SVI/netbird
1
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2026-05-10 10:11:44 -04:00
Code Issues 3.0k Packages Projects Releases 10 Wiki Activity

Stuck on loading screen on "/peers" (Authentik) #1486

New Issue
Open
opened 2025-11-20 05:31:29 -05:00 by saavagebueno · 27 comments
saavagebueno commented 2025-11-20 05:31:29 -05:00
Owner
Copy Link

Originally created by @azery12356 on GitHub (Dec 9, 2024).

Describe the problem

I'm trying to setup a Netbird selfhosted instance with Authentik as IDP. The client ID and the provider are correct as I see a connection on the service user in Authentik.

The problem is that I can't even reach the initial setup, the dashboard is stuck loading on "/peers" juste after the authentiation via Authentik.
The only error i see in the docker compose logs is this one: management-1 | 2024-12-09T19:19:48Z WARN [context: SYSTEM] management/server/account.go:1114: failed warming up cache due to error: invalid character ';' looking for beginning of value

I precise that both my Authentik and my Netbird are behind a Nginx reverse proxy. Ask me the configuration if needed.

Here is my setup.env: (sensitive data replaced)

## example file, you can copy this file to setup.env and update its values
##

# Image tags
# you can force specific tags for each component; will be set to latest if empty
NETBIRD_DASHBOARD_TAG=""
NETBIRD_SIGNAL_TAG=""
NETBIRD_MANAGEMENT_TAG=""
COTURN_TAG=""
NETBIRD_RELAY_TAG=""

# Dashboard domain. e.g. app.mydomain.com
NETBIRD_DOMAIN="nb.redacted.com"
TURN_MIN_PORT=49152
TURN_MAX_PORT=52000


# TURN server domain. e.g. turn.mydomain.com
# if not specified it will assume NETBIRD_DOMAIN
NETBIRD_TURN_DOMAIN=""

# TURN server public IP address
# required for a connection involving peers in
# the same network as the server and external peers
# usually matches the IP for the domain set in NETBIRD_TURN_DOMAIN
NETBIRD_TURN_EXTERNAL_IP=""

# -------------------------------------------
# OIDC
#  e.g., https://example.eu.auth0.com/.well-known/openid-configuration
# -------------------------------------------
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://authentik.redacted.com/application/o/netbird/.well-known/openid-configuration"
NETBIRD_AUTH_AUDIENCE="<My client ID>"
NETBIRD_AUTH_CLIENT_ID="<My client ID>"
NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
NETBIRD_USE_AUTH0="false"
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="authentik"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="<My client ID>"
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
# -------------------------------------------
# OIDC PKCE Authorization Flow
# -------------------------------------------
# Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative
# eg. 53000,54000
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"
# -------------------------------------------
# IDP Management
# -------------------------------------------
# eg. zitadel, auth0, azure, keycloak
NETBIRD_MGMT_IDP="authentik"
# Some IDPs requires different client id and client secret for management api
NETBIRD_IDP_MGMT_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
NETBIRD_IDP_MGMT_CLIENT_SECRET=""
NETBIRD_IDP_MGMT_EXTRA_USERNAME="Netbird"
NETBIRD_IDP_MGMT_EXTRA_PASSWORD="<Service account password>"

# -------------------------------------------
# Letsencrypt
# -------------------------------------------
NETBIRD_DISABLE_LETSENCRYPT=true
NETBIRD_LETSENCRYPT_EMAIL="<my email>"
# -------------------------------------------
# Extra settings
# -------------------------------------------
# Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
NETBIRD_DISABLE_ANONYMOUS_METRICS=false
# DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
NETBIRD_MGMT_DNS_DOMAIN=netbird.vpn.localdomain

# -------------------------------------------
# Relay settings
# -------------------------------------------
# Relay server domain. e.g. relay.mydomain.com
# if not specified it will assume NETBIRD_DOMAIN
NETBIRD_RELAY_DOMAIN=""

# Relay server connection port. If none is supplied
# it will default to 33080
NETBIRD_RELAY_PORT=""

My management.json:

{
    "Stuns": [
        {
            "Proto": "udp",
            "URI": "stun:nb.redacted.com:3478",
            "Username": "",
            "Password": ""
        }
    ],
    "TURNConfig": {
        "TimeBasedCredentials": false,
        "CredentialsTTL": "12h0m0s",
        "Secret": "secret",
        "Turns": [
            {
                "Proto": "udp",
                "URI": "turn:nb.redacted.com:3478",
                "Username": "self",
                "Password": "password"
            }
        ]
    },
    "Relay": {
        "Addresses": [
            "rel://nb.redacted.com:33080"
        ],
        "CredentialsTTL": "24h0m0s",
        "Secret": "password"
    },
    "Signal": {
        "Proto": "https",
        "URI": "nb.redacted.com:10000",
        "Username": "",
        "Password": ""
    },
    "Datadir": "/var/lib/netbird/",
    "DataStoreEncryptionKey": "password",
    "HttpConfig": {
        "LetsEncryptDomain": "",
        "CertFile": "",
        "CertKey": "",
        "AuthAudience": "<My client ID>",
        "AuthIssuer": "https://authentik.redacted.com/application/o/netbird/",
        "AuthUserIDClaim": "",
        "AuthKeysLocation": "https://authentik.redacted.com/application/o/netbird/jwks/",
        "OIDCConfigEndpoint": "https://authentik.redacted.com/application/o/netbird/.well-known/openid-configuration",
        "IdpSignKeyRefreshEnabled": false,
        "ExtraAuthAudience": ""
    },
    "IdpManagerConfig": {
        "ManagerType": "authentik",
        "ClientConfig": {
            "Issuer": "https://authentik.redacted.com/application/o/netbird",
            "TokenEndpoint": "https://authentik.redacted.com/application/o/token/",
            "ClientID": "<My client ID>",
            "ClientSecret": "",
            "GrantType": "client_credentials"
        },
        "ExtraConfig": {
            "Password": "password",
            "Username": "Netbird"
        },
        "Auth0ClientCredentials": null,
        "AzureClientCredentials": null,
        "KeycloakClientCredentials": null,
        "ZitadelClientCredentials": null
    },
    "DeviceAuthorizationFlow": {
        "Provider": "hosted",
        "ProviderConfig": {
            "ClientID": "<My client ID>",
            "ClientSecret": "",
            "Domain": "authentik.redacted.com",
            "Audience": "<My client ID>",
            "TokenEndpoint": "https://authentik.redacted.com/application/o/token/",
            "DeviceAuthEndpoint": "https://authentik.redacted.com/application/o/device/",
            "AuthorizationEndpoint": "",
            "Scope": "openid",
            "UseIDToken": false,
            "RedirectURLs": null
        }
    },
    "PKCEAuthorizationFlow": {
        "ProviderConfig": {
            "ClientID": "<My client ID>",
            "ClientSecret": "",
            "Domain": "",
            "Audience": "<My client ID>",
            "TokenEndpoint": "https://authentik.redacted.com/application/o/token/",
            "DeviceAuthEndpoint": "",
            "AuthorizationEndpoint": "https://authentik.redacted.com/application/o/authorize/",
            "Scope": "openid profile email offline_access api",
            "UseIDToken": false,
            "RedirectURLs": [
                "http://localhost:53000"
            ]
        }
    },
    "StoreConfig": {
        "Engine": "sqlite"
    },
    "ReverseProxy": {
        "TrustedHTTPProxies": [],
        "TrustedHTTPProxiesCount": 0,
        "TrustedPeers": [
            "0.0.0.0/0"
        ]
    }
}

To Reproduce

Steps to reproduce the behavior:

Go to '...'
Click on '....'
Scroll down to '....'
See error
Expected behavior

A clear and concise description of what you expected to happen.

Are you using NetBird Cloud?

No
NetBird version

v0.34.1

NetBird status -dA output:

If applicable, add the `netbird status -dA' command output.

Do you face any client issues on desktop?

Please provide the file created by netbird debug for 1m -AS.
We advise reviewing the anonymized files for any remaining PII.

Screenshots

If applicable, add screenshots to help explain your problem.

Additional context

Add any other context about the problem here.

Originally created by @azery12356 on GitHub (Dec 9, 2024). Describe the problem I'm trying to setup a Netbird selfhosted instance with Authentik as IDP. The client ID and the provider are correct as I see a connection on the service user in Authentik. The problem is that I can't even reach the initial setup, the dashboard is stuck loading on "/peers" juste after the authentiation via Authentik. The only error i see in the docker compose logs is this one: `management-1 | 2024-12-09T19:19:48Z WARN [context: SYSTEM] management/server/account.go:1114: failed warming up cache due to error: invalid character ';' looking for beginning of value` I precise that both my Authentik and my Netbird are behind a Nginx reverse proxy. Ask me the configuration if needed. Here is my` setup.env`: (sensitive data replaced) ```env ## example file, you can copy this file to setup.env and update its values ## # Image tags # you can force specific tags for each component; will be set to latest if empty NETBIRD_DASHBOARD_TAG="" NETBIRD_SIGNAL_TAG="" NETBIRD_MANAGEMENT_TAG="" COTURN_TAG="" NETBIRD_RELAY_TAG="" # Dashboard domain. e.g. app.mydomain.com NETBIRD_DOMAIN="nb.redacted.com" TURN_MIN_PORT=49152 TURN_MAX_PORT=52000 # TURN server domain. e.g. turn.mydomain.com # if not specified it will assume NETBIRD_DOMAIN NETBIRD_TURN_DOMAIN="" # TURN server public IP address # required for a connection involving peers in # the same network as the server and external peers # usually matches the IP for the domain set in NETBIRD_TURN_DOMAIN NETBIRD_TURN_EXTERNAL_IP="" # ------------------------------------------- # OIDC # e.g., https://example.eu.auth0.com/.well-known/openid-configuration # ------------------------------------------- NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://authentik.redacted.com/application/o/netbird/.well-known/openid-configuration" NETBIRD_AUTH_AUDIENCE="<My client ID>" NETBIRD_AUTH_CLIENT_ID="<My client ID>" NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api" NETBIRD_USE_AUTH0="false" NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="authentik" NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="<My client ID>" NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid" NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false # ------------------------------------------- # OIDC PKCE Authorization Flow # ------------------------------------------- # Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative # eg. 53000,54000 NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000" # ------------------------------------------- # IDP Management # ------------------------------------------- # eg. zitadel, auth0, azure, keycloak NETBIRD_MGMT_IDP="authentik" # Some IDPs requires different client id and client secret for management api NETBIRD_IDP_MGMT_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID NETBIRD_IDP_MGMT_CLIENT_SECRET="" NETBIRD_IDP_MGMT_EXTRA_USERNAME="Netbird" NETBIRD_IDP_MGMT_EXTRA_PASSWORD="<Service account password>" # ------------------------------------------- # Letsencrypt # ------------------------------------------- NETBIRD_DISABLE_LETSENCRYPT=true NETBIRD_LETSENCRYPT_EMAIL="<my email>" # ------------------------------------------- # Extra settings # ------------------------------------------- # Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection NETBIRD_DISABLE_ANONYMOUS_METRICS=false # DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted NETBIRD_MGMT_DNS_DOMAIN=netbird.vpn.localdomain # ------------------------------------------- # Relay settings # ------------------------------------------- # Relay server domain. e.g. relay.mydomain.com # if not specified it will assume NETBIRD_DOMAIN NETBIRD_RELAY_DOMAIN="" # Relay server connection port. If none is supplied # it will default to 33080 NETBIRD_RELAY_PORT="" ``` My `management.json`: ```json { "Stuns": [ { "Proto": "udp", "URI": "stun:nb.redacted.com:3478", "Username": "", "Password": "" } ], "TURNConfig": { "TimeBasedCredentials": false, "CredentialsTTL": "12h0m0s", "Secret": "secret", "Turns": [ { "Proto": "udp", "URI": "turn:nb.redacted.com:3478", "Username": "self", "Password": "password" } ] }, "Relay": { "Addresses": [ "rel://nb.redacted.com:33080" ], "CredentialsTTL": "24h0m0s", "Secret": "password" }, "Signal": { "Proto": "https", "URI": "nb.redacted.com:10000", "Username": "", "Password": "" }, "Datadir": "/var/lib/netbird/", "DataStoreEncryptionKey": "password", "HttpConfig": { "LetsEncryptDomain": "", "CertFile": "", "CertKey": "", "AuthAudience": "<My client ID>", "AuthIssuer": "https://authentik.redacted.com/application/o/netbird/", "AuthUserIDClaim": "", "AuthKeysLocation": "https://authentik.redacted.com/application/o/netbird/jwks/", "OIDCConfigEndpoint": "https://authentik.redacted.com/application/o/netbird/.well-known/openid-configuration", "IdpSignKeyRefreshEnabled": false, "ExtraAuthAudience": "" }, "IdpManagerConfig": { "ManagerType": "authentik", "ClientConfig": { "Issuer": "https://authentik.redacted.com/application/o/netbird", "TokenEndpoint": "https://authentik.redacted.com/application/o/token/", "ClientID": "<My client ID>", "ClientSecret": "", "GrantType": "client_credentials" }, "ExtraConfig": { "Password": "password", "Username": "Netbird" }, "Auth0ClientCredentials": null, "AzureClientCredentials": null, "KeycloakClientCredentials": null, "ZitadelClientCredentials": null }, "DeviceAuthorizationFlow": { "Provider": "hosted", "ProviderConfig": { "ClientID": "<My client ID>", "ClientSecret": "", "Domain": "authentik.redacted.com", "Audience": "<My client ID>", "TokenEndpoint": "https://authentik.redacted.com/application/o/token/", "DeviceAuthEndpoint": "https://authentik.redacted.com/application/o/device/", "AuthorizationEndpoint": "", "Scope": "openid", "UseIDToken": false, "RedirectURLs": null } }, "PKCEAuthorizationFlow": { "ProviderConfig": { "ClientID": "<My client ID>", "ClientSecret": "", "Domain": "", "Audience": "<My client ID>", "TokenEndpoint": "https://authentik.redacted.com/application/o/token/", "DeviceAuthEndpoint": "", "AuthorizationEndpoint": "https://authentik.redacted.com/application/o/authorize/", "Scope": "openid profile email offline_access api", "UseIDToken": false, "RedirectURLs": [ "http://localhost:53000" ] } }, "StoreConfig": { "Engine": "sqlite" }, "ReverseProxy": { "TrustedHTTPProxies": [], "TrustedHTTPProxiesCount": 0, "TrustedPeers": [ "0.0.0.0/0" ] } } ``` To Reproduce Steps to reproduce the behavior: Go to '...' Click on '....' Scroll down to '....' See error Expected behavior A clear and concise description of what you expected to happen. Are you using NetBird Cloud? No NetBird version v0.34.1 NetBird status -dA output: If applicable, add the `netbird status -dA' command output. Do you face any client issues on desktop? Please provide the file created by netbird debug for 1m -AS. We advise reviewing the anonymized files for any remaining PII. Screenshots If applicable, add screenshots to help explain your problem. Additional context Add any other context about the problem here.
saavagebueno added the triage-needed label 2025-11-20 05:31:29 -05:00
saavagebueno commented 2025-11-20 05:31:29 -05:00
Author
Owner
Copy Link

@markcst commented on GitHub (Dec 22, 2024):

It happens to me as well when I enter my netbird.my-domain.tld page.

