A couple of questions and feedback #233

Closed
opened 2025-11-20 05:08:24 -05:00 by saavagebueno · 7 comments

Originally created by @tvarsis on GitHub (Nov 19, 2022).

I have tried to set this up following your self-hosting docker instructions, and have come across some issues and have a couple of questions and feedback. I'm opening an issue about them, since I could not find any information about these in the documentation or in other issues, so it could be good to get it documented here.

  1. In the generated management.json file, this row exists: `"Secret": "secret"`. I tried to figure out what that does, and maybe it is not used at all, but it gives the impression of a value that should be changed or else is insecure, right?
  2. The docker-compose file uses host network for the coturn container. That is usually bad practice. Should it not be possible to avoid that and rely on the docker network, where you just expose the needed services to the host instead of using the host network layer?
  3. Setting up an OIDC provider usually requires both client id and secret together with the discovery endpoint. But I can't find anywhere to add the secret?
  4. Is there any documentation on how to run this behind a regular nginx reverse proxy? I'm not a fan of having docker-compose files that "include everything", since that will mess up other web services running on the same host. I think most people that self-host run some kind of reverse proxy in front of their docker stuff, so some documentation or an alternative docker-compose file for those cases would be awesome.
  5. After following the guide, I ended up with this error from docker-compose up, which indicates some permission issues:

     ```
     ERROR: for infrastructure_files_coturn_1  Cannot start service coturn: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: errCreating infrastructure_files_management_1 ... done

     ERROR: for coturn  Cannot start service coturn: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: open /proc/sys/kernel/domainname: permission denied: unknown
     ERROR: Encountered errors while bringing up the project.
     ```

  6. Since you support the OIDC standard, I guess this would work with any such provider, right? The documentation seems to indicate that it does not. Also, it is hard to find any information about the callback url, which needs to be provided when configuring the OIDC on the provider side.

I think this project is really cool and hope it gets good traction, so the above points are meant in good faith in hope to improve some current pain points.

Thanks!


@mlsmaycon commented on GitHub (Nov 20, 2022):

Hello @tvarsis, thanks for opening this issue and giving us feedback. It is true that many things are lacking documentation; we are continuously improving them, and feedback like yours always helps.

I will try to address your points below:

  1. We have two modes for configuring TURN credentials and, checking now, none have been documented yet. The first case is the Username and Password; these map directly to the credentials we generate and write into the Coturn config file when you run configure.sh. We also support time-based credentials, which, with a shared key between Coturn and the secret you set here, will be generated and rotated based on the CredentialsTTL you set. This second mode is global, and all TURN servers you configured must share the same secret. See the use-auth-secret and static-auth-secret descriptions in the template config file for more info.

  2. That is correct, and the main reason for us to use the host network here is that Coturn can potentially listen on thousands of ports (defaults to ~16K). These ports are allocated based on need, and we can't limit this too low to avoid connection issues.
     One can map the ports and ranges from listening-port, min-port, and max-port in your turnserver.conf, but if you go with the default port ranges, that might take up to 60 minutes on a 2-core 7 GB VM.

  3. Our system is set to use the PKCE flow, which doesn't require a secret for most IDP providers. Unfortunately, Google's OAuth2 clients aren't supported as they need a fake secret.

  4. Another point needing documentation; I am working with another user on that now in issue #536, but we will have other options in our getting started guides with nginx, traefik, and caddy.

  5. Can you check if the path `/proc/sys/kernel/domainname` exists (might need sudo), and can you test running Coturn without the domainname key in the docker-compose.yml?

  6. Regarding the callback urls, you can use 2 environment variables to change them; see the example here: https://github.com/netbirdio/netbird/blob/main/infrastructure_files/setup.env.example#L18. We are using a generic OIDC library which covers many IDP providers that support OIDC with the PKCE flow. Some providers we know don't work:

  • Google oauth2 (requires a secret)
  • Gitlab (incompatible access token)

Let us know which provider you are using, and we can have a look at which settings might be required on our side. If they are simple enough, we might be able to include a fix in the next releases.
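As an added illustration of the time-based TURN credential mode described in point 1 above (example code written for this thread, not NetBird's or coturn's own code): it mints and verifies credentials in coturn's use-auth-secret / TURN REST API format, where the shared secret plays the role of the `Secret` field in management.json and the lifetime that of `CredentialsTTL`. The `timestamp:userid` username layout is coturn's documented default and is assumed here; the peer id and secret values are constructed.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Placeholder that the generated management.json ships with. Anyone who knows
# the shared secret can mint valid TURN credentials, so it must be replaced.
PLACEHOLDER_SECRET = "secret"


def turn_rest_credentials(shared_secret: str, user_id: str, ttl_seconds: int,
                          now: Optional[int] = None) -> Tuple[str, str]:
    """Mint time-limited TURN credentials in coturn's use-auth-secret format.

    username = "<expiry unix time>:<user id>"
    password = base64(HMAC-SHA1(shared_secret, username))
    """
    if now is None:
        now = int(time.time())
    username = f"{now + ttl_seconds}:{user_id}"
    mac = hmac.new(shared_secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(mac).decode()


def verify_turn_credentials(shared_secret: str, username: str, password: str,
                            now: Optional[int] = None) -> bool:
    """Check a credential pair the way a TURN server configured with the same
    static-auth-secret does: recompute the HMAC, compare it in constant time,
    and reject usernames whose embedded timestamp has already passed."""
    if now is None:
        now = int(time.time())
    expiry_str, sep, _user_id = username.partition(":")
    if not sep or not expiry_str.isdigit():
        return False  # malformed username, no timestamp to check
    expected = hmac.new(shared_secret.encode(), username.encode(), hashlib.sha1).digest()
    try:
        given = base64.b64decode(password, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if not hmac.compare_digest(expected, given):
        return False
    return int(expiry_str) > now


def secret_is_placeholder(shared_secret: str) -> bool:
    """True when the configured shared secret is still the shipped placeholder."""
    return shared_secret == PLACEHOLDER_SECRET


if __name__ == "__main__":
    # Constructed demo: a 12-hour CredentialsTTL for a hypothetical peer id.
    user, pw = turn_rest_credentials("replace-me-with-a-long-random-value", "peer-1", 12 * 3600)
    print(user, pw, verify_turn_credentials("replace-me-with-a-long-random-value", user, pw))
```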


@tvarsis commented on GitHub (Nov 23, 2022):

Wow, thank you @mlsmaycon for the detailed answers! I will answer on the ones where you had questions and you explained the other things well already.

  2. So if I would like to map the port ranges in the docker-compose file, do you know how many ports should be available per connected client? Is it a 1:1 value here?

  4. That is a nice thread and I will follow it and see if I can get it working behind nginx. Thanks!

  5. Yes, that file exists, but I'm running rootless docker so I think that gives that error. I removed the line from the docker-compose file as you suggested and that fixed the error. But would that lead to other issues?

  6. I played around a lot more with this and can't get it to fully work. I'm trying to set it up with Azure AD OIDC but I have not been able to get it fully working. I got to the point where I can successfully login after removing "api" from scopes, since that does not exist by default in Azure and gives an error. But when I then login to netbird it gives 500 errors with an empty error message for all endpoints from the API, and I only see 3 menu options instead of all of them. I tried to create a custom API scope in Azure as well for that app, but couldn't get it to work. And I'm not sure what the api scope is used for and if it is actually needed; do you know if anyone has got it working with Azure AD? I think Azure AD is pretty flexible when configuring the OIDC applications, so it is probably just me who does something wrong here.

Thanks!


@tvarsis commented on GitHub (Nov 27, 2022):

@mlsmaycon I tested a lot more things and got coturn to work without host network by setting these props in the turnserver.conf file.

```
min-port=49160
max-port=49200
```

Also commented out the "domain" part from coturn section in docker-compose file as mentioned earlier, and all seems to be working fine now. I guess limiting the ports as I did might give issues with a larger number of clients, but for my use case I think it should be fine.

Just documenting that here if others search for the same thing.

I tested setting it up with Auth0 and then I got everything running correctly, but I could not get it working with Azure AD. Do you have any documentation around how to get it running with Azure AD, since that is what I use for my other apps? It feels like it is the "api" scope that is missing, since I can see that being part of the AUD array in the token from Auth0, whereas in the Azure token it just points to an app id if I try to add it manually, or I add it in the wrong place (tried a lot of different ways).

Thanks!


@mlsmaycon commented on GitHub (Nov 28, 2022):

Hi @tvarsis, thanks for getting back and testing the settings.

You are correct; limiting the TURN ports might be an issue if you need it to connect more peers. Most of the time, peers behind a non-restrictive NAT can connect without it.

Azure AD has some caveats for PKCE that I have to document and publish. I plan to do that this week as it is a topic that interests more users.


@cirrusflyer commented on GitHub (Feb 1, 2023):

> Azure AD has some caveats for PKCE that I have to document and publish. I plan to do that this week as it is a topic that interests more users.

Hello, I'm trying to use Azure app registration as the OpenID provider. Anything you can provide to help set this up?

Thanks!


@cirrusflyer commented on GitHub (Feb 1, 2023):

I'm very close to getting this working with what I found on your slack discussion. Looking forward to complete steps.


@mlsmaycon commented on GitHub (Jun 16, 2023):

@tvarsis @cirrusflyer in case you missed it, we've added Azure integration here: https://docs.netbird.io/selfhosted/identity-providers#azure-ad


Reference: SVI/netbird#233