SVI/netbird
1
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2026-05-12 03:02:36 -04:00
Code Issues 3.0k Packages Projects Releases 10 Wiki Activity

Client failed to connect to Self-Hosted NetBird server: failed while getting Management Service public key #1518

New Issue
Closed
opened 2025-11-20 05:32:04 -05:00 by saavagebueno · 17 comments
saavagebueno commented 2025-11-20 05:32:04 -05:00
Owner
Copy Link

Originally created by @GeorgeDaGreatt on GitHub (Dec 24, 2024).

Describe the problem

I have a NetBird instance running locally behind Nginx Proxy Manager, with the IdP being Authentik. (Also behind NPM), the dashboard logs in fine through Authentik, and is able to operate just fine. But getting any client to work is near impossible because of the error. The ports that are needed for the server to communicate with clients have been forwarded and tested to work fine. NPM should be forwarding everything for it to work (Otherwise, the dashboard wouldn't load).

I tried using this solution, but I still encountered the same error. The error shows up regardless.

To Reproduce

Steps to reproduce the behavior:

  1. Host NetBird locally
  2. Connect the NetBird instance to Authentik
  3. Configure Nginx Proxy Manager to work with both NetBird and Authentik
  4. Install and Launch any NetBird client (I used Windows)
  5. Enter the Management and Admin URL (From the Dashboard)
  6. Press "Connect" in the right-click menu on the NetBird icon in taskbar
  7. See error pop up in this screen:
    image

Expected behavior

All clients were expected to work when connecting to the Self-Hosted NetBird Server, using the server URL provided in the dashboard.

Are you using NetBird Cloud?

No, Self-Hosted. And not in the cloud either.

NetBird version

netbird version 0.34.1

NetBird status -dA output:

Daemon status: LoginFailed

Run UP command to log in with SSO (interactive login):

 netbird up

If you are running a self-hosted version and no SSO provider has been configured in your Management Server,
you can use a setup-key:

 netbird up --management-url <YOUR_MANAGEMENT_URL> --setup-key <YOUR_SETUP_KEY>

More info: https://docs.netbird.io/how-to/register-machines-using-setup-keys

Additional context

Here is some of the configuration of the NetBird server, be aware that some details have been modified to ensure privacy.

Management.json

{
    "Stuns": [
        {
            "Proto": "udp",
            "URI": "stun:(domain here):3478",
            "Username": "",
            "Password": ""
        }
    ],
    "TURNConfig": {
        "TimeBasedCredentials": false,
        "CredentialsTTL": "12h0m0s",
        "Secret": "secret",
        "Turns": [
            {
                "Proto": "udp",
                "URI": "turn:(domain here):3478",
                "Username": "self",
                "Password": "ugQ9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
            }
        ]
    },
    "Relay": {
        "Addresses": [
            "rel://(domain here):33080"
        ],
        "CredentialsTTL": "24h0m0s",
        "Secret": "BYbXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    },
    "Signal": {
        "Proto": "https",
        "URI": "(domain here):10000",
        "Username": "",
        "Password": ""
    },
    "Datadir": "/var/lib/netbird/",
    "DataStoreEncryptionKey": "6Rarxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "HttpConfig": {
        "LetsEncryptDomain": "",
        "CertFile": "",
        "CertKey": "",
        "AuthAudience": "kNJuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "AuthIssuer": "https://(domain here)/application/o/netbird/",
        "AuthUserIDClaim": "",
        "AuthKeysLocation": "https://(domain here)/application/o/netbird/jwks/",
        "OIDCConfigEndpoint": "https://(domain here)/application/o/netbird/.well-known/openid-configuration",
        "IdpSignKeyRefreshEnabled": false,
        "ExtraAuthAudience": ""
    },
    "IdpManagerConfig": {
        "ManagerType": "authentik",
        "ClientConfig": {
            "Issuer": "https://(domain here)/application/o/netbird",
            "TokenEndpoint": "https://(domain here)/application/o/token/",
            "ClientID": "kNJuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
            "ClientSecret": "",
            "GrantType": "client_credentials"
        },
        "ExtraConfig": {
            "Password": "6TFxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
            "Username": "Netbird"
        },
        "Auth0ClientCredentials": null,
        "AzureClientCredentials": null,
        "KeycloakClientCredentials": null,
        "ZitadelClientCredentials": null
    },
    "DeviceAuthorizationFlow": {
        "Provider": "hosted",
        "ProviderConfig": {
            "ClientID": "kNJuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
            "ClientSecret": "",
            "Domain": "(domain here",
            "Audience": "kNJuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
            "TokenEndpoint": "https://(domain here)/application/o/token/",
            "DeviceAuthEndpoint": "https://(domain here)/if/flow/default-device-code-flow/",
            "AuthorizationEndpoint": "",
            "Scope": "openid",
            "UseIDToken": false,
            "RedirectURLs": null
        }
    },
    "PKCEAuthorizationFlow": {
        "ProviderConfig": {
            "ClientID": "kNJuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
            "ClientSecret": "",
            "Domain": "",
            "Audience": "kNJuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
            "TokenEndpoint": "https://(domain here)/application/o/token/",
            "DeviceAuthEndpoint": "",
            "AuthorizationEndpoint": "https://(domain here)/application/o/authorize/",
            "Scope": "openid profile email offline_access api",
            "UseIDToken": false,
            "RedirectURLs": [
                "http://localhost:53000"
            ]
        }
    },
    "StoreConfig": {
        "Engine": "sqlite"
    },
    "ReverseProxy": {
        "TrustedHTTPProxies": [],
        "TrustedHTTPProxiesCount": 0,
        "TrustedPeers": [
            "0.0.0.0/0"
        ]
    }
}

docker-compose.yml

version: "3"
services:
  #UI dashboard
  dashboard:
    image: netbirdio/dashboard:latest
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://(domain here)
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://(domain here)
      # OIDC
      - AUTH_AUDIENCE=kNJuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      - AUTH_CLIENT_ID=kNJuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      - AUTH_CLIENT_SECRET=
      - AUTH_AUTHORITY=https://(domain here)/application/o/netbird/
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
      - AUTH_REDIRECT_URI=
      - AUTH_SILENT_REDIRECT_URI=
      - NETBIRD_TOKEN_SOURCE=accessToken
      # SSL
      - NGINX_SSL_PORT=443
      # Letsencrypt
      - LETSENCRYPT_DOMAIN=
      - LETSENCRYPT_EMAIL=
    volumes:
      - netbird-letsencrypt:/etc/letsencrypt/
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    volumes:
      - netbird-signal:/var/lib/netbird
    ports:
      - 10000:8080
  #      # port and command for Let's Encrypt validation
  #      - 443:443
  #    command: ["--letsencrypt-domain", "", "--log-file", "console"]
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Relay
  relay:
    image: netbirdio/relay:latest
    restart: unless-stopped
    environment:
    - NB_LOG_LEVEL=info
    - NB_LISTEN_ADDRESS=(domain here):33080
    - NB_EXPOSED_ADDRESS=(domain here):33080
    # todo: change to a secure secret
    - NB_AUTH_SECRET=BYbXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    ports:
      - 33080:33080
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"

  # Management
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - netbird-letsencrypt:/etc/letsencrypt:ro
      - ./management.json:/etc/netbird/management.json
    ports:
      - 33073:443 #API port
  #    # command for Let's Encrypt validation without dashboard container
  #    command: ["--letsencrypt-domain", "", "--log-file", "console"]
    command: [
      "--port", "443",
      "--log-file", "console",
      "--log-level", "info",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain=netbird.truenasg.net",
      "--dns-domain=netbird.selfhosted"
      ]
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
    environment:
      - NETBIRD_STORE_ENGINE_POSTGRES_DSN=
      
  # Coturn
  coturn:
    image: coturn/coturn:latest
    restart: unless-stopped
    #domainname: (domain here) # only needed when TLS is enabled
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    #      - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
    #      - ./cert.pem:/etc/coturn/certs/cert.pem:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
volumes:
  netbird-mgmt:
  netbird-signal:
  netbird-letsencrypt:

setup.env (Copied example file and modified it)


## example file, you can copy this file to setup.env and update its values
##

# Image tags
# you can force specific tags for each component; will be set to latest if empty
NETBIRD_DASHBOARD_TAG=""
NETBIRD_SIGNAL_TAG=""
NETBIRD_MANAGEMENT_TAG=""
COTURN_TAG=""
NETBIRD_RELAY_TAG=""

# Dashboard domain. e.g. app.mydomain.com
NETBIRD_DOMAIN="(domain here)"

# TURN server domain. e.g. turn.mydomain.com
# if not specified it will assume NETBIRD_DOMAIN
NETBIRD_TURN_DOMAIN="(domain here)t"

# TURN server public IP address
# required for a connection involving peers in
# the same network as the server and external peers
# usually matches the IP for the domain set in NETBIRD_TURN_DOMAIN
NETBIRD_TURN_EXTERNAL_IP="(IP here)"