I'm using Zitadel selfhosted. I wondered if it was the setting of NETBIRD_AUTH_REDIRECT_URI="/auth" (I did this while following the guide, and I tried to change that in the docker-compose.yml back to the commented one versione (which was #NETBIRD_AUTH_REDIRECT_URI="/peers") but then I got a
{"error":"invalid_request","error_description":"The requested redirect_uri is missing in the client configuration. If you have any questions, you may contact the administrator of the application."} after reloading the page.

So i reverted to the /auth version suggested by the guide - which btw was filled by the ./configure.sh script that gets all the variables from the setup.env and put them in the various netbird config files (docker-compose.yml, management.json, etc.)

No matter what I do, I always end up to the netbird.my-domain.tld/peers page when Netbird seems to do an endless search for peers or something like that.
image

I'm using Traefik as my reverse proxy

@markcst commented on GitHub (Dec 22, 2024): It happens to me as well when I enter my `netbird.my-domain.tld` page. I'm using Zitadel selfhosted. I wondered if it was the setting of `NETBIRD_AUTH_REDIRECT_URI="/auth"` (I did this while following the [guide](https://docs.netbird.io/selfhosted/identity-providers#zitadel), and I tried to change that in the `docker-compose.yml` back to the commented one versione (which was `#NETBIRD_AUTH_REDIRECT_URI="/peers"`) but then I got a `{"error":"invalid_request","error_description":"The requested redirect_uri is missing in the client configuration. If you have any questions, you may contact the administrator of the application."}` after reloading the page. So i reverted to the `/auth` version suggested by the guide - which btw was filled by the `./configure.sh` script that gets all the variables from the `setup.env` and put them in the various netbird config files (`docker-compose.yml`, `management.json`, etc.) No matter what I do, I always end up to the `netbird.my-domain.tld/peers` page when Netbird seems to do an endless search for peers or something like that. ![image](https://github.com/user-attachments/assets/061e0c78-2606-464d-832e-e99776efe63d) I'm using Traefik as my reverse proxy
saavagebueno commented 2025-11-20 05:31:29 -05:00
Author
Owner
Copy Link

@joshuademarco commented on GitHub (Dec 24, 2024):

I think my issue is related to yours. At least i was experiencing the same behaviour. In my case I was using google as my IDP and i had to comment out any configuration in setup.env related to NETBIRD_MGMT_<...> and NETBIRD_IDP_MGMT_<...>. Does this solve something for you?

@joshuademarco commented on GitHub (Dec 24, 2024): I think my issue is related to yours. At least i was experiencing the same behaviour. In my case I was using google as my IDP and i had to comment out any configuration in `setup.env` related to `NETBIRD_MGMT_<...>` and `NETBIRD_IDP_MGMT_<...>`. Does this solve something for you?
saavagebueno commented 2025-11-20 05:31:29 -05:00
Author
Owner
Copy Link

@markcst commented on GitHub (Dec 25, 2024):

It happens to me as well when I enter my netbird.my-domain.tld page.

I'm using Zitadel selfhosted. I wondered if it was the setting of NETBIRD_AUTH_REDIRECT_URI="/auth" (I did this while following the guide, and I tried to change that in the docker-compose.yml back to the commented one versione (which was #NETBIRD_AUTH_REDIRECT_URI="/peers") but then I got a {"error":"invalid_request","error_description":"The requested redirect_uri is missing in the client configuration. If you have any questions, you may contact the administrator of the application."} after reloading the page.

So i reverted to the /auth version suggested by the guide - which btw was filled by the ./configure.sh script that gets all the variables from the setup.env and put them in the various netbird config files (docker-compose.yml, management.json, etc.)

No matter what I do, I always end up to the netbird.my-domain.tld/peers page when Netbird seems to do an endless search for peers or something like that. image

I'm using Traefik as my reverse proxy

I think I've solved by doing a few things (but I'm not sure if they were what fixed it)

  1. adding the NETBIRD_MGMT_API_PORT=443, NETBIRD_SIGNAL_PORT=443 vars to the setup.env, then re-run the configure.sh script
  2. generating a new client client secret in Zitadel to put in place of the previous one at NETBIRD_IDP_MGMT_CLIENT_SECRET (again, in setup.env)
  3. composing down then up with --force-recreate Traefik and Netbird containers
@markcst commented on GitHub (Dec 25, 2024): > It happens to me as well when I enter my `netbird.my-domain.tld` page. > > I'm using Zitadel selfhosted. I wondered if it was the setting of `NETBIRD_AUTH_REDIRECT_URI="/auth"` (I did this while following the [guide](https://docs.netbird.io/selfhosted/identity-providers#zitadel), and I tried to change that in the `docker-compose.yml` back to the commented one versione (which was `#NETBIRD_AUTH_REDIRECT_URI="/peers"`) but then I got a `{"error":"invalid_request","error_description":"The requested redirect_uri is missing in the client configuration. If you have any questions, you may contact the administrator of the application."}` after reloading the page. > > So i reverted to the `/auth` version suggested by the guide - which btw was filled by the `./configure.sh` script that gets all the variables from the `setup.env` and put them in the various netbird config files (`docker-compose.yml`, `management.json`, etc.) > > No matter what I do, I always end up to the `netbird.my-domain.tld/peers` page when Netbird seems to do an endless search for peers or something like that. ![image](https://private-user-images.githubusercontent.com/83904681/398013844-061e0c78-2606-464d-832e-e99776efe63d.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MzUxMTgxNjEsIm5iZiI6MTczNTExNzg2MSwicGF0aCI6Ii84MzkwNDY4MS8zOTgwMTM4NDQtMDYxZTBjNzgtMjYwNi00NjRkLTgzMmUtZTk5Nzc2ZWZlNjNkLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDEyMjUlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQxMjI1VDA5MTEwMVomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTViNDU4OTUwYTJiNWFmMzUxMWUzMzRhMGU1Y2RiZjJhMGU4ZWNjZDIyYWM3ZGE2ODEyZTIwOTFiYjZhOGQzMGQmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0In0.bSdw3HyDpJbzUyXTCSr-bjPwcJzUz3ce8fTL2BtbsQo) > > I'm using Traefik as my reverse proxy I think I've solved by doing a few things (but I'm not sure if they were what fixed it) 1. adding the `NETBIRD_MGMT_API_PORT=443`, `NETBIRD_SIGNAL_PORT=443` vars to the `setup.env`, then re-run the `configure.sh` script 2. generating a new client client secret in Zitadel to put in place of the previous one at `NETBIRD_IDP_MGMT_CLIENT_SECRET` (again, in `setup.env`) 3. composing down then up with `--force-recreate` Traefik and Netbird containers
saavagebueno commented 2025-11-20 05:31:30 -05:00
Author
Owner
Copy Link

@wakawakaaa commented on GitHub (Dec 25, 2024):

Some one solved the issue when using Authentik and nginx?

@wakawakaaa commented on GitHub (Dec 25, 2024): Some one solved the issue when using Authentik and nginx?
saavagebueno commented 2025-11-20 05:31:30 -05:00
Author
Owner
Copy Link

@nmincone commented on GitHub (Dec 27, 2024):

ScreenShot

I've tried every suggested solution in every post I could find. So far none have worked for me. NGNX PM, self hosted using authentic...

I also found this, is this an issue running on the same port?
dashboard-1 | NetBird latest version: management-1 | 2024-12-28T03:22:26Z INFO [context: SYSTEM] management/cmd/management.go:322: running gRPC backward compatibility server: [::]:33073 management-1 | 2024-12-28T03:22:26Z INFO [context: SYSTEM] management/cmd/management.go:354: management server version 0.35.1 management-1 | 2024-12-28T03:22:26Z INFO [context: SYSTEM] management/cmd/management.go:355: running HTTP server and gRPC server on the same port: [::]:443

@nmincone commented on GitHub (Dec 27, 2024): ![ScreenShot](https://github.com/user-attachments/assets/85f23d09-85a7-42e5-8551-b3adadfbfc41) I've tried every suggested solution in every post I could find. So far none have worked for me. NGNX PM, self hosted using authentic... I also found this, is this an issue running on the same port? `dashboard-1 | NetBird latest version: management-1 | 2024-12-28T03:22:26Z INFO [context: SYSTEM] management/cmd/management.go:322: running gRPC backward compatibility server: [::]:33073 management-1 | 2024-12-28T03:22:26Z INFO [context: SYSTEM] management/cmd/management.go:354: management server version 0.35.1 management-1 | 2024-12-28T03:22:26Z INFO [context: SYSTEM] management/cmd/management.go:355: running HTTP server and gRPC server on the same port: [::]:443 `
saavagebueno commented 2025-11-20 05:31:30 -05:00
Author
Owner
Copy Link

@wakawakaaa commented on GitHub (Dec 28, 2024):

I found there is an issue with latest version of netbird management netbirdio/management:latest.
even doing curl manually inside docker container from nginx curl dont work: curl https://netbird-management:443/api/users or curl http://netbird-management:443/api/users

@wakawakaaa commented on GitHub (Dec 28, 2024): I found there is an issue with latest version of netbird management `netbirdio/management:latest`. even doing curl manually inside docker container from nginx curl dont work: `curl https://netbird-management:443/api/users` or `curl http://netbird-management:443/api/users`
saavagebueno commented 2025-11-20 05:31:30 -05:00
Author
Owner
Copy Link

@markcst commented on GitHub (Dec 29, 2024):

Some one solved the issue when using Authentik and nginx?

The solution for me was abandon Authentik and use Zitadel. I know it's not a solution if you wanna use Authentik, but at least (for me) works. It was an easy choice cause I didn't have any IdP configured yet and nothing around it, but I imagine that's not always the case

@markcst commented on GitHub (Dec 29, 2024): > Some one solved the issue when using Authentik and nginx? The solution for me was abandon Authentik and use Zitadel. I know it's not a solution if you wanna use Authentik, but at least (for me) works. It was an easy choice cause I didn't have any IdP configured yet and nothing around it, but I imagine that's not always the case
saavagebueno commented 2025-11-20 05:31:30 -05:00
Author
Owner
Copy Link

@nmincone commented on GitHub (Dec 29, 2024):

I tried the same, completely blew away my install, created a Zitadel model, and still got stuck on ..../peers. Can you share your redacted setup.env and port rules? I put 9 hours into this yesterday. I'm still apologizing to my wife for burning our Saturday. On the plus side, I fired up VS Code for the first time in about a year, got re-acquainted with it, and found some nice extensions to install.

@nmincone commented on GitHub (Dec 29, 2024): I tried the same, completely blew away my install, created a Zitadel model, and still got stuck on ..../peers. Can you share your redacted setup.env and port rules? I put 9 hours into this yesterday. I'm still apologizing to my wife for burning our Saturday. On the plus side, I fired up VS Code for the first time in about a year, got re-acquainted with it, and found some nice extensions to install.
saavagebueno commented 2025-11-20 05:31:30 -05:00
Author
Owner
Copy Link

@markcst commented on GitHub (Dec 29, 2024):

I tried the same, completely blew away my install, created a Zitadel model, and still got stuck on ..../peers. Can you share your redacted setup.env and port rules? I put 9 hours into this yesterday. I'm still apologizing to my wife for burning our Saturday. On the plus side, I fired up VS Code for the first time in about a year, got re-acquainted with it, and found some nice extensions to install.

