Run netbird behind reverse proxy #220

New Issue

Closed

opened 2025-11-20 05:08:12 -05:00 by saavagebueno · 28 comments

saavagebueno commented 2025-11-20 05:08:12 -05:00

Owner

Copy Link

Originally created by @TheEdgeOfRage on GitHub (Nov 2, 2022).

I'm looking into setting up netbird on a server where I have several other services already running, with nginx acting as a reverse proxy.
I see in the documentation and docker-compose that netbird tries to expose ports 80 and 443 on the host machine and get letsencrypt certs by itself, but is there a way to have it run in http-only mode and have my host nginx handle all the letsencrypt and tls stuff?

I also see that the management service in the docker-compose file also requires access to the letsencrypt certs, but I could just mount those from my host system, right?

Originally created by @TheEdgeOfRage on GitHub (Nov 2, 2022). I'm looking into setting up netbird on a server where I have several other services already running, with nginx acting as a reverse proxy. I see in the documentation and docker-compose that netbird tries to expose ports 80 and 443 on the host machine and get letsencrypt certs by itself, but is there a way to have it run in http-only mode and have my host nginx handle all the letsencrypt and tls stuff? I also see that the management service in the docker-compose file also requires access to the letsencrypt certs, but I could just mount those from my host system, right?

saavagebueno closed this issue 2025-11-20 05:08:12 -05:00

saavagebueno commented 2025-11-20 05:08:13 -05:00

Author

Owner

Copy Link

@mlsmaycon commented on GitHub (Nov 4, 2022):

Hi @TheEdgeOfRage, Andi_bz did an awesome job summarizing the steps to run behind a Traefik proxy:

https://www.reddit.com/r/selfhosted/comments/xpju6p/comment/iu85hqy/?context=1

For Nginx, you can map the configuration and use something like:

upstream signal {
   server 192.168.3.83:310000;
}
server {
  listen 443 ssl http2;

  ssl_certificate /tmp/server.crt;  #Enter you certificate location 
  ssl_certificate_key /tmp/server.key;
 
  location /signalexchange {
     grpc_pass grpcs://signal;
  }
}

@mlsmaycon commented on GitHub (Nov 4, 2022): Hi @TheEdgeOfRage, [Andi_bz](https://www.reddit.com/user/Andi_bz/) did an awesome job summarizing the steps to run behind a Traefik proxy: https://www.reddit.com/r/selfhosted/comments/xpju6p/comment/iu85hqy/?context=1 For Nginx, you can map the configuration and use something like: ``` upstream signal { server 192.168.3.83:310000; } server { listen 443 ssl http2; ssl_certificate /tmp/server.crt; #Enter you certificate location ssl_certificate_key /tmp/server.key; location /signalexchange { grpc_pass grpcs://signal; } } ```

saavagebueno commented 2025-11-20 05:08:13 -05:00

Author

Owner

Copy Link

@TheEdgeOfRage commented on GitHub (Nov 4, 2022):

Cool, I'll try that. Thank you :)

@TheEdgeOfRage commented on GitHub (Nov 4, 2022): Cool, I'll try that. Thank you :)

saavagebueno commented 2025-11-20 05:08:13 -05:00

Author

Owner

Copy Link

@TheEdgeOfRage commented on GitHub (Nov 19, 2022):

@mlsmaycon I've been trying to get this up for a while now. I got all the server-side stuff to run and I can open the dashboard and log in through Auth0, but the CLI won't connect to the management service. I get this error when trying to connect:

$ sudo netbird up --management-url https://netbirdapi.redacted.com

WARN[2022-11-19T21:01:12+01:00]root.go:166 retrying Login to the Management service in 1.104660288s due to error rpc error: code = Unknown desc = context deadline exceeded
WARN[2022-11-19T21:01:23+01:00]root.go:166 retrying Login to the Management service in 2.160763633s due to error rpc error: code = Unknown desc = context deadline exceeded
Error: login backoff cycle failed: rpc error: code = Unknown desc = context deadline exceeded

Here's my docker-compose:

version: "3"
services:
  #UI dashboard
  dashboard:
    image: wiretrustee/dashboard:main
    restart: unless-stopped
    environment:
      - AUTH_AUDIENCE=https://redacted.eu.auth0.com/api/v2/
      - AUTH_CLIENT_ID=VooPlF3gVzYXHDyYQWM8hZMW8SJNUk2P
      - AUTH_AUTHORITY=https://redacted.eu.auth0.com/
      - USE_AUTH0=true
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api email_verified
      - NETBIRD_MGMT_API_ENDPOINT=https://netbirdapi.redacted.com
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=http://netbirdapi.redacted.com:33073
      - NGINX_SSL_PORT=443
      - AUTH_REDIRECT_URI=
      - AUTH_SILENT_REDIRECT_URI=
    ports:
      - "8029:80"
  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    volumes:
      - netbird-signal:/var/lib/netbird
    ports:
      - 10000:80
  # Management
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    depends_on:
      - dashboard
    command: ["--port", "443", "--log-file", "console", "--disable-anonymous-metrics=true", "--single-account-mode-domain="]
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - ./management.json:/etc/netbird/management.json
    ports:
      - 33073:33073 #API port
      - 33074:443 #API port
  # Coturn
  coturn:
    image: coturn/coturn
    restart: unless-stopped
    domainname: netbird.redacted.com
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    network_mode: host
volumes:
  netbird-mgmt:
  netbird-signal:

And here's my host nginx config for netbird:

server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name netbird.redacted.com;

	location / {
		proxy_pass  http://127.0.0.1:8029;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Host $server_name;
		proxy_set_header X-Forwarded-Proto https;
	}
}

server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name netbirdapi.redacted.com;

	location /api {
		proxy_pass  http://127.0.0.1:33074;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Host $server_name;
		proxy_set_header X-Forwarded-Proto https;
	}

	location /signalexchange {
		grpc_pass grpcs://127.0.0.1:10000;
	}

	location /management {
		grpc_pass grpc://127.0.0.1:33074;
		# grpc_pass grpc://127.0.0.1:33073;
		# grpc_pass grpcs://127.0.0.1:33073;
		# grpc_pass grpcs://127.0.0.1:33074;
	}
}

The commented grpc_pass directives in the management section are all the ones I've tried.

And finally, the management.json:

{
    "Stuns": [
        {
            "Proto": "udp",
            "URI": "stun:netbird.redacted.com:3478",
            "Username": "",
            "Password": null
        }
    ],
    "TURNConfig": {
        "Turns": [
            {
                "Proto": "udp",
                "URI": "turn:netbird.redacted.com:3478",
                "Username": "self",
                "Password": "redacted"
            }
        ],
        "CredentialsTTL": "12h",
        "Secret": "secret",
        "TimeBasedCredentials": false
    },
    "Signal": {
        "Proto": "http",
        "URI": "signal:80",  # tried both this and "netbird.theedgeofrage.com:443"
        "Username": "",
        "Password": null
    },
    "Datadir": "",
    "HttpConfig": {
        "Address": "0.0.0.0:33073",
        "AuthIssuer": "https://redacted.eu.auth0.com/",
        "AuthAudience": "https://redacted.eu.auth0.com/api/v2/",
        "AuthKeysLocation": "https://redacted.eu.auth0.com/.well-known/jwks.json",
        "OIDCConfigEndpoint":"https://redacted.eu.auth0.com/.well-known/openid-configuration"
    },
    "IdpManagerConfig": {
        "Manager": "none"
     },
    "DeviceAuthorizationFlow": {
        "Provider": "none",
        "ProviderConfig": {
          "Audience": "https://redacted.eu.auth0.com/api/v2/",
          "Domain": "",
          "ClientID": "",
          "TokenEndpoint": "https://redacted.eu.auth0.com/oauth/token",
          "DeviceAuthEndpoint": "https://redacted.eu.auth0.com/oauth/device/code"
         }
    }
}