# -------------------------------------------
# OIDC
#  e.g., https://example.eu.auth0.com/.well-known/openid-configuration
# -------------------------------------------
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://(domain here)/application/o/netbird/.well-known/openid-configuration"
# The default setting is to transmit the audience to the IDP during authorization. However,
# if your IDP does not have this capability, you can turn this off by setting it to false.
#NETBIRD_DASH_AUTH_USE_AUDIENCE=false
NETBIRD_AUTH_AUDIENCE="kNJuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
# e.g. netbird-client
NETBIRD_AUTH_CLIENT_ID="kNJuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
# indicates the scopes that will be requested to the IDP
NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
# NETBIRD_AUTH_CLIENT_SECRET is required only by Google workspace.
# NETBIRD_AUTH_CLIENT_SECRET=""
# if you want to use a custom claim for the user ID instead of 'sub', set it here
# NETBIRD_AUTH_USER_ID_CLAIM=""
# indicates whether to use Auth0 or not: true or false
NETBIRD_USE_AUTH0="false"
# if your IDP provider doesn't support fragmented URIs, configure custom
# redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain.
# NETBIRD_AUTH_REDIRECT_URI="/peers"
# NETBIRD_AUTH_SILENT_REDIRECT_URI="/add-peers"
# Updates the preference to use id tokens instead of access token on dashboard
# Okta and Gitlab IDPs can benefit from this
# NETBIRD_TOKEN_SOURCE="idToken"
# -------------------------------------------
# OIDC Device Authorization Flow
# -------------------------------------------
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="authentik"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="kNJuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
# Some IDPs requires different audience, scopes and to use id token for device authorization flow
# you can customize here:
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="kNJuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
# -------------------------------------------
# OIDC PKCE Authorization Flow
# -------------------------------------------
# Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative
# eg. 53000,54000
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"
# -------------------------------------------
# IDP Management
# -------------------------------------------
# eg. zitadel, auth0, azure, keycloak
NETBIRD_MGMT_IDP="authentik"
# Some IDPs requires different client id and client secret for management api
NETBIRD_IDP_MGMT_CLIENT_SECRET="kNJuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
# Required when setting up with Keycloak "https://<YOUR_KEYCLOAK_HOST_AND_PORT>/admin/realms/netbird"
# NETBIRD_IDP_MGMT_EXTRA_ADMIN_ENDPOINT=
# With some IDPs may be needed enabling automatic refresh of signing keys on expire
# NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=false
# NETBIRD_IDP_MGMT_EXTRA_ variables. See https://docs.netbird.io/selfhosted/identity-providers for more information about your IDP of choice.
# -------------------------------------------
# Letsencrypt
# -------------------------------------------
# Disable letsencrypt
#  if disabled, cannot use HTTPS anymore and requires setting up a reverse-proxy to do it instead
NETBIRD_DISABLE_LETSENCRYPT=true
# e.g. hello@mydomain.com
NETBIRD_LETSENCRYPT_EMAIL=""
# -------------------------------------------
# Extra settings
# -------------------------------------------
# Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
NETBIRD_DISABLE_ANONYMOUS_METRICS=false
# DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted

# -------------------------------------------
# Relay settings
# -------------------------------------------
# Relay server domain. e.g. relay.mydomain.com
# if not specified it will assume NETBIRD_DOMAIN
NETBIRD_RELAY_DOMAIN="(domain here)"

# Relay server connection port. If none is supplied
# it will default to 33080
NETBIRD_RELAY_PORT=""
NETBIRD_IDP_MGMT_EXTRA_USERNAME="Netbird"
NETBIRD_IDP_MGMT_EXTRA_PASSWORD="6TFSxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

I can provide further Information when requested, I hope all of this helps.