At the moment I'm not home, but I can say, for what I remember, that even for me changing NETBIRD_MGMT_API_PORT and NETBIRD_SIGNAL_PORT to 443 (as @kocey131 did) fix the issue. Or I should say adding, instead of changing, cause strangely those vars weren't in the setup.env.example at all when I gitlcloned the repo. Idk why that was a thing, but if they are needed, this must be fixed

@markcst commented on GitHub (Dec 29, 2024): > I tried the same, completely blew away my install, created a Zitadel model, and still got stuck on ..../peers. Can you share your redacted setup.env and port rules? I put 9 hours into this yesterday. I'm still apologizing to my wife for burning our Saturday. On the plus side, I fired up VS Code for the first time in about a year, got re-acquainted with it, and found some nice extensions to install. At the moment I'm not home, but I can say, for what I remember, that even for me changing `NETBIRD_MGMT_API_PORT` and `NETBIRD_SIGNAL_PORT` to `443` (as @kocey131 did) fix the issue. Or I should say adding, instead of changing, cause strangely those vars weren't in the `setup.env.example` at all when I gitlcloned the repo. Idk why that was a thing, but if they are needed, this must be fixed
saavagebueno commented 2025-11-20 05:31:30 -05:00
Author
Owner
Copy Link

@kocey131 commented on GitHub (Dec 29, 2024):

Hello after struggling for some time I finally fixed mine and was able to get pass the /peers screen.
What did the trick was changing NETBIRD_MGMT_API_PORT and NETBIRD_SIGNAL_PORT to both 443.

Then somehow running ./configure.sh for me did not change it to 443 in my docker compose file so I did it while assigning different host ports to the containers.

Here is my setup.env for reference:

NETBIRD_DASHBOARD_TAG=""
NETBIRD_SIGNAL_TAG=""
NETBIRD_MANAGEMENT_TAG=""
COTURN_TAG=""
NETBIRD_RELAY_TAG=""


NETBIRD_DOMAIN="YOUR_DOMAIN_HERE"
NETBIRD_DISABLE_LETSENCRYPT=true
NETBIRD_MGMT_API_PORT=443
NETBIRD_SIGNAL_PORT=443

NETBIRD_TURN_DOMAIN=""


NETBIRD_TURN_EXTERNAL_IP="192.168.20.20"


NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://authentik.home.yourdomain.com/application/o/netbird/.well-known/openid-configuration"

NETBIRD_AUTH_AUDIENCE="CrLRMKXZqcGW13V0Mauot36gIPioEkg6mzu9YtFO"

NETBIRD_AUTH_CLIENT_ID="CrLRMKXZqcGW13V0Mauot36gIPioEkg6mzu9YtFO"

NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"

NETBIRD_USE_AUTH0="false"

NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="CrLRMKXZqcGW13V0Mauot36gIPioEkg6mzu9YtFO"
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="CrLRMKXZqcGW13V0Mauot36gIPioEkg6mzu9YtFO"
NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false

NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"

NETBIRD_MGMT_IDP="authentik"

NETBIRD_IDP_MGMT_CLIENT_ID="CrLRMKXZqcGW13V0Mauot36gIPioEkg6mzu9YtFO"
NETBIRD_IDP_MGMT_EXTRA_USERNAME="Netbird"
NETBIRD_IDP_MGMT_EXTRA_PASSWORD="kLIAf9Gy6WvQBApbkajLqzSLfpZDrySYbm1VahFcmCUt0twOufiINcs9H0Qd"
#NETBIRD_IDP_MGMT_CLIENT_SECRET=""

My docker-compose.yml file:

version: "3"
services:
  #UI dashboard
  dashboard:
    image: netbirdio/dashboard:latest
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://YOUR_DOMAIN_HERE:443
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=YOUR_DOMAIN_HERE443
      # OIDC
      - AUTH_AUDIENCE=CrLRMKXZqcGW13V0Mauot36gIPioEkg6mzu9YtFO
      - AUTH_CLIENT_ID=CrLRMKXZqcGW13V0Mauot36gIPioEkg6mzu9YtFO
      - AUTH_CLIENT_SECRET=
      - AUTH_AUTHORITY=https://authentik.YOUR_DOMAIN_HERE/application/o/netbird/
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
      - AUTH_REDIRECT_URI=
      - AUTH_SILENT_REDIRECT_URI=
      - NETBIRD_TOKEN_SOURCE=accessToken
      # SSL
      - NGINX_SSL_PORT=443
      # Letsencrypt
      - LETSENCRYPT_DOMAIN=
      - LETSENCRYPT_EMAIL=
    volumes:
      - netbird-letsencrypt:/etc/letsencrypt/
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    volumes:
      - netbird-signal:/var/lib/netbird
    ports:
      - 4433:443
  #      # port and command for Let's Encrypt validation
  #      - 443:443
  #    command: ["--letsencrypt-domain", "", "--log-file", "console"]
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Relay
  relay:
    image: netbirdio/relay:latest
    restart: unless-stopped
    environment:
    - NB_LOG_LEVEL=info
    - NB_LISTEN_ADDRESS=:33080
    - NB_EXPOSED_ADDRESS=YOUR_DOMAIN_HERE:33080
    # todo: change to a secure secret
    - NB_AUTH_SECRET=AIXKqao2mSAq7WuoNR1plgdpjsO3NdimirrVk7RwSO4
    ports:
      - 33080:33080
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"

  # Management
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - netbird-letsencrypt:/etc/letsencrypt:ro
      - ./management.json:/etc/netbird/management.json
    ports:
      - 4430:443 #API port
  #    # command for Let's Encrypt validation without dashboard container
  #    command: ["--letsencrypt-domain", "", "--log-file", "console"]
    command: [
      "--port", "443",
      "--log-file", "console",
      "--log-level", "info",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain=YOUR_DOMAIN_HERE",
      "--dns-domain=netbird.selfhosted"
      ]
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
    environment:
      - NETBIRD_STORE_ENGINE_POSTGRES_DSN=

  # Coturn
  coturn:
    image: coturn/coturn:latest
    restart: unless-stopped
    #domainname: YOUR_DOMAIN_HERE # only needed when TLS is enabled
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    #      - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
    #      - ./cert.pem:/etc/coturn/certs/cert.pem:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
volumes:
  netbird-mgmt:
  netbird-signal:
  netbird-letsencrypt:

I got this to run behind nginx proxy manager by adding the following configuration under Advanced then Custom nginx configuration:


 location /api {
                proxy_pass http://192.168.20.20:4430;
                proxy_set_header Connection $http_connection;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
}

 location /management.ManagementService/ {
                grpc_pass grpcs://192.168.20.20:4430;
}

location /signalexchange.SignalExchange/ {
                grpc_pass grpcs://192.168.20.20:4433;
 }

For nginx I found this and it works too : https://github.com/netbirdio/netbird/issues/2043#issuecomment-2384470230

However I am met with another error when trying to set up a peer : error: failed while getting Management Service public key so i'll probably try to look into this again tomorrow...

@kocey131 commented on GitHub (Dec 29, 2024): Hello after struggling for some time I finally fixed mine and was able to get pass the /peers screen. What did the trick was changing NETBIRD_MGMT_API_PORT and NETBIRD_SIGNAL_PORT to both 443. Then somehow running ./configure.sh for me did not change it to 443 in my docker compose file so I did it while assigning different host ports to the containers. Here is my setup.env for reference: ``` NETBIRD_DASHBOARD_TAG="" NETBIRD_SIGNAL_TAG="" NETBIRD_MANAGEMENT_TAG="" COTURN_TAG="" NETBIRD_RELAY_TAG="" NETBIRD_DOMAIN="YOUR_DOMAIN_HERE" NETBIRD_DISABLE_LETSENCRYPT=true NETBIRD_MGMT_API_PORT=443 NETBIRD_SIGNAL_PORT=443 NETBIRD_TURN_DOMAIN="" NETBIRD_TURN_EXTERNAL_IP="192.168.20.20" NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://authentik.home.yourdomain.com/application/o/netbird/.well-known/openid-configuration" NETBIRD_AUTH_AUDIENCE="CrLRMKXZqcGW13V0Mauot36gIPioEkg6mzu9YtFO" NETBIRD_AUTH_CLIENT_ID="CrLRMKXZqcGW13V0Mauot36gIPioEkg6mzu9YtFO" NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api" NETBIRD_USE_AUTH0="false" NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none" NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="CrLRMKXZqcGW13V0Mauot36gIPioEkg6mzu9YtFO" NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="CrLRMKXZqcGW13V0Mauot36gIPioEkg6mzu9YtFO" NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid" NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000" NETBIRD_MGMT_IDP="authentik" NETBIRD_IDP_MGMT_CLIENT_ID="CrLRMKXZqcGW13V0Mauot36gIPioEkg6mzu9YtFO" NETBIRD_IDP_MGMT_EXTRA_USERNAME="Netbird" NETBIRD_IDP_MGMT_EXTRA_PASSWORD="kLIAf9Gy6WvQBApbkajLqzSLfpZDrySYbm1VahFcmCUt0twOufiINcs9H0Qd" #NETBIRD_IDP_MGMT_CLIENT_SECRET="" ``` My docker-compose.yml file: ``` version: "3" services: #UI dashboard dashboard: image: netbirdio/dashboard:latest restart: unless-stopped ports: - 80:80 - 443:443 environment: # Endpoints - NETBIRD_MGMT_API_ENDPOINT=https://YOUR_DOMAIN_HERE:443 - NETBIRD_MGMT_GRPC_API_ENDPOINT=YOUR_DOMAIN_HERE443 # OIDC - AUTH_AUDIENCE=CrLRMKXZqcGW13V0Mauot36gIPioEkg6mzu9YtFO - AUTH_CLIENT_ID=CrLRMKXZqcGW13V0Mauot36gIPioEkg6mzu9YtFO - AUTH_CLIENT_SECRET= - AUTH_AUTHORITY=https://authentik.YOUR_DOMAIN_HERE/application/o/netbird/ - USE_AUTH0=false - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api - AUTH_REDIRECT_URI= - AUTH_SILENT_REDIRECT_URI= - NETBIRD_TOKEN_SOURCE=accessToken # SSL - NGINX_SSL_PORT=443 # Letsencrypt - LETSENCRYPT_DOMAIN= - LETSENCRYPT_EMAIL= volumes: - netbird-letsencrypt:/etc/letsencrypt/ logging: driver: "json-file" options: max-size: "500m" max-file: "2" # Signal signal: image: netbirdio/signal:latest restart: unless-stopped volumes: - netbird-signal:/var/lib/netbird ports: - 4433:443 # # port and command for Let's Encrypt validation # - 443:443 # command: ["--letsencrypt-domain", "", "--log-file", "console"] logging: driver: "json-file" options: max-size: "500m" max-file: "2" # Relay relay: image: netbirdio/relay:latest restart: unless-stopped environment: - NB_LOG_LEVEL=info - NB_LISTEN_ADDRESS=:33080 - NB_EXPOSED_ADDRESS=YOUR_DOMAIN_HERE:33080 # todo: change to a secure secret - NB_AUTH_SECRET=AIXKqao2mSAq7WuoNR1plgdpjsO3NdimirrVk7RwSO4 ports: - 33080:33080 logging: driver: "json-file" options: max-size: "500m" max-file: "2" # Management management: image: netbirdio/management:latest restart: unless-stopped depends_on: - dashboard volumes: - netbird-mgmt:/var/lib/netbird - netbird-letsencrypt:/etc/letsencrypt:ro - ./management.json:/etc/netbird/management.json ports: - 4430:443 #API port # # command for Let's Encrypt validation without dashboard container # command: ["--letsencrypt-domain", "", "--log-file", "console"] command: [ "--port", "443", "--log-file", "console", "--log-level", "info", "--disable-anonymous-metrics=false", "--single-account-mode-domain=YOUR_DOMAIN_HERE", "--dns-domain=netbird.selfhosted" ] logging: driver: "json-file" options: max-size: "500m" max-file: "2" environment: - NETBIRD_STORE_ENGINE_POSTGRES_DSN= # Coturn coturn: image: coturn/coturn:latest restart: unless-stopped #domainname: YOUR_DOMAIN_HERE # only needed when TLS is enabled volumes: - ./turnserver.conf:/etc/turnserver.conf:ro # - ./privkey.pem:/etc/coturn/private/privkey.pem:ro # - ./cert.pem:/etc/coturn/certs/cert.pem:ro network_mode: host command: - -c /etc/turnserver.conf logging: driver: "json-file" options: max-size: "500m" max-file: "2" volumes: netbird-mgmt: netbird-signal: netbird-letsencrypt: ``` I got this to run behind nginx proxy manager by adding the following configuration under Advanced then Custom nginx configuration: ``` location /api { proxy_pass http://192.168.20.20:4430; proxy_set_header Connection $http_connection; proxy_set_header Upgrade $http_upgrade; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location /management.ManagementService/ { grpc_pass grpcs://192.168.20.20:4430; } location /signalexchange.SignalExchange/ { grpc_pass grpcs://192.168.20.20:4433; } ``` For nginx I found this and it works too : https://github.com/netbirdio/netbird/issues/2043#issuecomment-2384470230 However I am met with another error when trying to set up a peer : error: failed while getting Management Service public key so i'll probably try to look into this again tomorrow...
saavagebueno commented 2025-11-20 05:31:31 -05:00
Author
Owner
Copy Link

@nmincone commented on GitHub (Dec 29, 2024):

Hi and thank you.
Hmmmm, I've tried to mirror your config with my values... no change.
Your setup looks like you are running it in a dedicated VM, I am to but I'm running it on my Docker host VM so I had to change the initial ports of 80 & 443 to 1280 & 12443 respectively. I tried with and without the NGNX PM Advanced setting you provided. I'll dig deeper more next week.