Any help on this would be appreciated

@TheEdgeOfRage commented on GitHub (Nov 19, 2022): @mlsmaycon I've been trying to get this up for a while now. I got all the server-side stuff to run and I can open the dashboard and log in through Auth0, but the CLI won't connect to the management service. I get this error when trying to connect: ``` $ sudo netbird up --management-url https://netbirdapi.redacted.com WARN[2022-11-19T21:01:12+01:00]root.go:166 retrying Login to the Management service in 1.104660288s due to error rpc error: code = Unknown desc = context deadline exceeded WARN[2022-11-19T21:01:23+01:00]root.go:166 retrying Login to the Management service in 2.160763633s due to error rpc error: code = Unknown desc = context deadline exceeded Error: login backoff cycle failed: rpc error: code = Unknown desc = context deadline exceeded ``` Here's my docker-compose: ```yaml version: "3" services: #UI dashboard dashboard: image: wiretrustee/dashboard:main restart: unless-stopped environment: - AUTH_AUDIENCE=https://redacted.eu.auth0.com/api/v2/ - AUTH_CLIENT_ID=VooPlF3gVzYXHDyYQWM8hZMW8SJNUk2P - AUTH_AUTHORITY=https://redacted.eu.auth0.com/ - USE_AUTH0=true - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api email_verified - NETBIRD_MGMT_API_ENDPOINT=https://netbirdapi.redacted.com - NETBIRD_MGMT_GRPC_API_ENDPOINT=http://netbirdapi.redacted.com:33073 - NGINX_SSL_PORT=443 - AUTH_REDIRECT_URI= - AUTH_SILENT_REDIRECT_URI= ports: - "8029:80" # Signal signal: image: netbirdio/signal:latest restart: unless-stopped volumes: - netbird-signal:/var/lib/netbird ports: - 10000:80 # Management management: image: netbirdio/management:latest restart: unless-stopped depends_on: - dashboard command: ["--port", "443", "--log-file", "console", "--disable-anonymous-metrics=true", "--single-account-mode-domain="] volumes: - netbird-mgmt:/var/lib/netbird - ./management.json:/etc/netbird/management.json ports: - 33073:33073 #API port - 33074:443 #API port # Coturn coturn: image: coturn/coturn restart: unless-stopped domainname: netbird.redacted.com volumes: - ./turnserver.conf:/etc/turnserver.conf:ro network_mode: host volumes: netbird-mgmt: netbird-signal: ``` And here's my host nginx config for netbird: ```nginx server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name netbird.redacted.com; location / { proxy_pass http://127.0.0.1:8029; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $server_name; proxy_set_header X-Forwarded-Proto https; } } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name netbirdapi.redacted.com; location /api { proxy_pass http://127.0.0.1:33074; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $server_name; proxy_set_header X-Forwarded-Proto https; } location /signalexchange { grpc_pass grpcs://127.0.0.1:10000; } location /management { grpc_pass grpc://127.0.0.1:33074; # grpc_pass grpc://127.0.0.1:33073; # grpc_pass grpcs://127.0.0.1:33073; # grpc_pass grpcs://127.0.0.1:33074; } } ``` The commented grpc_pass directives in the management section are all the ones I've tried. And finally, the management.json: ```json { "Stuns": [ { "Proto": "udp", "URI": "stun:netbird.redacted.com:3478", "Username": "", "Password": null } ], "TURNConfig": { "Turns": [ { "Proto": "udp", "URI": "turn:netbird.redacted.com:3478", "Username": "self", "Password": "redacted" } ], "CredentialsTTL": "12h", "Secret": "secret", "TimeBasedCredentials": false }, "Signal": { "Proto": "http", "URI": "signal:80", # tried both this and "netbird.theedgeofrage.com:443" "Username": "", "Password": null }, "Datadir": "", "HttpConfig": { "Address": "0.0.0.0:33073", "AuthIssuer": "https://redacted.eu.auth0.com/", "AuthAudience": "https://redacted.eu.auth0.com/api/v2/", "AuthKeysLocation": "https://redacted.eu.auth0.com/.well-known/jwks.json", "OIDCConfigEndpoint":"https://redacted.eu.auth0.com/.well-known/openid-configuration" }, "IdpManagerConfig": { "Manager": "none" }, "DeviceAuthorizationFlow": { "Provider": "none", "ProviderConfig": { "Audience": "https://redacted.eu.auth0.com/api/v2/", "Domain": "", "ClientID": "", "TokenEndpoint": "https://redacted.eu.auth0.com/oauth/token", "DeviceAuthEndpoint": "https://redacted.eu.auth0.com/oauth/device/code" } } } ``` Any help on this would be appreciated

saavagebueno commented 2025-11-20 05:08:13 -05:00

Author

Owner

Copy Link

@mlsmaycon commented on GitHub (Nov 20, 2022):

hello @TheEdgeOfRage, I spotted a few things to adjust:
on docker-compose.yml:

1. NETBIRD_MGMT_GRPC_API_ENDPOINT=http://netbirdapi.redacted.com:33073 should be NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbirdapi.redacted.com:443
2. management.ports should have only 33074:443 #API port

on nginx.conf

1. /signalexchange location is pointing to grpcs
2. also, you are pointing to localhost, but I am assuming your nginx is not running on a container, right?

on management.json

1. you can configure your signal as follows:

    "Signal": {
        "Proto": "https",
        "URI": "netbirdapi.theedgeofrage.com:443",
        "Username": "",
        "Password": null
    },

once you do that, you can run your clients with:

netbird up --management-url https://netbirdapi.redacted.com:443

@mlsmaycon commented on GitHub (Nov 20, 2022): hello @TheEdgeOfRage, I spotted a few things to adjust: on docker-compose.yml: 1. NETBIRD_MGMT_GRPC_API_ENDPOINT=http://netbirdapi.redacted.com:33073 should be NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbirdapi.redacted.com:443 2. management.ports should have only `33074:443 #API port` on nginx.conf 1. /signalexchange location is pointing to `grpcs` 2. also, you are pointing to localhost, but I am assuming your nginx is not running on a container, right? on management.json 1. you can configure your signal as follows: ``` "Signal": { "Proto": "https", "URI": "netbirdapi.theedgeofrage.com:443", "Username": "", "Password": null }, ``` once you do that, you can run your clients with: ``` netbird up --management-url https://netbirdapi.redacted.com:443 ```

saavagebueno commented 2025-11-20 05:08:13 -05:00

Author

Owner

Copy Link

@TheEdgeOfRage commented on GitHub (Nov 20, 2022):

Success! A different error 😄

Error: login failed: rpc error: code = NotFound desc = no SSO provider returned from management. If you are using hosting Netbird see documentation at https://github.com/netbirdio/netbird/tree/main/management for details

It seems to be at least connecting now though. The nginx logs show this:

 - - [20/Nov/2022:18:07:23 +0100] "POST /management.ManagementService/GetServerKey HTTP/2.0" 200 61 "-" "grpc-go/1.43.0"
 - - [20/Nov/2022:18:07:23 +0100] "POST /management.ManagementService/Login HTTP/2.0" 200 0 "-" "grpc-go/1.43.0"
 - - [20/Nov/2022:18:07:24 +0100] "POST /management.ManagementService/GetServerKey HTTP/2.0" 200 60 "-" "grpc-go/1.43.0"
 - - [20/Nov/2022:18:07:24 +0100] "POST /management.ManagementService/GetDeviceAuthorizationFlow HTTP/2.0" 200 0 "-" "grpc-go/1.43.0"

This smells like a configuration issue to me. But considering I managed to log into the dashboard through Auth0, I'm not sure what could be causing this :/ and no other issue mentions that error

@TheEdgeOfRage commented on GitHub (Nov 20, 2022): Success! A different error :smile: ``` Error: login failed: rpc error: code = NotFound desc = no SSO provider returned from management. If you are using hosting Netbird see documentation at https://github.com/netbirdio/netbird/tree/main/management for details ``` It seems to be at least connecting now though. The nginx logs show this: ``` - - [20/Nov/2022:18:07:23 +0100] "POST /management.ManagementService/GetServerKey HTTP/2.0" 200 61 "-" "grpc-go/1.43.0" - - [20/Nov/2022:18:07:23 +0100] "POST /management.ManagementService/Login HTTP/2.0" 200 0 "-" "grpc-go/1.43.0" - - [20/Nov/2022:18:07:24 +0100] "POST /management.ManagementService/GetServerKey HTTP/2.0" 200 60 "-" "grpc-go/1.43.0" - - [20/Nov/2022:18:07:24 +0100] "POST /management.ManagementService/GetDeviceAuthorizationFlow HTTP/2.0" 200 0 "-" "grpc-go/1.43.0" ``` This smells like a configuration issue to me. But considering I managed to log into the dashboard through Auth0, I'm not sure what could be causing this :/ and no other issue mentions that error

saavagebueno commented 2025-11-20 05:08:14 -05:00

Author

Owner

Copy Link

@mlsmaycon commented on GitHub (Nov 20, 2022):

you are missing the Domain and ClientID for the DeviceAuthorizationFlow in your management.json, if you didn't create a new application in auth0 yet, please check the guide here: https://netbird.io/docs/integrations/identity-providers/self-hosted/using-netbird-with-auth0#step-4-enable-interactive-sso-login-optional

@mlsmaycon commented on GitHub (Nov 20, 2022): you are missing the Domain and ClientID for the DeviceAuthorizationFlow in your management.json, if you didn't create a new application in auth0 yet, please check the guide here: https://netbird.io/docs/integrations/identity-providers/self-hosted/using-netbird-with-auth0#step-4-enable-interactive-sso-login-optional

saavagebueno commented 2025-11-20 05:08:14 -05:00

Author

Owner

Copy Link

@TheEdgeOfRage commented on GitHub (Nov 20, 2022):

I have now configured my management.json like this:

{
    ...
    "DeviceAuthorizationFlow": {
        "Provider": "none",
        "ProviderConfig": {
          "Audience": "https://redacted.eu.auth0.com/api/v2/",
          "Domain": "redacted.eu.auth0.com",
          "ClientID": "redacted-client-id",
          "TokenEndpoint": "https://redacted.eu.auth0.com/oauth/token",
          "DeviceAuthEndpoint": "https://redacted.eu.auth0.com/oauth/device/code"
         }
    }
}

But I still get the same error on the client:

Error: login failed: rpc error: code = NotFound desc = no SSO provider returned from management.

@TheEdgeOfRage commented on GitHub (Nov 20, 2022): I have now configured my management.json like this: ```json { ... "DeviceAuthorizationFlow": { "Provider": "none", "ProviderConfig": { "Audience": "https://redacted.eu.auth0.com/api/v2/", "Domain": "redacted.eu.auth0.com", "ClientID": "redacted-client-id", "TokenEndpoint": "https://redacted.eu.auth0.com/oauth/token", "DeviceAuthEndpoint": "https://redacted.eu.auth0.com/oauth/device/code" } } } ``` But I still get the same error on the client: `Error: login failed: rpc error: code = NotFound desc = no SSO provider returned from management.`

saavagebueno commented 2025-11-20 05:08:14 -05:00

Author

Owner

Copy Link

@mlsmaycon commented on GitHub (Nov 20, 2022):

I missed a couple of things, actually:

You've been using what it seems to be the Auth0 management API identifier as Audience, it should be the one created in step 3 of the guide. Looking at your whole configuration, you might need to update all entries of "https://redacted.eu.auth0.com/api/v2/" with the correct value.

Also, you must specify the DeviceAuthorizationFlow.Provider as "hosted" to enable it.