Originally created by @GeorgeDaGreatt on GitHub (Dec 24, 2024). **Describe the problem** I have a **NetBird** instance running **locally** behind **Nginx Proxy Manager**, with the **IdP** being **Authentik**. (Also behind NPM), the **dashboard _logs in fine_** through **Authentik**, and is able to **operate just fine**. But getting **any client** to work is **near impossible** _because_ of the **error**. The **ports** that are **needed** for the **server** to **communicate** with **clients** have been **forwarded and tested** to **work fine**. **NPM** should be **forwarding everything** for it to work (Otherwise, the dashboard wouldn't load). I tried using [this](https://github.com/netbirdio/netbird/issues/3072) solution, but I **_still_ encountered the same error**. The error shows up **regardless**. **To Reproduce** Steps to reproduce the behavior: 1. Host NetBird locally 2. Connect the NetBird instance to Authentik 3. Configure Nginx Proxy Manager to work with both NetBird and Authentik 4. Install and Launch any NetBird client (I used Windows) 5. Enter the Management and Admin URL (From the Dashboard) 6. Press "Connect" in the right-click menu on the NetBird icon in taskbar 7. See error pop up in this screen: ![image](https://github.com/user-attachments/assets/071ee1bb-7eb0-4451-afc6-b719ec99bc89) **Expected behavior** All clients were **expected to work** when **connecting** to the Self-Hosted NetBird Server, using the **server URL** provided in the **dashboard**. **Are you using NetBird Cloud?** **No**, Self-Hosted. And **not in the cloud** either. **NetBird version** `netbird version 0.34.1` **NetBird status -dA output:** ``` Daemon status: LoginFailed Run UP command to log in with SSO (interactive login): netbird up If you are running a self-hosted version and no SSO provider has been configured in your Management Server, you can use a setup-key: netbird up --management-url <YOUR_MANAGEMENT_URL> --setup-key <YOUR_SETUP_KEY> More info: https://docs.netbird.io/how-to/register-machines-using-setup-keys ``` **Additional context** Here is some of the configuration of the NetBird server, be aware that some details have been modified to ensure privacy. **Management.json** ``` { "Stuns": [ { "Proto": "udp", "URI": "stun:(domain here):3478", "Username": "", "Password": "" } ], "TURNConfig": { "TimeBasedCredentials": false, "CredentialsTTL": "12h0m0s", "Secret": "secret", "Turns": [ { "Proto": "udp", "URI": "turn:(domain here):3478", "Username": "self", "Password": "ugQ9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" } ] }, "Relay": { "Addresses": [ "rel://(domain here):33080" ], "CredentialsTTL": "24h0m0s", "Secret": "BYbXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" }, "Signal": { "Proto": "https", "URI": "(domain here):10000", "Username": "", "Password": "" }, "Datadir": "/var/lib/netbird/", "DataStoreEncryptionKey": "6Rarxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "HttpConfig": { "LetsEncryptDomain": "", "CertFile": "", "CertKey": "", "AuthAudience": "kNJuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "AuthIssuer": "https://(domain here)/application/o/netbird/", "AuthUserIDClaim": "", "AuthKeysLocation": "https://(domain here)/application/o/netbird/jwks/", "OIDCConfigEndpoint": "https://(domain here)/application/o/netbird/.well-known/openid-configuration", "IdpSignKeyRefreshEnabled": false, "ExtraAuthAudience": "" }, "IdpManagerConfig": { "ManagerType": "authentik", "ClientConfig": { "Issuer": "https://(domain here)/application/o/netbird", "TokenEndpoint": "https://(domain here)/application/o/token/", "ClientID": "kNJuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "ClientSecret": "", "GrantType": "client_credentials" }, "ExtraConfig": { "Password": "6TFxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "Username": "Netbird" }, "Auth0ClientCredentials": null, "AzureClientCredentials": null, "KeycloakClientCredentials": null, "ZitadelClientCredentials": null }, "DeviceAuthorizationFlow": { "Provider": "hosted", "ProviderConfig": { "ClientID": "kNJuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "ClientSecret": "", "Domain": "(domain here", "Audience": "kNJuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "TokenEndpoint": "https://(domain here)/application/o/token/", "DeviceAuthEndpoint": "https://(domain here)/if/flow/default-device-code-flow/", "AuthorizationEndpoint": "", "Scope": "openid", "UseIDToken": false, "RedirectURLs": null } }, "PKCEAuthorizationFlow": { "ProviderConfig": { "ClientID": "kNJuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "ClientSecret": "", "Domain": "", "Audience": "kNJuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "TokenEndpoint": "https://(domain here)/application/o/token/", "DeviceAuthEndpoint": "", "AuthorizationEndpoint": "https://(domain here)/application/o/authorize/", "Scope": "openid profile email offline_access api", "UseIDToken": false, "RedirectURLs": [ "http://localhost:53000" ] } }, "StoreConfig": { "Engine": "sqlite" }, "ReverseProxy": { "TrustedHTTPProxies": [], "TrustedHTTPProxiesCount": 0, "TrustedPeers": [ "0.0.0.0/0" ] } } ``` **docker-compose.yml** ``` version: "3" services: #UI dashboard dashboard: image: netbirdio/dashboard:latest restart: unless-stopped ports: - 80:80 - 443:443 environment: # Endpoints - NETBIRD_MGMT_API_ENDPOINT=https://(domain here) - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://(domain here) # OIDC - AUTH_AUDIENCE=kNJuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - AUTH_CLIENT_ID=kNJuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - AUTH_CLIENT_SECRET= - AUTH_AUTHORITY=https://(domain here)/application/o/netbird/ - USE_AUTH0=false - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api - AUTH_REDIRECT_URI= - AUTH_SILENT_REDIRECT_URI= - NETBIRD_TOKEN_SOURCE=accessToken # SSL - NGINX_SSL_PORT=443 # Letsencrypt - LETSENCRYPT_DOMAIN= - LETSENCRYPT_EMAIL= volumes: - netbird-letsencrypt:/etc/letsencrypt/ logging: driver: "json-file" options: max-size: "500m" max-file: "2" # Signal signal: image: netbirdio/signal:latest restart: unless-stopped volumes: - netbird-signal:/var/lib/netbird ports: - 10000:8080 # # port and command for Let's Encrypt validation # - 443:443 # command: ["--letsencrypt-domain", "", "--log-file", "console"] logging: driver: "json-file" options: max-size: "500m" max-file: "2" # Relay relay: image: netbirdio/relay:latest restart: unless-stopped environment: - NB_LOG_LEVEL=info - NB_LISTEN_ADDRESS=(domain here):33080 - NB_EXPOSED_ADDRESS=(domain here):33080 # todo: change to a secure secret - NB_AUTH_SECRET=BYbXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ports: - 33080:33080 logging: driver: "json-file" options: max-size: "500m" max-file: "2" # Management management: image: netbirdio/management:latest restart: unless-stopped depends_on: - dashboard volumes: - netbird-mgmt:/var/lib/netbird - netbird-letsencrypt:/etc/letsencrypt:ro - ./management.json:/etc/netbird/management.json ports: - 33073:443 #API port # # command for Let's Encrypt validation without dashboard container # command: ["--letsencrypt-domain", "", "--log-file", "console"] command: [ "--port", "443", "--log-file", "console", "--log-level", "info", "--disable-anonymous-metrics=false", "--single-account-mode-domain=netbird.truenasg.net", "--dns-domain=netbird.selfhosted" ] logging: driver: "json-file" options: max-size: "500m" max-file: "2" environment: - NETBIRD_STORE_ENGINE_POSTGRES_DSN= # Coturn coturn: image: coturn/coturn:latest restart: unless-stopped #domainname: (domain here) # only needed when TLS is enabled volumes: - ./turnserver.conf:/etc/turnserver.conf:ro # - ./privkey.pem:/etc/coturn/private/privkey.pem:ro # - ./cert.pem:/etc/coturn/certs/cert.pem:ro network_mode: host command: - -c /etc/turnserver.conf logging: driver: "json-file" options: max-size: "500m" max-file: "2" volumes: netbird-mgmt: netbird-signal: netbird-letsencrypt: ``` **setup.env** (Copied example file and modified it) ``` ## example file, you can copy this file to setup.env and update its values ## # Image tags # you can force specific tags for each component; will be set to latest if empty NETBIRD_DASHBOARD_TAG="" NETBIRD_SIGNAL_TAG="" NETBIRD_MANAGEMENT_TAG="" COTURN_TAG="" NETBIRD_RELAY_TAG="" # Dashboard domain. e.g. app.mydomain.com NETBIRD_DOMAIN="(domain here)" # TURN server domain. e.g. turn.mydomain.com # if not specified it will assume NETBIRD_DOMAIN NETBIRD_TURN_DOMAIN="(domain here)t" # TURN server public IP address # required for a connection involving peers in # the same network as the server and external peers # usually matches the IP for the domain set in NETBIRD_TURN_DOMAIN NETBIRD_TURN_EXTERNAL_IP="(IP here)" # ------------------------------------------- # OIDC # e.g., https://example.eu.auth0.com/.well-known/openid-configuration # ------------------------------------------- NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://(domain here)/application/o/netbird/.well-known/openid-configuration" # The default setting is to transmit the audience to the IDP during authorization. However, # if your IDP does not have this capability, you can turn this off by setting it to false. #NETBIRD_DASH_AUTH_USE_AUDIENCE=false NETBIRD_AUTH_AUDIENCE="kNJuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" # e.g. netbird-client NETBIRD_AUTH_CLIENT_ID="kNJuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" # indicates the scopes that will be requested to the IDP NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api" # NETBIRD_AUTH_CLIENT_SECRET is required only by Google workspace. # NETBIRD_AUTH_CLIENT_SECRET="" # if you want to use a custom claim for the user ID instead of 'sub', set it here # NETBIRD_AUTH_USER_ID_CLAIM="" # indicates whether to use Auth0 or not: true or false NETBIRD_USE_AUTH0="false" # if your IDP provider doesn't support fragmented URIs, configure custom # redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain. # NETBIRD_AUTH_REDIRECT_URI="/peers" # NETBIRD_AUTH_SILENT_REDIRECT_URI="/add-peers" # Updates the preference to use id tokens instead of access token on dashboard # Okta and Gitlab IDPs can benefit from this # NETBIRD_TOKEN_SOURCE="idToken" # ------------------------------------------- # OIDC Device Authorization Flow # ------------------------------------------- NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="authentik" NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="kNJuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" # Some IDPs requires different audience, scopes and to use id token for device authorization flow # you can customize here: NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="kNJuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid" NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false # ------------------------------------------- # OIDC PKCE Authorization Flow # ------------------------------------------- # Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative # eg. 53000,54000 NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000" # ------------------------------------------- # IDP Management # ------------------------------------------- # eg. zitadel, auth0, azure, keycloak NETBIRD_MGMT_IDP="authentik" # Some IDPs requires different client id and client secret for management api NETBIRD_IDP_MGMT_CLIENT_SECRET="kNJuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" # Required when setting up with Keycloak "https://<YOUR_KEYCLOAK_HOST_AND_PORT>/admin/realms/netbird" # NETBIRD_IDP_MGMT_EXTRA_ADMIN_ENDPOINT= # With some IDPs may be needed enabling automatic refresh of signing keys on expire # NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=false # NETBIRD_IDP_MGMT_EXTRA_ variables. See https://docs.netbird.io/selfhosted/identity-providers for more information about your IDP of choice. # ------------------------------------------- # Letsencrypt # ------------------------------------------- # Disable letsencrypt # if disabled, cannot use HTTPS anymore and requires setting up a reverse-proxy to do it instead NETBIRD_DISABLE_LETSENCRYPT=true # e.g. hello@mydomain.com NETBIRD_LETSENCRYPT_EMAIL="" # ------------------------------------------- # Extra settings # ------------------------------------------- # Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection NETBIRD_DISABLE_ANONYMOUS_METRICS=false # DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted # ------------------------------------------- # Relay settings # ------------------------------------------- # Relay server domain. e.g. relay.mydomain.com # if not specified it will assume NETBIRD_DOMAIN NETBIRD_RELAY_DOMAIN="(domain here)" # Relay server connection port. If none is supplied # it will default to 33080 NETBIRD_RELAY_PORT="" NETBIRD_IDP_MGMT_EXTRA_USERNAME="Netbird" NETBIRD_IDP_MGMT_EXTRA_PASSWORD="6TFSxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" ``` I can provide further Information when requested, I hope all of this helps.
saavagebueno added the triage-needed label 2025-11-20 05:32:04 -05:00
saavagebueno commented 2025-11-20 05:32:05 -05:00
Author
Owner
Copy Link

@creeram commented on GitHub (Dec 26, 2024):

@GeorgeDaGreatt Did you find the solution? I'm also getting the same issue.

@creeram commented on GitHub (Dec 26, 2024): @GeorgeDaGreatt Did you find the solution? I'm also getting the same issue.
saavagebueno commented 2025-11-20 05:32:05 -05:00
Author
Owner
Copy Link

@GeorgeDaGreatt commented on GitHub (Dec 27, 2024):

I'm glad to see that I'm not the only one with this error. But sadly, no.