@nmincone commented on GitHub (Dec 29, 2024): Hi and thank you. Hmmmm, I've tried to mirror your config with my values... no change. Your setup looks like you are running it in a dedicated VM, I am to but I'm running it on my Docker host VM so I had to change the initial ports of 80 & 443 to 1280 & 12443 respectively. I tried with and without the NGNX PM Advanced setting you provided. I'll dig deeper more next week.
saavagebueno commented 2025-11-20 05:31:31 -05:00
Author
Owner
Copy Link

@nmincone commented on GitHub (Dec 29, 2024):

I seem to have the same CORS issue listed here

@nmincone commented on GitHub (Dec 29, 2024): I seem to have the same CORS issue [listed here](https://github.com/netbirdio/netbird/issues/1590)
saavagebueno commented 2025-11-20 05:31:31 -05:00
Author
Owner
Copy Link

@haldi4803 commented on GitHub (Jan 2, 2025):

i used debian 12 in a VM, used the script:
export NETBIRD_DOMAIN=netbird.REDACTED.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started-with-zitadel.sh | bash

And now am stuck in the exact same position....

Edit: Seems to be an Issue with Firewall/Ports!
Even though i have:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
33073/tcp                  ALLOW       Anywhere
10000/tcp                  ALLOW       Anywhere
33080/tcp                  ALLOW       Anywhere
3478/udp                   ALLOW       Anywhere
49152:65535/udp            ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
33073/tcp (v6)             ALLOW       Anywhere (v6)
10000/tcp (v6)             ALLOW       Anywhere (v6)
33080/tcp (v6)             ALLOW       Anywhere (v6)
3478/udp (v6)              ALLOW       Anywhere (v6)
49152:65535/udp (v6)       ALLOW       Anywhere (v6)

when i use ufw disable it just works.

@haldi4803 commented on GitHub (Jan 2, 2025): i used debian 12 in a VM, used the script: `export NETBIRD_DOMAIN=netbird.REDACTED.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started-with-zitadel.sh | bash` And now am stuck in the exact same position.... Edit: Seems to be an Issue with Firewall/Ports! Even though i have: ```root@Netbird:~# ufw status Status: active To Action From -- ------ ---- 22/tcp ALLOW Anywhere 33073/tcp ALLOW Anywhere 10000/tcp ALLOW Anywhere 33080/tcp ALLOW Anywhere 3478/udp ALLOW Anywhere 49152:65535/udp ALLOW Anywhere 22/tcp (v6) ALLOW Anywhere (v6) 33073/tcp (v6) ALLOW Anywhere (v6) 10000/tcp (v6) ALLOW Anywhere (v6) 33080/tcp (v6) ALLOW Anywhere (v6) 3478/udp (v6) ALLOW Anywhere (v6) 49152:65535/udp (v6) ALLOW Anywhere (v6) ``` when i use `ufw disable` it just works.
saavagebueno commented 2025-11-20 05:31:31 -05:00
Author
Owner
Copy Link

@JoyceBabu commented on GitHub (Jan 2, 2025):

I am also getting the same error with Google Idp. I have tried disabling the firewall as suggested by @haldi4803, but it did not fix the issue.

@JoyceBabu commented on GitHub (Jan 2, 2025): I am also getting the same error with Google Idp. I have tried disabling the firewall as suggested by @haldi4803, but it did not fix the issue.
saavagebueno commented 2025-11-20 05:31:31 -05:00
Author
Owner
Copy Link

@nmincone commented on GitHub (Jan 20, 2025):

@haldi4803 where did you use ufw disable, in Docker compose or did you pass it into the install script? I had to drop this for a few weeks after burning myself out trying to find a solution. Thinking about trying again this weekend...

@nmincone commented on GitHub (Jan 20, 2025): @haldi4803 where did you use `ufw disable`, in Docker compose or did you pass it into the install script? I had to drop this for a few weeks after burning myself out trying to find a solution. Thinking about trying again this weekend...
saavagebueno commented 2025-11-20 05:31:31 -05:00
Author
Owner
Copy Link

@haldi4803 commented on GitHub (Jan 21, 2025):

@nmincone in the Debian VM.

@haldi4803 commented on GitHub (Jan 21, 2025): @nmincone in the Debian VM.
saavagebueno commented 2025-11-20 05:31:32 -05:00
Author
Owner
Copy Link

@nmincone commented on GitHub (Jan 21, 2025):

hmmm I'm running Debian, don't think this applies to my installation.

@nmincone commented on GitHub (Jan 21, 2025): hmmm I'm running Debian, don't think this applies to my installation.
saavagebueno commented 2025-11-20 05:31:32 -05:00
Author
Owner
Copy Link

@twoleftankles commented on GitHub (Jan 29, 2025):

Im not sure if you were able to solve this or not, but here are my configs that are working with Traefik, Authentik, Crowdsec, and Netbird on the same host. Only exposing 80 and 443 on TCP

I think its important to note that the peers page failing to load is usually a sign that the management service is having some problems. I would start by checking the logs for that container.

https://github.com/twoleftankles/Single-Stack/tree/63930c292decf9c7049245d6342c2cae82677928/docker-compose/netbird/infrastructure_files

@twoleftankles commented on GitHub (Jan 29, 2025): Im not sure if you were able to solve this or not, but here are my configs that are working with Traefik, Authentik, Crowdsec, and Netbird on the same host. Only exposing 80 and 443 on TCP I think its important to note that the peers page failing to load is usually a sign that the management service is having some problems. I would start by checking the logs for that container. [https://github.com/twoleftankles/Single-Stack/tree/63930c292decf9c7049245d6342c2cae82677928/docker-compose/netbird/infrastructure_files](url)
saavagebueno commented 2025-11-20 05:31:32 -05:00
Author
Owner
Copy Link

@MichaelUray commented on GitHub (Jan 30, 2025):

In my case was it caused by a firewall problem, nat reflection/hairpin on the router ahead of it did not work properly.
The webinterface worked in general, but it often stucked. Not sure why it worked anyhow a bit with that issue.

It looks to containers communicate internally via the public DNS name/IP address.
It would be better to communicate internally directly via docker names, otherwise the traffic might have to go via external routers/firewalls.
Maybe is this just a matter of the getting-started-with-zitadel.sh script which I used to setup my server.

@MichaelUray commented on GitHub (Jan 30, 2025): In my case was it caused by a firewall problem, nat reflection/hairpin on the router ahead of it did not work properly. The webinterface worked in general, but it often stucked. Not sure why it worked anyhow a bit with that issue. It looks to containers communicate internally via the public DNS name/IP address. It would be better to communicate internally directly via docker names, otherwise the traffic might have to go via external routers/firewalls. Maybe is this just a matter of the `getting-started-with-zitadel.sh` script which I used to setup my server.
saavagebueno commented 2025-11-20 05:31:32 -05:00
Author
Owner
Copy Link

@mad73923 commented on GitHub (Mar 11, 2025):

I'm using traefik as forward proxy and solved this issue by setting the Content-Security-Policy of authentik:

traefik.http.middlewares.contentsec.headers.contentsecuritypolicy=frame-ancestors 'self' https://<URL to netbird>;

Documentation: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

@mad73923 commented on GitHub (Mar 11, 2025): I'm using traefik as forward proxy and solved this issue by setting the Content-Security-Policy of authentik: ``` traefik.http.middlewares.contentsec.headers.contentsecuritypolicy=frame-ancestors 'self' https://<URL to netbird>; ``` Documentation: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
saavagebueno commented 2025-11-20 05:31:32 -05:00
Author
Owner
Copy Link

@Oriann commented on GitHub (Mar 12, 2025):

In my case was it caused by a firewall problem, nat reflection/hairpin on the router ahead of it did not work properly. The webinterface worked in general, but it often stucked. Not sure why it worked anyhow a bit with that issue.

Just to clarify...with theese kind of services consider using Split Brain DNS, hairpin is not ideal solution because of the loop you make WAN>LAN>WAN.

@Oriann commented on GitHub (Mar 12, 2025): > In my case was it caused by a firewall problem, nat reflection/hairpin on the router ahead of it did not work properly. The webinterface worked in general, but it often stucked. Not sure why it worked anyhow a bit with that issue. Just to clarify...with theese kind of services consider using Split Brain DNS, hairpin is not ideal solution because of the loop you make WAN>LAN>WAN.
saavagebueno commented 2025-11-20 05:31:32 -05:00
Author
Owner
Copy Link

@e1ke commented on GitHub (Mar 26, 2025):

I am going crazy, i cant get netbird + authentik + nginx-proxymanager working.
Here are my settings and configs:

setup.env

## example file, you can copy this file to setup.env and update its values
##

# Image tags
# you can force specific tags for each component; will be set to latest if empty
NETBIRD_DASHBOARD_TAG=""
NETBIRD_SIGNAL_TAG=""
NETBIRD_MANAGEMENT_TAG=""
COTURN_TAG=""
NETBIRD_RELAY_TAG=""

# Dashboard domain. e.g. app.mydomain.com
NETBIRD_DOMAIN="netbird.MYDOMAIN.de"

# TURN server domain. e.g. turn.mydomain.com
# if not specified it will assume NETBIRD_DOMAIN
NETBIRD_TURN_DOMAIN="hetzner-01.MYDOMAIN.de"

# TURN server public IP address
# required for a connection involving peers in
# the same network as the server and external peers
# usually matches the IP for the domain set in NETBIRD_TURN_DOMAIN
NETBIRD_TURN_EXTERNAL_IP="49.xxx.xxx.xxx"

# -------------------------------------------
# OIDC
#  e.g., https://example.eu.auth0.com/.well-known/openid-configuration
# -------------------------------------------
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://auth.MYDOMAIN.de/application/o/netbird/.well-known/openid-configuration"
# The default setting is to transmit the audience to the IDP during authorization. However,
# if your IDP does not have this capability, you can turn this off by setting it to false.
#NETBIRD_DASH_AUTH_USE_AUDIENCE=false
NETBIRD_AUTH_AUDIENCE="XygzTCj9........0K0EGkXR"
# e.g. netbird-client
NETBIRD_AUTH_CLIENT_ID="XygzTCj9........0K0EGkXR"
# indicates the scopes that will be requested to the IDP
NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
# NETBIRD_AUTH_CLIENT_SECRET is required only by Google workspace.
# NETBIRD_AUTH_CLIENT_SECRET=""
# if you want to use a custom claim for the user ID instead of 'sub', set it here
# NETBIRD_AUTH_USER_ID_CLAIM=""
# indicates whether to use Auth0 or not: true or false
NETBIRD_USE_AUTH0="false"
# if your IDP provider doesn't support fragmented URIs, configure custom
# redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain.
# NETBIRD_AUTH_REDIRECT_URI="/peers"
# NETBIRD_AUTH_SILENT_REDIRECT_URI="/add-peers"
# Updates the preference to use id tokens instead of access token on dashboard
# Okta and Gitlab IDPs can benefit from this
# NETBIRD_TOKEN_SOURCE="idToken"
# -------------------------------------------
# OIDC Device Authorization Flow
# -------------------------------------------
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="authentik"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="XygzTCj9........0K0EGkXR"
# Some IDPs requires different audience, scopes and to use id token for device authorization flow
# you can customize here:
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
#NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
# -------------------------------------------
# OIDC PKCE Authorization Flow
# -------------------------------------------
# Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative
# eg. 53000,54000
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"
# -------------------------------------------
# IDP Management
# -------------------------------------------
# eg. zitadel, auth0, azure, keycloak
NETBIRD_MGMT_IDP="authentik"
# Some IDPs requires different client id and client secret for management api
NETBIRD_IDP_MGMT_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
NETBIRD_IDP_MGMT_CLIENT_SECRET=""
# Required when setting up with Keycloak "https://<YOUR_KEYCLOAK_HOST_AND_PORT>/admin/realms/netbird"
# NETBIRD_IDP_MGMT_EXTRA_ADMIN_ENDPOINT=
# With some IDPs may be needed enabling automatic refresh of signing keys on expire
# NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=false
# NETBIRD_IDP_MGMT_EXTRA_ variables. See https://docs.netbird.io/selfhosted/identity-providers for more information about your IDP of choice.
NETBIRD_IDP_MGMT_EXTRA_USERNAME="NetbirdServiceAcc"
NETBIRD_IDP_MGMT_EXTRA_PASSWORD="KcxH2RdJ.....(app-password, not api-token).......baRHpvv"
# -------------------------------------------
# Letsencrypt
# -------------------------------------------
# Disable letsencrypt
#  if disabled, cannot use HTTPS anymore and requires setting up a reverse-proxy to do it instead
NETBIRD_DISABLE_LETSENCRYPT=true
# e.g. hello@mydomain.com
NETBIRD_LETSENCRYPT_EMAIL=""
# -------------------------------------------
# Extra settings
# -------------------------------------------
# Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
NETBIRD_DISABLE_ANONYMOUS_METRICS=false
# DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted

# -------------------------------------------
# Relay settings
# -------------------------------------------
# Relay server domain. e.g. relay.mydomain.com
# if not specified it will assume NETBIRD_DOMAIN
NETBIRD_RELAY_DOMAIN=""