@mlsmaycon commented on GitHub (Nov 20, 2022): I missed a couple of things, actually: You've been using what it seems to be the Auth0 management API identifier as Audience, it should be the one created in step 3 of the [guide](https://netbird.io/docs/integrations/identity-providers/self-hosted/using-netbird-with-auth0#step-3-create-and-configure-auth0-api). Looking at your whole configuration, you might need to update all entries of "https://redacted.eu.auth0.com/api/v2/" with the correct value. Also, you must specify the DeviceAuthorizationFlow.Provider as "hosted" to enable it.

saavagebueno commented 2025-11-20 05:08:14 -05:00

Author

Owner

Copy Link

@TheEdgeOfRage commented on GitHub (Nov 20, 2022):

Yeah, looks like I used the system API that Auth0 created by default 😬 I created a fresh one and used that. It works now. Thank you for the help and sorry for the bother <3

@TheEdgeOfRage commented on GitHub (Nov 20, 2022): Yeah, looks like I used the system API that Auth0 created by default :grimacing: I created a fresh one and used that. It works now. Thank you for the help and sorry for the bother <3

saavagebueno commented 2025-11-20 05:08:14 -05:00

Author

Owner

Copy Link

@mlsmaycon commented on GitHub (Nov 20, 2022):

Thanks for checking that and for sharing your configuration files; we might use that in our docs later.

@mlsmaycon commented on GitHub (Nov 20, 2022): Thanks for checking that and for sharing your configuration files; we might use that in our docs later.

saavagebueno commented 2025-11-20 05:08:14 -05:00

Author

Owner

Copy Link

@TheEdgeOfRage commented on GitHub (Nov 20, 2022):

If you find you need some other config just let me know. I'll be happy to help :)

@TheEdgeOfRage commented on GitHub (Nov 20, 2022): If you find you need some other config just let me know. I'll be happy to help :)

saavagebueno commented 2025-11-20 05:08:14 -05:00

Author

Owner

Copy Link

@MohammedNoureldin commented on GitHub (Apr 13, 2023):

Hey @TheEdgeOfRage,

have you managed or tried to get this working using K8s ingress? For some reason I am not able to connect. Is there any way I can debug this properly? Which configuration/annotations did you use for Nginx ingress if you have already used it?

@MohammedNoureldin commented on GitHub (Apr 13, 2023): Hey @TheEdgeOfRage, have you managed or tried to get this working using K8s ingress? For some reason I am not able to connect. Is there any way I can debug this properly? Which configuration/annotations did you use for Nginx ingress if you have already used it?

saavagebueno commented 2025-11-20 05:08:15 -05:00

Author

Owner

Copy Link

@TheEdgeOfRage commented on GitHub (Apr 14, 2023):

I have not tried to use a k8s ingress, but it shouldn't be too dissimilar to just using plain nginx. Here's my nginx config:

server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name netbird.example.com;

	error_log /var/log/nginx/netbird.error.log error;
	access_log /var/log/nginx/netbird.access.log;

	location / {
		proxy_pass  http://127.0.0.1:8029;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Host $server_name;
		proxy_set_header X-Forwarded-Proto https;
	}
}

server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name netbirdapi.example.com;

	error_log /var/log/nginx/netbirdapi.error.log error;
	access_log /var/log/nginx/netbirdapi.access.log;

	location /api {
		proxy_pass  http://127.0.0.1:33073;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Host $server_name;
		proxy_set_header X-Forwarded-Proto https;
	}

	location /signalexchange {
		grpc_pass grpc://127.0.0.1:10000;
	}

	location /management {
		grpc_pass grpc://127.0.0.1:33073;
	}
}

I'm not sure how you would get the grpc_pass directives on a k8s ingress tho :/ Never tried that

@TheEdgeOfRage commented on GitHub (Apr 14, 2023): I have not tried to use a k8s ingress, but it shouldn't be too dissimilar to just using plain nginx. Here's my nginx config: ```nginx server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name netbird.example.com; error_log /var/log/nginx/netbird.error.log error; access_log /var/log/nginx/netbird.access.log; location / { proxy_pass http://127.0.0.1:8029; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $server_name; proxy_set_header X-Forwarded-Proto https; } } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name netbirdapi.example.com; error_log /var/log/nginx/netbirdapi.error.log error; access_log /var/log/nginx/netbirdapi.access.log; location /api { proxy_pass http://127.0.0.1:33073; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $server_name; proxy_set_header X-Forwarded-Proto https; } location /signalexchange { grpc_pass grpc://127.0.0.1:10000; } location /management { grpc_pass grpc://127.0.0.1:33073; } } ``` I'm not sure how you would get the grpc_pass directives on a k8s ingress tho :/ Never tried that

saavagebueno commented 2025-11-20 05:08:15 -05:00

Author

Owner

Copy Link

@MohammedNoureldin commented on GitHub (Apr 14, 2023):

Well, for Nginx ingress, I got it working using these annotations (though I am still unsure how important the SSL is):

    annotations:
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/backend-protocol: "GRPC"

@MohammedNoureldin commented on GitHub (Apr 14, 2023): Well, for Nginx ingress, I got it working using these annotations (though I am still unsure how important the SSL is): annotations: nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/backend-protocol: "GRPC"

saavagebueno commented 2025-11-20 05:08:15 -05:00

Author

Owner

Copy Link

@MohammedNoureldin commented on GitHub (Apr 14, 2023):

@TheEdgeOfRage Any idea why do need to specify the --port in the args of the container and in the management.json? One of them seems to be redundant?

And also, why would we need to forward to the port 443 instead of port 80 if the netbird management will run with no TLS, because the reverse proxy should take care about forwarding the traffic from its HTTPs 443 to the containers port 80?

@MohammedNoureldin commented on GitHub (Apr 14, 2023): @TheEdgeOfRage Any idea why do need to specify the `--port` in the `args` of the container and in the `management.json`? One of them seems to be redundant? And also, why would we need to forward to the port 443 instead of port 80 if the netbird management will run with no TLS, because the reverse proxy should take care about forwarding the traffic from its HTTPs 443 to the containers port 80?

saavagebueno commented 2025-11-20 05:08:15 -05:00

Author

Owner

Copy Link

@TheEdgeOfRage commented on GitHub (Apr 15, 2023):

I did not list the port in management.json, only as an arg.

It's set to port 443, but it's not actually serving TLS traffic, just regular plain HTTP.

@TheEdgeOfRage commented on GitHub (Apr 15, 2023): I did not list the port in management.json, only as an arg. It's set to port 443, but it's not actually serving TLS traffic, just regular plain HTTP.

saavagebueno commented 2025-11-20 05:08:15 -05:00

Author

Owner

Copy Link

@HybridRCG commented on GitHub (May 15, 2024):

Can you please share all the config files if possible? I've bene stuck for weeks trying to get this installed. :(
I have nginx as my reverse proxy.
I want to use authentik . have that working as expected.
But the netbird install help docs is not very clear on how to go about setting this up.
Thanks , will be much appreciated!

@HybridRCG commented on GitHub (May 15, 2024): Can you please share all the config files if possible? I've bene stuck for weeks trying to get this installed. :( I have nginx as my reverse proxy. I want to use authentik . have that working as expected. But the netbird install help docs is not very clear on how to go about setting this up. Thanks , will be much appreciated!

saavagebueno commented 2025-11-20 05:08:15 -05:00

Author

Owner

Copy Link

@TheEdgeOfRage commented on GitHub (May 15, 2024):

I have since stopped using netbird and don't have the configs anymore, sorry :/

@TheEdgeOfRage commented on GitHub (May 15, 2024): I have since stopped using netbird and don't have the configs anymore, sorry :/

saavagebueno commented 2025-11-20 05:08:16 -05:00

Author

Owner

Copy Link

@SinghNanak commented on GitHub (May 18, 2024):

@HybridRCG have you found any success yet because i also want to run Netbird behind Nginx Proxy Manager with Authentik.

can you share your setup.env file. what addition did you make for npm in the file

@SinghNanak commented on GitHub (May 18, 2024): @HybridRCG have you found any success yet because i also want to run Netbird behind Nginx Proxy Manager with Authentik. can you share your setup.env file. what addition did you make for npm in the file

saavagebueno commented 2025-11-20 05:08:16 -05:00

Author

Owner

Copy Link

@mathiash98 commented on GitHub (Oct 13, 2024):

For anyone struggling here is my working Netbird in docker with new relay server + bare metal nginx reverse proxy + Azure EntraID login:

docker-compose.yml

version: "3"
services:
  #UI dashboard
  dashboard:
    image: netbirdio/dashboard:latest
    restart: unless-stopped
    ports:
      - 8011:80
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://netbird.redacted.com
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.redacted.com
      # OIDC
      - AUTH_AUDIENCE=CLIENT_ID
      - AUTH_CLIENT_ID=CLIENT_ID
      - AUTH_CLIENT_SECRET=
      - AUTH_AUTHORITY=https://login.microsoftonline.com/TENANT_ID/v2.0
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access User.Read api://CLIENT_ID/api
      - AUTH_REDIRECT_URI=/auth
      - AUTH_SILENT_REDIRECT_URI=/silent-auth
      - NETBIRD_TOKEN_SOURCE=idToken
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    volumes:
      - netbird-signal:/var/lib/netbird
    ports:
      - 10000:80
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Relay
  relay:
    image: netbirdio/relay:latest
    restart: unless-stopped
    environment:
    - NB_LOG_LEVEL=debug
    - NB_LISTEN_ADDRESS=:33080
    - NB_EXPOSED_ADDRESS=rels://netbird.redacted.com:443
    - NB_AUTH_SECRET=SECRET
    ports:
      - 33080:33080
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"

  # Management
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - ./management.json:/etc/netbird/management.json
    ports:
      - 8012:80 #API port
    command: [
      "--port", "80",
      "--log-file", "console",
      "--log-level", "debug",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain=netbird.redacted.com",
      "--dns-domain=netbird.selfhosted"
      ]
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
    environment:
      - NETBIRD_STORE_ENGINE_POSTGRES_DSN=
      
  # Coturn
  coturn:
    image: coturn/coturn:latest
    restart: unless-stopped
    #domainname: netbird.redacted.com # only needed when TLS is enabled
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    #      - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
    #      - ./cert.pem:/etc/coturn/certs/cert.pem:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
volumes:
  netbird-mgmt:
  netbird-signal:

nginx.conf

server {
    # HTTP server config
    listen 80;
    server_name _;

    # 301 redirect to HTTPS
    location / {
            return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name netbird.redacted.com;


    # netbird settings ==============
    # This is necessary so that grpc connections do not get closed early
    # see https://stackoverflow.com/a/67805465
    client_header_timeout 1d;
    client_body_timeout 1d;