@GeorgeDaGreatt commented on GitHub (Dec 27, 2024): I'm glad to see that I'm not the only one with this error. But sadly, no.
saavagebueno commented 2025-11-20 05:32:06 -05:00
Author
Owner
Copy Link

@farewarr commented on GitHub (Jan 1, 2025):

I'm getting the same issue and I opened a ticket on here too

@farewarr commented on GitHub (Jan 1, 2025): I'm getting the same issue and I opened a ticket on here too
saavagebueno commented 2025-11-20 05:32:06 -05:00
Author
Owner
Copy Link

@GeorgeDaGreatt commented on GitHub (Jan 1, 2025):

I'm getting the same issue and I opened a ticket on here too

Could you share the issue's link with us? (in case I may need to reference it too)

@GeorgeDaGreatt commented on GitHub (Jan 1, 2025): > I'm getting the same issue and I opened a ticket on here too Could you share the issue's link with us? (in case I may need to reference it too)
saavagebueno commented 2025-11-20 05:32:06 -05:00
Author
Owner
Copy Link

@farewarr commented on GitHub (Jan 2, 2025):

I'm getting the same issue and I opened a ticket on here too

Could you share the issue's link with us? (in case I may need to reference it too)

I resolved my issue myself:

Issue was resolved by adding the following in the setup.env file:

NETBIRD_MGMT_API_PORT to your reverse-proxy TLS-port (default: 443)
NETBIRD_SIGNAL_PORT to your reverse-proxy TLS-port

running ./configure.sh

then modifying docker-compose.yml to map ports 33073 for management to 443 and 10000 for signal to 443.

after running docker compose up -d I was able to add peers.

for the issue in this thread, make sure also your nginx configuration in the advanced tab as following:

# This is necessary so that grpc connections do not get closed early
# see https://stackoverflow.com/a/67805465
client_header_timeout 1d;
client_body_timeout 1d;

proxy_set_header        X-Real-IP $remote_addr;
proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header        X-Scheme $scheme;
proxy_set_header        X-Forwarded-Proto https;
proxy_set_header        X-Forwarded-Host $host;
grpc_set_header         X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header       Authorization $http_authorization;
grpc_set_header         Authorization $http_authorization;

# Proxy dashboard
location / {
    proxy_pass http://ip-to-your-netbird-server:80;
}
# Proxy Signal
location /signalexchange.SignalExchange/ {
    grpc_pass grpc://ip-to-your-netbird-server:10000;
    grpc_set_header         Authorization $http_authorization;
    grpc_ssl_verify off;
    grpc_read_timeout 1d;
    grpc_send_timeout 1d;
    grpc_socket_keepalive on;
}
# Proxy Management http endpoint
location /api {
    proxy_pass http://ip-to-your-netbird-server:33073;
}
# Proxy Management grpc endpoint
location /management.ManagementService/ {
    grpc_pass grpc://ip-to-your-netbird-server:33073;
    grpc_set_header         Authorization $http_authorization;
    grpc_ssl_verify off;
    grpc_read_timeout 1d;
    grpc_send_timeout 1d;
    grpc_socket_keepalive on;
}

make sure the custom locations tab is blank. Let me know if you have any questions. Thanks.

@farewarr commented on GitHub (Jan 2, 2025): > > I'm getting the same issue and I opened a ticket on here too > > Could you share the issue's link with us? (in case I may need to reference it too) I resolved my issue myself: Issue was resolved by adding the following in the setup.env file: NETBIRD_MGMT_API_PORT to your reverse-proxy TLS-port (default: 443) NETBIRD_SIGNAL_PORT to your reverse-proxy TLS-port running ./configure.sh then modifying docker-compose.yml to map ports 33073 for management to 443 and 10000 for signal to 443. after running docker compose up -d I was able to add peers. for the issue in this thread, make sure also your nginx configuration in the advanced tab as following: # This is necessary so that grpc connections do not get closed early # see https://stackoverflow.com/a/67805465 client_header_timeout 1d; client_body_timeout 1d; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Scheme $scheme; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Host $host; grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Authorization $http_authorization; grpc_set_header Authorization $http_authorization; # Proxy dashboard location / { proxy_pass http://ip-to-your-netbird-server:80; } # Proxy Signal location /signalexchange.SignalExchange/ { grpc_pass grpc://ip-to-your-netbird-server:10000; grpc_set_header Authorization $http_authorization; grpc_ssl_verify off; grpc_read_timeout 1d; grpc_send_timeout 1d; grpc_socket_keepalive on; } # Proxy Management http endpoint location /api { proxy_pass http://ip-to-your-netbird-server:33073; } # Proxy Management grpc endpoint location /management.ManagementService/ { grpc_pass grpc://ip-to-your-netbird-server:33073; grpc_set_header Authorization $http_authorization; grpc_ssl_verify off; grpc_read_timeout 1d; grpc_send_timeout 1d; grpc_socket_keepalive on; } make sure the custom locations tab is blank. Let me know if you have any questions. Thanks.
saavagebueno commented 2025-11-20 05:32:06 -05:00
Author
Owner
Copy Link

@GeorgeDaGreatt commented on GitHub (Jan 2, 2025):

After adding the configuration on both NetBird and Nginx Proxy Manager, the dashboard refused to load after authenticating with Authentik. To diagnose the issue, I opened my browser's console to see this error:

Screenshot 2025-01-02 123802

I made sure that there were no locations configured in Nginx Proxy Manager and that it was forwarding the correct host and ports and the formatting in the advanced section should be correct, because when it isn't Nginx Proxy Manager marks the Proxy Host as disabled and refuses to connect any clients to it.

That was before I looked at this message at the bottom of the advanced configuration which states:

image_2025-01-02_125044023

According to that message, I should be able to modify the configuration so that Nginx accepts gRPC and forwards everything perfectly fine.

My question is.. How?

And if I can't, is there another solution?

@GeorgeDaGreatt commented on GitHub (Jan 2, 2025): After adding the configuration on both **NetBird** and **Nginx Proxy Manager**, the dashboard **refused to load** after authenticating with **Authentik**. To diagnose the issue, I opened my browser's console to see this error: ![Screenshot 2025-01-02 123802](https://github.com/user-attachments/assets/485b41ae-6e85-4a9d-b74e-031a6246640f) I made sure that there were **no locations configured** in **Nginx Proxy Manager** and that it was **forwarding the correct host** and **ports** and the **formatting** in the **advanced** section **should be correct**, because when it isn't **Nginx Proxy Manager marks the Proxy Host as disabled** and _refuses_ to connect any clients to it. That was **before** I looked at this message at the **bottom** of the **advanced configuration** which states: ![image_2025-01-02_125044023](https://github.com/user-attachments/assets/1721ab98-6919-410b-957e-cdb7caf10539) **According to that message**, I should be able to **modify** the **configuration** so that Nginx **accepts gRPC** and forwards everything perfectly fine. My question is.. How? And if I can't, is there another solution?
saavagebueno commented 2025-11-20 05:32:06 -05:00
Author
Owner
Copy Link

@farewarr commented on GitHub (Jan 2, 2025):

@GeorgeDaGreatt I would ignore that message in the advanced tab, what that message is saying, which is misleading and kind of confusing, is that you cannot use the set_header or add_header simply by itself without also including code for the location blocks. But since we are including the location blocks in the advanced tab we are fine. What I have come to learn is that proxy manager itself is just a UI kid friendly verison of NGINX itself. So if you do not want to use any nginx code at all, you can use UI and the custom locations tab. If you do want to use standard nginx code you can do that in the advanced tab. I know how frustrating this is, as I spent days on this. So I am commited to helping you resolve this. if you want, you can post screenshots of all the tabs (execpt the advanced tab) and a copy of the code you have in the avanced tab and I will review it for you. Alternatively if you want to direct message me we can try to find time to hop on a zoom or webex or something.

@farewarr commented on GitHub (Jan 2, 2025): @GeorgeDaGreatt I would ignore that message in the advanced tab, what that message is saying, which is misleading and kind of confusing, is that you cannot use the set_header or add_header simply by itself without also including code for the location blocks. But since we are including the location blocks in the advanced tab we are fine. What I have come to learn is that proxy manager itself is just a UI kid friendly verison of NGINX itself. So if you do not want to use any nginx code at all, you can use UI and the custom locations tab. If you do want to use standard nginx code you can do that in the advanced tab. I know how frustrating this is, as I spent days on this. So I am commited to helping you resolve this. if you want, you can post screenshots of all the tabs (execpt the advanced tab) and a copy of the code you have in the avanced tab and I will review it for you. Alternatively if you want to direct message me we can try to find time to hop on a zoom or webex or something.
saavagebueno commented 2025-11-20 05:32:06 -05:00
Author
Owner
Copy Link

@GeorgeDaGreatt commented on GitHub (Jan 3, 2025):

Thanks for the clarification. I honestly think that they should really add more context about what they are talking about in the advanced tab, it confuses everyone that didn't spend days trying to figure it out.

Moving on..

After I found out that both types of configuration didn't work with NetBird (and Nginx didn't care where you placed configuration) I used the configuration @farewarr suggested earlier.