# Relay server connection port. If none is supplied
# it will default to 33080
NETBIRD_RELAY_PORT=""


NETBIRD_MGMT_API_PORT=3448
NETBIRD_SIGNAL_PORT=3449
  • https://auth.MYDOMAIN.de/application/o/netbird/.well-known/openid-configuration is accessible without issues
  • run ./configure.sh

artifacts/docker-compose.yml

I changed some exposed ports in the template and added the NginxReverseproxymanager Docker-Network at the bottom and on every service, so that i can access the containers by their hostname:

services:
  # UI dashboard
  dashboard:
    image: netbirdio/dashboard:latest
    restart: unless-stopped
    container_name: nb-dashboard
    networks:
      - reverse-proxy-network
    ports:
      - 87:80
      - 447:443
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://netbird.MYDOMAIN.de:3448
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.MYDOMAIN.de:3448
      # OIDC
      - AUTH_AUDIENCE=XygzTCj9........0K0EGkXR
      - AUTH_CLIENT_ID=XygzTCj9........0K0EGkXR
      - AUTH_CLIENT_SECRET=
      - AUTH_AUTHORITY=https://auth.MYDOMAIN.de/application/o/netbird/
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
      - AUTH_REDIRECT_URI=
      - AUTH_SILENT_REDIRECT_URI=
      - NETBIRD_TOKEN_SOURCE=accessToken
      # SSL
      - NGINX_SSL_PORT=443
      # Letsencrypt
      - LETSENCRYPT_DOMAIN=
      - LETSENCRYPT_EMAIL=
    volumes:
      - netbird-letsencrypt:/etc/letsencrypt/
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"

  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    container_name: nb-signal
    networks:
      - reverse-proxy-network
    volumes:
      - netbird-signal:/var/lib/netbird
    ports:
      - 3449:80
  #      # port and command for Let's Encrypt validation
  #      - 443:443
  #    command: ["--letsencrypt-domain", "", "--log-file", "console"]
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"

  # Relay
  relay:
    image: netbirdio/relay:latest
    restart: unless-stopped
    container_name: nb-relay
    networks:
      - reverse-proxy-network
    environment:
    - NB_LOG_LEVEL=info
    - NB_LISTEN_ADDRESS=:33080
    - NB_EXPOSED_ADDRESS=netbird.MYDOMAIN.de:33080
    # todo: change to a secure secret
    - NB_AUTH_SECRET=97tiTvQAEy6................02wRk5n8
    ports:
      - 33080:33080
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"

  # Management
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    container_name: nb-management
    networks:
      - reverse-proxy-network
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - netbird-letsencrypt:/etc/letsencrypt:ro
      - ./management.json:/etc/netbird/management.json
    ports:
      - 3448:443 #API port
  #    # command for Let's Encrypt validation without dashboard container
  #    command: ["--letsencrypt-domain", "", "--log-file", "console"]
    command: [
      "--port", "443",
      "--log-file", "console",
      "--log-level", "info",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain=netbird.MYDOMAIN.de",
      "--dns-domain=netbird.selfhosted"
      ]
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
    environment:
      - NETBIRD_STORE_ENGINE_POSTGRES_DSN=
      - NETBIRD_STORE_ENGINE_MYSQL_DSN=

  # Coturn
  coturn:
    image: coturn/coturn:latest
    restart: unless-stopped
    container_name: nb-coturn
    #domainname: hetzner-01.MYDOMAIN.de # only needed when TLS is enabled
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    #      - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
    #      - ./cert.pem:/etc/coturn/certs/cert.pem:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"

volumes:
  netbird-mgmt:
  netbird-signal:
  netbird-letsencrypt:

networks:
  reverse-proxy-network:
    name: npm_default
    external: true
    driver: bridge

artifacts/management.json

{
    "Stuns": [
        {
            "Proto": "udp",
            "URI": "stun:hetzner-01.MYDOMAIN.de:3478",
            "Username": "",
            "Password": ""
        }
    ],
    "TURNConfig": {
        "TimeBasedCredentials": false,
        "CredentialsTTL": "12h0m0s",
        "Secret": "secret",
        "Turns": [
            {
                "Proto": "udp",
                "URI": "turn:hetzner-01.MYDOMAIN.de:3478",
                "Username": "self",
                "Password": "EaX8AM.......337k"
            }
        ]
    },
    "Relay": {
        "Addresses": [
            "rel://netbird.MYDOMAIN.de:33080"
        ],
        "CredentialsTTL": "24h0m0s",
        "Secret": "97tiT..........5n8"
    },
    "Signal": {
        "Proto": "https",
        "URI": "netbird.MYDOMAIN.de:3449",
        "Username": "",
        "Password": ""
    },
    "Datadir": "/var/lib/netbird/",
    "DataStoreEncryptionKey": "G8kw...................oIhM=",
    "HttpConfig": {
        "LetsEncryptDomain": "",
        "CertFile": "",
        "CertKey": "",
        "AuthAudience": "XygzTCj9........0K0EGkXR",
        "AuthIssuer": "https://auth.MYDOMAIN.de/application/o/netbird/",
        "AuthUserIDClaim": "",
        "AuthKeysLocation": "https://auth.MYDOMAIN.de/application/o/netbird/jwks/",
        "OIDCConfigEndpoint": "https://auth.MYDOMAIN.de/application/o/netbird/.well-known/openid-configuration",
        "IdpSignKeyRefreshEnabled": false,
        "ExtraAuthAudience": ""
    },
    "IdpManagerConfig": {
        "ManagerType": "authentik",
        "ClientConfig": {
            "Issuer": "https://auth.MYDOMAIN.de/application/o/netbird",
            "TokenEndpoint": "https://auth.MYDOMAIN.de/application/o/token/",
            "ClientID": "XygzTCj9........0K0EGkXR",
            "ClientSecret": "",
            "GrantType": "client_credentials"
        },
        "ExtraConfig": {
            "Password": "KcxH2Rd..............RHpvv",
            "Username": "NetbirdServiceAcc"
        },
        "Auth0ClientCredentials": null,
        "AzureClientCredentials": null,
        "KeycloakClientCredentials": null,
        "ZitadelClientCredentials": null
    },
    "DeviceAuthorizationFlow": {
        "Provider": "hosted",
        "ProviderConfig": {
            "ClientID": "XygzTCj9........0K0EGkXR",
            "ClientSecret": "",
            "Domain": "auth.MYDOMAIN.de",
            "Audience": "XygzTCj9........0K0EGkXR",
            "TokenEndpoint": "https://auth.MYDOMAIN.de/application/o/token/",
            "DeviceAuthEndpoint": "https://auth.MYDOMAIN.de/application/o/device/",
            "AuthorizationEndpoint": "",
            "Scope": "openid",
            "UseIDToken": false,
            "RedirectURLs": null
        }
    },
    "PKCEAuthorizationFlow": {
        "ProviderConfig": {
            "ClientID": "XygzTCj9........0K0EGkXR",
            "ClientSecret": "",
            "Domain": "",
            "Audience": "XygzTCj9........0K0EGkXR",
            "TokenEndpoint": "https://auth.MYDOMAIN.de/application/o/token/",
            "DeviceAuthEndpoint": "",
            "AuthorizationEndpoint": "https://auth.MYDOMAIN.de/application/o/authorize/",
            "Scope": "openid profile email offline_access api",
            "UseIDToken": false,
            "RedirectURLs": [
                "http://localhost:53000"
            ]
        }
    },
    "StoreConfig": {
        "Engine": "sqlite"
    },
    "ReverseProxy": {
        "TrustedHTTPProxies": [],
        "TrustedHTTPProxiesCount": 0,
        "TrustedPeers": [
            "0.0.0.0/0"
        ]
    }

NGINX Proxymanager config

Image

Image

Advanced:
(i also tried the docker exposed ports 3448 for mgmt and 3449 for signal)

Image

 location /api {
                proxy_pass http://nb-management:443;
                proxy_set_header Connection $http_connection;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
}

 location /management.ManagementService/ {
                grpc_pass grpcs://nb-management:443;
}

location /signalexchange.SignalExchange/ {
                grpc_pass grpcs://nb-signal:80;
 }

Authentik

Image

Image

Image

Image

Image

Image

Image

Logs

docker nb-management

2025-03-26T16:43:14Z INFO [context: SYSTEM] management/cmd/management.go:510: loading OIDC configuration from the provided IDP configuration endpoint https://auth.MYDOMAIN.de/application/o/netbird/.well-known/openid-configuration
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:515: loaded OIDC configuration from the provided IDP configuration endpoint: https://auth.MYDOMAIN.de/application/o/netbird/.well-known/openid-configuration
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:517: overriding HttpConfig.AuthIssuer with a new value https://auth.MYDOMAIN.de/application/o/netbird/, previously configured value: https://auth.MYDOMAIN.de/application/o/netbird/
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:521: overriding HttpConfig.AuthKeysLocation (JWT certs) with a new value https://auth.MYDOMAIN.de/application/o/netbird/jwks/, previously configured value: https://auth.MYDOMAIN.de/application/o/netbird/jwks/
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:526: overriding DeviceAuthorizationFlow.TokenEndpoint with a new value: https://auth.MYDOMAIN.de/application/o/token/, previously configured value: https://auth.MYDOMAIN.de/application/o/token/
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:529: overriding DeviceAuthorizationFlow.DeviceAuthEndpoint with a new value: https://auth.MYDOMAIN.de/application/o/device/, previously configured value: https://auth.MYDOMAIN.de/application/o/device/
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:537: overriding DeviceAuthorizationFlow.ProviderConfig.Domain with a new value: auth.MYDOMAIN.de, previously configured value: 
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:547: overriding PKCEAuthorizationFlow.TokenEndpoint with a new value: https://auth.MYDOMAIN.de/application/o/token/, previously configured value: https://auth.MYDOMAIN.de/application/o/token/
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:550: overriding PKCEAuthorizationFlow.AuthorizationEndpoint with a new value: https://auth.MYDOMAIN.de/application/o/authorize/, previously configured value: https://auth.MYDOMAIN.de/application/o/authorize/
2025-03-26T16:43:16Z INFO management/cmd/management.go:557: Relay addresses: [rel://netbird.MYDOMAIN.de:33080]
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/telemetry/app_metrics.go:193: enabled application metrics and exposing on http://0.0.0.0:9090
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/store/store.go:258: using SQLite store engine
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/store/sql_store.go:89: Set max open db connections to 1
2025-03-26T16:43:16Z INFO management/server/migration/migration.go:142: No records in table peers, no migration needed
2025-03-26T16:43:16Z INFO management/server/migration/migration.go:142: No records in table peers, no migration needed
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/migration/migration.go:257: No plain setup keys found in table setup_keys, no migration needed
2025-03-26T16:43:16Z INFO management/server/migration/migration.go:295: Migration of plain setup key to hashed setup key completed
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/migration/migration.go:338: No rows with empty enabled found in table network_resources, no migration needed
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/migration/migration.go:352: Migration of empty enabled to default value in table network_resources completed
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/migration/migration.go:338: No rows with empty enabled found in table network_routers, no migration needed
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/migration/migration.go:352: Migration of empty enabled to default value in table network_routers completed
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:184: update config with activity store key
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:196: geolocation service has been initialized from /var/lib/netbird/
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/account_request_buffer.go:45: set account request buffer interval to 100ms
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/account.go:196: single account mode enabled, accounts number 0
2025-03-26T16:43:18Z INFO [context: SYSTEM] management/cmd/management.go:318: running gRPC backward compatibility server: [::]:33073
2025-03-26T16:43:18Z INFO [context: SYSTEM] management/cmd/management.go:350: management server version 0.39.1
2025-03-26T16:43:18Z INFO [context: SYSTEM] management/cmd/management.go:351: running HTTP server and gRPC server on the same port: [::]:443
2025-03-26T16:43:21Z INFO [context: SYSTEM] management/server/account.go:462: 1 entries received from IdP management
2025-03-26T16:43:21Z INFO [context: SYSTEM] management/server/account.go:493: warmed up IDP cache with 0 entries for 0 accounts

I read (and I think tried, at least most of them) the following netbird gh issues:

https://github.com/netbirdio/netbird/issues/3007 Stuck on loading screen on "/peers" (Authentik)
https://github.com/netbirdio/netbird/issues/3007#issuecomment-2564843380
https://github.com/netbirdio/netbird/issues/2941 Request failed with status code 401 (Authentik)
https://github.com/netbirdio/netbird/issues/2515 Unable to authenticate with Authentik SSO
https://github.com/netbirdio/netbird/issues/2510 Netbird with NGiNX Proxy Manager and Authentik
https://github.com/netbirdio/netbird/issues/2338 Can't access dashboard - Token Invalid, Authentik
https://github.com/netbirdio/netbird/issues/2043 error: failed while getting Management Service public key
https://github.com/netbirdio/netbird/issues/2043#issuecomment-2384470230
https://github.com/netbirdio/netbird/issues/1962 netbird dashboard does not open properly
https://github.com/netbirdio/netbird/issues/1742 NGINX reverse proxy question
https://github.com/netbirdio/netbird/issues/1250 Authentik login not working: Login Error: User state: Unauthenticated
https://github.com/netbirdio/netbird/issues/536 Run netbird behind reverse proxy

Please help, I am totally clueless anymore. What can I try next? Can i provide more information?