    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Scheme $scheme;
    proxy_set_header        X-Forwarded-Proto https;
    proxy_set_header        X-Forwarded-Host $host;
    grpc_set_header         X-Forwarded-For $proxy_add_x_forwarded_for;

    # Proxy dashboard
    location / {
        proxy_pass http://127.0.0.1:8011;
    }
    # Proxy Relay
    location /relay {
        proxy_pass http://127.0.0.1:33080;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        
        # Timeout settings
        #proxy_read_timeout 3600s;
        #proxy_send_timeout 3600s;
        #proxy_connect_timeout 60s;

        # Handle upstream errors
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
    }	
    # Proxy Signal
    location /signalexchange {
        grpc_pass grpc://127.0.0.1:10000;
        #grpc_ssl_verify off;
        grpc_read_timeout 1d;
        grpc_send_timeout 1d;
        grpc_socket_keepalive on;
    }
    # Proxy Management http endpoint
    location /api {
        proxy_pass http://127.0.0.1:8012;
    }
    # Proxy Management grpc endpoint
    location /management {
        grpc_pass grpc://127.0.0.1:8012;
        #grpc_ssl_verify off;
        grpc_read_timeout 1d;
        grpc_send_timeout 1d;
        grpc_socket_keepalive on;
    }
    # Netbird requires settings end ==============

    ssl_certificate /etc/letsencrypt/live/netbird.redacted.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/netbird.redacted.com/privkey.pem; # managed by Certbot
}

management.json

{
    "Stuns": [
        {
            "Proto": "udp",
            "URI": "stun:netbird.redacted.com:3478",
            "Username": "",
            "Password": ""
        }
    ],
    "TURNConfig": {
        "TimeBasedCredentials": false,
        "CredentialsTTL": "12h0m0s",
        "Secret": "secret",
        "Turns": [
            {
                "Proto": "udp",
                "URI": "turn:netbird.redacted.com:3478",
                "Username": "self",
                "Password": "PASSWORD"
            }
        ]
    },
    "Relay": {
        "Addresses": [
            "rels://netbird.redacted.com:443"
        ],
        "CredentialsTTL": "24h0m0s",
        "Secret": "SECRET"
    },
    "Signal": {
        "Proto": "https",
        "URI": "netbird.redacted.com:443",
        "Username": "",
        "Password": ""
    },
    "Datadir": "/var/lib/netbird/",
    "DataStoreEncryptionKey": "ENCRYPTIONKEY",
    "HttpConfig": {
        "LetsEncryptDomain": "",
        "CertFile": "",
        "CertKey": "",
        "AuthAudience": "CLIENT_ID",
        "AuthIssuer": "https://login.microsoftonline.com/TENANT_ID/v2.0",
        "AuthUserIDClaim": "oid",
        "AuthKeysLocation": "https://login.microsoftonline.com/TENANT_ID/discovery/v2.0/keys",
        "OIDCConfigEndpoint": "https://login.microsoftonline.com/TENANT_ID/v2.0/.well-known/openid-configuration",
        "IdpSignKeyRefreshEnabled": false,
        "ExtraAuthAudience": ""
    },
    "IdpManagerConfig": {
        "ManagerType": "azure",
        "ClientConfig": {
            "Issuer": "https://login.microsoftonline.com/TENANT_ID/v2.0",
            "TokenEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token",
            "ClientID": "CLIENT_ID",
            "ClientSecret": "SECRET",
            "GrantType": "client_credentials"
        },
        "ExtraConfig": {
            "GraphApiEndpoint": "https://graph.microsoft.com/v1.0",
            "ObjectId": "OBJECT_ID"
        },
        "Auth0ClientCredentials": null,
        "AzureClientCredentials": null,
        "KeycloakClientCredentials": null,
        "ZitadelClientCredentials": null
    },
    "DeviceAuthorizationFlow": {
        "Provider": "none",
        "ProviderConfig": {
            "ClientID": "",
            "ClientSecret": "",
            "Domain": "",
            "Audience": "CLIENT_ID",
            "TokenEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token",
            "DeviceAuthEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/devicecode",
            "AuthorizationEndpoint": "",
            "Scope": "openid",
            "UseIDToken": false,
            "RedirectURLs": null
        }
    },
    "PKCEAuthorizationFlow": {
        "ProviderConfig": {
            "ClientID": "CLIENT_ID",
            "ClientSecret": "",
            "Domain": "",
            "Audience": "CLIENT_ID",
            "TokenEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token",
            "DeviceAuthEndpoint": "",
            "AuthorizationEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize",
            "Scope": "openid profile email offline_access User.Read api://CLIENT_ID/api",
            "UseIDToken": true,
            "RedirectURLs": [
                "http://localhost:53000"
            ]
        }
    },
    "StoreConfig": {
        "Engine": "sqlite"
    },
    "ReverseProxy": {
        "TrustedHTTPProxies": [],
        "TrustedHTTPProxiesCount": 0,
        "TrustedPeers": [
            "0.0.0.0/0"
        ]
    }
}

Edit: Removed timeouts for the relay server and use the default 60s nginx timer. I had some issues with relay server becoming unresponsive

@mathiash98 commented on GitHub (Oct 13, 2024): For anyone struggling here is my working Netbird in docker with new relay server + bare metal nginx reverse proxy + Azure EntraID login: <details><summary>docker-compose.yml</summary> ```yml version: "3" services: #UI dashboard dashboard: image: netbirdio/dashboard:latest restart: unless-stopped ports: - 8011:80 environment: # Endpoints - NETBIRD_MGMT_API_ENDPOINT=https://netbird.redacted.com - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.redacted.com # OIDC - AUTH_AUDIENCE=CLIENT_ID - AUTH_CLIENT_ID=CLIENT_ID - AUTH_CLIENT_SECRET= - AUTH_AUTHORITY=https://login.microsoftonline.com/TENANT_ID/v2.0 - USE_AUTH0=false - AUTH_SUPPORTED_SCOPES=openid profile email offline_access User.Read api://CLIENT_ID/api - AUTH_REDIRECT_URI=/auth - AUTH_SILENT_REDIRECT_URI=/silent-auth - NETBIRD_TOKEN_SOURCE=idToken logging: driver: "json-file" options: max-size: "500m" max-file: "2" # Signal signal: image: netbirdio/signal:latest restart: unless-stopped volumes: - netbird-signal:/var/lib/netbird ports: - 10000:80 logging: driver: "json-file" options: max-size: "500m" max-file: "2" # Relay relay: image: netbirdio/relay:latest restart: unless-stopped environment: - NB_LOG_LEVEL=debug - NB_LISTEN_ADDRESS=:33080 - NB_EXPOSED_ADDRESS=rels://netbird.redacted.com:443 - NB_AUTH_SECRET=SECRET ports: - 33080:33080 logging: driver: "json-file" options: max-size: "500m" max-file: "2" # Management management: image: netbirdio/management:latest restart: unless-stopped depends_on: - dashboard volumes: - netbird-mgmt:/var/lib/netbird - ./management.json:/etc/netbird/management.json ports: - 8012:80 #API port command: [ "--port", "80", "--log-file", "console", "--log-level", "debug", "--disable-anonymous-metrics=false", "--single-account-mode-domain=netbird.redacted.com", "--dns-domain=netbird.selfhosted" ] logging: driver: "json-file" options: max-size: "500m" max-file: "2" environment: - NETBIRD_STORE_ENGINE_POSTGRES_DSN= # Coturn coturn: image: coturn/coturn:latest restart: unless-stopped #domainname: netbird.redacted.com # only needed when TLS is enabled volumes: - ./turnserver.conf:/etc/turnserver.conf:ro # - ./privkey.pem:/etc/coturn/private/privkey.pem:ro # - ./cert.pem:/etc/coturn/certs/cert.pem:ro network_mode: host command: - -c /etc/turnserver.conf logging: driver: "json-file" options: max-size: "500m" max-file: "2" volumes: netbird-mgmt: netbird-signal: ``` </details> <details><summary>nginx.conf</summary> ```nginx server { # HTTP server config listen 80; server_name _; # 301 redirect to HTTPS location / { return 301 https://$host$request_uri; } } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name netbird.redacted.com; # netbird settings ============== # This is necessary so that grpc connections do not get closed early # see https://stackoverflow.com/a/67805465 client_header_timeout 1d; client_body_timeout 1d; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Scheme $scheme; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Host $host; grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # Proxy dashboard location / { proxy_pass http://127.0.0.1:8011; } # Proxy Relay location /relay { proxy_pass http://127.0.0.1:33080; # WebSocket support proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; # Timeout settings #proxy_read_timeout 3600s; #proxy_send_timeout 3600s; #proxy_connect_timeout 60s; # Handle upstream errors proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504; } # Proxy Signal location /signalexchange { grpc_pass grpc://127.0.0.1:10000; #grpc_ssl_verify off; grpc_read_timeout 1d; grpc_send_timeout 1d; grpc_socket_keepalive on; } # Proxy Management http endpoint location /api { proxy_pass http://127.0.0.1:8012; } # Proxy Management grpc endpoint location /management { grpc_pass grpc://127.0.0.1:8012; #grpc_ssl_verify off; grpc_read_timeout 1d; grpc_send_timeout 1d; grpc_socket_keepalive on; } # Netbird requires settings end ============== ssl_certificate /etc/letsencrypt/live/netbird.redacted.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/netbird.redacted.com/privkey.pem; # managed by Certbot } ``` </details> <details><summary>management.json</summary> ```json { "Stuns": [ { "Proto": "udp", "URI": "stun:netbird.redacted.com:3478", "Username": "", "Password": "" } ], "TURNConfig": { "TimeBasedCredentials": false, "CredentialsTTL": "12h0m0s", "Secret": "secret", "Turns": [ { "Proto": "udp", "URI": "turn:netbird.redacted.com:3478", "Username": "self", "Password": "PASSWORD" } ] }, "Relay": { "Addresses": [ "rels://netbird.redacted.com:443" ], "CredentialsTTL": "24h0m0s", "Secret": "SECRET" }, "Signal": { "Proto": "https", "URI": "netbird.redacted.com:443", "Username": "", "Password": "" }, "Datadir": "/var/lib/netbird/", "DataStoreEncryptionKey": "ENCRYPTIONKEY", "HttpConfig": { "LetsEncryptDomain": "", "CertFile": "", "CertKey": "", "AuthAudience": "CLIENT_ID", "AuthIssuer": "https://login.microsoftonline.com/TENANT_ID/v2.0", "AuthUserIDClaim": "oid", "AuthKeysLocation": "https://login.microsoftonline.com/TENANT_ID/discovery/v2.0/keys", "OIDCConfigEndpoint": "https://login.microsoftonline.com/TENANT_ID/v2.0/.well-known/openid-configuration", "IdpSignKeyRefreshEnabled": false, "ExtraAuthAudience": "" }, "IdpManagerConfig": { "ManagerType": "azure", "ClientConfig": { "Issuer": "https://login.microsoftonline.com/TENANT_ID/v2.0", "TokenEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token", "ClientID": "CLIENT_ID", "ClientSecret": "SECRET", "GrantType": "client_credentials" }, "ExtraConfig": { "GraphApiEndpoint": "https://graph.microsoft.com/v1.0", "ObjectId": "OBJECT_ID" }, "Auth0ClientCredentials": null, "AzureClientCredentials": null, "KeycloakClientCredentials": null, "ZitadelClientCredentials": null }, "DeviceAuthorizationFlow": { "Provider": "none", "ProviderConfig": { "ClientID": "", "ClientSecret": "", "Domain": "", "Audience": "CLIENT_ID", "TokenEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token", "DeviceAuthEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/devicecode", "AuthorizationEndpoint": "", "Scope": "openid", "UseIDToken": false, "RedirectURLs": null } }, "PKCEAuthorizationFlow": { "ProviderConfig": { "ClientID": "CLIENT_ID", "ClientSecret": "", "Domain": "", "Audience": "CLIENT_ID", "TokenEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token", "DeviceAuthEndpoint": "", "AuthorizationEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize", "Scope": "openid profile email offline_access User.Read api://CLIENT_ID/api", "UseIDToken": true, "RedirectURLs": [ "http://localhost:53000" ] } }, "StoreConfig": { "Engine": "sqlite" }, "ReverseProxy": { "TrustedHTTPProxies": [], "TrustedHTTPProxiesCount": 0, "TrustedPeers": [ "0.0.0.0/0" ] } } ``` </details> Edit: Removed timeouts for the relay server and use the default 60s nginx timer. I had some issues with relay server becoming unresponsive