Here is the configuration I entered in the advanced tab:

client_header_timeout 1d;
client_body_timeout 1d;

proxy_set_header        X-Real-IP $remote_addr;
proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header        X-Scheme $scheme;
proxy_set_header        X-Forwarded-Proto https;
proxy_set_header        X-Forwarded-Host $host;
grpc_set_header         X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header       Authorization $http_authorization;
grpc_set_header         Authorization $http_authorization;

# Proxy dashboard
location / {
    proxy_pass http://192.168.1.67:80;
}
# Proxy Signal
location /signalexchange.SignalExchange/ {
    grpc_pass grpc://192.168.1.67:10000;
    grpc_set_header         Authorization $http_authorization;
    grpc_ssl_verify off;
    grpc_read_timeout 1d;
    grpc_send_timeout 1d;
    grpc_socket_keepalive on;
}
# Proxy Management http endpoint
location /api {
    proxy_pass http://192.168.1.67:33073;
}
# Proxy Management grpc endpoint
location /management.ManagementService/ {
    grpc_pass grpc://192.168.1.67:33073;
    grpc_set_header         Authorization $http_authorization;
    grpc_ssl_verify off;
    grpc_read_timeout 1d;
    grpc_send_timeout 1d;
    grpc_socket_keepalive on;
}

And the base configuration:

image
(All other tabs were left blank except the advanced tab)

I made sure that all configuration was removed in the location tab, and that all ports were matching. However, the configuration still returns the same error when logging in. (Shown below) I only modified the IP address needed in the advanced configuration for the correct forwarding.

image

I can share more configuration if needed to solve this issue, and I really appreciate all the help given to solve it.

@GeorgeDaGreatt commented on GitHub (Jan 3, 2025): Thanks for the clarification. I honestly think that they should **really add more context** about **_what_** they are talking about in the **advanced tab**, it **confuses everyone** that _**didn't**_ **spend days** trying to **figure it out**. Moving on.. After I found out that **both types of configuration** _didn't_ work with **NetBird** (and **Nginx didn't care** _where_ you placed configuration) I used the **configuration** @farewarr **suggested** earlier. Here is the configuration I entered in the **advanced tab**: ``` client_header_timeout 1d; client_body_timeout 1d; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Scheme $scheme; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Host $host; grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Authorization $http_authorization; grpc_set_header Authorization $http_authorization; # Proxy dashboard location / { proxy_pass http://192.168.1.67:80; } # Proxy Signal location /signalexchange.SignalExchange/ { grpc_pass grpc://192.168.1.67:10000; grpc_set_header Authorization $http_authorization; grpc_ssl_verify off; grpc_read_timeout 1d; grpc_send_timeout 1d; grpc_socket_keepalive on; } # Proxy Management http endpoint location /api { proxy_pass http://192.168.1.67:33073; } # Proxy Management grpc endpoint location /management.ManagementService/ { grpc_pass grpc://192.168.1.67:33073; grpc_set_header Authorization $http_authorization; grpc_ssl_verify off; grpc_read_timeout 1d; grpc_send_timeout 1d; grpc_socket_keepalive on; } ``` And the **base configuration**: ![image](https://github.com/user-attachments/assets/f5e4119f-4302-40a0-b4b0-238bd2d57d76) (All other tabs were left blank except the advanced tab) I made sure that **all configuration** was **removed** in the **location tab**, and that **all ports were matching**. _However_, the configuration still returns the **same error** when logging in. (Shown below) I **only modified the IP address** needed in the advanced configuration for the correct forwarding. > ![image](https://github.com/user-attachments/assets/74e27ce5-df3b-4f74-8916-c105822e1472) > I can share more configuration if needed to solve this issue, and I really appreciate all the help given to solve it.
saavagebueno commented 2025-11-20 05:32:06 -05:00
Author
Owner
Copy Link

@farewarr commented on GitHub (Jan 3, 2025):

@GeorgeDaGreatt , whats handling your cert? Is Proxy Man terminating the SSL? Whether you are using a custom cert or a LetsEncrypt cert, you want to force SSL (enable that) and HTTP/2 (enable that). Also provide me your latest docker compose and management.json file. Thanks.

@farewarr commented on GitHub (Jan 3, 2025): @GeorgeDaGreatt , whats handling your cert? Is Proxy Man terminating the SSL? Whether you are using a custom cert or a LetsEncrypt cert, you want to force SSL (enable that) and HTTP/2 (enable that). Also provide me your latest docker compose and management.json file. Thanks.
saavagebueno commented 2025-11-20 05:32:07 -05:00
Author
Owner
Copy Link

@GeorgeDaGreatt commented on GitHub (Jan 4, 2025):

Edit: See next comment for an update

I use Cloudflare to manage my DNS and Certificates. and all my domains go to my Nginx Proxy Manager instance, where SSL is terminated.

I requested a LetsEncrypt Certificate in NPM and added it to the NPM configuration for NetBird, then turned on the settings I was suggested.

After saving those settings, my browser gave me this error:

image

After some trial and error, the error seemed to be caused by the "Force SSL" setting.

Moving on...

Here is the docker-compose.yml file and management.json file as requested:

docker-compose.yml

(some data has been redacted)

version: "3"
services:
  #UI dashboard
  dashboard:
    image: netbirdio/dashboard:latest
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://(domain here):443
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://(domain here):443
      # OIDC
      - AUTH_AUDIENCE=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      - AUTH_CLIENT_ID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      - AUTH_CLIENT_SECRET=
      - AUTH_AUTHORITY=https://(domain here)/application/o/netbird/
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
      - AUTH_REDIRECT_URI=
      - AUTH_SILENT_REDIRECT_URI=
      - NETBIRD_TOKEN_SOURCE=accessToken
      # SSL
      - NGINX_SSL_PORT=443
      # Letsencrypt
      - LETSENCRYPT_DOMAIN=
      - LETSENCRYPT_EMAIL=
    volumes:
      - netbird-letsencrypt:/etc/letsencrypt/
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    volumes:
      - netbird-signal:/var/lib/netbird
    ports:
      - 10000:443
  #      # port and command for Let's Encrypt validation
  #      - 443:443
  #    command: ["--letsencrypt-domain", "", "--log-file", "console"]
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Relay
  relay:
    image: netbirdio/relay:latest
    restart: unless-stopped
    environment:
    - NB_LOG_LEVEL=info
    - NB_LISTEN_ADDRESS=:33080
    - NB_EXPOSED_ADDRESS=(domain here):33080
    # todo: change to a secure secret
    - NB_AUTH_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    ports:
      - 33080:33080
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"

  # Management
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - netbird-letsencrypt:/etc/letsencrypt:ro
      - ./management.json:/etc/netbird/management.json
    ports:
      - 33073:443 #API port
  #    # command for Let's Encrypt validation without dashboard container
  #    command: ["--letsencrypt-domain", "", "--log-file", "console"]
    command: [
      "--port", "443",
      "--log-file", "console",
      "--log-level", "info",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain=(domain here)",
      "--dns-domain=netbird.selfhosted"
      ]
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
    environment:
      - NETBIRD_STORE_ENGINE_POSTGRES_DSN=
      
  # Coturn
  coturn:
    image: coturn/coturn:latest
    restart: unless-stopped
    #domainname:  (domain here) # only needed when TLS is enabled
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    #      - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
    #      - ./cert.pem:/etc/coturn/certs/cert.pem:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
volumes:
  netbird-mgmt:
  netbird-signal:
  netbird-letsencrypt:

management.json

(some data has been redacted)

{
  "Stuns": [
    {
      "Proto": "udp",
      "URI": "stun:(domain here):3478",
      "Username": "",
      "Password": null
    }
  ],
  "TURNConfig": {
    "Turns": [
      {
        "Proto": "udp",
        "URI": "turn:(domain here):3478",
        "Username": "self",
        "Password": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
      }
    ],
    "CredentialsTTL": "12h",
    "Secret": "secret",
    "TimeBasedCredentials": false
  },
  "Relay": {
    "Addresses": [
      "rel://(domain here):33080"
    ],
    "CredentialsTTL": "24h",
    "Secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  },
  "Signal": {
    "Proto": "https",
    "URI": "(domain here):443",
    "Username": "",
    "Password": null
  },
  "ReverseProxy": {
    "TrustedHTTPProxies": [],
    "TrustedHTTPProxiesCount": 0,
    "TrustedPeers": [
      "0.0.0.0/0"
    ]
  },
  "Datadir": "",
  "DataStoreEncryptionKey": "",
  "StoreConfig": {
    "Engine": "sqlite"
  },
  "HttpConfig": {
    "Address": "0.0.0.0:443",
    "AuthIssuer": "https://(domain here)/application/o/netbird/",
    "AuthAudience": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "AuthKeysLocation": "https://(domain here)/application/o/netbird/jwks/",
    "AuthUserIDClaim": "",
    "CertFile": "",
    "CertKey": "",
    "IdpSignKeyRefreshEnabled": false,
    "OIDCConfigEndpoint": "https://(domain here)/application/o/netbird/.well-known/openid-configuration"
  },
  "IdpManagerConfig": {
    "ManagerType": "authentik",
    "ClientConfig": {
      "Issuer": "https://(domain here)/application/o/netbird/",
      "TokenEndpoint": "https://(domain here)/application/o/token/",
      "ClientID": "",
      "ClientSecret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
      "GrantType": "client_credentials"
    },
    "ExtraConfig": {
      "Password": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
      "Username": "Netbird"
    },
    "Auth0ClientCredentials": null,
    "AzureClientCredentials": null,
    "KeycloakClientCredentials": null,
    "ZitadelClientCredentials": null
  },
  "DeviceAuthorizationFlow": {
    "Provider": "hosted",
    "ProviderConfig": {
      "Audience": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
      "AuthorizationEndpoint": "",
      "Domain": "",
      "ClientID": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
      "ClientSecret": "",
      "TokenEndpoint": "https://(domain here)/application/o/token/",
      "DeviceAuthEndpoint": "https://(domain here)/application/o/device/",
      "Scope": "openid",
      "UseIDToken": false,
      "RedirectURLs": null
    }
  },
  "PKCEAuthorizationFlow": {
    "ProviderConfig": {
      "Audience": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
      "ClientID": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
      "ClientSecret": "",
      "Domain": "",
      "AuthorizationEndpoint": "https://(domain here)/application/o/authorize/",
      "TokenEndpoint": "https://(domain here)/application/o/token/",
      "Scope": "openid profile email offline_access api",
      "RedirectURLs": [
        "http://localhost:53000"
      ],
      "UseIDToken": false
    }
  }
}