@e1ke commented on GitHub (Mar 26, 2025): I am going crazy, i cant get netbird + authentik + nginx-proxymanager working. Here are my settings and configs: ### setup.env ```shell ## example file, you can copy this file to setup.env and update its values ## # Image tags # you can force specific tags for each component; will be set to latest if empty NETBIRD_DASHBOARD_TAG="" NETBIRD_SIGNAL_TAG="" NETBIRD_MANAGEMENT_TAG="" COTURN_TAG="" NETBIRD_RELAY_TAG="" # Dashboard domain. e.g. app.mydomain.com NETBIRD_DOMAIN="netbird.MYDOMAIN.de" # TURN server domain. e.g. turn.mydomain.com # if not specified it will assume NETBIRD_DOMAIN NETBIRD_TURN_DOMAIN="hetzner-01.MYDOMAIN.de" # TURN server public IP address # required for a connection involving peers in # the same network as the server and external peers # usually matches the IP for the domain set in NETBIRD_TURN_DOMAIN NETBIRD_TURN_EXTERNAL_IP="49.xxx.xxx.xxx" # ------------------------------------------- # OIDC # e.g., https://example.eu.auth0.com/.well-known/openid-configuration # ------------------------------------------- NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://auth.MYDOMAIN.de/application/o/netbird/.well-known/openid-configuration" # The default setting is to transmit the audience to the IDP during authorization. However, # if your IDP does not have this capability, you can turn this off by setting it to false. #NETBIRD_DASH_AUTH_USE_AUDIENCE=false NETBIRD_AUTH_AUDIENCE="XygzTCj9........0K0EGkXR" # e.g. netbird-client NETBIRD_AUTH_CLIENT_ID="XygzTCj9........0K0EGkXR" # indicates the scopes that will be requested to the IDP NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api" # NETBIRD_AUTH_CLIENT_SECRET is required only by Google workspace. # NETBIRD_AUTH_CLIENT_SECRET="" # if you want to use a custom claim for the user ID instead of 'sub', set it here # NETBIRD_AUTH_USER_ID_CLAIM="" # indicates whether to use Auth0 or not: true or false NETBIRD_USE_AUTH0="false" # if your IDP provider doesn't support fragmented URIs, configure custom # redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain. # NETBIRD_AUTH_REDIRECT_URI="/peers" # NETBIRD_AUTH_SILENT_REDIRECT_URI="/add-peers" # Updates the preference to use id tokens instead of access token on dashboard # Okta and Gitlab IDPs can benefit from this # NETBIRD_TOKEN_SOURCE="idToken" # ------------------------------------------- # OIDC Device Authorization Flow # ------------------------------------------- NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="authentik" NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="XygzTCj9........0K0EGkXR" # Some IDPs requires different audience, scopes and to use id token for device authorization flow # you can customize here: NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid" #NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false # ------------------------------------------- # OIDC PKCE Authorization Flow # ------------------------------------------- # Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative # eg. 53000,54000 NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000" # ------------------------------------------- # IDP Management # ------------------------------------------- # eg. zitadel, auth0, azure, keycloak NETBIRD_MGMT_IDP="authentik" # Some IDPs requires different client id and client secret for management api NETBIRD_IDP_MGMT_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID NETBIRD_IDP_MGMT_CLIENT_SECRET="" # Required when setting up with Keycloak "https://<YOUR_KEYCLOAK_HOST_AND_PORT>/admin/realms/netbird" # NETBIRD_IDP_MGMT_EXTRA_ADMIN_ENDPOINT= # With some IDPs may be needed enabling automatic refresh of signing keys on expire # NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=false # NETBIRD_IDP_MGMT_EXTRA_ variables. See https://docs.netbird.io/selfhosted/identity-providers for more information about your IDP of choice. NETBIRD_IDP_MGMT_EXTRA_USERNAME="NetbirdServiceAcc" NETBIRD_IDP_MGMT_EXTRA_PASSWORD="KcxH2RdJ.....(app-password, not api-token).......baRHpvv" # ------------------------------------------- # Letsencrypt # ------------------------------------------- # Disable letsencrypt # if disabled, cannot use HTTPS anymore and requires setting up a reverse-proxy to do it instead NETBIRD_DISABLE_LETSENCRYPT=true # e.g. hello@mydomain.com NETBIRD_LETSENCRYPT_EMAIL="" # ------------------------------------------- # Extra settings # ------------------------------------------- # Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection NETBIRD_DISABLE_ANONYMOUS_METRICS=false # DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted # ------------------------------------------- # Relay settings # ------------------------------------------- # Relay server domain. e.g. relay.mydomain.com # if not specified it will assume NETBIRD_DOMAIN NETBIRD_RELAY_DOMAIN="" # Relay server connection port. If none is supplied # it will default to 33080 NETBIRD_RELAY_PORT="" NETBIRD_MGMT_API_PORT=3448 NETBIRD_SIGNAL_PORT=3449 ``` - `https://auth.MYDOMAIN.de/application/o/netbird/.well-known/openid-configuration` is accessible without issues - run `./configure.sh` ### artifacts/docker-compose.yml I changed some exposed ports in the template and added the NginxReverseproxymanager Docker-Network at the bottom and on every service, so that i can access the containers by their hostname: ```yaml services: # UI dashboard dashboard: image: netbirdio/dashboard:latest restart: unless-stopped container_name: nb-dashboard networks: - reverse-proxy-network ports: - 87:80 - 447:443 environment: # Endpoints - NETBIRD_MGMT_API_ENDPOINT=https://netbird.MYDOMAIN.de:3448 - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.MYDOMAIN.de:3448 # OIDC - AUTH_AUDIENCE=XygzTCj9........0K0EGkXR - AUTH_CLIENT_ID=XygzTCj9........0K0EGkXR - AUTH_CLIENT_SECRET= - AUTH_AUTHORITY=https://auth.MYDOMAIN.de/application/o/netbird/ - USE_AUTH0=false - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api - AUTH_REDIRECT_URI= - AUTH_SILENT_REDIRECT_URI= - NETBIRD_TOKEN_SOURCE=accessToken # SSL - NGINX_SSL_PORT=443 # Letsencrypt - LETSENCRYPT_DOMAIN= - LETSENCRYPT_EMAIL= volumes: - netbird-letsencrypt:/etc/letsencrypt/ logging: driver: "json-file" options: max-size: "500m" max-file: "2" # Signal signal: image: netbirdio/signal:latest restart: unless-stopped container_name: nb-signal networks: - reverse-proxy-network volumes: - netbird-signal:/var/lib/netbird ports: - 3449:80 # # port and command for Let's Encrypt validation # - 443:443 # command: ["--letsencrypt-domain", "", "--log-file", "console"] logging: driver: "json-file" options: max-size: "500m" max-file: "2" # Relay relay: image: netbirdio/relay:latest restart: unless-stopped container_name: nb-relay networks: - reverse-proxy-network environment: - NB_LOG_LEVEL=info - NB_LISTEN_ADDRESS=:33080 - NB_EXPOSED_ADDRESS=netbird.MYDOMAIN.de:33080 # todo: change to a secure secret - NB_AUTH_SECRET=97tiTvQAEy6................02wRk5n8 ports: - 33080:33080 logging: driver: "json-file" options: max-size: "500m" max-file: "2" # Management management: image: netbirdio/management:latest restart: unless-stopped container_name: nb-management networks: - reverse-proxy-network depends_on: - dashboard volumes: - netbird-mgmt:/var/lib/netbird - netbird-letsencrypt:/etc/letsencrypt:ro - ./management.json:/etc/netbird/management.json ports: - 3448:443 #API port # # command for Let's Encrypt validation without dashboard container # command: ["--letsencrypt-domain", "", "--log-file", "console"] command: [ "--port", "443", "--log-file", "console", "--log-level", "info", "--disable-anonymous-metrics=false", "--single-account-mode-domain=netbird.MYDOMAIN.de", "--dns-domain=netbird.selfhosted" ] logging: driver: "json-file" options: max-size: "500m" max-file: "2" environment: - NETBIRD_STORE_ENGINE_POSTGRES_DSN= - NETBIRD_STORE_ENGINE_MYSQL_DSN= # Coturn coturn: image: coturn/coturn:latest restart: unless-stopped container_name: nb-coturn #domainname: hetzner-01.MYDOMAIN.de # only needed when TLS is enabled volumes: - ./turnserver.conf:/etc/turnserver.conf:ro # - ./privkey.pem:/etc/coturn/private/privkey.pem:ro # - ./cert.pem:/etc/coturn/certs/cert.pem:ro network_mode: host command: - -c /etc/turnserver.conf logging: driver: "json-file" options: max-size: "500m" max-file: "2" volumes: netbird-mgmt: netbird-signal: netbird-letsencrypt: networks: reverse-proxy-network: name: npm_default external: true driver: bridge ``` ### artifacts/management.json ```json { "Stuns": [ { "Proto": "udp", "URI": "stun:hetzner-01.MYDOMAIN.de:3478", "Username": "", "Password": "" } ], "TURNConfig": { "TimeBasedCredentials": false, "CredentialsTTL": "12h0m0s", "Secret": "secret", "Turns": [ { "Proto": "udp", "URI": "turn:hetzner-01.MYDOMAIN.de:3478", "Username": "self", "Password": "EaX8AM.......337k" } ] }, "Relay": { "Addresses": [ "rel://netbird.MYDOMAIN.de:33080" ], "CredentialsTTL": "24h0m0s", "Secret": "97tiT..........5n8" }, "Signal": { "Proto": "https", "URI": "netbird.MYDOMAIN.de:3449", "Username": "", "Password": "" }, "Datadir": "/var/lib/netbird/", "DataStoreEncryptionKey": "G8kw...................oIhM=", "HttpConfig": { "LetsEncryptDomain": "", "CertFile": "", "CertKey": "", "AuthAudience": "XygzTCj9........0K0EGkXR", "AuthIssuer": "https://auth.MYDOMAIN.de/application/o/netbird/", "AuthUserIDClaim": "", "AuthKeysLocation": "https://auth.MYDOMAIN.de/application/o/netbird/jwks/", "OIDCConfigEndpoint": "https://auth.MYDOMAIN.de/application/o/netbird/.well-known/openid-configuration", "IdpSignKeyRefreshEnabled": false, "ExtraAuthAudience": "" }, "IdpManagerConfig": { "ManagerType": "authentik", "ClientConfig": { "Issuer": "https://auth.MYDOMAIN.de/application/o/netbird", "TokenEndpoint": "https://auth.MYDOMAIN.de/application/o/token/", "ClientID": "XygzTCj9........0K0EGkXR", "ClientSecret": "", "GrantType": "client_credentials" }, "ExtraConfig": { "Password": "KcxH2Rd..............RHpvv", "Username": "NetbirdServiceAcc" }, "Auth0ClientCredentials": null, "AzureClientCredentials": null, "KeycloakClientCredentials": null, "ZitadelClientCredentials": null }, "DeviceAuthorizationFlow": { "Provider": "hosted", "ProviderConfig": { "ClientID": "XygzTCj9........0K0EGkXR", "ClientSecret": "", "Domain": "auth.MYDOMAIN.de", "Audience": "XygzTCj9........0K0EGkXR", "TokenEndpoint": "https://auth.MYDOMAIN.de/application/o/token/", "DeviceAuthEndpoint": "https://auth.MYDOMAIN.de/application/o/device/", "AuthorizationEndpoint": "", "Scope": "openid", "UseIDToken": false, "RedirectURLs": null } }, "PKCEAuthorizationFlow": { "ProviderConfig": { "ClientID": "XygzTCj9........0K0EGkXR", "ClientSecret": "", "Domain": "", "Audience": "XygzTCj9........0K0EGkXR", "TokenEndpoint": "https://auth.MYDOMAIN.de/application/o/token/", "DeviceAuthEndpoint": "", "AuthorizationEndpoint": "https://auth.MYDOMAIN.de/application/o/authorize/", "Scope": "openid profile email offline_access api", "UseIDToken": false, "RedirectURLs": [ "http://localhost:53000" ] } }, "StoreConfig": { "Engine": "sqlite" }, "ReverseProxy": { "TrustedHTTPProxies": [], "TrustedHTTPProxiesCount": 0, "TrustedPeers": [ "0.0.0.0/0" ] } ``` ### NGINX Proxymanager config ![Image](https://github.com/user-attachments/assets/19f10c7a-e64e-40ef-b7e2-ab16d9416c91) ![Image](https://github.com/user-attachments/assets/6bcdaa72-058a-4cb7-9c9b-9ee755e55071) Advanced: (i also tried the docker exposed ports 3448 for mgmt and 3449 for signal) ![Image](https://github.com/user-attachments/assets/156976f8-b444-4d75-ba0b-5c13a6cbc736) ``` location /api { proxy_pass http://nb-management:443; proxy_set_header Connection $http_connection; proxy_set_header Upgrade $http_upgrade; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location /management.ManagementService/ { grpc_pass grpcs://nb-management:443; } location /signalexchange.SignalExchange/ { grpc_pass grpcs://nb-signal:80; } ``` ### Authentik ![Image](https://github.com/user-attachments/assets/c6c907d5-45ed-4705-897f-5cc25021d2d6) ![Image](https://github.com/user-attachments/assets/234ef710-da10-46b2-8616-929e49c2fb03) ![Image](https://github.com/user-attachments/assets/df1eef4c-9da5-4a24-8e99-9ed95bc1aba9) ![Image](https://github.com/user-attachments/assets/6e7cbe9c-80a1-4e25-be86-d5e36149c792) ![Image](https://github.com/user-attachments/assets/876393cb-f250-4bfb-81e2-7ab745aa7f8c) ![Image](https://github.com/user-attachments/assets/9e5eda4b-ef70-419e-910b-0248dfff6e8c) ![Image](https://github.com/user-attachments/assets/4f8855c0-a5f1-4dbb-ab73-db7d08193994) ### Logs docker nb-management ``` 2025-03-26T16:43:14Z INFO [context: SYSTEM] management/cmd/management.go:510: loading OIDC configuration from the provided IDP configuration endpoint https://auth.MYDOMAIN.de/application/o/netbird/.well-known/openid-configuration 2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:515: loaded OIDC configuration from the provided IDP configuration endpoint: https://auth.MYDOMAIN.de/application/o/netbird/.well-known/openid-configuration 2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:517: overriding HttpConfig.AuthIssuer with a new value https://auth.MYDOMAIN.de/application/o/netbird/, previously configured value: https://auth.MYDOMAIN.de/application/o/netbird/ 2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:521: overriding HttpConfig.AuthKeysLocation (JWT certs) with a new value https://auth.MYDOMAIN.de/application/o/netbird/jwks/, previously configured value: https://auth.MYDOMAIN.de/application/o/netbird/jwks/ 2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:526: overriding DeviceAuthorizationFlow.TokenEndpoint with a new value: https://auth.MYDOMAIN.de/application/o/token/, previously configured value: https://auth.MYDOMAIN.de/application/o/token/ 2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:529: overriding DeviceAuthorizationFlow.DeviceAuthEndpoint with a new value: https://auth.MYDOMAIN.de/application/o/device/, previously configured value: https://auth.MYDOMAIN.de/application/o/device/ 2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:537: overriding DeviceAuthorizationFlow.ProviderConfig.Domain with a new value: auth.MYDOMAIN.de, previously configured value: 2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:547: overriding PKCEAuthorizationFlow.TokenEndpoint with a new value: https://auth.MYDOMAIN.de/application/o/token/, previously configured value: https://auth.MYDOMAIN.de/application/o/token/ 2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:550: overriding PKCEAuthorizationFlow.AuthorizationEndpoint with a new value: https://auth.MYDOMAIN.de/application/o/authorize/, previously configured value: https://auth.MYDOMAIN.de/application/o/authorize/ 2025-03-26T16:43:16Z INFO management/cmd/management.go:557: Relay addresses: [rel://netbird.MYDOMAIN.de:33080] 2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/telemetry/app_metrics.go:193: enabled application metrics and exposing on http://0.0.0.0:9090 2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/store/store.go:258: using SQLite store engine 2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/store/sql_store.go:89: Set max open db connections to 1 2025-03-26T16:43:16Z INFO management/server/migration/migration.go:142: No records in table peers, no migration needed 2025-03-26T16:43:16Z INFO management/server/migration/migration.go:142: No records in table peers, no migration needed 2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/migration/migration.go:257: No plain setup keys found in table setup_keys, no migration needed 2025-03-26T16:43:16Z INFO management/server/migration/migration.go:295: Migration of plain setup key to hashed setup key completed 2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/migration/migration.go:338: No rows with empty enabled found in table network_resources, no migration needed 2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/migration/migration.go:352: Migration of empty enabled to default value in table network_resources completed 2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/migration/migration.go:338: No rows with empty enabled found in table network_routers, no migration needed 2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/migration/migration.go:352: Migration of empty enabled to default value in table network_routers completed 2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:184: update config with activity store key 2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:196: geolocation service has been initialized from /var/lib/netbird/ 2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/account_request_buffer.go:45: set account request buffer interval to 100ms 2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/account.go:196: single account mode enabled, accounts number 0 2025-03-26T16:43:18Z INFO [context: SYSTEM] management/cmd/management.go:318: running gRPC backward compatibility server: [::]:33073 2025-03-26T16:43:18Z INFO [context: SYSTEM] management/cmd/management.go:350: management server version 0.39.1 2025-03-26T16:43:18Z INFO [context: SYSTEM] management/cmd/management.go:351: running HTTP server and gRPC server on the same port: [::]:443 2025-03-26T16:43:21Z INFO [context: SYSTEM] management/server/account.go:462: 1 entries received from IdP management 2025-03-26T16:43:21Z INFO [context: SYSTEM] management/server/account.go:493: warmed up IDP cache with 0 entries for 0 accounts ``` I read (and I think tried, at least most of them) the following netbird gh issues: https://github.com/netbirdio/netbird/issues/3007 Stuck on loading screen on "/peers" (Authentik) https://github.com/netbirdio/netbird/issues/3007#issuecomment-2564843380 https://github.com/netbirdio/netbird/issues/2941 Request failed with status code 401 (Authentik) https://github.com/netbirdio/netbird/issues/2515 Unable to authenticate with Authentik SSO https://github.com/netbirdio/netbird/issues/2510 Netbird with NGiNX Proxy Manager and Authentik https://github.com/netbirdio/netbird/issues/2338 Can't access dashboard - Token Invalid, Authentik https://github.com/netbirdio/netbird/issues/2043 error: failed while getting Management Service public key https://github.com/netbirdio/netbird/issues/2043#issuecomment-2384470230 https://github.com/netbirdio/netbird/issues/1962 netbird dashboard does not open properly https://github.com/netbirdio/netbird/issues/1742 NGINX reverse proxy question https://github.com/netbirdio/netbird/issues/1250 Authentik login not working: Login Error: User state: Unauthenticated https://github.com/netbirdio/netbird/issues/536 Run netbird behind reverse proxy Please help, I am totally clueless anymore. What can I try next? Can i provide more information?
saavagebueno commented 2025-11-20 05:31:33 -05:00
Author
Owner
Copy Link