saavagebueno commented 2025-11-20 05:08:16 -05:00

Author

Owner

Copy Link

@rashkur commented on GitHub (Nov 25, 2024):

I was able to make it work with this config

nginx.conf

upstream dashboard {
    # insert the http port of your dashboard container here
    server 127.0.0.1:8011;

    # Improve performance by keeping some connections alive.
    keepalive 10;
}
upstream signal {
    # insert the grpc port of your signal container here
    server 127.0.0.1:10000;
}
upstream management {
    # insert the grpc+http port of your signal container here
    server 127.0.0.1:8012;
}

server {
    # HTTP server config
    listen 80;
    server_name _;

    # 301 redirect to HTTPS
    location / {
            return 301 https://$host$request_uri;
    }
}
server {
    # HTTPS server config
    listen 443 ssl http2;
    server_name _;

    # This is necessary so that grpc connections do not get closed early
    # see https://stackoverflow.com/a/67805465
    client_header_timeout 1d;
    client_body_timeout 1d;

    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Scheme $scheme;
    proxy_set_header        X-Forwarded-Proto https;
    proxy_set_header        X-Forwarded-Host $host;
    grpc_set_header         X-Forwarded-For $proxy_add_x_forwarded_for;

    # Proxy dashboard
    location / {
        proxy_pass http://dashboard;
    }
    # Proxy Signal
    location /signalexchange.SignalExchange/ {
        grpc_pass grpc://signal;
        grpc_ssl_verify off;
        grpc_read_timeout 1d;
        grpc_send_timeout 1d;
        grpc_socket_keepalive on;
    }
    # Proxy Management http endpoint
    location /api {
        proxy_pass http://management;
    }
    # Proxy Management grpc endpoint
    location /management.ManagementService/ {
        grpc_pass grpc://management;
        #grpc_ssl_verify off;
        grpc_read_timeout 1d;
        grpc_send_timeout 1d;
        grpc_socket_keepalive on;
    }

    ssl_certificate         fullchain.pem;
    ssl_certificate_key privkey.pem;
}

management.json

{
    "Stuns": [
        {
            "Proto": "udp",
            "URI": "stun:netbird.xxx.com:3478",
            "Username": "",
            "Password": ""
        }
    ],
    "TURNConfig": {
        "TimeBasedCredentials": false,
        "CredentialsTTL": "12h0m0s",
        "Secret": "secret",
        "Turns": [
            {
                "Proto": "udp",
                "URI": "turn:netbird.xxx.com:3478",
                "Username": "self",
                "Password": "PASSWORD"
            }
        ]
    },
    "Relay": {
        "Addresses": [
            "rel://netbird.xxx.com:33080"
        ],
        "CredentialsTTL": "24h0m0s",
        "Secret": "SECRET"
    },
    "Signal": {
        "Proto": "https",
        "URI": "netbird.xxx.com:443",
        "Username": "",
        "Password": ""
    },
    "Datadir": "/var/lib/netbird/",
    "DataStoreEncryptionKey": "KEY",
    "HttpConfig": {
        "LetsEncryptDomain": "",
        "CertFile": "",
        "CertKey": "",
        "AuthAudience": "APP_ID",
        "AuthIssuer": "https://login.microsoftonline.com/TENANT_ID/v2.0",
        "AuthUserIDClaim": "oid",
        "AuthKeysLocation": "https://login.microsoftonline.com/TENANT_ID/discovery/v2.0/keys",
        "OIDCConfigEndpoint": "https://login.microsoftonline.com/TENANT_ID/v2.0/.well-known/openid-configuration",
        "IdpSignKeyRefreshEnabled": false,
        "ExtraAuthAudience": ""
    },
    "IdpManagerConfig": {
        "ManagerType": "azure",
        "ClientConfig": {
            "Issuer": "https://login.microsoftonline.com/TENANT_ID/v2.0",
            "TokenEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token",
            "ClientID": "APP_ID",
            "ClientSecret": "CLIENT_SECRET",
            "GrantType": "client_credentials"
        },
        "ExtraConfig": {
            "GraphApiEndpoint": "https://graph.microsoft.com/v1.0",
            "ObjectId": "OBJECT_ID"
        },
        "Auth0ClientCredentials": null,
        "AzureClientCredentials": null,
        "KeycloakClientCredentials": null,
        "ZitadelClientCredentials": null
    },
    "DeviceAuthorizationFlow": {
        "Provider": "none",
        "ProviderConfig": {
            "ClientID": "",
            "ClientSecret": "",
            "Domain": "",
            "Audience": "APP_ID",
            "TokenEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token",
            "DeviceAuthEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/devicecode",
            "AuthorizationEndpoint": "",
            "Scope": "openid",
            "UseIDToken": false,
            "RedirectURLs": null
        }
    },
    "PKCEAuthorizationFlow": {
        "ProviderConfig": {
            "ClientID": "APP_ID",
            "ClientSecret": "",
            "Domain": "",
            "Audience": "APP_ID",
            "TokenEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token",
            "DeviceAuthEndpoint": "",
            "AuthorizationEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize",
            "Scope": "openid profile email offline_access User.Read api://APP_ID/api",
            "UseIDToken": true,
            "RedirectURLs": [
		"http://localhost:53000"
            ]
        }
    },
    "StoreConfig": {
        "Engine": "sqlite"
    },
    "ReverseProxy": {
        "TrustedHTTPProxies": [],
        "TrustedHTTPProxiesCount": 0,
        "TrustedPeers": [
            "0.0.0.0/0"
        ]
    }
}

docker-compose.yml

version: "3"
services:
  #UI dashboard
  dashboard:
    image: netbirdio/dashboard:latest
    restart: unless-stopped
    ports:
      - 8011:80
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://netbird.xxx.com:443
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.xxx.com:443
      # OIDC
      - AUTH_AUDIENCE=APP_ID
      - AUTH_CLIENT_ID=APP_ID
      - AUTH_CLIENT_SECRET=
      - AUTH_AUTHORITY=https://login.microsoftonline.com/DIRECTORY_ID/v2.0
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access User.Read api://APP_ID/api
      - AUTH_REDIRECT_URI=/auth
      - AUTH_SILENT_REDIRECT_URI=/silent-auth
      - NETBIRD_TOKEN_SOURCE=idToken
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    volumes:
      - netbird-signal:/var/lib/netbird
    ports:
      - 10000:80
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Relay
  relay:
    image: netbirdio/relay:latest
    restart: unless-stopped
    environment:
    - NB_LOG_LEVEL=debug
    - NB_LISTEN_ADDRESS=:33080
    - NB_EXPOSED_ADDRESS=netbird.xxx.com:443
    # todo: change to a secure secret
    - NB_AUTH_SECRET=AUTH_SECRET
    ports:
      - 33080:33080
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"

  # Management
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - ./management.json:/etc/netbird/management.json
    ports:
      - 8012:8012 #API port
    command: [
      "--port", "8012",
      "--log-file", "console",
      "--log-level", "debug",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain=netbird.xxx.com",
      "--dns-domain=netbird.selfhosted",
      "--idp-sign-key-refresh-enabled"
      ]
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
    environment:
      - NETBIRD_STORE_ENGINE_POSTGRES_DSN=

  # Coturn
  coturn:
    image: coturn/coturn:latest
    restart: unless-stopped
    #domainname: netbird.xxx.com # only needed when TLS is enabled
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    #      - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
    #      - ./cert.pem:/etc/coturn/certs/cert.pem:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
volumes:
  netbird-mgmt:
  netbird-signal:

@rashkur commented on GitHub (Nov 25, 2024): I was able to make it work with this config <details> <summary>nginx.conf</summary> ``` bash upstream dashboard { # insert the http port of your dashboard container here server 127.0.0.1:8011; # Improve performance by keeping some connections alive. keepalive 10; } upstream signal { # insert the grpc port of your signal container here server 127.0.0.1:10000; } upstream management { # insert the grpc+http port of your signal container here server 127.0.0.1:8012; } server { # HTTP server config listen 80; server_name _; # 301 redirect to HTTPS location / { return 301 https://$host$request_uri; } } server { # HTTPS server config listen 443 ssl http2; server_name _; # This is necessary so that grpc connections do not get closed early # see https://stackoverflow.com/a/67805465 client_header_timeout 1d; client_body_timeout 1d; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Scheme $scheme; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Host $host; grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # Proxy dashboard location / { proxy_pass http://dashboard; } # Proxy Signal location /signalexchange.SignalExchange/ { grpc_pass grpc://signal; grpc_ssl_verify off; grpc_read_timeout 1d; grpc_send_timeout 1d; grpc_socket_keepalive on; } # Proxy Management http endpoint location /api { proxy_pass http://management; } # Proxy Management grpc endpoint location /management.ManagementService/ { grpc_pass grpc://management; #grpc_ssl_verify off; grpc_read_timeout 1d; grpc_send_timeout 1d; grpc_socket_keepalive on; } ssl_certificate fullchain.pem; ssl_certificate_key privkey.pem; } ``` </details> <details> <summary>management.json</summary> ```json { "Stuns": [ { "Proto": "udp", "URI": "stun:netbird.xxx.com:3478", "Username": "", "Password": "" } ], "TURNConfig": { "TimeBasedCredentials": false, "CredentialsTTL": "12h0m0s", "Secret": "secret", "Turns": [ { "Proto": "udp", "URI": "turn:netbird.xxx.com:3478", "Username": "self", "Password": "PASSWORD" } ] }, "Relay": { "Addresses": [ "rel://netbird.xxx.com:33080" ], "CredentialsTTL": "24h0m0s", "Secret": "SECRET" }, "Signal": { "Proto": "https", "URI": "netbird.xxx.com:443", "Username": "", "Password": "" }, "Datadir": "/var/lib/netbird/", "DataStoreEncryptionKey": "KEY", "HttpConfig": { "LetsEncryptDomain": "", "CertFile": "", "CertKey": "", "AuthAudience": "APP_ID", "AuthIssuer": "https://login.microsoftonline.com/TENANT_ID/v2.0", "AuthUserIDClaim": "oid", "AuthKeysLocation": "https://login.microsoftonline.com/TENANT_ID/discovery/v2.0/keys", "OIDCConfigEndpoint": "https://login.microsoftonline.com/TENANT_ID/v2.0/.well-known/openid-configuration", "IdpSignKeyRefreshEnabled": false, "ExtraAuthAudience": "" }, "IdpManagerConfig": { "ManagerType": "azure", "ClientConfig": { "Issuer": "https://login.microsoftonline.com/TENANT_ID/v2.0", "TokenEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token", "ClientID": "APP_ID", "ClientSecret": "CLIENT_SECRET", "GrantType": "client_credentials" }, "ExtraConfig": { "GraphApiEndpoint": "https://graph.microsoft.com/v1.0", "ObjectId": "OBJECT_ID" }, "Auth0ClientCredentials": null, "AzureClientCredentials": null, "KeycloakClientCredentials": null, "ZitadelClientCredentials": null }, "DeviceAuthorizationFlow": { "Provider": "none", "ProviderConfig": { "ClientID": "", "ClientSecret": "", "Domain": "", "Audience": "APP_ID", "TokenEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token", "DeviceAuthEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/devicecode", "AuthorizationEndpoint": "", "Scope": "openid", "UseIDToken": false, "RedirectURLs": null } }, "PKCEAuthorizationFlow": { "ProviderConfig": { "ClientID": "APP_ID", "ClientSecret": "", "Domain": "", "Audience": "APP_ID", "TokenEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token", "DeviceAuthEndpoint": "", "AuthorizationEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize", "Scope": "openid profile email offline_access User.Read api://APP_ID/api", "UseIDToken": true, "RedirectURLs": [ "http://localhost:53000" ] } }, "StoreConfig": { "Engine": "sqlite" }, "ReverseProxy": { "TrustedHTTPProxies": [], "TrustedHTTPProxiesCount": 0, "TrustedPeers": [ "0.0.0.0/0" ] } } ``` </details> <details> <summary>docker-compose.yml</summary> ```yaml version: "3" services: #UI dashboard dashboard: image: netbirdio/dashboard:latest restart: unless-stopped ports: - 8011:80 environment: # Endpoints - NETBIRD_MGMT_API_ENDPOINT=https://netbird.xxx.com:443 - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.xxx.com:443 # OIDC - AUTH_AUDIENCE=APP_ID - AUTH_CLIENT_ID=APP_ID - AUTH_CLIENT_SECRET= - AUTH_AUTHORITY=https://login.microsoftonline.com/DIRECTORY_ID/v2.0 - USE_AUTH0=false - AUTH_SUPPORTED_SCOPES=openid profile email offline_access User.Read api://APP_ID/api - AUTH_REDIRECT_URI=/auth - AUTH_SILENT_REDIRECT_URI=/silent-auth - NETBIRD_TOKEN_SOURCE=idToken logging: driver: "json-file" options: max-size: "500m" max-file: "2" # Signal signal: image: netbirdio/signal:latest restart: unless-stopped volumes: - netbird-signal:/var/lib/netbird ports: - 10000:80 logging: driver: "json-file" options: max-size: "500m" max-file: "2" # Relay relay: image: netbirdio/relay:latest restart: unless-stopped environment: - NB_LOG_LEVEL=debug - NB_LISTEN_ADDRESS=:33080 - NB_EXPOSED_ADDRESS=netbird.xxx.com:443 # todo: change to a secure secret - NB_AUTH_SECRET=AUTH_SECRET ports: - 33080:33080 logging: driver: "json-file" options: max-size: "500m" max-file: "2" # Management management: image: netbirdio/management:latest restart: unless-stopped depends_on: - dashboard volumes: - netbird-mgmt:/var/lib/netbird - ./management.json:/etc/netbird/management.json ports: - 8012:8012 #API port command: [ "--port", "8012", "--log-file", "console", "--log-level", "debug", "--disable-anonymous-metrics=false", "--single-account-mode-domain=netbird.xxx.com", "--dns-domain=netbird.selfhosted", "--idp-sign-key-refresh-enabled" ] logging: driver: "json-file" options: max-size: "500m" max-file: "2" environment: - NETBIRD_STORE_ENGINE_POSTGRES_DSN= # Coturn coturn: image: coturn/coturn:latest restart: unless-stopped #domainname: netbird.xxx.com # only needed when TLS is enabled volumes: - ./turnserver.conf:/etc/turnserver.conf:ro # - ./privkey.pem:/etc/coturn/private/privkey.pem:ro # - ./cert.pem:/etc/coturn/certs/cert.pem:ro network_mode: host command: - -c /etc/turnserver.conf logging: driver: "json-file" options: max-size: "500m" max-file: "2" volumes: netbird-mgmt: netbird-signal: ``` </details>

saavagebueno commented 2025-11-20 05:08:16 -05:00

Author

Owner

Copy Link

@mathiash98 commented on GitHub (Nov 26, 2024):

I was able to make it work with this config

In this config you are not using relay server behind the nginx reverse proxy, you are using the relay directly on port 33080. It will work fine in most cases. But clients behind strict firewall will need to open port 33080 as well

@mathiash98 commented on GitHub (Nov 26, 2024): > I was able to make it work with this config In this config you are not using relay server behind the nginx reverse proxy, you are using the relay directly on port 33080. It will work fine in most cases. But clients behind strict firewall will need to open port 33080 as well

saavagebueno commented 2025-11-20 05:08:16 -05:00

Author

Owner

Copy Link

@Vivek7849 commented on GitHub (Jan 3, 2025):

@mathiash98 Thanks a lot, how did you figure out that we need to use rels:// instead of rel://
This one simple thing was not allowing my relay to connect through reverse proxy. Once I changed this after cross-checking with your config, it worked!

@Vivek7849 commented on GitHub (Jan 3, 2025): @mathiash98 Thanks a lot, how did you figure out that we need to use rels:// instead of rel:// This one simple thing was not allowing my relay to connect through reverse proxy. Once I changed this after cross-checking with your config, it worked!

saavagebueno commented 2025-11-20 05:08:16 -05:00

Author

Owner

Copy Link

@mathiash98 commented on GitHub (Jan 3, 2025):

@mathiash98 Thanks a lot, how did you figure out that we need to use rels:// instead of rel:// This one simple thing was not allowing my relay to connect through reverse proxy. Once I changed this after cross-checking with your config, it worked!

In my case I need to use rels:// as I am passing the traffic through my nginx proxy which is using HTTPS encrypted traffic. The s in rels is the same as the s in https -> Using port 443 and encrypted with SSL certificates

@mathiash98 commented on GitHub (Jan 3, 2025): > @mathiash98 Thanks a lot, how did you figure out that we need to use rels:// instead of rel:// This one simple thing was not allowing my relay to connect through reverse proxy. Once I changed this after cross-checking with your config, it worked! In my case I need to use `rels://` as I am passing the traffic through my nginx proxy which is using HTTPS encrypted traffic. The `s` in `rels` is the same as the `s` in `https` -> Using port 443 and encrypted with SSL certificates

saavagebueno commented 2025-11-20 05:08:16 -05:00

Author

Owner

Copy Link

@HybridRCG commented on GitHub (Apr 4, 2025):

@HybridRCG have you found any success yet because i also want to run Netbird behind Nginx Proxy Manager with Authentik.

can you share your setup.env file. what addition did you make for npm in the file

Hi , I since moved over to headscale. took me all of about 10minutes to set up and working as expected , with npm, lovely gui with headscale-admin. not looking back. Hope you could get it working.