If you need any more configuration or information, I will provide it on request. As always, thank you so much for your help on solving this issue.

@GeorgeDaGreatt commented on GitHub (Jan 4, 2025): ### Edit: See [next comment](https://github.com/netbirdio/netbird/issues/3110#issuecomment-2571366397) for an update I use **Cloudflare** to manage my **DNS** and **Certificates**. and **all my domains** go to my **Nginx Proxy Manager** instance, where **SSL is terminated**. I requested a **LetsEncrypt Certificate** in **NPM** and added it to the **NPM configuration** for NetBird, then **turned on** the **settings** I was suggested. **After saving** those settings, my **browser** gave me this **error**: ![image](https://github.com/user-attachments/assets/8a2421a9-dbf5-457e-af02-8d965f1d4418) After **some trial and error**, the **error** seemed to be **caused** by the "**Force SSL**" setting. Moving on... Here is the **docker-compose.yml** file and **management.json** file **as requested**: docker-compose.yml --- (some data has been redacted) ``` version: "3" services: #UI dashboard dashboard: image: netbirdio/dashboard:latest restart: unless-stopped ports: - 80:80 - 443:443 environment: # Endpoints - NETBIRD_MGMT_API_ENDPOINT=https://(domain here):443 - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://(domain here):443 # OIDC - AUTH_AUDIENCE=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - AUTH_CLIENT_ID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - AUTH_CLIENT_SECRET= - AUTH_AUTHORITY=https://(domain here)/application/o/netbird/ - USE_AUTH0=false - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api - AUTH_REDIRECT_URI= - AUTH_SILENT_REDIRECT_URI= - NETBIRD_TOKEN_SOURCE=accessToken # SSL - NGINX_SSL_PORT=443 # Letsencrypt - LETSENCRYPT_DOMAIN= - LETSENCRYPT_EMAIL= volumes: - netbird-letsencrypt:/etc/letsencrypt/ logging: driver: "json-file" options: max-size: "500m" max-file: "2" # Signal signal: image: netbirdio/signal:latest restart: unless-stopped volumes: - netbird-signal:/var/lib/netbird ports: - 10000:443 # # port and command for Let's Encrypt validation # - 443:443 # command: ["--letsencrypt-domain", "", "--log-file", "console"] logging: driver: "json-file" options: max-size: "500m" max-file: "2" # Relay relay: image: netbirdio/relay:latest restart: unless-stopped environment: - NB_LOG_LEVEL=info - NB_LISTEN_ADDRESS=:33080 - NB_EXPOSED_ADDRESS=(domain here):33080 # todo: change to a secure secret - NB_AUTH_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ports: - 33080:33080 logging: driver: "json-file" options: max-size: "500m" max-file: "2" # Management management: image: netbirdio/management:latest restart: unless-stopped depends_on: - dashboard volumes: - netbird-mgmt:/var/lib/netbird - netbird-letsencrypt:/etc/letsencrypt:ro - ./management.json:/etc/netbird/management.json ports: - 33073:443 #API port # # command for Let's Encrypt validation without dashboard container # command: ["--letsencrypt-domain", "", "--log-file", "console"] command: [ "--port", "443", "--log-file", "console", "--log-level", "info", "--disable-anonymous-metrics=false", "--single-account-mode-domain=(domain here)", "--dns-domain=netbird.selfhosted" ] logging: driver: "json-file" options: max-size: "500m" max-file: "2" environment: - NETBIRD_STORE_ENGINE_POSTGRES_DSN= # Coturn coturn: image: coturn/coturn:latest restart: unless-stopped #domainname: (domain here) # only needed when TLS is enabled volumes: - ./turnserver.conf:/etc/turnserver.conf:ro # - ./privkey.pem:/etc/coturn/private/privkey.pem:ro # - ./cert.pem:/etc/coturn/certs/cert.pem:ro network_mode: host command: - -c /etc/turnserver.conf logging: driver: "json-file" options: max-size: "500m" max-file: "2" volumes: netbird-mgmt: netbird-signal: netbird-letsencrypt: ``` management.json --- (some data has been redacted) ``` { "Stuns": [ { "Proto": "udp", "URI": "stun:(domain here):3478", "Username": "", "Password": null } ], "TURNConfig": { "Turns": [ { "Proto": "udp", "URI": "turn:(domain here):3478", "Username": "self", "Password": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" } ], "CredentialsTTL": "12h", "Secret": "secret", "TimeBasedCredentials": false }, "Relay": { "Addresses": [ "rel://(domain here):33080" ], "CredentialsTTL": "24h", "Secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" }, "Signal": { "Proto": "https", "URI": "(domain here):443", "Username": "", "Password": null }, "ReverseProxy": { "TrustedHTTPProxies": [], "TrustedHTTPProxiesCount": 0, "TrustedPeers": [ "0.0.0.0/0" ] }, "Datadir": "", "DataStoreEncryptionKey": "", "StoreConfig": { "Engine": "sqlite" }, "HttpConfig": { "Address": "0.0.0.0:443", "AuthIssuer": "https://(domain here)/application/o/netbird/", "AuthAudience": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "AuthKeysLocation": "https://(domain here)/application/o/netbird/jwks/", "AuthUserIDClaim": "", "CertFile": "", "CertKey": "", "IdpSignKeyRefreshEnabled": false, "OIDCConfigEndpoint": "https://(domain here)/application/o/netbird/.well-known/openid-configuration" }, "IdpManagerConfig": { "ManagerType": "authentik", "ClientConfig": { "Issuer": "https://(domain here)/application/o/netbird/", "TokenEndpoint": "https://(domain here)/application/o/token/", "ClientID": "", "ClientSecret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "GrantType": "client_credentials" }, "ExtraConfig": { "Password": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "Username": "Netbird" }, "Auth0ClientCredentials": null, "AzureClientCredentials": null, "KeycloakClientCredentials": null, "ZitadelClientCredentials": null }, "DeviceAuthorizationFlow": { "Provider": "hosted", "ProviderConfig": { "Audience": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "AuthorizationEndpoint": "", "Domain": "", "ClientID": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "ClientSecret": "", "TokenEndpoint": "https://(domain here)/application/o/token/", "DeviceAuthEndpoint": "https://(domain here)/application/o/device/", "Scope": "openid", "UseIDToken": false, "RedirectURLs": null } }, "PKCEAuthorizationFlow": { "ProviderConfig": { "Audience": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "ClientID": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "ClientSecret": "", "Domain": "", "AuthorizationEndpoint": "https://(domain here)/application/o/authorize/", "TokenEndpoint": "https://(domain here)/application/o/token/", "Scope": "openid profile email offline_access api", "RedirectURLs": [ "http://localhost:53000" ], "UseIDToken": false } } } ``` If you need _any_ more **configuration** or **information**, I will **provide it on request**. As always, **thank you so much** for your **help** on **solving this issue**.
saavagebueno commented 2025-11-20 05:32:07 -05:00
Author
Owner
Copy Link

@GeorgeDaGreatt commented on GitHub (Jan 4, 2025):

UPDATE

Since that clearly didn't work, I tried downloading a Cloudflare Origin server certificate to replace the LetsEncrypt certificate, I also changed some Cloudflare settings (Setting the SSL settings to be "Full (Strict)") which fixed the "Too many redirects" error.