@nmincone commented on GitHub (Mar 26, 2025):

Yea... I tried again last weekend and ran into the same issue. May try again this weekend using Zitadel instead. I think I'd rather the 2FA provider be hosted externally anyway...

@nmincone commented on GitHub (Mar 26, 2025): Yea... I tried again last weekend and ran into the same issue. May try again this weekend using Zitadel instead. I think I'd rather the 2FA provider be hosted externally anyway...
saavagebueno commented 2025-11-20 05:31:33 -05:00
Author
Owner
Copy Link

@Cheekie25 commented on GitHub (Mar 29, 2025):

Made it work by modifying as follow:

In docker-compose.yml (dashboard), changed the ports from 33073 to 443

# - NETBIRD_MGMT_API_ENDPOINT=https://netbird.example.com:33073
- NETBIRD_MGMT_API_ENDPOINT=https://netbirdapi.example.com:443
# - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.example.com:33073
- NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbirdapi.example.com:443

In management.json, changed the port from 10000 to 443

"Signal": {
        "Proto": "https",
        "URI": "netbird.example.com:443",
        "Username": "",
        "Password": ""
    },

Hope that helps !

@Cheekie25 commented on GitHub (Mar 29, 2025): Made it work by modifying as follow: In docker-compose.yml (dashboard), changed the ports from 33073 to 443 ``` # - NETBIRD_MGMT_API_ENDPOINT=https://netbird.example.com:33073 - NETBIRD_MGMT_API_ENDPOINT=https://netbirdapi.example.com:443 # - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.example.com:33073 - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbirdapi.example.com:443 ``` In management.json, changed the port from 10000 to 443 ``` "Signal": { "Proto": "https", "URI": "netbird.example.com:443", "Username": "", "Password": "" }, ``` Hope that helps !
saavagebueno commented 2025-11-20 05:31:33 -05:00
Author
Owner
Copy Link

@TheDoDoo commented on GitHub (Jul 18, 2025):

Hi @Cheekie25 and @e1ke,

I'm experiencing the same issue with a new instance of Netbird and Authentik.

Changing the port to 443 unfortunately didn't help in my case.

I'm not sure whether it's just a coincidence or actually a problem with Netbird, but I noticed that you, @e1ke, used different names for the provider and the service user during setup (Service User: NetbirdServiceAcc, Provider Name: Netbird).
I had the same setup, and once I named both exactly the same(netbird), it suddenly started working.

Maybe try giving the service user and the provider the same name, @e1ke that might help.

It's best to recreate the provider in Authentik so that the new name also appears in the URL ( .../0/xxx/.well-known/...).
In my case, I named both the service user and the provider netbird, and the resulting URL looked like this:
https://auth.xxx.de/application/o/netbird/.well-known/openid-configuration

I could imagine that if this really is the issue, there might be a bug where the wrong variable is used during the Authentik integration for example, where the user variable is expected, but the provider variable is mistakenly used instead.

@TheDoDoo commented on GitHub (Jul 18, 2025): Hi @Cheekie25 and @e1ke, I'm experiencing the same issue with a new instance of Netbird and Authentik. Changing the port to 443 unfortunately didn't help in my case. I'm not sure whether it's just a coincidence or actually a problem with Netbird, but I noticed that you, @e1ke, used different names for the provider and the service user during setup (Service User: `NetbirdServiceAcc`, Provider Name: `Netbird`). I had the same setup, and once I named both exactly the same(`netbird`), it suddenly started working. Maybe try giving the service user and the provider the same name, @e1ke that might help. It's best to recreate the provider in Authentik so that the new name also appears in the URL ( `.../0/xxx/.well-known/...`). In my case, I named both the service user and the provider `netbird`, and the resulting URL looked like this: `https://auth.xxx.de/application/o/netbird/.well-known/openid-configuration` I could imagine that if this really is the issue, there might be a bug where the wrong variable is used during the Authentik integration for example, where the user variable is expected, but the provider variable is mistakenly used instead.
saavagebueno commented 2025-11-20 05:31:33 -05:00
Author
Owner
Copy Link

@berberman commented on GitHub (Sep 17, 2025):

I chose authentik Self-signed Certificate as both Signing Key and Encryption Key in the provider in Authentik. Removing it from encryption key solved the issue.

Original issue:

I'm having the same issue with Authentik & Nginx setup. Got stuck at /peers after logging through Authentik. I tried all solutions mentioned above, but unfortunately they didn't work. Here are my config files:

Nginx config 
server {
    listen 0.0.0.0:443 ssl ;
    listen [::0]:443 ssl ;
    server_name <netbird.domain.name> ;
    http2 on;
    ssl_certificate /var/lib/acme/<netbird.domain.name>/fullchain.pem;
    ssl_certificate_key /var/lib/acme/<netbird.domain.name>/key.pem;
    ssl_trusted_certificate /var/lib/acme/<netbird.domain.name>/chain.pem;
    location ^~ /.well-known/acme-challenge/ {
        root /var/lib/acme/acme-challenge;
        auth_basic off;
        auth_request off;
    }
    location / {
        proxy_pass http://127.0.0.1:8011;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
    }
    location /api {
        proxy_pass http://127.0.0.1:33073;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
    }
    location /management.ManagementService/ {
        grpc_pass grpc://127.0.0.1:33073;
        # grpc_ssl_verify off;
        grpc_read_timeout 1d;
        grpc_send_timeout 1d;
        grpc_socket_keepalive on;
        grpc_set_header Host $host;
        grpc_set_header X-Real-IP $remote_addr;
        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        grpc_set_header X-Forwarded-Proto $scheme;
    }
    location /relay {
        proxy_pass http://127.0.0.1:33080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
    }
    location /signalexchange.SignalExchange/ {
        grpc_pass grpc://127.0.0.1:10000;
        # grpc_ssl_verify off;
        grpc_read_timeout 1d;
        grpc_send_timeout 1d;
        grpc_socket_keepalive on;
        grpc_set_header Host $host;
        grpc_set_header X-Real-IP $remote_addr;
        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        grpc_set_header X-Forwarded-Proto $scheme;
    }
    client_header_timeout 1d;
    client_body_timeout 1d;
}
management.json 
{
  "Stuns": [
    {
      "Proto": "udp",
      "URI": "stun:<netbird.domain.name>:3478",
      "Username": "",
      "Password": null
    }
  ],
  "TURNConfig": {
    "Turns": [
      {
        "Proto": "udp",
        "URI": "turn:<netbird.domain.name>:3478",
        "Username": "self",
        "Password": "nXwAKkpqLpmRxNle2bBv5cpeOxePjAlC5fW2l0fCtAA"
      }
    ],
    "CredentialsTTL": "12h",
    "Secret": "secret",
    "TimeBasedCredentials": false
  },
  "Relay": {
    "Addresses": [
      "rels://<netbird.domain.name>:443/relay"
    ],
    "CredentialsTTL": "24h",
    "Secret": "<redacted>"
  },
  "Signal": {
    "Proto": "https",
    "URI": "<netbird.domain.name>:443",
    "Username": "",
    "Password": null
  },
  "ReverseProxy": {
    "TrustedHTTPProxies": [],
    "TrustedHTTPProxiesCount": 0,
    "TrustedPeers": [
      "0.0.0.0/0"
    ]
  },
  "DisableDefaultPolicy": false,
  "Datadir": "",
  "DataStoreEncryptionKey": "",
  "StoreConfig": {
    "Engine": "sqlite"
  },
  "HttpConfig": {
    "Address": "0.0.0.0:33073",
    "AuthIssuer": "https://<sso.domain.name>/application/o/netbird/",
    "AuthAudience": "<redacted>",
    "AuthKeysLocation": "https://<sso.domain.name>/application/o/netbird/jwks/",
    "AuthUserIDClaim": "",
    "IdpSignKeyRefreshEnabled": false,
    "OIDCConfigEndpoint": "https://<sso.domain.name>/application/o/netbird/.well-known/openid-configuration"
  },
  "IdpManagerConfig": {
    "ManagerType": "authentik",
    "ClientConfig": {
      "Issuer": "https://<sso.domain.name>/application/o/netbird/",
      "TokenEndpoint": "https://<sso.domain.name>/application/o/token/",
      "ClientID": "<redacted>",
      "ClientSecret": "",
      "GrantType": "client_credentials"
    },
    "ExtraConfig": {
      "Password": "<redacted>",
      "Username": "Netbird"
    },
    "Auth0ClientCredentials": null,
    "AzureClientCredentials": null,
    "KeycloakClientCredentials": null,
    "ZitadelClientCredentials": null
  },
  "DeviceAuthorizationFlow": {
    "Provider": "hosted",
    "ProviderConfig": {
      "Audience": "<redacted>",
      "AuthorizationEndpoint": "",
      "Domain": "",
      "ClientID": "<redacted>",
      "ClientSecret": "",
      "TokenEndpoint": "https://<sso.domain.name>/application/o/token/",
      "DeviceAuthEndpoint": "https://<sso.domain.name>/application/o/device/",
      "Scope": "openid",
      "UseIDToken": false,
      "RedirectURLs": null
    }
  },
  "PKCEAuthorizationFlow": {
    "ProviderConfig": {
      "Audience": "<redacted>",
      "ClientID": "<redacted>",
      "ClientSecret": "",
      "Domain": "",
      "AuthorizationEndpoint": "https://<sso.domain.name>/application/o/authorize/",
      "TokenEndpoint": "https://<sso.domain.name>/application/o/token/",
      "Scope": "openid profile email offline_access api",
      "RedirectURLs": [
        "http://localhost:53000"
      ],
      "UseIDToken": false,
      "DisablePromptLogin": true,
      "LoginFlag": 0
    }
  }
}
Env vars used in docker-compose 
AUTH_AUDIENCE=<redacted>
AUTH_AUTHORITY=https://<sso.domain.name>/application/o/netbird/
AUTH_CLIENT_ID=<redacted>
AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
NETBIRD_MGMT_API_ENDPOINT=https://<netbird.domain.name>:443
NETBIRD_MGMT_GRPC_API_ENDPOINT=https://<netbird.domain.name>:443
NETBIRD_TOKEN_SOURCE=accessToken
USE_AUTH0=false
NB_AUTH_SECRET=<redacted>
NB_EXPOSED_ADDRESS=rels://<netbird.domain.name>:443/relay
NB_LISTEN_ADDRESS=:33080
NB_LOG_LEVEL=debug
NETBIRD_STORE_ENGINE_MYSQL_DSN=
NETBIRD_STORE_ENGINE_POSTGRES_DSN=
NGINX_SSL_PORT=443
AUTH_REDIRECT_URI=/auth
AUTH_SILENT_REDIRECT_URI=/silent-auth
docker-compose 
x-default: &default
  restart: 'unless-stopped'
  logging:
    driver: 'json-file'
    options:
      max-size: '500m'
      max-file: '2'
name: netbird
services:
  # UI dashboard
  dashboard:
    <<: *default
    image: netbirdio/dashboard:latest
    ports:
      - 8011:80

