u/TechHutTV

NetBird v0.69 is out - CrowdSec IP reputation, macOS P2P fixes, PCP support
🔥 Hot ▲ 67 r/netbird


v0.69 is out, and the big one is CrowdSec IP reputation in the reverse proxy (self-hosted only for now, Cloud is coming).

If you're exposing services through the proxy, you can now have it check every incoming request against a local CrowdSec LAPI and drop connections from flagged IPs before they ever hit your backend.

How it works:

  • LAPI container runs alongside your stack and syncs the community blocklist
  • Proxy embeds a stream bouncer that pulls decisions into an in-memory cache
  • Lookups happen per-connection with no network round trip on the hot path
  • Enforce mode fails closed during initial sync, so connections are denied until the cache is populated

Three modes per service:

  • Off (default)
  • Observe: logs what would've been blocked, lets traffic through. Verdicts show up in the proxy event log with an observe-mode badge
  • Enforce: blocks flagged IPs


Restriction order is CIDR, then country, then CrowdSec, so your existing allow/deny rules still take precedence.

Deny reasons in access logs are tagged crowdsec_ban, crowdsec_captcha, or crowdsec_throttle depending on the underlying decision type (the proxy treats all three as denials, no captcha or rate limiting at the proxy layer).

Fresh self-hosted installs get the LAPI container out of the box via the quickstart script. If you're already running the reverse proxy, there's a new Step 7 in the migration guide.

Also shipped in v0.69:

  • macOS P2P connectivity reworked (scoped default route + IP_BOUND_IF instead of /32 exclusion routes per remote candidate, so tunnel access to a remote peer's local addresses works properly now)
  • PCP added to the NAT traversal stack alongside NAT-PMP and UPnP
  • --disable-networks flag to pin a client to specific networks
  • Direct SSO redirect on proxy services (skips the intermediate page)
  • Container DNAT bypass guard in iptables
  • iOS posture checks now populate NetworkAddresses
  • conntrack netlink listener auto-reconnects on error

u/TechHutTV — 7 days ago
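
The restriction order and the three modes described in the post, sketched in Go as an added example (not NetBird's code and not part of the original post). The type names, the deny-list fields, the `example_*` reason strings and the choice to let observe mode pass traffic during initial sync are assumptions; only the `crowdsec_*` tags come from the post.

```go
package main

import (
	"fmt"
	"net/netip"
)

type Mode int
const (
	Off     Mode = iota // default
	Observe             // log the verdict, let traffic through
	Enforce             // block flagged IPs
)
// Service and Cache are hypothetical stand-ins, not NetBird's types.
type Service struct {
	Mode          Mode
	DenyCIDRs     []netip.Prefix
	DenyCountries map[string]bool
}
type Cache struct {
	Ready     bool                  // false until the first LAPI sync completes
	Decisions map[netip.Addr]string // IP -> "ban", "captcha" or "throttle"
}
// Evaluate returns (allowed, reason); example_* reasons are constructed labels.
func Evaluate(s Service, c *Cache, ip netip.Addr, country string) (bool, string) {
	for _, p := range s.DenyCIDRs { // 1. CIDR rules run first
		if p.Contains(ip) {
			return false, "example_cidr"
		}
	}
	if s.DenyCountries[country] { // 2. then country rules
		return false, "example_country"
	}
	if s.Mode == Off { // 3. CrowdSec last, only when enabled
		return true, ""
	}
	if !c.Ready { // enforce fails closed; observe passing here is an assumption
		return s.Mode != Enforce, "example_cache_not_ready"
	}
	kind, flagged := c.Decisions[ip] // in-memory lookup, no LAPI round trip
	if !flagged {
		return true, ""
	}
	return s.Mode == Observe, "crowdsec_" + kind // all three types are denials
}

func main() {
	fmt.Println(Evaluate(Service{Mode: Enforce}, &Cache{}, netip.MustParseAddr("203.0.113.7"), "NL"))
}
```

Running it prints the fail-closed verdict for an enforce-mode service whose cache has not finished its first sync; the address is a constructed documentation-range sample.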