@HybridRCG commented on GitHub (Apr 4, 2025): > [@HybridRCG](https://github.com/HybridRCG) have you found any success yet because i also want to run Netbird behind Nginx Proxy Manager with Authentik. > > can you share your setup.env file. what addition did you make for npm in the file Hi , I since moved over to headscale. took me all of about 10minutes to set up and working as expected , with npm, lovely gui with headscale-admin. not looking back. Hope you could get it working.

saavagebueno commented 2025-11-20 05:08:17 -05:00

Author

Owner

Copy Link

@nmapx commented on GitHub (Aug 13, 2025):

@mathiash98 I'm having trouble running relay service using similar config to yours. Do you, by any chance, still use Netbird in latest version and could confirm that there was a change in it's behaviour over the past couple months?
I just shared my issue in details here: https://github.com/netbirdio/netbird/issues/3156

@nmapx commented on GitHub (Aug 13, 2025): @mathiash98 I'm having trouble running relay service using similar config to yours. Do you, by any chance, still use Netbird in latest version and could confirm that there was a change in it's behaviour over the past couple months? I just shared my issue in details here: https://github.com/netbirdio/netbird/issues/3156

saavagebueno commented 2025-11-20 05:08:17 -05:00

Author

Owner

Copy Link

@mathiash98 commented on GitHub (Aug 13, 2025):

@mathiash98 I'm having trouble running relay service using similar config to yours. Do you, by any chance, still use Netbird in latest version and could confirm that there was a change in it's behaviour over the past couple months? I just shared my issue in details here: #3156

Sadly I have left the company in May, but they are still using it fine, unsure about what version they run. Your error looks like a SSL signature issue as it says signature failure. Not sure what the next best step is, but somehow use curl to verify ssl certificate maybe

@mathiash98 commented on GitHub (Aug 13, 2025): > [@mathiash98](https://github.com/mathiash98) I'm having trouble running relay service using similar config to yours. Do you, by any chance, still use Netbird in latest version and could confirm that there was a change in it's behaviour over the past couple months? I just shared my issue in details here: [#3156](https://github.com/netbirdio/netbird/issues/3156) Sadly I have left the company in May, but they are still using it fine, unsure about what version they run. Your error looks like a SSL signature issue as it says signature failure. Not sure what the next best step is, but somehow use curl to verify ssl certificate maybe

saavagebueno commented 2025-11-20 05:08:17 -05:00

Author

Owner

Copy Link

@nmapx commented on GitHub (Aug 14, 2025):

@mathiash98 Thanks for the hint! Forgot to check it with curl. Well... it works on http1.1, it fails on http2. NPM does support http2 so it must be a relay issue. Any more clue?

@nmapx commented on GitHub (Aug 14, 2025): @mathiash98 Thanks for the hint! Forgot to check it with curl. Well... it works on http1.1, it fails on http2. NPM does support http2 so it must be a relay issue. Any more clue?

saavagebueno referenced this issue 2025-11-20 07:11:59 -05:00

[PR #220] [MERGED] Login exits on a single attempt to connect to management #2627

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

embedded-vnc

readme-cleanup

client/capture-dns-forwarder-port

fix-ssh-authorized-users-multi-rule

fix/wireguard-port-zero

windows-dns-firewall

ui-refactor

fix/wgport-config

feature/refactor-clusters

fix/rosenpass

drop-candidateviaroutes-filter

e2e-windows-dns-combined

refactor-combined

wasm-websocket-dial

feature/affected-peers

dependabot/go_modules/github.com/Azure/go-ntlmssp-0.1.1

debug-logs

reduce-embed-wg-pool

dependabot/go_modules/github.com/jackc/pgx/v5-5.9.2

fix/login-cmd-root-flags

feat/reseller-openapi-spec

github-issue-resolver

add-steamos-support

fix-darwin-uninstaller

flutter-test

dependabot/npm_and_yarn/proxy/web/postcss-8.5.12

ci/freebsd-pkg-bootstrap

cached-serial-check-on-sync

fix-mgmt-cache-bypass-overlay

revert-easyjson-5938

revert-ice-5820

revert-firewalld-5928

refactor/permissions-manager

wasm-js-func-release

revert-dns-5935-systemd-resolved

revert-dns-5935-5945

revert-dns-5945-mgmt-cache

feature/log-most-busy-peers

prototype/ui-wails

coderabbitai/utg/8ae8f20

feature/use-peer-fqdn-on-https

dependabot/go_modules/golang.org/x/image-0.38.0

feature/metrics-push-management-control

release/0.68.3

dependabot/go_modules/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream-1.7.8