However, my browser still reported the same error found a little bit before:

image

@GeorgeDaGreatt commented on GitHub (Jan 4, 2025): UPDATE --- Since that **clearly didn't work**, I **tried downloading** a **Cloudflare Origin server certificate** to **replace** the **LetsEncrypt certificate**, I _also_ changed some **Cloudflare settings** (Setting the **SSL settings** to be **"Full (Strict)"**) which fixed the "Too many redirects" error. **_However_**, my **browser** _still_ **reported the same error** found **a little bit before**: ![image](https://github.com/user-attachments/assets/588c24a9-36aa-4670-8740-574f0cd0c064)
saavagebueno commented 2025-11-20 05:32:07 -05:00
Author
Owner
Copy Link

@farewarr commented on GitHub (Jan 4, 2025):

@GeorgeDaGreatt,

ok in your docker compose file, signal port is set to 10000:443 and needs to be set to 10000:80

also, your relay domain (since its redacted, no worries) just make sure you have a separate domain for you relay pointing directly to the ip address of the nebird server, and not your reverse proxy. because we are not proxying the relay and if you have it pointing to the ip address of your proxy server it will try to access 33080 on the proxy server and not the netbird server.

as for cloudflare, not too familiar with it, are you using it as a tunnel? or does the cloudfalre itself terminate the SSL?

@farewarr commented on GitHub (Jan 4, 2025): @GeorgeDaGreatt, ok in your docker compose file, signal port is set to 10000:443 and needs to be set to 10000:80 also, your relay domain (since its redacted, no worries) just make sure you have a separate domain for you relay pointing directly to the ip address of the nebird server, and not your reverse proxy. because we are not proxying the relay and if you have it pointing to the ip address of your proxy server it will try to access 33080 on the proxy server and not the netbird server. as for cloudflare, not too familiar with it, are you using it as a tunnel? or does the cloudfalre itself terminate the SSL?
saavagebueno commented 2025-11-20 05:32:07 -05:00
Author
Owner
Copy Link

@GeorgeDaGreatt commented on GitHub (Jan 5, 2025):

I changed the value in the docker-compose.yml file from 10000:443 to 10000:80. That, sadly, didn't change anything.

My Relay domain is separate, strictly not forwarded through Nginx Proxy Manager and (In Cloudflare) DNS queries are not proxied for that domain specifically. Thanks for the reassurance on that.

Cloudflare does have cloudflared (Cloudflare Tunnels), which I used to use when I didn't have NPM running. But now It is used mainly for DNS and SSL (And its very effective Proxying).

Cloudflare (On its free plan), provides a free SSL certificate and Proxying for your DNS queries, among other things. As for how SSL on Cloudflare works here is a little breakdown:

Cloudflare by default provides a Universal Certificate for your zone (domain). How Cloudflare handles encrypted traffic is a choice you make. Cloudflare gives you these options for how SSL traffic is handled:

Strict

Enforces and ensures encryption between Cloudflare and your Origin Server. You would normally use this to make sure ALL traffic is encrypted, regardless of user choice.

Full (Strict) *

Basically End-To-End encryption using Cloudflare's Origin certificates on your server, which your server HAS to have in order to use. (This is what I now use)

Full

End-To End encryption but without the Certificate Cloudflare provides, people normally use this if they already have a certificate (Like LetsEncrypt).

Flexible

Cloudflare serves traffic with encryption enabled, but connections made from Cloudflare to the Origin Server are unencrypted.

Off

Plain HTTP, no encryption whatsoever. Your browser doesn't trust your website by default.

| *=Its important to mention that the Origin Certificate you download and import on your Servers, is only valid for encryption between Cloudflare and your origin server. You CANNOT use the certificate for traffic served outside Cloudflare.

I hope that this provides a helpful guide for how SSL works on Cloudflare. I still cannot thank you enough for the help provided to me.

@GeorgeDaGreatt commented on GitHub (Jan 5, 2025): I **changed the value** in the **docker-compose.yml** file from `10000:443` to `10000:80`. That, sadly, **didn't change anything**. My **Relay domain** is **separate**, _strictly_ _**not**_ forwarded through **Nginx Proxy Manager** and (_In Cloudflare_) **DNS queries** are **_not_ proxied** for that domain specifically. Thanks for the reassurance on that. **Cloudflare** does have **cloudflared** (Cloudflare Tunnels), which I used to use when I didn't have NPM running. But now It is used **mainly** for **DNS** and **SSL** (And its very effective Proxying). **Cloudflare** (On its free plan), **provides a free SSL certificate** and **Proxying** for your **DNS queries**, among other things. As for **_how_ SSL on Cloudflare works** here is a **little breakdown**: **Cloudflare** **_by default_** provides a **Universal Certificate** for your **zone** (domain). **_How_ Cloudflare** handles **encrypted traffic** is a choice _**you**_ make. Cloudflare gives you these options for how SSL traffic is handled: ### Strict **Enforces** and _**ensures**_ **encryption** between **Cloudflare** and your **Origin Server**. You would normally use this to make sure **ALL traffic is encrypted**, regardless of user choice. ### Full (Strict) * Basically **End-To-End encryption** using **Cloudflare's Origin certificates** on your server, which your server **HAS to have** in order to use. (This is what I now use) ### Full **End-To End encryption** but **without** the **Certificate Cloudflare provides**, people normally use this if they **already have a certificate** (Like **LetsEncrypt**). ### Flexible **Cloudflare** serves traffic with **encryption enabled**, but **connections** made from **_Cloudflare_** to the **Origin Server** are **unencrypted**. ### Off **Plain HTTP**, **no encryption** whatsoever. Your **browser** **doesn't trust** your website **_by default_**. | *=Its **important to mention** that the **Origin Certificate** you **download and import** on your Servers, is **only valid** for **encryption** between **Cloudflare and your origin server**. You **CANNOT** use the certificate for **traffic served _outside_ Cloudflare**. I hope that this **provides a helpful guide** for **how SSL works** on **Cloudflare**. I still **cannot thank you enough** for the help provided to me.
saavagebueno commented 2025-11-20 05:32:07 -05:00
Author
Owner
Copy Link

@VanLampe commented on GitHub (Jan 9, 2025):

I'm getting the same issue and I opened a ticket on here too

Could you share the issue's link with us? (in case I may need to reference it too)

I resolved my issue myself:

Issue was resolved by adding the following in the setup.env file:

NETBIRD_MGMT_API_PORT to your reverse-proxy TLS-port (default: 443) NETBIRD_SIGNAL_PORT to your reverse-proxy TLS-port

running ./configure.sh

then modifying docker-compose.yml to map ports 33073 for management to 443 and 10000 for signal to 443.

after running docker compose up -d I was able to add peers.

for the issue in this thread, make sure also your nginx configuration in the advanced tab as following:

# This is necessary so that grpc connections do not get closed early
# see https://stackoverflow.com/a/67805465
client_header_timeout 1d;
client_body_timeout 1d;

proxy_set_header        X-Real-IP $remote_addr;
proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header        X-Scheme $scheme;
proxy_set_header        X-Forwarded-Proto https;
proxy_set_header        X-Forwarded-Host $host;
grpc_set_header         X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header       Authorization $http_authorization;
grpc_set_header         Authorization $http_authorization;

# Proxy dashboard
location / {
    proxy_pass http://ip-to-your-netbird-server:80;
}
# Proxy Signal
location /signalexchange.SignalExchange/ {
    grpc_pass grpc://ip-to-your-netbird-server:10000;
    grpc_set_header         Authorization $http_authorization;
    grpc_ssl_verify off;
    grpc_read_timeout 1d;
    grpc_send_timeout 1d;
    grpc_socket_keepalive on;
}
# Proxy Management http endpoint
location /api {
    proxy_pass http://ip-to-your-netbird-server:33073;
}
# Proxy Management grpc endpoint
location /management.ManagementService/ {
    grpc_pass grpc://ip-to-your-netbird-server:33073;
    grpc_set_header         Authorization $http_authorization;
    grpc_ssl_verify off;
    grpc_read_timeout 1d;
    grpc_send_timeout 1d;
    grpc_socket_keepalive on;
}

make sure the custom locations tab is blank. Let me know if you have any questions. Thanks.

Thanks @farewarr, this solved my problems. Before I used custom locations and always had trouble wiht correct forwarding. After adding the content to the advanced tab and removing all custom locations, everything is working fine with NPM.

@GeorgeDaGreatt not sure if this is really your issue, but as far as I can see, you are using more or less the default compose file, that is running the containers in bridge network. Make sure to set the container/service names and not the server IP as proxy and grpc destinations. E.g. grpc_pass grpc://management:443. Also make sure to publish the ports correctly and update the environment variables to fit your reverse proxy port.