  # Signal
  signal:
    <<: *default
    image: netbirdio/signal:latest
    volumes:
      - netbird-signal:/var/lib/netbird
    ports:
      - 10000:80

  # Relay
  relay:
    <<: *default
    image: netbirdio/relay:latest
    ports:
      - 33080:33080

  # Management
  management:
    <<: *default
    image: netbirdio/management:latest
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - ./management.json:/etc/netbird/management.json
    ports:
      - 33073:33073
    command: [
      "--port", "33073",
      "--log-file", "console",
      "--log-level", "info",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain=<netbird.domain.name>",
      "--dns-domain=netbird.selfhosted"
      ]
      
  # Coturn
  coturn:
    <<: *default
    image: coturn/coturn:latest
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf

volumes:
  netbird-mgmt:
  netbird-signal:
@berberman commented on GitHub (Sep 17, 2025): I chose `authentik Self-signed Certificate` as both _Signing Key_ and _Encryption Key_ in the provider in Authentik. Removing it from encryption key solved the issue. **Original issue:** I'm having the same issue with Authentik & Nginx setup. Got stuck at `/peers` after logging through Authentik. I tried all solutions mentioned above, but unfortunately they didn't work. Here are my config files: <details> <summary>Nginx config</summary> ```nginx server { listen 0.0.0.0:443 ssl ; listen [::0]:443 ssl ; server_name <netbird.domain.name> ; http2 on; ssl_certificate /var/lib/acme/<netbird.domain.name>/fullchain.pem; ssl_certificate_key /var/lib/acme/<netbird.domain.name>/key.pem; ssl_trusted_certificate /var/lib/acme/<netbird.domain.name>/chain.pem; location ^~ /.well-known/acme-challenge/ { root /var/lib/acme/acme-challenge; auth_basic off; auth_request off; } location / { proxy_pass http://127.0.0.1:8011; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; } location /api { proxy_pass http://127.0.0.1:33073; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; } location /management.ManagementService/ { grpc_pass grpc://127.0.0.1:33073; # grpc_ssl_verify off; grpc_read_timeout 1d; grpc_send_timeout 1d; grpc_socket_keepalive on; grpc_set_header Host $host; grpc_set_header X-Real-IP $remote_addr; grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; grpc_set_header X-Forwarded-Proto $scheme; } location /relay { proxy_pass http://127.0.0.1:33080; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; } location /signalexchange.SignalExchange/ { grpc_pass grpc://127.0.0.1:10000; # grpc_ssl_verify off; grpc_read_timeout 1d; grpc_send_timeout 1d; grpc_socket_keepalive on; grpc_set_header Host $host; grpc_set_header X-Real-IP $remote_addr; grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; grpc_set_header X-Forwarded-Proto $scheme; } client_header_timeout 1d; client_body_timeout 1d; } ``` </details> <details> <summary>management.json</summary> ```json { "Stuns": [ { "Proto": "udp", "URI": "stun:<netbird.domain.name>:3478", "Username": "", "Password": null } ], "TURNConfig": { "Turns": [ { "Proto": "udp", "URI": "turn:<netbird.domain.name>:3478", "Username": "self", "Password": "nXwAKkpqLpmRxNle2bBv5cpeOxePjAlC5fW2l0fCtAA" } ], "CredentialsTTL": "12h", "Secret": "secret", "TimeBasedCredentials": false }, "Relay": { "Addresses": [ "rels://<netbird.domain.name>:443/relay" ], "CredentialsTTL": "24h", "Secret": "<redacted>" }, "Signal": { "Proto": "https", "URI": "<netbird.domain.name>:443", "Username": "", "Password": null }, "ReverseProxy": { "TrustedHTTPProxies": [], "TrustedHTTPProxiesCount": 0, "TrustedPeers": [ "0.0.0.0/0" ] }, "DisableDefaultPolicy": false, "Datadir": "", "DataStoreEncryptionKey": "", "StoreConfig": { "Engine": "sqlite" }, "HttpConfig": { "Address": "0.0.0.0:33073", "AuthIssuer": "https://<sso.domain.name>/application/o/netbird/", "AuthAudience": "<redacted>", "AuthKeysLocation": "https://<sso.domain.name>/application/o/netbird/jwks/", "AuthUserIDClaim": "", "IdpSignKeyRefreshEnabled": false, "OIDCConfigEndpoint": "https://<sso.domain.name>/application/o/netbird/.well-known/openid-configuration" }, "IdpManagerConfig": { "ManagerType": "authentik", "ClientConfig": { "Issuer": "https://<sso.domain.name>/application/o/netbird/", "TokenEndpoint": "https://<sso.domain.name>/application/o/token/", "ClientID": "<redacted>", "ClientSecret": "", "GrantType": "client_credentials" }, "ExtraConfig": { "Password": "<redacted>", "Username": "Netbird" }, "Auth0ClientCredentials": null, "AzureClientCredentials": null, "KeycloakClientCredentials": null, "ZitadelClientCredentials": null }, "DeviceAuthorizationFlow": { "Provider": "hosted", "ProviderConfig": { "Audience": "<redacted>", "AuthorizationEndpoint": "", "Domain": "", "ClientID": "<redacted>", "ClientSecret": "", "TokenEndpoint": "https://<sso.domain.name>/application/o/token/", "DeviceAuthEndpoint": "https://<sso.domain.name>/application/o/device/", "Scope": "openid", "UseIDToken": false, "RedirectURLs": null } }, "PKCEAuthorizationFlow": { "ProviderConfig": { "Audience": "<redacted>", "ClientID": "<redacted>", "ClientSecret": "", "Domain": "", "AuthorizationEndpoint": "https://<sso.domain.name>/application/o/authorize/", "TokenEndpoint": "https://<sso.domain.name>/application/o/token/", "Scope": "openid profile email offline_access api", "RedirectURLs": [ "http://localhost:53000" ], "UseIDToken": false, "DisablePromptLogin": true, "LoginFlag": 0 } } } ``` </details> <details> <summary>Env vars used in docker-compose</summary> ```env AUTH_AUDIENCE=<redacted> AUTH_AUTHORITY=https://<sso.domain.name>/application/o/netbird/ AUTH_CLIENT_ID=<redacted> AUTH_SUPPORTED_SCOPES=openid profile email offline_access api NETBIRD_MGMT_API_ENDPOINT=https://<netbird.domain.name>:443 NETBIRD_MGMT_GRPC_API_ENDPOINT=https://<netbird.domain.name>:443 NETBIRD_TOKEN_SOURCE=accessToken USE_AUTH0=false NB_AUTH_SECRET=<redacted> NB_EXPOSED_ADDRESS=rels://<netbird.domain.name>:443/relay NB_LISTEN_ADDRESS=:33080 NB_LOG_LEVEL=debug NETBIRD_STORE_ENGINE_MYSQL_DSN= NETBIRD_STORE_ENGINE_POSTGRES_DSN= NGINX_SSL_PORT=443 AUTH_REDIRECT_URI=/auth AUTH_SILENT_REDIRECT_URI=/silent-auth ``` </details> <details> <summary>docker-compose</summary> ```yaml x-default: &default restart: 'unless-stopped' logging: driver: 'json-file' options: max-size: '500m' max-file: '2' name: netbird services: # UI dashboard dashboard: <<: *default image: netbirdio/dashboard:latest ports: - 8011:80 # Signal signal: <<: *default image: netbirdio/signal:latest volumes: - netbird-signal:/var/lib/netbird ports: - 10000:80 # Relay relay: <<: *default image: netbirdio/relay:latest ports: - 33080:33080 # Management management: <<: *default image: netbirdio/management:latest depends_on: - dashboard volumes: - netbird-mgmt:/var/lib/netbird - ./management.json:/etc/netbird/management.json ports: - 33073:33073 command: [ "--port", "33073", "--log-file", "console", "--log-level", "info", "--disable-anonymous-metrics=false", "--single-account-mode-domain=<netbird.domain.name>", "--dns-domain=netbird.selfhosted" ] # Coturn coturn: <<: *default image: coturn/coturn:latest volumes: - ./turnserver.conf:/etc/turnserver.conf:ro network_mode: host command: - -c /etc/turnserver.conf volumes: netbird-mgmt: netbird-signal: ``` </details>
saavagebueno commented 2025-11-20 05:31:33 -05:00
Author
Owner
Copy Link

@eseub commented on GitHub (Sep 28, 2025):

Hey everyone,

I ran into this issue while using the quickstart script. After a few hours (and a couple strands of hair less), I finally figured out what was causing it in my case. Just wanted to drop my two cents here in case it helps someone else.

What made me suspicious was this log message:

management-1  | Error: failed reading provided config file: /etc/netbird/management.json: failed fetching OIDC configuration from endpoint https://example.com/.well-known/openid-configuration Get "https://example.com/.well-known/openid-configuration": dial tcp 127.0.1.1:443: connect: connection refused

Turned out the problem was using a FQDN as the hostname of my VPS, the same domain I was using to host NetBird, which caused the containers to try to connect to themselves.

@eseub commented on GitHub (Sep 28, 2025): Hey everyone, I ran into this issue while using the quickstart script. After a few hours (and a couple strands of hair less), I finally figured out what was causing it in my case. Just wanted to drop my two cents here in case it helps someone else. What made me suspicious was this log message: ``` management-1 | Error: failed reading provided config file: /etc/netbird/management.json: failed fetching OIDC configuration from endpoint https://example.com/.well-known/openid-configuration Get "https://example.com/.well-known/openid-configuration": dial tcp 127.0.1.1:443: connect: connection refused ``` Turned out the problem was using a FQDN as the hostname of my VPS, the same domain I was using to host NetBird, which caused the containers to try to connect to themselves.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
2021 Q4
2022 Q1
2022 Q1
accessibility
acl
agent
agent
Android
Android
api
authentik
automation
azure
battery-usage
bug
cache
client
client-ui
cloud
cloud-only
cloudflare
community
compatibility
config-idp
config-issue
connection
contribution
coturn
cross-vpn
dashboard
data-usage
distribution
dns
docker
documentation
duplicate
enhancement
enhancement
event-stream
feature-request
freebsd
getting-started
go
good first issue
gui
help wanted
home-assistant
idp
inconsistency
integration
integrations
ios
ipv6
jwt
k8s
keycloak
linux
login
macos
management-service
missing-docs
mobile
moved-internal
needs-review
netbird-ui
networking
new-platform
nginx
notification
okta
openwrt
packaging
peer-management
peer-management
peer-management
performance
postgres
posture-checks
psk
pull-request
Mirrored from GitHub Pull Request
 question
refactor
relay
release
rfc
routes
security
security-related
self-hosting
server
signal
sleep-issue
ssh
ssl
status
store
synology
system-compatibility-issue
test-suite
third-party-integration
triage
triage-needed
troubleshooting
UX
waiting-feedback
windows
wontfix
zitadel
No Label triage-needed
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
saavagebueno
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: SVI/netbird#1486
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?