netbird: update to 0.66.2 (breaking change)

[wehagy]

📦 Package Details

Maintainer: me
_{(You can find this by checking the history of the package Makefile.)}

Description:

Important

Self‑hosted deployments must update both management and dashboard

I usually prefer to upgrade netbird to the latest release (currently 0.65.1), but netbird moves fast and a newly added Reverse Proxy feature will likely require several follow-up fixes, so I’m holding off on upgrading immediately.
The time has passed and netbird seems calmer than in recent weeks, so I will update to the latest release (0.66.2) available now.

Update netbird to 0.64.6 0.66.2, for detailed info please read the commits. Notable changes:

• Move the netbird state file to /var/lib/netbird/state.json by setting NB_DNS_STATE_FILE in the init environment to reduce storage wear:

  • The previous state file /root/.config/netbird/state.json can be removed.
    • Note to self: add this info to commit message before merge.
  • I discussed this (and resolv.conf) privately with @egc112. Only resolv.conf now needs to be moved, I will likely remove the resolv.conf entirely.

• 0.61.2:

  • Second release that includes a breaking change, a backport will be provided for OpenWrt 25.12 (not for OpenWrt 24.10).
  • Introduces fine‑grained SSH access control.
  • Self‑hosted deployments must update both management and dashboard.

• 0.62.3:

  • Upstream minimum Go requirement raised from 1.24.x to 1.25.x (see go.mod): https://github.com/netbirdio/netbird/blob/v0.62.3/go.mod#L3-L5
    • Note to self: the commit message is ambiguous, fix the wording before merge.

• 0.63.0:

  • Add support for private DNS zones.

• 0.65.x:

  • NetBird v0.65.x now includes a built-in reverse proxy.
  • Important: pre-shared keys or Rosenpass are currently incompatible with
    the reverse proxy feature.

• 0.66.x:

  • NetBird v0.66.x adds support for exposing a local HTTP service
    from the CLI.

• Add patch to fix build with Go 1.26.x

Out of scope for this PR but related:
Fixed with a patch:

Waiting CI build fail, I will update this comment with details.

@egc112 alerted me by email (thanks) that the newer netbird fails to build in OpenWrt after the Go package was updated to 1.26.x and 1.25.x removed. The CI shows a similar error:

[...]
# gvisor.dev/gvisor/pkg/sync
/builder/dl/go-mod-cache/gvisor.dev/gvisor@v0.0.0-20251031020517-ecfcdd2f171c/pkg/sync/runtime_constants_go126.go:22:2: WaitReasonSelect redeclared in this block
	/builder/dl/go-mod-cache/gvisor.dev/gvisor@v0.0.0-20251031020517-ecfcdd2f171c/pkg/sync/runtime_constants_go125.go:22:2: other declaration of WaitReasonSelect
/builder/dl/go-mod-cache/gvisor.dev/gvisor@v0.0.0-20251031020517-ecfcdd2f171c/pkg/sync/runtime_constants_go126.go:23:2: WaitReasonChanReceive redeclared in this block
	/builder/dl/go-mod-cache/gvisor.dev/gvisor@v0.0.0-20251031020517-ecfcdd2f171c/pkg/sync/runtime_constants_go125.go:23:2: other declaration of WaitReasonChanReceive
/builder/dl/go-mod-cache/gvisor.dev/gvisor@v0.0.0-20251031020517-ecfcdd2f171c/pkg/sync/runtime_constants_go126.go:24:2: WaitReasonSemacquire redeclared in this block
	/builder/dl/go-mod-cache/gvisor.dev/gvisor@v0.0.0-20251031020517-ecfcdd2f171c/pkg/sync/runtime_constants_go125.go:24:2: other declaration of WaitReasonSemacquire
[...]

It seems that netbird versions 0.62.2 and later are affected. I tested using containers (not OpenWrt), and the errors I see are the same. The build works with Go 1.25.x.

@GeorgeSapkin, you recently added a way to have multiple Go versions in parallel on OpenWrt. I don't know the plans, but can we reintroduce Go 1.25.x? That makes sense to me, since both 1.25.x and 1.26.x are supported.

Also, I prefer to use the same dependency versions declared by upstream, if possible.

---

🧪 Run Testing Details

Tested by @egc112. #28589 (comment)

---

✅ Formalities

• I have reviewed the CONTRIBUTING.md file for detailed contributing guidelines.

If your PR contains a patch:

• It can be applied using git am
• It has been refreshed to avoid offsets, fuzzes, etc., using

  make package/<your-package>/refresh V=s

• It is structured in a way that it is potentially upstreamable
  _{(e.g., subject line, commit description, etc.)
  We must try to upstream patches to reduce maintenance burden.}

[GeorgeSapkin]

I don't think it make sense to go backwards with go versions. Adding an older version i.e. a new package, implies to me it needs to be supported for the duration of the release. All the other packages seem to build with 1.26, so it's up to netbird to fix their issues. And it looks like they just need to update their dependencies:

• Does not build with Go 1.26rc3 netbirdio/netbird#5290

I think you can temporarily patch go.mod to replace gvisor with a newer version and see if it builds. Something like:

go mod edit -replace gvisor.dev/gvisor@v0.0.0-20251031020517-ecfcdd2f171c=gvisor.dev/gvisor@v0.0.0-20260208121942-9fb1260a5885
go mod tidy

[wehagy]

I agree with you. It's not worth keeping an older version of Go for a single package, although that may happen eventually.

Thanks for "show me the way". Unfortunately, the version you proposed introduced another bug (and some other versions did too), so I shamelessly grabbed the version from the Chaotic-AUR repo: https://gitlab.com/chaotic-aur/pkgbuilds/-/blame/bf25fdfdeb67463d3bc91fd7a2c025a93d05617c/netbird/PKGBUILD#L33

In the meantime, I opened a PR upstream to see if it will be accepted:

• [client] update gvisor to build with Go 1.26.x netbirdio/netbird#5447

I will wait a little before backporting, maintaining patches is always a pain.

[GeorgeSapkin]

Also, I think all the bump commits should be squashed.

[wehagy]

Yeah, you are probably right.

[wehagy]

I'll mark this as Draft because I need to test and update the top description/title, with the changes.

[egc112]

I have successfully running 0.66.2 but just by using Go 1.25, do you want me to test and review this patch?

[egc112]

I just compiled with the go-mod patch and it compiles with go 1.26.

Uploaded to my MT6000 running 25.12 Snapshot from today and it is working:

root@MT-6000:~# netbird status
OS: linux/arm64
Daemon version: 0.66.2
CLI version: 0.66.2
Profile: default
Management: Connected
Signal: Connected
Relays: 4/4 Available
Nameservers: 1/1 Available
FQDN: mt-6000.netbird.cloud
NetBird IP: 100.120.37.09/16
Interface type: Kernel
Quantum resistance: false
Lazy connection: false
SSH Server: Enabled
Networks: -
Peers count: 1/8 Connected

Thanks @wehagy and @GeorgeSapkin !

[wehagy]

@egc112 thanks for testing 👍.

I updated the title/description of the PR. The only missing part is getting CI to be happy, the last run failed with Dirty patches detected. I think @GeorgeSapkin updated the patch and force-pushed it, so it should pass now.

[GeorgeSapkin]

Since the latest version is not going to work without a patch, I think the last two commits should be squashed.

[wehagy]

Squashed the last 2 commits and sorted the commit message. Let's wait for the world to be green.

[wehagy]

Merged. Thanks for the help.