dependabot/go_modules/github.com/aws/aws-sdk-go-v2/service/s3-1.97.3

add-slack-channel

claude/rdp-token-passthrough-eNcqW

transparent-proxy

fix/macos-stale-route-eexist

crowdsec-selfhosted

fix/remove-otel-units

entire/checkpoints/v1

dependabot/go_modules/github.com/go-jose/go-jose/v4-4.1.4

fix/getting-started

feat/static-connectors-combined-server

feature/use-local-keys-embedded

feature/fleetdm

set-env-only-if-not-fork

feature/expose-has-channel

fix/connection-status-race

fix/filter-cgnat-cni-ice-candidates

feature/check-cert-locker-before-acme

test/proxy-fixes

test/proxy-mtu

prototype/ui-tauri

test/proxy-speed

fix-reused-ports

feat/migrate-to-embedded-idp

feature/add-serial-to-proxy-merged

deploy/proxy-serial

test/connection

feature/disable-legacy-port

feature/flag-to-disable-legacy-port

test/perftest

dependabot/go_modules/github.com/pion/dtls/v3-3.0.11

fix/http-redirect

poc-token-command

dn-reverse-proxy

prototype/reverse-proxy-rename

prototype/reverse-proxy-logs-pagination

feature/client-metrics

prototype/reverse-proxy-clusters

debug-dns-route

fix/win-dns-batch

add-extra-route-logs

job-stream-notify-disconnection-eof

deploy/secrets-manager

trigger-proxy-update

bug/update-ios-client-code-build-tags

sync-client-netmap-serial

log/conn-disconn

nmap/compaction-deploy

ci-win-test

feature/disk-encryption-check

wasm-debug

swap-dns-prio

fix/dex-config

feature/migrate-auto-groups-to-table

dependabot/go_modules/github.com/quic-go/quic-go-0.57.0

nmap/compaction

dex-nocgo-stub

feature/exclude-terraform-from-rate-limiting

test-freebsd

retries-refactor

coderabbitai/docstrings/b7e98ac

feat/integrate-zitadel

bug/ios-hanging-reconection

zitadel-idp

feat/network-map-serial

refactor/get-account-no-users

feat/auto-upgrade

feature/report-high-pat-id

feature/temporary-access-for-resource

fix/nmap-fwrules

dont-restart-dns

prototype/ui

update-gomobile

go-dns-for-ice

wasm-ldflags

test-ldflags

wasmbuild-test

feature/networks-s2s

vk/compare-nmaps

dbg/bothmaps

feature/changeset

reorder-dns-shutdown

fix/relay-reconnection-race

fix/nmap-exitnodes

vk/debug/nmap-both

move-licensed-code

feat/better-daemon-connection-lost-message

feat/auto-update-2

test/timings

refactor/getaccount-raw

tests/nmap-getaccount

refactor/nmap

refactor/nmap-limit-buffer

feature/detect-mac-wakeup

feature/extract-modules

quick-setings

feat/sync-limiter

feature/store-cache-impl

fix-install-version

feature/store-metrics

feature/metrics-on-store

feature/use-gorm-cache

loadtest-signal

unsymmetrical-squash

refactor/reducate-signaling

test/update-reduce

feature/store-cache

feature/remote-debug

cli-ws-proxy-backend-addr

feat/mgmt-map-serial

snyk-fix-d9d0081a4c7f9137bdb59d0d50a141a2

snyk-fix-7415cea5a11acd66753540ca2c598c63

job-yml-update

feature/android-allow-selecting-routes

fix/up-sequence

fix/dns-hash-update

snyk-fix-967adae9863f17f108ce8948d9117b8d

log/getaccount-by-peer

signal-suppressor

dns-exit-node

feature/auto-updates

feature/cache-srv-key

merged-fixes

fix/missed-offers-and-debug

debug-and-fixes

poc-wasm-clean-backend-s2s

test/remote-debug

debug-api

dependabot/go_modules/github.com/docker/docker-28.0.0incompatible

fix/remove-gpo-if-empty

fix/test-freebsd

fix/mysql-setup

fix/remove-logout-btn

handle-existing-domain-user

chore/unify-domain-validation

snyk-fix-c5fafc8a50ce1f29046e25a1fc346185

feat/profile-edit-btn

snyk-fix-a54966211e18d4cf67e5a2757cc006d1

log-short-id

feat/logout-ephemeral

log-checks

batch-wg-ops

nb-interface-default

feat/aws-integration

add/race-test

feature/relay-feature-versioning

fix/systemd-service-logs

poc/preprocessed-map

add-account-onboarding

bind-ipv6

fix/merge-main

logs/peerlogs-addpeer

feature/net-297-network-migration

feature/support-skip-auto-apply-exit-node-routes

set-cmd

set-command-with-cursor

feature/limit-update-channel

stop-using-locking-share

feature/poc-lazy-detection

feature/net-248-removal-of-sync-mutex-locks

test/multiple-peer-logging

preresolve

add-ns-punnycode-support

apply-routes-early

windows-search-domains

fix/connecting-route-filter

feature/management/rest-client/impersonate

debug-local-records

resource-fields-snake-case

test/grpc-rate-limit

traffic-correlation-policy

feature/rest-client-options

feat/events-metrics

feature/buf-cli

test/add-ratelimiter

test/remove-write-lock-on-add-peer

fix/add-peer-semaphore

feature/users-roles-endpoint

mlsmaycon-patch-1

debug-user-role

chore/primary-key-on-networks

feature/update-account-peers-buffer-startup

remove-ubuntu2004-runners

refactor/permissions-no-pat-allowed

ref/logrus-factory

use-conntrack-zone

deploy/permissions-account

feature/lazy-connection-idle

ref/improve-test-cov

restore-pr-3440

test/increase-grpc-timeouts

feat/buffer-account-peers-update

test/networkmapgeneration-changes

feature/base-manager

feature/flow-receiver

chore/benchmark-with-large-runner

refactor/handshake-initiator

client/ui-update-systray-icons

userspace-router

wgwatcher-test

output-if-key-already-exists

fix/relay-reconnection

feature/port-forwarding-client-codecleaning

detached2

test/callbacks-nil-iceconninfo

refactor/optimize-peer-expiration

enable-udp-port-for-docker-template

fix/relay-update

feature/apply-posture-netmap

fix/group-update-existing-resource

conntrack-stats

upgrade-okta-sdk

multi-price

test/conn-stat

set-min-parallel-tests-for-management

dns-interceptor

debug-dns

router-dns

add-static-system-info

debug-0.29.4

debug-0.33.0

account-refactoring

relay/2800_quic

route-get-account-refactoring

test/seed-random-routes

feature/get-account-refactoring

test/reconnect-race-condition

refactor/get-account-usage

feature/add-session-id-to-update-channel

improve-ipv4conn

fix/async-pion-event-handling

debug

add-offload

feature/validate-group-association-debug

fix/limit-conn-for-sqlite

test/engine-iface

test/transaction-for-jwt-sync

fix/engine-stop-in-foreground

feature/add-mysql-support

test-migration

refactor/header-size-values

relay/eliminate-gob

test/signal-dispatcher-with-relay

relay/debug

validate-icon

feature/ipv6-support

use-pre-expanded-peers-map

feature/use-signal-dispatcher

validate/peer-status

add-read-write-times

fix/sync-peer-race

feature/relay-status

netmap

evaluate/network-map-hash

fix/lower-dns-resolve-interval-on-fail

feature/relay

fix/go-mod-version

upgrade-nftables

synology-userspace-mode

fix/use-ip-for-default-routes-on-darwin

fix/proxy_close

enable-release-workflow-on-pr

deploy/peer-performance

feature/permanent-turn

feature/permanent-turn-proxy

deploy/posture-check-sqlite

feature/optimize_sqlite_save

debug-ios-behavior

fix/delete-route-only-after-adding

tshoot/windows-logger

remove-new-routing

refactor/eliminate-repo-dependency

add-arm-to-ci

refactor-demo-account-object

test/abc2

test/abc

send-ssh-rosenpass-config-meta

refactor-demo

ensure-schedule-never-runs-non-positive

feature/peer-validator-groupmgm

feature/peer-validator-fix

fix/include-active-dashboard-users

fix/handle-canceling-schedule

fix/geo-download

debug-google-workspace

yury/resolve-ip-to-location

feature/extend-sysinfo

sqlite-async-peer-status

yury/add-postgresql-store

fix/route

test-build

posture-checks-poc

debug-keycloak-idp

poc/netstack

for-pascal-tmp

peer-logout-management

manual-peer-logout

detached

chore/refactor-management

test/dns-bind

fix/enforce-acl-for-containers

yury/use-sync-map-in-updatechannel

fix/events-key-handling

filter-cache-on-load-account

fix/user-expiration

handle-user-context-cancellation

nb-client-k8s-statefulset

fake-addr

fix/iptables_in_docker

ebpf-debug

update-getting-started-flow-use-postgres

fix/peer_list_notification

feature/device-authentication-with-client-secret

feature/keep_alive

feat-groups-from-jwt

separate_proxy_from_wgconfig

fix/wg_conn

wg_conn_fix

wg_bind_parallel_processing

fix-rollback-get-acls

proxy_cfg_cleanup

performance-improvement-rego

update-lock-log-level

feat-client-side-acl

refactor/move_grpcserver_logic_to_account_manager

feature/event-storage

feature/update-idp-redeeming-invite

feature/api-peer-info

return-groupminimum-setupkey

feature/interface-bind

documentation_enhancement

fix-peer-registration

ssh

users_cache

pass-client-caller

client_caller_type

revert-283-feat-fix-windows-installer

periodic-peer-updates

ebpf

braginini/wasm

v0.71.2

v0.71.1

v0.71.0

v0.70.5

v0.70.4

v0.70.3

v0.70.2

v0.70.1

v0.70.0

v0.69.0

v0.68.3

v0.68.2

v0.68.1

v0.68.0

v0.67.4

v0.67.3

v0.67.2

v0.67.1

v0.67.0

v0.66.4

v0.66.3

v0.66.2

v0.66.1

v0.66.0

v0.65.3

v0.65.2

v0.65.1

v0.65.0

v0.64.6

v0.64.5

v0.64.4

v0.64.3

v0.64.2

v0.64.1

v0.64.0

v0.63.0

v0.62.3

v0.62.2

v0.62.1

v0.62.0

v0.61.2

v0.61.1

v0.61.0

v0.60.9

v0.60.8

v0.60.7

v0.60.6

v0.60.5

v0.60.4

v0.60.3

v0.60.2

v0.60.1

v0.60.0

v0.59.13

v0.59.12

v0.59.11

v0.59.10

v0.59.9

v0.59.8

v0.59.7

v0.59.6

v0.59.5

v0.59.4

v0.59.3

v0.59.2

v0.59.1

v0.59.0

v0.58.2

v0.58.1

v0.58.0

v0.57.1

v0.57.0

v0.56.1

v0.56.0

v0.55.1

v0.55.0

v0.54.2

v0.54.1

v0.54.0

v0.53.0

v0.52.2

v0.52.1

v0.52.0

v0.51.2

v0.51.1

v0.51.0

v0.50.3

v0.50.2

v0.50.1

v0.50.0

v0.49.0

v0.48.0-dev2

v0.48.0

v0.47.2

v0.47.1

v0.47.0

v0.46.0

v0.45.3

v0.45.2

v0.45.1

v0.45.0

v0.44.0

v0.43.3

v0.43.2

v0.43.1

v0.43.0

v0.42.0

v0.41.3

v0.41.2

v0.41.1

v0.41.0

v0.40.1

v0.40.0

v0.39.2

v0.39.1

v0.39.0

v0.38.2

v0.38.1

v0.38.0

v0.37.2

v0.37.1

v0.37.0

v0.36.7

v0.36.6

v0.36.5

v0.36.4

v0.36.3

v0.36.2

v0.36.1

v0.36.0

v0.35.2

v0.35.1

v0.35.0

v0.34.1

v0.34.0

v0.33.0

v0.32.0

v0.31.1

v0.31.0

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.4

v0.29.3

0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.9

v0.28.8

v0.28.7

v0.28.6

v0.28.5

v0.28.4

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.10

v0.27.9

v0.27.8

v0.27.7

v0.27.6

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27.0

v0.26.7

v0.26.6

v0.26.5

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.9

v0.25.8

v0.25.7

v0.25.6

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.4

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.9

v0.23.8

v0.23.7

v0.23.6

v0.23.5

v0.23.4

v0.23.3

v0.23.2

v0.23.1

v0.23.0

v0.22.7

v0.22.6

v0.22.5

v0.22.4

v0.22.3

v0.22.2

v0.22.1

v0.22.0

v0.21.11

v0.21.10

v0.21.9

v0.21.8

v0.21.7

v0.21.6

v0.21.5

v0.21.4

v0.21.3

v0.21.2

v0.21.1

v0.21.0

v0.20.8

v0.20.7

v0.20.6

v0.20.5

v0.20.4

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.1

v0.18.0

v0.17.0

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.6

v0.14.5

v0.14.4

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.0

v0.12.0

v0.11.6

v0.11.5

v0.11.4

v0.11.3

v0.11.2

v0.11.1

v0.11.0

v0.10.10

v0.10.9

v0.10.8

v0.10.7

v0.10.6

v0.10.5

v0.10.4

v0.10.3

v0.10.2

v0.10.1

v0.10.0

v0.9.8

v0.9.7

v0.9.6

v0.9.5

v0.9.4

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.12

v0.8.11

v0.8.10

v0.8.9

v0.8.8

v0.8.7

v0.8.6

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.11

v0.5.10

v0.5.1

v0.5.0

v0.4.0

v0.3.5

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.3

v0.2.2-beta.1

v0.2.1-beta.5

v0.2.0-beta.5

v0.2.0-beta.4

v0.2.0-beta.3

v0.2.0-beta.2

v0.2.0-beta.1

v0.1.0-beta.3

v0.1.0-beta.2

v0.1.0-beta.1

v0.1.0-rc.2

v0.1.0-rc-1

v0.0.8-hotfix-1

v0.0.8

v0.0.7

v0.0.6

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

v0.0.0

Labels

Clear labels

2021 Q4

2022 Q1

2022 Q1

accessibility

acl

agent

agent

Android

Android

api

authentik

automation

azure

battery-usage

bug

cache

client

client-ui

cloud

cloud-only

cloudflare

community

compatibility

config-idp

config-issue

connection

contribution

coturn

cross-vpn

dashboard

data-usage

distribution

dns

docker

documentation

duplicate

enhancement

enhancement

event-stream

feature-request

freebsd

getting-started

go

good first issue

gui

help wanted

home-assistant

idp

inconsistency

integration

integrations

ios

ipv6

jwt

k8s

keycloak

linux

login

macos

management-service

missing-docs

mobile

moved-internal

needs-review

netbird-ui

networking

new-platform

nginx

notification

okta

openwrt

packaging

peer-management

peer-management

peer-management

performance

postgres

posture-checks

psk

pull-request

Mirrored from GitHub Pull Request

question

refactor

relay

release

rfc

routes

security

security-related

self-hosting

server

signal

sleep-issue

ssh

ssl

status

store

synology

system-compatibility-issue

test-suite

third-party-integration

triage

triage-needed

troubleshooting

UX

waiting-feedback

windows

wontfix

zitadel

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

saavagebueno

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: SVI/netbird#220