer's counter shows a normal value (MiB range), confirming the sent counter on the initiating side is corrupted, not reflecting real transmitted data. SSH to the affected peer becomes degraded. All other peers (relayed connections, different OS) are unaffected and show normal counters.

The bug triggers immediately on the first handshake after NetBird starts — not gradually over time. Removing the affected peer from the WireGuard interface stops the kworker spinning. With the peer absent, all other peers function normally with zero wg-crypt workers spinning.

To Reproduce

  1. Set up two machines both running NetBird 0.70.4 with kernel WireGuard (Interface type: Kernel)
  2. Ensure both machines are on the same LAN so NetBird negotiates a direct P2P connection
  3. Start NetBird on both machines
  4. Run sudo wg show wt0 transfer on machine 1 within seconds of the handshake completing
  5. Observe the sent counter for the P2P peer showing hundreds of GiB despite no real traffic
  6. Observe multiple wg-crypt-wt0 kworkers spinning at high CPU in ps aux --sort=-%cpu

Expected behavior
The sent counter should reflect actual transmitted bytes (KiB range for keepalive-only traffic). wg-crypt kworkers should be idle between packet bursts.

Are you using NetBird Cloud?
Self-hosted. Management server running on a Proxmox VM.

NetBird version
Both affected peers: 0.70.4 (installed via official install script)
Unaffected peers (relayed): Ubuntu VM running NetBird (various versions), iOS, Windows

Is any other VPN software installed?
No.

Debug output

➜  ~ netbird status -dA
Peers detail:
 iphone-admin.netbird.selfhosted:
  NetBird IP: 100.91.39.53/32
  Public key: yKnbMvcGmovw1c4TdQV/xBsvF1xuKgeoQS2K/mvGhDs=
  Status: Idle
  -- detail --
  Connection type: -
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: 7 minutes, 32 seconds ago
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Networks: -
  Latency: 0s

 ipad-amit.netbird.selfhosted:
  NetBird IP: 100.91.113.69/32
  Public key: tI4aKnfgOXjazPBG/OIa3tQjMwrpwB/DO8J+tYhicCo=
  Status: Idle
  -- detail --
  Connection type: -
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: 7 minutes, 32 seconds ago
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Networks: -
  Latency: 0s

 ipad-amit-154-47.netbird.selfhosted:
  NetBird IP: 100.91.154.47/32
  Public key: YwZSOs2mD2Kns111g/FDl7x9E+JueD6h2Kpahm8QQG4=
  Status: Idle
  -- detail --
  Connection type: -
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: 7 minutes, 32 seconds ago
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Networks: -
  Latency: 0s

 iphone-amit.netbird.selfhosted:
  NetBird IP: 100.91.34.16/32
  Public key: iz87x9HBFhdUzDbd9iwnfhl+1Tp1aGgwZkBHgHYrmDM=
  Status: Idle
  -- detail --
  Connection type: -
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: 7 minutes, 32 seconds ago
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Networks: -
  Latency: 0s

 iphone-amit-149-23.netbird.selfhosted:
  NetBird IP: 100.91.149.23/32
  Public key: N+qmyyLYj2Raro5kHW2qgKsjf2kLh2j3rom7CvbwBDs=
  Status: Idle
  -- detail --
  Connection type: -
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: 7 minutes, 32 seconds ago
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Networks: -
  Latency: 0s

 ipad-admin.netbird.selfhosted:
  NetBird IP: 100.91.50.110/32
  Public key: 3H0Xn4eqkQPk1Rp1QYzZLS9r5X+YjxQ+GIvNqpwUOms=
  Status: Idle
  -- detail --
  Connection type: -
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: 7 minutes, 32 seconds ago
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Networks: -
  Latency: 0s

 mohith-p-a-ideapad-gaming-3.netbird.selfhosted:
  NetBird IP: 100.91.216.212/32
  Public key: WKmqfbPMfVRBGUFd+ENGO4aYOzSG7Tls7X/z6lzCtwE=
  Status: Idle
  -- detail --
  Connection type: -
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: 7 minutes, 32 seconds ago
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Networks: -
  Latency: 0s

 karan-kinariwala-desktop.netbird.selfhosted:
  NetBird IP: 100.91.156.254/32
  Public key: 2sBJD81HZbd0/hL3fkEYs1DfIaPwJHZtf+D1ffIC62c=
  Status: Idle
  -- detail --
  Connection type: -
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: 7 minutes, 32 seconds ago
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Networks: -
  Latency: 0s

 amitkinariwala.netbird.selfhosted:
  NetBird IP: 100.91.42.142
  Public key: l3Hl/giX2D4iF9CTush8xhROsZdyIrsiVwUMwP2F5xY=
  Status: Connecting
  -- detail --
  Connection type: -
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: 7 minutes, 32 seconds ago
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Networks: -
  Latency: 0s

 pve.netbird.selfhosted:
  NetBird IP: 100.91.72.224
  Public key: b3b4cg3CwqtcVwkaujMdVW5qLFOVRPdkCsuREmRZE34=
  Status: Connected
  -- detail --
  Connection type: P2P
  ICE candidate (Local/Remote): srflx/prflx
  ICE candidate endpoints (Local/Remote): 198.51.100.0:20432/198.51.100.1:51820
  Relay server address: rels://netbird.anon-BLDRm.domain:443
  Last connection update: 6 minutes, 15 seconds ago
  Last WireGuard handshake: 1 minute, 16 seconds ago
  Transfer status (received/sent) 400 B/1.3 KiB
  Quantum resistance: false
  Networks: -
  Latency: 9.565646ms

 solidworks.netbird.selfhosted:
  NetBird IP: 100.91.94.175
  Public key: 0LOjmZl2OVJW5KpBnp1krvLek8cwVEg9Tpu0Exq6+0U=
  Status: Connected
  -- detail --
  Connection type: Relayed
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: rels://netbird.anon-BLDRm.domain:443
  Last connection update: 7 minutes, 32 seconds ago
  Last WireGuard handshake: 1 minute, 42 seconds ago
  Transfer status (received/sent) 884 B/572 B
  Quantum resistance: false
  Networks: -
  Latency: 0s

 karan-kinariwala-arch-desktop.netbird.selfhosted:
  NetBird IP: 100.91.136.142
  Public key: VtUPpCUgOxnCe9DSLvJlUPe+WXNLel58cou8g+lrBRc=
  Status: Connecting
  -- detail --
  Connection type: -
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: 7 minutes, 32 seconds ago
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Networks: -
  Latency: 0s

 netbird-ubuntu-vm.netbird.selfhosted:
  NetBird IP: 100.91.152.102
  Public key: dlmoCQNkqwVRoPQJGMT1e+INQu1m+7BdEEmvOlc4FSk=
  Status: Connected
  -- detail --
  Connection type: Relayed
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: rels://netbird.anon-BLDRm.domain:443
  Last connection update: 7 minutes, 32 seconds ago
  Last WireGuard handshake: 1 minute, 17 seconds ago
  Transfer status (received/sent) 752 B/1.5 KiB
  Quantum resistance: false
  Networks: -
  Latency: 0s

 monitoring.netbird.selfhosted:
  NetBird IP: 100.91.192.35
  Public key: VsRvcCFkEyDkLYzSEqDRlanPp/GVmnyom9+0fZSZ52E=
  Status: Connecting
  -- detail --
  Connection type: -
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: 7 minutes, 32 seconds ago
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Networks: -
  Latency: 0s

 amits-macbook-pro.netbird.selfhosted:
  NetBird IP: 100.91.207.198
  Public key: T9vqYbT1rrRxZEhMTanwMsTs5p6swTik3Ov1QkJLGzc=
  Status: Connecting
  -- detail --
  Connection type: -
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: 
  Last connection update: 7 minutes, 32 seconds ago
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Networks: -
  Latency: 0s

Events:
  [INFO] SYSTEM (08dd210e-3b2f-41ef-9eff-95a91c821735)
    Message: Network map updated
    Time: 7 minutes, 32 seconds ago
  [WARNING] DNS (7496aaf3-a47d-47ce-b3ff-188963a0c620)
    Message: All upstream servers failed (probe failed)
    Time: 7 minutes, 32 seconds ago
    Metadata: upstreams: 100.91.152.102:5353
OS: linux/amd64
Daemon version: 0.70.4
CLI version: 0.70.4
Profile: default
Management: Connected to https://netbird.anon-BLDRm.domain:443
Signal: Connected to https://netbird.anon-BLDRm.domain:443
Relays: 
  [stun:netbird.anon-BLDRm.domain:3478] is Available
  [rels://netbird.anon-BLDRm.domain:443] is Available
Nameservers: 
  [100.91.152.102:5353] for [anon-BLDRm.domain] is Available
FQDN: karan-kinariwala-arch-victus.netbird.selfhosted
NetBird IP: 100.91.55.249/16
Interface type: Kernel
Quantum resistance: false
Lazy connection: false
SSH Server: Disabled
Networks: -
Peers count: 3/15 Connected
➜  ~ 

Screenshots
N/A

Additional context

  • The bug did not occur when one peer was on NetBird 0.70.0 and the other on 0.70.4 — it appeared only after both peers were upgraded to 0.70.4
  • The counter mismatch is confirmed: machine 1 shows 290 GiB sent to the desktop peer; the desktop peer shows only ~116 MiB received from machine 1. The router confirms negligible real traffic for the entire day
  • Raw bytes from sudo wg show wt0 transfer for the affected peer: received 40,669,424 (38.8 MiB), sent 311,703,622,928 (290 GiB) — sent value exceeds 2^32, suggesting a possible integer overflow in per-peer counter handling
  • Relayed peers (endpoint 127.0.0.1:x) are completely unaffected
  • Removing the P2P peer with sudo wg set wt0 peer <pubkey> remove immediately stops kworker spinning
  • Both machines run Arch Linux with kernel 7.0.3-arch1-1/arch1-2 and kernel WireGuard

Have you tried these troubleshooting steps?

  • Reviewed client troubleshooting
  • Checked for newer NetBird versions (0.70.4 is latest)
  • Searched for similar issues on GitHub (including closed ones)
  • Restarted the NetBird client
  • Disabled other VPN software
  • Checked firewall settings (UFW rule for 51820/UDP added, no effect on bug)
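A small diagnostic that mechanises steps 4 and 5 of the reproduction above: it parses the tab-separated output of `wg show <iface> transfer` (one line per peer: public key, received bytes, sent bytes) and flags per-peer counters that cannot plausibly reflect real traffic, using the two tests the report itself applies (a sent value above 2^32, and a sent/received ratio wildly out of line with what the remote side sees). This is an added example, not code from the issue or the NetBird project; the sample output, the placeholder public keys and the thresholds are constructed for illustration, with the byte counts taken from the raw numbers quoted in the report.

```python
"""Sanity-check per-peer WireGuard transfer counters.

Added example (not NetBird's code). Parses `wg show <iface> transfer`
output and flags counters that look corrupted rather than measured.
"""
import subprocess
from dataclasses import dataclass

# Constructed sample modelled on the report: one P2P peer whose sent counter
# is implausible, one relayed peer with normal numbers. Keys are placeholders.
SAMPLE_TRANSFER = (
    "PEER_PUBKEY_P2P_PLACEHOLDER=\t40669424\t311703622928\n"
    "PEER_PUBKEY_RELAYED_PLACEHOLDER=\t752\t1536\n"
)


@dataclass
class PeerTransfer:
    pubkey: str
    rx: int  # bytes received from this peer
    tx: int  # bytes sent to this peer


def parse_transfer(text: str) -> list[PeerTransfer]:
    """Parse `wg show <iface> transfer` output: pubkey<TAB>rx<TAB>tx per line."""
    peers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pubkey, rx, tx = line.split("\t")
        peers.append(PeerTransfer(pubkey, int(rx), int(tx)))
    return peers


def human(n: int) -> str:
    """Format a byte count roughly the way wg(8) prints it."""
    if n < 1024:
        return f"{n} B"
    value = float(n)
    for unit in ("KiB", "MiB", "GiB"):
        value /= 1024
        if value < 1024:
            return f"{value:.2f} {unit}"
    return f"{value / 1024:.2f} TiB"


def suspicious(peer: PeerTransfer, max_bytes: int = 1 << 32,
               max_ratio: float = 1000.0) -> list[str]:
    """Return the reasons this peer's counters look corrupted (empty if fine).

    max_bytes defaults to 2^32, the bound the report singles out; max_ratio is
    an assumed cut-off for sent/received imbalance on a keepalive-only link.
    """
    reasons = []
    if peer.tx > max_bytes:
        reasons.append(f"sent {human(peer.tx)} exceeds {human(max_bytes)}")
    if peer.rx > 0 and peer.tx / peer.rx > max_ratio:
        reasons.append(f"sent/received ratio {peer.tx / peer.rx:.0f}x "
                       f"exceeds {max_ratio:.0f}x")
    return reasons


def audit(text: str) -> dict[str, list[str]]:
    """Map each peer public key to the list of anomalies found for it."""
    return {p.pubkey: suspicious(p) for p in parse_transfer(text)}


def live_transfer(iface: str = "wt0") -> str:
    """Read live counters from the kernel (needs root); not used by the demo."""
    return subprocess.run(["wg", "show", iface, "transfer"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for pubkey, reasons in audit(SAMPLE_TRANSFER).items():
        print(pubkey, "OK" if not reasons else "; ".join(reasons))
```

On an affected host, replace `SAMPLE_TRANSFER` with `live_transfer("wt0")` (run as root) and compare the flagged peer's sent figure with the receive counter on the other machine; a large gap between the two, as in the report, points at the counter rather than at real traffic, and is the number worth attaching to a bug report alongside the kworker CPU readings.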