@VanLampe commented on GitHub (Jan 9, 2025): > > > I'm getting the same issue and I opened a ticket on here too > > > > > > Could you share the issue's link with us? (in case I may need to reference it too) > > I resolved my issue myself: > > Issue was resolved by adding the following in the setup.env file: > > NETBIRD_MGMT_API_PORT to your reverse-proxy TLS-port (default: 443) NETBIRD_SIGNAL_PORT to your reverse-proxy TLS-port > > running ./configure.sh > > then modifying docker-compose.yml to map ports 33073 for management to 443 and 10000 for signal to 443. > > after running docker compose up -d I was able to add peers. > > for the issue in this thread, make sure also your nginx configuration in the advanced tab as following: > > ``` > # This is necessary so that grpc connections do not get closed early > # see https://stackoverflow.com/a/67805465 > client_header_timeout 1d; > client_body_timeout 1d; > > proxy_set_header X-Real-IP $remote_addr; > proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; > proxy_set_header X-Scheme $scheme; > proxy_set_header X-Forwarded-Proto https; > proxy_set_header X-Forwarded-Host $host; > grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; > proxy_set_header Authorization $http_authorization; > grpc_set_header Authorization $http_authorization; > > # Proxy dashboard > location / { > proxy_pass http://ip-to-your-netbird-server:80; > } > # Proxy Signal > location /signalexchange.SignalExchange/ { > grpc_pass grpc://ip-to-your-netbird-server:10000; > grpc_set_header Authorization $http_authorization; > grpc_ssl_verify off; > grpc_read_timeout 1d; > grpc_send_timeout 1d; > grpc_socket_keepalive on; > } > # Proxy Management http endpoint > location /api { > proxy_pass http://ip-to-your-netbird-server:33073; > } > # Proxy Management grpc endpoint > location /management.ManagementService/ { > grpc_pass grpc://ip-to-your-netbird-server:33073; > grpc_set_header Authorization $http_authorization; > grpc_ssl_verify off; > grpc_read_timeout 1d; > grpc_send_timeout 1d; > grpc_socket_keepalive on; > } > ``` > > make sure the custom locations tab is blank. Let me know if you have any questions. Thanks. Thanks @farewarr, this solved my problems. Before I used custom locations and always had trouble wiht correct forwarding. After adding the content to the advanced tab and removing all custom locations, everything is working fine with NPM. @GeorgeDaGreatt not sure if this is really your issue, but as far as I can see, you are using more or less the default compose file, that is running the containers in bridge network. Make sure to set the container/service names and *not* the server IP as proxy and grpc destinations. E.g. `grpc_pass grpc://management:443`. Also make sure to publish the ports correctly and update the environment variables to fit your reverse proxy port.
saavagebueno commented 2025-11-20 05:32:07 -05:00
Author
Owner
Copy Link

@GeorgeDaGreatt commented on GitHub (Jan 12, 2025):

@VanLampe

@GeorgeDaGreatt not sure if this is really your issue, but as far as I can see, you are using more or less the default compose file, that is running the containers in bridge network. Make sure to set the container/service names and not the server IP as proxy and grpc destinations. E.g. grpc_pass grpc://management:443. Also make sure to publish the ports correctly and update the environment variables to fit your reverse proxy port.

I failed to mention that Nginx Proxy Manager runs on a separate machine, not on the same one running NetBird. (Sorry about that..) And (To my knowledge), you can't reference containers in a bridge that aren't on the same machine.

I had it working perfectly fine with an IP address previously (Excluding client connection), and I'm not sure if Docker creating a Bridge network had/has any interference.

@GeorgeDaGreatt commented on GitHub (Jan 12, 2025): @VanLampe > @GeorgeDaGreatt not sure if this is really your issue, but as far as I can see, you are using more or less the default compose file, that is running the containers in bridge network. Make sure to set the container/service names and _not_ the server IP as proxy and grpc destinations. E.g. `grpc_pass grpc://management:443`. Also make sure to publish the ports correctly and update the environment variables to fit your reverse proxy port. I **failed to mention** that **Nginx Proxy Manager** runs on a **_separate_ machine**, **not** on the same one running NetBird. (Sorry about that..) And (**To my knowledge**), you **can't reference containers in a bridge** that _aren't_ on the **same machine**. I had it working **perfectly fine** with an **IP address** previously (**_Excluding_ client connection**), and **I'm not sure** if **Docker** creating a **Bridge network** had/has any interference.
saavagebueno commented 2025-11-20 05:32:08 -05:00
Author
Owner
Copy Link

@GeorgeDaGreatt commented on GitHub (Feb 17, 2025):

UPDATE

After checking on Netbird with sudo docker ps, I found out that the management container kept restarting. After checking the logs, it seemed that this error kept appearing right before it restarted:

Error: failed retrieving a new idp manager with err: authentik IdP configuration is incomplete, clientID is missing

I checked my configuration once more, and well, I found out that I had accidentally put the client ID for authentication in the client Secret section in my management.json file.

After amending that, the container worked perfectly fine, and I was able to connect locally to it. But after trying it with my domain, I kept getting this error:

Image

With the management container now giving this error when authenticated with authentik:

management-1  | 2025-02-17T18:53:07Z ERRO [context: HTTP, requestID: 0a89bda3-f5c7-4621-98b9-a99afb9b785b] management/server/http/middleware/auth_middleware.go:89: Error when validating JWT claims: unable to get authentik token, statusCode 400

Which is progress, especially from not being able to connect at all.

@GeorgeDaGreatt commented on GitHub (Feb 17, 2025): ## UPDATE After **checking** on **Netbird** with `sudo docker ps`, I found out that the **management container** **_kept_ restarting**. After **checking the logs**, it **seemed** that this **error** kept **appearing** **_right_ before** it **restarted**: `Error: failed retrieving a new idp manager with err: authentik IdP configuration is incomplete, clientID is missing` I **checked** my **configuration** _once more_, and well, I found out that I had **accidentally** put the **client ID** for **authentication** in the **client _Secret_ section** in my `management.json` file. After **amending** that, the **container worked perfectly fine**, and I was able to **connect** locally to it. But after **trying** it with my **domain**, I kept getting this **error**: ![Image](https://github.com/user-attachments/assets/08f506d6-d24e-4df8-8acb-13a4f3dd213a) With the **management container** now giving this error when **authenticated** with **authentik**: ``` management-1 | 2025-02-17T18:53:07Z ERRO [context: HTTP, requestID: 0a89bda3-f5c7-4621-98b9-a99afb9b785b] management/server/http/middleware/auth_middleware.go:89: Error when validating JWT claims: unable to get authentik token, statusCode 400 ``` Which is **progress**, especially from **not being able to connect _at all_**.
saavagebueno commented 2025-11-20 05:32:08 -05:00
Author
Owner
Copy Link

@GeorgeDaGreatt commented on GitHub (Mar 29, 2025):

I was able to resolve the issue by following and checking all contributions to this issue: #3373.

But if you want more detail, what I did was making sure all information needed for the Netbird authentication process was vaild and URLs were accessible by checking all relevant files, e.g management.json and docker-compose.yml.

I hope that whoever has the same problem, can look into this issue (including the others linked) and find ways to troubleshoot, control and maintain Netbird for their own self-hosted environment.

And as always, I thank everyone who did chime in and help me with this issue.

@GeorgeDaGreatt commented on GitHub (Mar 29, 2025): I was able to **resolve** the **issue** by **following** and **checking** all **contributions** to this **issue**: [#3373](https://github.com/netbirdio/netbird/issues/3373). But if you want **_more_ detail**, what I did was making sure **all information needed** for the **Netbird authentication process** was **vaild** and **URLs were accessible** by checking **all relevant files**, e.g `management.json` and `docker-compose.yml`. I hope that whoever has the same problem, can look into this issue (including the others linked) and find ways to **troubleshoot, control and maintain** Netbird for their own **self-hosted** environment. And as always, I thank everyone who did chime in and help me with this issue.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
2021 Q4
2022 Q1
2022 Q1
accessibility
acl
agent
agent
Android
Android
api
authentik
automation
azure
battery-usage
bug
cache
client
client-ui
cloud
cloud-only
cloudflare
community
compatibility
config-idp
config-issue
connection
contribution
coturn
cross-vpn
dashboard
data-usage
distribution
dns
docker
documentation
duplicate
enhancement
enhancement
event-stream
feature-request
freebsd
getting-started
go
good first issue
gui
help wanted
home-assistant
idp
inconsistency
integration
integrations
ios
ipv6
jwt
k8s
keycloak
linux
login
macos
management-service
missing-docs
mobile
moved-internal
needs-review
netbird-ui
networking
new-platform
nginx
notification
okta
openwrt
packaging
peer-management
peer-management
peer-management
performance
postgres
posture-checks
psk
pull-request
Mirrored from GitHub Pull Request
 question
refactor
relay
release
rfc
routes
security
security-related
self-hosting
server
signal
sleep-issue
ssh
ssl
status
store
synology
system-compatibility-issue
test-suite
third-party-integration
triage
triage-needed
troubleshooting
UX
waiting-feedback
windows
wontfix
zitadel
No Label triage-needed
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
saavagebueno
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: SVI/netbird#1518
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?