RDP Does not seem to be working #2337

Open
opened 2025-11-20 07:07:59 -05:00 by saavagebueno · 76 comments
Owner

Originally created by @fxandrei on GitHub (Oct 2, 2025).

I've just upgraded to v59.1, following the guide here https://docs.netbird.io/selfhosted/selfhosted-quickstart#upgrade

Also did this https://docs.netbird.io/selfhosted/selfhosted-quickstart#support-browser-clients

Then I upgraded one of the Windows clients to the latest version.
Selected the peer, and clicked RDP.
A new window opened with an RDP id in the URL, loaded for 2-3 seconds, then showed the same management interface, with the peers.

I was expecting an RDP connection.
What is the expected behavior?

saavagebueno added the triage-needed label 2025-11-20 07:07:59 -05:00

@scroguard commented on GitHub (Oct 2, 2025):

I am having this same issue. It just reloads the management interface instead of connecting via RDP as expected.


@scroguard commented on GitHub (Oct 2, 2025):

To add to my previous comment, the SSH function exhibits the same behavior.


@fxandrei commented on GitHub (Oct 2, 2025):

Hope this gets fixed. It's a marvelous feature.


@Ghx0sty commented on GitHub (Oct 2, 2025):

Same issue here. I get redirected to auth, then back to Users screen. Truly great feature though, I'll be waiting for any updates!


@streletskiy commented on GitHub (Oct 3, 2025):

Same problem here, and there is another open issue about this:
https://github.com/netbirdio/netbird/issues/4577


@dzxx36gyy commented on GitHub (Oct 3, 2025):

Also, the same as #4568.
The update missed the netbird.wasm, but also has some wrong redirect.


@mlsmaycon commented on GitHub (Oct 3, 2025):

Hey folks, we are looking into the issue. There are a few things that we need to change to have it working properly behind a proxy. We will update you soon.


@mvthul commented on GitHub (Oct 3, 2025):

Also, netbird.wasm isn't in the dashboard container at /usr/share/nginx/html. After I downloaded it (https://pkgs.netbird.io/wasm/client) and named it netbird.wasm, it seems to do more... I only need to fix my routes properly now (Traefik).

```
bash-5.1# cd /usr/share/nginx/html/
bash-5.1# wget https://pkgs.netbird.io/wasm/client -o netbird.wasm
bash-5.1# ls -la
total 47156
<SNIP
-rw-r--r--    1 root     root          3852 Oct  1 23:15 install.txt
drwxr-xr-x    2 root     root           111 Oct  1 23:15 ironrdp-pkg
drwxr-xr-x    2 root     root            35 Oct  1 23:15 local
-rw-r--r--    1 root     root            88 Oct  3 07:48 netbird.wasm
-rw-r--r--    1 root     root         11640 Oct  1 23:15 network-routes.html
<SNIP>
bash-5.1#
```

No error:

Image

When trying to connect:

Image

This is my traefik route currently but not working:

```
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  creationTimestamp: '2025-09-03T19:19:23Z'
  generation: 16
  name: netbird-traefik
  namespace: netbird
  resourceVersion: '50238762'
  uid: 6858700c-aa63-4530-8bd4-41599a07a7f0
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: >-
        Host(`netbird.selfhosted.domain`) && !PathPrefix(`/api`) &&
        !PathPrefix(`/management`) && !PathPrefix(`/signalexchange`) &&
        !PathPrefix(`/ws-proxy/management`) && !PathPrefix(`/ws-proxy/signal`)
      services:
        - name: netbird-dashboard
          namespace: netbird
          passHostHeader: true
          port: 80
    - kind: Rule
      match: Host(`netbird.selfhosted.domain`) && PathPrefix(`/api`)
      services:
        - name: netbird-management-management
          namespace: netbird
          passHostHeader: true
          port: 80
    - kind: Rule
      match: Host(`relay.netbird.selfhosted.domain`)
      services:
        - name: netbird-management-relay
          namespace: netbird
          passHostHeader: true
          port: 33080
    - kind: Rule
      match: >-
        Host(`netbird.selfhosted.domain`) &&
        PathPrefix(`/management.ManagementService/`)
      services:
        - name: netbird-management-management
          namespace: netbird
          passHostHeader: true
          port: 80
          scheme: h2c
    - kind: Rule
      match: >-
        Host(`netbird.selfhosted.domain`) &&
        PathPrefix(`/signalexchange.SignalExchange/`)
      services:
        - name: netbird-management-signal
          namespace: netbird
          passHostHeader: true
          port: 80
          scheme: h2c
    - kind: Rule
      match: Host(`netbird.selfhosted.domain`) && PathPrefix(`/ws-proxy/management`)
      services:
        - name: netbird-management-management
          namespace: netbird
          passHostHeader: true
          port: 33073
    - kind: Rule
      match: Host(`netbird.selfhosted.domain`) && PathPrefix(`/ws-proxy/signal`)
      services:
        - name: netbird-management-signal
          namespace: netbird
          passHostHeader: true
          port: 10000
  tls:
    secretName: netbird-tls
```
Image
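
Added example, not part of the original comment or of NetBird's code: a check that a file really is a WebAssembly binary before it is served from the web root as netbird.wasm. The listing above shows the file at 88 bytes, and `wget -o` names wget's log file while `-O` names the downloaded document, so a header-and-size check is worth running after a manual download. `check_wasm` and `MIN_BYTES` are hypothetical names, and the 1024-byte floor is an assumption.

```shell
#!/bin/sh
# Added example (not NetBird code): confirm a file is a WebAssembly binary
# module before serving it from the dashboard web root as netbird.wasm.

# Assumption: a real client build is far larger than this floor (bytes).
MIN_BYTES=${MIN_BYTES:-1024}

# check_wasm FILE
# Prints a one-line verdict and returns 0 only if FILE looks like a module.
check_wasm() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "missing"
        return 1
    fi
    size=$(( $(wc -c < "$f") ))
    # Binary modules begin with the magic "\0asm" and version 1 (little endian).
    header=$(od -An -tx1 -N8 "$f" | tr -d ' \n')
    if [ "$header" != "0061736d01000000" ]; then
        echo "not-wasm size=$size"
        return 1
    fi
    if [ "$size" -lt "$MIN_BYTES" ]; then
        echo "truncated size=$size"
        return 1
    fi
    echo "ok size=$size"
}

# Demo on constructed files (not real NetBird artifacts).
demo() {
    tmp=$(mktemp -d) || return 1
    # 1. Text saved under a .wasm name, e.g. a download log.
    printf 'constructed text, not a module\n' > "$tmp/log.wasm"
    # 2. Valid 8-byte header only, as an interrupted download might leave.
    printf '\000asm\001\000\000\000' > "$tmp/tiny.wasm"
    # 3. Valid header followed by 2 KiB of padding.
    { printf '\000asm\001\000\000\000'
      dd if=/dev/zero bs=1024 count=2 2>/dev/null; } > "$tmp/full.wasm"
    for name in log tiny full absent; do
        printf '%s.wasm: %s\n' "$name" "$(check_wasm "$tmp/$name.wasm")"
    done
    rm -rf "$tmp"
}

demo
```

The check only inspects the header and size; it does not validate the module body or its origin.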

@mlsmaycon commented on GitHub (Oct 3, 2025):

We've released a new version of the dashboard handling a few issues, but with the connect button disabled. We are investigating a few issues on some deployments. Once they are resolved, we will enable it again.


@trbutler commented on GitHub (Oct 3, 2025):

I'm having the same issue. I do have the self-hosted interface behind an NGINX proxy.


@mlsmaycon commented on GitHub (Oct 6, 2025):

Hello folks, we've released a new version.

Please update the management, signal, and dashboard. If you deployed using our quick-start guide, be sure to review the steps in the following URL as some ports have changed:

https://docs.netbird.io/selfhosted/selfhosted-quickstart#support-browser-clients

For those using Traefik or Nginx, we've updated the Docker template from our infrastructure_files:

https://github.com/netbirdio/netbird/blob/main/infrastructure_files/docker-compose.yml.tmpl.traefik
https://github.com/netbirdio/netbird/blob/main/infrastructure_files/nginx.tmpl.conf


@fxandrei commented on GitHub (Oct 7, 2025):

I just updated this and it still does not work.

So now I get the login popup, and I enter the user and password, hit connect.
I get another popup about trusting a certificate, then get this in the console:

```
2025-10-07T08:41:31+03:00 ERRO shared/signal/client/worker.go:46: failed to handle message: wrongly addressed message zOC/ltbdwejsyGz1uUKpWaWYLL76AK52NvlTwNg/VXs=
wasm_exec.js:22 2025-10-07T08:41:31+03:00 WARN client/internal/dns/mgmt/mgmt.go:323: failed to add/update domain=vpn.domain.com: resolve domain vpn.domain.com: lookup vpn.domain.com on [::1]:53: write udp 127.0.0.1:49->[::1]:53: write: Connection reset by peer
wasm_exec.js:22 2025-10-07T08:41:31+03:00 WARN client/internal/dns/mgmt/mgmt.go:323: failed to add/update domain=vpn.domain.com: resolve domain vpn.domain.com: lookup vpn.domain.com on [::1]:53: write udp 127.0.0.1:57->[::1]:53: write: Connection reset by peer
wasm_exec.js:22 2025-10-07T08:41:31+03:00 WARN client/internal/dns/mgmt/mgmt.go:323: failed to add/update domain=vpn.domain.com: resolve domain vpn.domain.com: lookup vpn.domain.com on [::1]:53: write udp 127.0.0.1:65->[::1]:53: write: Connection reset by peer
wasm_exec.js:22 2025-10-07T08:41:31+03:00 WARN client/internal/dns/mgmt/mgmt.go:323: failed to add/update domain=vpn.domain.com: resolve domain vpn.domain.com: lookup vpn.domain.com on [::1]:53: write udp 127.0.0.1:73->[::1]:53: write: Connection reset by peer
wasm_exec.js:22 2025-10-07T08:41:32+03:00 ERRO client/wasm/internal/rdp/rdcleanpath_handlers.go:242: Failed to read from TLS: remote error: tls: internal error
```

PS: I followed the upgrade instructions, and upgraded the clients as well.


@SuperKali commented on GitHub (Oct 7, 2025):

Still the same issue with both SSH and RDP


@lixmal commented on GitHub (Oct 7, 2025):

@fxandrei
What's the windows version? See https://docs.netbird.io/how-to/browser-client#known-limitations

@SuperKali Can you elaborate?


@SuperKali commented on GitHub (Oct 7, 2025):

@lixmal

Image

@fxandrei commented on GitHub (Oct 7, 2025):

> @fxandrei What's the windows version? See https://docs.netbird.io/how-to/browser-client#known-limitations
>
> @SuperKali Can you elaborate?

Yup.
Did not see that.
It is indeed Windows Server 2025.
So from what I see, I cannot use it on Windows Server 2025 and Windows 11 for now.


@flotpg commented on GitHub (Oct 7, 2025):

Just updated and the auth loop (https://github.com/netbirdio/netbird/issues/4577) is gone (IDP: Entra ID) but still not working.
Dev console shows a different error. I'm not using any proxy. See compose file in https://github.com/netbirdio/netbird/issues/4577

Image

@lixmal commented on GitHub (Oct 7, 2025):

@flotpg It looks like you're exposing signal without TLS. The error is pretty clear; the browser will refuse to connect without TLS if the dashboard is using TLS. That's not something we can fix.


@flotpg commented on GitHub (Oct 7, 2025):

@lixmal thanks for the heads-up - any hint how I can change this?


@Oriann commented on GitHub (Oct 7, 2025):

Hello folks, thanks for the update. I have edited my nginx proxy and upgraded netbird with dependencies. However, when I now click the RDP button in the dashboard, a window shows up with login details and port. That's OK. But after I send the credentials and click Connect, it hangs for a minute or two and nothing happens. Of course, the log showed some errors.

Log from my browser:

> IronRDP connection failed: IronError {__wbg_ptr: 1769792}
>
> IronRDP backtrace: RDCleanPath response decode
> Caused by:
> unexpected ASN.1 DER tag: expected SEQUENCE, got OCTET STRING
>
> IronRDP error kind: General (0)

Image

@scroguard commented on GitHub (Oct 8, 2025):

I just updated to the latest version and made sure my Caddyfile contained the newest ports per the guide. I was able to connect to RDP without any issues. Great work guys!


@SasSam commented on GitHub (Oct 8, 2025):

> Just updated and the auth loop (#4577) is gone (IDP: Entra ID) but still not working. Dev console shows different error. I'm not using any proxy. See compose file in #4577

I have the same issue. The self-hosted Netbird was installed by following the official doc and guide. I'm not behind any proxy.


@Oriann commented on GitHub (Oct 8, 2025):

Does somebody have a Traefik proxy? Just checking whether it's only an nginx problem or not.


@sevensolutions commented on GitHub (Oct 8, 2025):

> Does somebody have a Traefik proxy? Just checking whether it's only an nginx problem or not.

I have it running behind Traefik and updated to the latest version right now.
This is my config:

```yml
traefik:
    image: "traefik:v3.4"
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.websecure.address=:443"
      - "--certificatesresolvers.letsencrypt.acme.email=xxxx"
      - "--certificatesresolvers.letsencrypt.acme.storage=/acme-data/acme.json"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"

      #- "--experimental.plugins.real-ip.moduleName=github.com/Paxxs/traefik-get-real-ip"
      #- "--experimental.plugins.real-ip.version=v1.0.3"
      # - "--experimental.plugins.real-ip.moduleName=github.com/BetterCorp/cloudflarewarp"
      # - "--experimental.plugins.real-ip.version=v1.3.0"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "netbird-letsencrypt:/acme-data"
```

When I'm trying to connect via SSH, it opens the window and tries to connect for a few seconds.
I see lots of websocket requests to `wss://netbird.mydomain.com/ws-proxy/management`, but after a few seconds the window says "Connection failed".

Here is more output from the browser console:

```
WebSocket connection to 'wss://netbird.mydomain.com/ws-proxy/management' failed: 
construct @ 3763-92892e28d4796930.js:1
syscall/js.valueNew @ wasm_exec.js:404
$func2031 @ client:0x174ef1
$func2030 @ client:0x174c26
$func23420 @ client:0x135cb78
$func21645 @ client:0x11b523e
$func21647 @ client:0x11b61fe
$func23038 @ client:0x12fc23c
$func23037 @ client:0x12fbc2b
$func23036 @ client:0x12fadf2
$func1516 @ client:0x13e83b
$resume @ client:0x13e90a
_resume @ wasm_exec.js:559
(anonymous) @ wasm_exec.js:285Understand this error
wasm_exec.js:22 2025-10-08T20:52:00+02:00 ERRO shared/management/client/grpc.go:66: failed creating connection to Management Service: context deadline exceeded
wasm_exec.js:22 2025-10-08T20:52:00+02:00 ERRO client/internal/login.go:102: failed connecting to the Management service https://netbird.mydomain.com:443 context deadline exceeded
3763-92892e28d4796930.js:1 login: context deadline exceeded
2117-10baa1aa48bd24e6.js:1 SSH connection failed: dial x.x.x.x:44338: client not started
```

@mlsmaycon commented on GitHub (Oct 8, 2025):

@sevensolutions and @Oriann can you confirm that you've added the following labels?

```yaml
# management service
    - traefik.http.routers.netbird-wsproxy-mgmt.rule=Host(`$NETBIRD_DOMAIN`) && PathPrefix(`/ws-proxy/management`)
    - traefik.http.routers.netbird-wsproxy-mgmt.service=netbird-wsproxy-mgmt
    - traefik.http.services.netbird-wsproxy-mgmt.loadbalancer.server.port=33073

# signal service
    - traefik.http.routers.netbird-wsproxy-signal.rule=Host(`$NETBIRD_DOMAIN`) && PathPrefix(`/ws-proxy/signal`)
    - traefik.http.routers.netbird-wsproxy-signal.service=netbird-wsproxy-signal
    - traefik.http.services.netbird-wsproxy-signal.loadbalancer.server.port=80
```

@sevensolutions commented on GitHub (Oct 8, 2025):

Thank you @mlsmaycon these were missing.
I've added them but still got the same error. I've then also enabled TLS on both routes and now I get some new errors in the web console:

```
2025-10-08T21:32:21+02:00 WARN client/internal/profilemanager/service.go:356: failed to get active profile state: failed to set default active profile state: failed to stat active profile state path /var/lib/netbird/active_profile.json: stat /var/lib/netbird/active_profile.json: not implemented on js
wasm_exec.js:22 2025-10-08T21:32:21+02:00 WARN client/internal/engine.go:700: failed to populate DNS cache with management URL: add domain: resolve domain netbird.mydomain.com: lookup netbird.mydomain.com on [::1]:53: write udp 127.0.0.1:9->[::1]:53: write: Connection reset by peer
wasm_exec.js:22 2025-10-08T21:32:21+02:00 WARN client/internal/dns/mgmt/mgmt.go:323: failed to add/update domain=netbird.mydomain.com: resolve domain netbird.mydomain.com: lookup netbird.mydomain.com on [::1]:53: write udp 127.0.0.1:17->[::1]:53: write: Connection reset by peer
wasm_exec.js:22 2025-10-08T21:32:21+02:00 WARN client/internal/dns/mgmt/mgmt.go:323: failed to add/update domain=netbird.mydomain.com: resolve domain netbird.mydomain.com: lookup netbird.mydomain.com on [::1]:53: write udp 127.0.0.1:25->[::1]:53: write: Connection reset by peer
wasm_exec.js:22 2025-10-08T21:32:21+02:00 WARN client/internal/dns/mgmt/mgmt.go:323: failed to add/update domain=netbird.mydomain.com: resolve domain netbird.mydomain.com: lookup netbird.mydomain.com on [::1]:53: write udp 127.0.0.1:33->[::1]:53: write: Connection reset by peer
wasm_exec.js:22 2025-10-08T21:32:21+02:00 WARN client/internal/dns/mgmt/mgmt.go:323: failed to add/update domain=netbird.mydomain.com: resolve domain netbird.mydomain.com: lookup netbird.mydomain.com on [::1]:53: write udp 127.0.0.1:41->[::1]:53: write: Connection reset by peer
wasm_exec.js:22 2025-10-08T21:32:21+02:00 WARN client/internal/routemanager/manager.go:240: failed to load state: read state file: open /var/lib/netbird/state.json: not implemented on js
wasm_exec.js:22 2025-10-08T21:32:21+02:00 WARN client/internal/engine.go:496: WireGuard interface monitor: interface wt0 not found: failed to lookup interface: route ip+net: no such network interface
wasm_exec.js:22 2025-10-08T21:32:21+02:00 WARN client/internal/dns/mgmt/mgmt.go:323: failed to add/update domain=netbird.mydomain.com: resolve domain netbird.mydomain.com: lookup netbird.mydomain.com on [::1]:53: write udp 127.0.0.1:49->[::1]:53: write: Connection reset by peer
wasm_exec.js:22 2025-10-08T21:32:21+02:00 WARN client/internal/dns/mgmt/mgmt.go:323: failed to add/update domain=netbird.mydomain.com: resolve domain netbird.mydomain.com: lookup netbird.mydomain.com on [::1]:53: write udp 127.0.0.1:57->[::1]:53: write: Connection reset by peer
wasm_exec.js:22 2025-10-08T21:32:21+02:00 WARN client/internal/dns/mgmt/mgmt.go:323: failed to add/update domain=netbird.mydomain.com: resolve domain netbird.mydomain.com: lookup netbird.mydomain.com on [::1]:53: write udp 127.0.0.1:65->[::1]:53: write: Connection reset by peer
wasm_exec.js:22 2025-10-08T21:32:21+02:00 WARN client/internal/dns/mgmt/mgmt.go:323: failed to add/update domain=netbird.mydomain.com: resolve domain netbird.mydomain.com: lookup netbird.mydomain.com on [::1]:53: write udp 127.0.0.1:73->[::1]:53: write: Connection reset by peer
wasm_exec.js:22 2025-10-08T21:32:21+02:00 WARN client/internal/conn_mgr.go:95: lazy connection manager is enabled by management feature flag
2117-10baa1aa48bd24e6.js:1 SSH connection failed: dial x.x.x.x:44338: context deadline exceeded
```

@mlsmaycon commented on GitHub (Oct 8, 2025):

@sevensolutions, can you confirm that the peer running remotely has SSH enabled?

You need to enable it on both the dashboard and the client. See https://docs.netbird.io/how-to/ssh#enabling-ssh for more details.


@mlsmaycon commented on GitHub (Oct 8, 2025):

@SasSam @flotpg, you can do that by one of 3 options:

1. update your docker-compose.yml file, setting the following changes to the signal service:

   ```yaml
       depends_on:
         - dashboard
       volumes:
         - netbird-signal:/var/lib/netbird
         - netbird-letsencrypt:/etc/letsencrypt:ro
       ports:
         - 10000:80
       command: ["--cert-file", "/etc/letsencrypt/live/<NETBIRD_DOMAIN>/fullchain.pem",  "--cert-key", "/etc/letsencrypt/live/<NETBIRD_DOMAIN>/privkey.pem","--log-file", "console"]
    # replace NETBIRD_DOMAIN with your management domain
   ```
2. add a reverse proxy in front of your NetBird deployment
3. moving the signal to a dedicated server, exposing its listening ports as 80 and 443, and setting a `--letsencrypt-domain` that points to the new server.

Once any of these changes are done, you need to update your management.json file, changing the signal protocol from http to https and restarting the connection to your peers.


@Oriann commented on GitHub (Oct 8, 2025):

@mlsmaycon I have SSH enabled on both ends but still cannot connect. Also I have only nginx proxy set up, I asked about Traefik just to get more details what works.

Netbird error:
SSH connection failed. Check the console for details.

Browser console error:
`2117-10baa1aa48bd24e6.js:1 SSH connection failed: dial *.*.*.*:44338: connect tcp *.*.*.*:44338: connection was refused`


@mlsmaycon commented on GitHub (Oct 8, 2025):

@Oriann, can you confirm that SSH works from your own computer?


@Oriann commented on GitHub (Oct 8, 2025):

No problem, but do you mean SSH via the Netbird subnet or the remote LAN subnet of the remote machine?


@mlsmaycon commented on GitHub (Oct 8, 2025):

ssh via NetBird:

```shell
sudo netbird ssh <user>@<peer>
```

@Oriann commented on GitHub (Oct 8, 2025):

Does not work

Log from CMD:

```
netbird ssh ostritecky@100.*.*.* Error: dial tcp 100.*.*.*:44338: connectex: No connection could be made because the target machine actively refused it. Couldn't connect. Please check the connection status or if the ssh server is enabled on the other peer You can verify the connection by running: netbird status Error: dial tcp 100.*.*.*:44338: connectex: No connection could be made because the target machine actively refused it.
```

EDIT:
Just in case `netbird status`

```
netbird status
OS: windows/amd64
Daemon version: 0.59.4
CLI version: 0.59.4
Profile: default
Management: Connected
Signal: Connected
Relays: 1/3 Available
Nameservers: 3/3 Available
FQDN: pc-*.netbird.cloud
NetBird IP: 100*.*.*/16
Interface type: Userspace
Quantum resistance: false
Lazy connection: false
Networks: -
Forwarding rules: 0
Peers count: 8/10 Connected
```

@mlsmaycon commented on GitHub (Oct 8, 2025):

Can you check if it is enabled with:

```
sudo grep ServerSSHAllowed /var/lib/netbird/default.json
```

If it is set to false, can you run:

```shell
netbird down
netbird up --allow-server-ssh
```

@sevensolutions commented on GitHub (Oct 8, 2025):

> @sevensolutions, can you confirm that the peer running remotely has SSH enabled?
>
> You need to enable it on both the dashboard and the client. See https://docs.netbird.io/how-to/ssh#enabling-ssh for more details.

Thank you again @mlsmaycon.
I thought enabling this in the GUI would enable it remotely on the peer. I should better read the docs 🙈
But I have another very weird problem now.

I executed

```
netbird down
netbird up --allow-server-ssh
```

according to the docs but the `netbird up` command just froze with no log output.
I've restarted the server, restarted all netbird containers several times... Didn't work.
Then I've removed the labels again and the peer immediately connected again.

So it seems the new routes "somehow" break the initial agent connection.
Are the agents also using this route somehow?

I'm really not sure if this is some very bad infrastructure problem on my side and I will do some further testing tomorrow.


@mlsmaycon commented on GitHub (Oct 8, 2025):

@sevensolutions, by route, you mean the LB path route? No, they shouldn't. It is possible that some cleanup or one of the management domains wasn't available.

Can you get a debug bundle for me to check? You can generate one and upload it with:

```shell
netbird debug bundle --upload-bundle --anonymize
```

@sevensolutions commented on GitHub (Oct 8, 2025):

@mlsmaycon ok I've now re-added the traefik-labels and I can reproduce the same issue. `netbird up` just freezes.
I then created the debug bundle.
Here is the file key: `1f70b97ffde3a8a0183e3b7b8be8c9544392b2a7709e9bc9526e468232e012f6/dc07a1c2-076e-4de5-a03a-4e010454b402`


@mlsmaycon commented on GitHub (Oct 8, 2025):

@sevensolutions I am seeing errors like:

```
2025-10-08T16:41:23Z INFO client/internal/peer/guard/sr_watcher.go:106: reconnected to Signal or Relay server
2025-10-08T16:41:23Z INFO shared/signal/client/grpc.go:160: connected to the Signal Service stream
2025-10-08T16:42:23Z ERRO shared/signal/client/grpc.go:417: Stream receive error: rpc error: code = Internal desc = stream terminated by RST_STREAM with error code: INTERNAL_ERROR
2025-10-08T16:42:23Z WARN shared/signal/client/grpc.go:177: disconnected from the Signal service but will retry silently. Reason: rpc error: code = Internal desc = stream terminated by RST_STREAM with error code: INTERNAL_ERROR
```

To confirm, you've replaced the NETBIRD_DOMAIN with your domain? You should have something similar to this:

```yaml
    labels:
    - traefik.enable=true
    - traefik.http.routers.netbird-wsproxy-signal.rule=Host(`netbird.domain.com`) && PathPrefix(`/ws-proxy/signal`)
    - traefik.http.routers.netbird-wsproxy-signal.service=netbird-wsproxy-signal
    - traefik.http.services.netbird-wsproxy-signal.loadbalancer.server.port=80
    - traefik.http.routers.netbird-signal.rule=Host(`netbird.domain.com`) && PathPrefix(`/signalexchange.SignalExchange/`)
    - traefik.http.services.netbird-signal.loadbalancer.server.port=10000
    - traefik.http.services.netbird-signal.loadbalancer.server.scheme=h2c
```

@Oriann commented on GitHub (Oct 8, 2025):

@mlsmaycon

```
grep ServerSSHAllowed /var/lib/netbird/default.json
"ServerSSHAllowed": true,
```

But I achieved that in this order:

```
netbird down
netbird up --allow-server-ssh
```

If I use only this with netbird running

`netbird up --allow-server-ssh` it won't work

Also now CMD shows this:

```
netbird ssh user@100.*.*.*
Error: failed to run raw terminal: The parameter is incorrect.
```

SUMMARY:
SSH working now for me with nginx proxy.
RDP still does not work, see my previous post, if you want more info or debugging I will be at service tomorrow.


@mlsmaycon commented on GitHub (Oct 8, 2025):

@Oriann, can you confirm the remote Windows node version? We are not yet supporting Windows 11 or Windows server 2025


@Oriann commented on GitHub (Oct 8, 2025):

@mlsmaycon

```
Edition	Windows 10 Enterprise
Version	22H2
Date of install	27.03.2023
OS build number	19045.6332
```

@mlsmaycon commented on GitHub (Oct 8, 2025):

@Oriann thanks for confirming. If you have the chance, can you test with different browsers and maybe without extensions?


@sevensolutions commented on GitHub (Oct 8, 2025):

@mlsmaycon

> To confirm, you've replaced the NETBIRD_DOMAIN with your domain? You should have something similar to this:

Yes, I've replaced them.

This is what I have:

```
# On the signal container
    - traefik.http.routers.netbird-wsproxy-signal.rule=Host(`netbird.mydomain.com`) && PathPrefix(`/ws-proxy/signal`)
    - traefik.http.routers.netbird-wsproxy-signal.tls=true
    - traefik.http.routers.netbird-wsproxy-signal.tls.certresolver=letsencrypt
    - traefik.http.routers.netbird-wsproxy-signal.service=netbird-wsproxy-signal
    - traefik.http.services.netbird-wsproxy-signal.loadbalancer.server.port=80
# And on the management container
    - traefik.http.routers.netbird-wsproxy-mgmt.rule=Host(`netbird.mydomain.com`) && PathPrefix(`/ws-proxy/management`)
    - traefik.http.routers.netbird-wsproxy-mgmt.tls=true
    - traefik.http.routers.netbird-wsproxy-mgmt.tls.certresolver=letsencrypt
    - traefik.http.routers.netbird-wsproxy-mgmt.service=netbird-wsproxy-mgmt
    - traefik.http.services.netbird-wsproxy-mgmt.loadbalancer.server.port=33073
```

I also tried removing the added tls config again. No difference, still freezing.


@mlsmaycon commented on GitHub (Oct 8, 2025):

I will have to test the setup again and get back to you.


@SasSam commented on GitHub (Oct 9, 2025):

Does anyone have any ideas on how we could enable the WSS Socket without using a proxy? The repo's [`setup.env.example`](https://github.com/netbirdio/netbird/blob/main/infrastructure_files/setup.env.example#L114C1-L117C23) has only this:

```
# Signal service connecting port. If none is supplied
# it will default to 10000
# should be updated to match TLS-port of reverse proxy when netbird is running behind reverse proxy
NETBIRD_SIGNAL_PORT=""
```

So, I suppose most of us, like me, simply left it blank during the installation. Therefore, the Docker looks like this:

```
  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    volumes:
      - netbird-signal:/var/lib/netbird
    ports:
      - 10000:80
  #      # port and command for Let's Encrypt validation
  #       - 443:443
  #     command: ["--letsencrypt-domain", "netbird.example.com", "--log-file", "console"]
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
```

That's why we have [this](https://github.com/netbirdio/netbird/issues/4580#issuecomment-3375644489) issue:
`Mixed Content: The page at 'https://netbird.example.com/peer/rdp?id=asdfghjkl' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://netbird.example.com:10000/ws-proxy/signal'. This request has been blocked; this endpoint must be available over WSS.`

I tried changing the port to 10000:443, but had no luck.
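
The mixed-content block reported in the comment above, shown as an added example that is not part of the original thread or of NetBird's code: it parses the console line and checks which endpoints a browser would refuse to open from the HTTPS dashboard. The function names are hypothetical, the sample console line is constructed from the error quoted above, and the `wss://` management URL is a constructed value.

```javascript
// Added example (not NetBird code). All function names are hypothetical.
// Scheme each insecure endpoint must be upgraded to when the page is HTTPS.
const SECURE_UPGRADE = { "ws:": "wss:", "http:": "https:" };
const SECURE_SCHEMES = new Set(["wss:", "https:"]);

// Constructed sample: the console error quoted in the thread.
const SAMPLE_CONSOLE_LINE =
  "Mixed Content: The page at 'https://netbird.example.com/peer/rdp?id=asdfghjkl' " +
  "was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint " +
  "'ws://netbird.example.com:10000/ws-proxy/signal'. This request has been blocked; " +
  "this endpoint must be available over WSS.";

// Pull the page URL and the refused endpoint out of a "Mixed Content" console line.
// Returns null for any other console line.
function parseMixedContentError(line) {
  const re = new RegExp(
    "^Mixed Content: The page at '([^']+)' was loaded over HTTPS, " +
    "but attempted to connect to the insecure WebSocket endpoint '([^']+)'"
  );
  const m = re.exec(line);
  return m ? { page: m[1], endpoint: m[2] } : null;
}

// Decide whether `endpoint` can be opened from `page`.
// status: "ok" | "blocked" | "invalid"
function checkEndpoint(page, endpoint) {
  let p, e;
  try {
    p = new URL(page);
    e = new URL(endpoint);
  } catch (err) {
    return { endpoint, status: "invalid", reason: "URL does not parse" };
  }
  if (p.protocol !== "https:") {
    return { endpoint, status: "ok", reason: "page is not HTTPS, no mixed-content check applies" };
  }
  if (SECURE_SCHEMES.has(e.protocol)) {
    return { endpoint, status: "ok", reason: "endpoint already uses TLS" };
  }
  const upgraded = SECURE_UPGRADE[e.protocol];
  if (!upgraded) {
    return { endpoint, status: "invalid", reason: "unsupported scheme " + e.protocol };
  }
  return {
    endpoint,
    status: "blocked",
    reason: e.protocol + " from an HTTPS page is mixed content",
    // Same host, port and path with the TLS scheme. Whatever listens on that
    // port (the service itself or a reverse proxy) must really terminate TLS.
    required: upgraded + "//" + e.host + e.pathname + e.search,
  };
}

// Check every endpoint the browser client will dial from one dashboard page.
function auditEndpoints(page, endpoints) {
  return endpoints.map((ep) => checkEndpoint(page, ep));
}

// Only the endpoints that need fixing.
function blockedEndpoints(page, endpoints) {
  return auditEndpoints(page, endpoints).filter((v) => v.status === "blocked");
}

// Demo: start from the console line, then audit a constructed endpoint list.
const parsedSample = parseMixedContentError(SAMPLE_CONSOLE_LINE);
const demoEndpoints = [
  parsedSample.endpoint,                           // from the console line
  "wss://netbird.example.com/ws-proxy/management", // constructed value
];
for (const v of auditEndpoints(parsedSample.page, demoEndpoints)) {
  console.log(v.status.padEnd(8), v.endpoint, v.required ? "-> " + v.required : "");
}
```
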


@davidchi2020 commented on GitHub (Oct 9, 2025):

I encountered an issue while using the recently launched feature to connect via RDP through the web dashboard. The peer remains in an Idle state. I suspect this might be related to the problem where the NetBird client on Windows systems has been unable to establish peer connections since version 0.58.0. My Windows version is Windows 10 22H2 Enterprise 19045.5796, the NetBird server is self-hosted and upgraded to the version dated 2025-10-09, and the NetBird client version is 0.59.4.

Image

@dzxx36gyy commented on GitHub (Oct 9, 2025):

@SasSam The Signal Container log shows it only provides "HTTP server with WebSocket proxy (no TLS)" on port 80, which means it's WS rather than WSS, to get WSS.
So, if you want to make the Signal run with SSL (WSS), you must allocate a cert to it. (refer to https://github.com/netbirdio/netbird/tree/main/signal)
Also, you may need to build the container by yourself since the official one didn't use these flags.

These operations are not good for future upgrades, so using a proxy may be a better choice.


@dzxx36gyy commented on GitHub (Oct 9, 2025):

> I encountered an issue while using the recently launched feature to connect via RDP through the web dashboard. The peer remains in an Idle state. I suspect this might be related to the problem where the NetBird client on Windows systems has been unable to establish peer connections since version 0.58.0. My Windows version is Windows 10 22H2 Enterprise 19045.5796, the NetBird server is self-hosted and upgraded to the version dated 2025-10-09, and the NetBird client version is 0.59.4.
>
> Image

Check if the last seen of this peer is reachable on your dashboard.

This feature connects the peer via the relay rather than directly. So, maybe you can check what the console said in your F12 log.


@davidchi2020 commented on GitHub (Oct 9, 2025):

> > I encountered an issue while using the recently launched feature to connect via RDP through the web dashboard. The peer remains in an Idle state. I suspect this might be related to the problem where the NetBird client on Windows systems has been unable to establish peer connections since version 0.58.0. My Windows version is Windows 10 22H2 Enterprise 19045.5796, the NetBird server is self-hosted and upgraded to the version dated 2025-10-09, and the NetBird client version is 0.59.4.
> >
> > Image
>
> Check if the last seen of this peer is reachable on your dashboard.
>
> This feature connects the peer via the relay rather than directly. So, maybe you can check what the console said in your F12 log.

The dashboard shows that the Windows system peer is online. When connecting via RDP, after waiting for about 2 minutes, an error message pops up in the browser, as shown in Figure 1. The information displayed in F12 doesn’t seem to show any obvious errors, as shown in Figure 2. I’m not sure which specific information would be helpful to provide.

Image Image

@davidchi2020 commented on GitHub (Oct 9, 2025):

> > I encountered an issue while using the recently launched feature to connect via RDP through the web dashboard. The peer remains in an Idle state. I suspect this might be related to the problem where the NetBird client on Windows systems has been unable to establish peer connections since version 0.58.0. My Windows version is Windows 10 22H2 Enterprise 19045.5796, the NetBird server is self-hosted and upgraded to the version dated 2025-10-09, and the NetBird client version is 0.59.4.
> >
> > Image
>
> Check if the last seen of this peer is reachable on your dashboard.
>
> This feature connects the peer via the relay rather than directly. So, maybe you can check what the console said in your F12 log.

Image Image Image

@mlsmaycon commented on GitHub (Oct 9, 2025):

@SasSam I think you missed this message: https://github.com/netbirdio/netbird/issues/4580#issuecomment-3383010649


@mlsmaycon commented on GitHub (Oct 9, 2025):

@davidchi2020 can you confirm that RDP works from your own machine?


@Oriann commented on GitHub (Oct 9, 2025):

@mlsmaycon I have the same symptoms as @davidchi2020

Tried Chrome, Edge, Firefox.

This log is from testing with Firefox:

Netbird

```
RDP Connection Error
RDCleanPath response decode Caused by: unexpected ASN.1 DER tag: expected SEQUENCE, got OCTET STRING
```

Firefox console:

```
`WebAssembly.instantiateStreaming` failed because your server does not serve Wasm with `application/wasm` MIME type. Falling back to `WebAssembly.instantiate` which is slower. Original error:
 TypeError: WebAssembly: Response has unsupported MIME type 'application/octet-stream' expected 'application/wasm' [ironrdp_web.js:1145:29](https://netbird.ostritecky.cz/ironrdp-pkg/ironrdp_web.js)
IronRDP connection failed: 
Object { __wbg_ptr: 1769736 }
[2117-10baa1aa48bd24e6.js:1:4064](https://netbird.ostritecky.cz/_next/static/chunks/2117-10baa1aa48bd24e6.js)
IronRDP backtrace: RDCleanPath response decode

Caused by:
    unexpected ASN.1 DER tag: expected SEQUENCE, got OCTET STRING [2117-10baa1aa48bd24e6.js:1:4064](https://netbird.ostritecky.cz/_next/static/chunks/2117-10baa1aa48bd24e6.js)
IronRDP error kind: General (0)
```

Also for your Q: classic RDP works without hassle. Maybe I will mention the PC is in a domain and logging in is via a domain account, if that's not a problem.


@davidchi2020 commented on GitHub (Oct 9, 2025):

> @davidchi2020 can you confirm that RDP works from your own machine?

Yes. This screenshot was taken after I directly used an RDP client to log in to that Windows PC and ran the netbird command.

Image

So I suspect this is actually related to the issue where Netbird on Windows systems, starting from version 0.58.0, is unable to establish connections with other peers.


@dzxx36gyy commented on GitHub (Oct 9, 2025):

@davidchi2020 Does del & add the peer help?
Since even you cannot make a direct connection, it can still connect via the relay.
Also, you can connect to that desktop, run the command in PowerShell `netbird.exe status -Ad` to check the details of the connection.
You can also check the log files, for Windows, it should be located in `C:\ProgramData\Netbird` (linux `/var/log/netbird/`)


@Oriann commented on GitHub (Oct 9, 2025):

@mlsmaycon new info here. As many of my devices are in domain I have tried to RDP to computer without domain and it works. I suspect the problem is login format domain\user ?

SUMMARY
SSH - working but need to take netbird down first
RDP - working but not for domain PCs and Windows 11 and Windows server 2025

If somebody else has more info, pls report so devs can iron things out.

EDIT: Also RDP is for now kinda slow and resizing the window makes the display reload. Internet connection between my devices is approx. 70/70Mbit so no network problems.


@dzxx36gyy commented on GitHub (Oct 9, 2025):

@Oriann So if there's AD, then it failed? Also, I find that, if the peer has logged in to a Microsoft account, it will fail with the same error.


@Oriann commented on GitHub (Oct 9, 2025):

@dzxx36gyy Yes, my computers are not logged into MS accounts only connected to AD.


@davidchi2020 commented on GitHub (Oct 9, 2025):

> @davidchi2020 Does del & add the peer help? Since even you cannot make a direct connection, it can still connect via the relay. Also, you can connect to that desktop, run the command in PowerShell `netbird.exe status -Ad` to check the details of the connection. You can also check the log files, for Windows, it should be located in `C:\ProgramData\Netbird` (linux `/var/log/netbird/`)

  1. Re-adding the peer did not fix the problem.
  2. Initiating an RDP from the dashboard and running `netbird status -Ad` on the Windows PC reveals a peer named "chrome" with status "Idle".
  3. Log output:

```
2025-10-10T11:04:35+08:00 INFO client/internal/engine.go:873: SSH server is not enabled
2025-10-10T11:04:36+08:00 INFO client/internal/dns/host_windows.go:267: added 2 separate NRPT entries. Domain list: [.netbird.selfhosted .109.100.in-addr.arpa]
2025-10-10T11:04:36+08:00 INFO client/internal/dns/host_windows.go:348: updated search domains: [netbird.selfhosted]
2025-10-10T11:04:36+08:00 INFO client/internal/acl/manager.go:72: ACL rules processed in: 505.9µs, total rules count: 12
2025-10-10T11:04:36+08:00 WARN [peer: CbDfggs6jAwl5SpqQcWIoGQ3YR3ysHvuCEE3D1HDAmk=] client/internal/conn_mgr.go:174: peer does not support lazy connection (), open permanent connection
2025-10-10T11:04:36+08:00 INFO client/internal/engine.go:873: SSH server is not enabled
2025-10-10T11:04:36+08:00 INFO client/internal/acl/manager.go:72: ACL rules processed in: 106.9µs, total rules count: 12
2025-10-10T11:04:36+08:00 INFO [peer: CbDfggs6jAwl5SpqQcWIoGQ3YR3ysHvuCEE3D1HDAmk=] client/internal/conn_mgr.go:220: removed peer from lazy conn manager
2025-10-10T11:04:36+08:00 INFO [peer: CbDfggs6jAwl5SpqQcWIoGQ3YR3ysHvuCEE3D1HDAmk=] client/internal/peer/conn.go:228: close peer connection
2025-10-10T11:04:36+08:00 INFO [peer: CbDfggs6jAwl5SpqQcWIoGQ3YR3ysHvuCEE3D1HDAmk=] client/internal/peer/guard/guard.go:42: starting guard for reconnection with MaxInterval: 31.767s
2025-10-10T11:04:36+08:00 INFO [peer: CbDfggs6jAwl5SpqQcWIoGQ3YR3ysHvuCEE3D1HDAmk=] client/internal/peer/handshaker.go:114: stop listening for remote offers and answers
2025-10-10T11:04:36+08:00 INFO [peer: CbDfggs6jAwl5SpqQcWIoGQ3YR3ysHvuCEE3D1HDAmk=] client/internal/peer/conn.go:262: peer connection closed
2025-10-10T11:04:36+08:00 INFO [peer: CbDfggs6jAwl5SpqQcWIoGQ3YR3ysHvuCEE3D1HDAmk=] client/internal/lazyconn/activity/listener.go:42: created activity listener: 127.0.0.1:54278
2025-10-10T11:04:36+08:00 INFO [peer: CbDfggs6jAwl5SpqQcWIoGQ3YR3ysHvuCEE3D1HDAmk=] client/internal/conn_mgr.go:204: peer added to lazy conn manager
2025-10-10T11:04:39+08:00 INFO client/internal/dns/host_windows.go:318: registered DNS names
2025-10-10T11:04:39+08:00 INFO client/internal/dns/host_windows.go:341: flushed DNS cache
```

@davidchi2020 commented on GitHub (Oct 9, 2025):

After globally disabling the lazy connections feature, my issue was resolved. Therefore, the problem I encountered likely appeared after version 0.58.0, stemming from changes in the mechanism used by the Netbird client on Windows systems to manage the lazy state.


@bySimpson commented on GitHub (Oct 10, 2025):

I am receiving different errors when adding the netbird-wsproxy-signal part. The management route I can add without any problems. None of my nodes can connect until I comment it out again. Did you find a solution? My signal service's compose file looks like this:

```yml
  # Signal
  signal:
    <<: *default
    image: netbirdio/signal:latest
    volumes:
      - netbird-signal:/var/lib/netbird
    labels:
    - traefik.enable=true
    - traefik.http.routers.netbird-wsproxy-signal.rule=Host(`netbird.mydomain.eu`) && PathPrefix(`/ws-proxy/signal`)
    - traefik.http.routers.netbird-wsproxy-signal.service=netbird-wsproxy-signal
    - traefik.http.services.netbird-wsproxy-signal.loadbalancer.server.port=80
    - traefik.http.routers.netbird-signal.rule=Host(`netbird.mydomain.eu`) && PathPrefix(`/signalexchange.SignalExchange/`)
    - traefik.http.services.netbird-signal.loadbalancer.server.port=10000
    - traefik.http.services.netbird-signal.loadbalancer.server.scheme=h2c
    - "traefik.http.routers.netbird-signal.tls=true"
    - "traefik.http.routers.netbird-signal.tls.certresolver=zerossl"
    - "traefik.http.routers.netbird-signal.entrypoints=https"
    - "traefik.http.routers.netbird-wsproxy-signal.tls=true"
    - "traefik.http.routers.netbird-wsproxy-signal.tls.certresolver=zerossl"
    - "traefik.http.routers.netbird-wsproxy-signal.entrypoints=https"
    networks:
      - proxy
      - netbird
```

The following errors are thrown in the client.log when trying to connect:

```
2025-10-10T14:06:40+02:00 ERRO client/iface/udpmux/universal.go:98: error while reading packet: shared socked stopped
2025-10-10T14:06:40+02:00 INFO client/iface/iface.go:298: interface wt0 has been removed
2025-10-10T14:06:40+02:00 INFO client/internal/engine.go:340: stopped Netbird Engine
2025-10-10T14:06:40+02:00 INFO client/internal/connect.go:305: stopped NetBird client
2025-10-10T14:06:40+02:00 INFO shared/signal/client/worker.go:51: Message worker stopping due to context cancellation
2025-10-10T14:06:40+02:00 INFO client/server/server.go:823: service is down
2025-10-10T14:06:42+02:00 INFO client/server/server.go:451: active profile: default for 
2025-10-10T14:06:42+02:00 INFO client/server/server.go:685: active profile: default for 
2025-10-10T14:06:42+02:00 INFO client/internal/connect.go:124: starting NetBird client version 0.59.5 on linux/amd64
2025-10-10T14:06:42+02:00 INFO client/net/env_linux.go:70: system supports advanced routing
2025-10-10T14:06:43+02:00 INFO client/internal/connect.go:265: connecting to the Relay service(s): rels://netbird.mydomain.eu:443/relay
2025-10-10T14:06:43+02:00 INFO shared/relay/client/picker.go:71: try to connecting to relay server: rels://netbird.mydomain.eu:443/relay
2025-10-10T14:06:43+02:00 INFO [relay: rels://netbird.mydomain.eu:443/relay] shared/relay/client/client.go:168: create new relay connection: local peerID: <REDAC>=, local peer hashedID: <REDAC>
2025-10-10T14:06:43+02:00 INFO [relay: rels://netbird.mydomain.eu:443/relay] shared/relay/client/client.go:174: connecting to relay server
2025-10-10T14:06:43+02:00 INFO [relay: rels://netbird.mydomain.eu:443/relay] shared/relay/client/dialer/race_dialer.go:66: dialing Relay server via quic
2025-10-10T14:06:43+02:00 INFO [relay: rels://netbird.mydomain.eu:443/relay] shared/relay/client/dialer/race_dialer.go:66: dialing Relay server via WS
2025-10-10T14:06:43+02:00 ERRO shared/relay/client/dialer/quic/quic.go:56: failed to resolve UDP address: lookup udp/443/relay: unknown port
2025-10-10T14:06:43+02:00 ERRO [relay: rels://netbird.mydomain.eu:443/relay] shared/relay/client/dialer/race_dialer.go:79: failed to dial via quic: lookup udp/443/relay: unknown port
2025-10-10T14:06:43+02:00 INFO [relay: rels://netbird.mydomain.eu:443/relay] shared/relay/client/dialer/race_dialer.go:91: successfully dialed via: WS
2025-10-10T14:06:43+02:00 INFO [relay: rels://netbird.mydomain.eu:443/relay] shared/relay/client/client.go:196: relay connection established
2025-10-10T14:06:43+02:00 INFO shared/relay/client/picker.go:89: connected to Relay server: rels://netbird.mydomain.eu:443/relay
2025-10-10T14:06:43+02:00 INFO shared/relay/client/picker.go:63: chosen home Relay server: rels://netbird.mydomain.eu:443/relay
2025-10-10T14:06:43+02:00 INFO client/internal/engine.go:269: I am: <REDA>
2025-10-10T14:06:43+02:00 INFO client/iface/wgproxy/ebpf/proxy.go:97: local wg proxy listening on: 3128
2025-10-10T14:06:43+02:00 INFO client/iface/wgproxy/factory_kernel.go:31: WireGuard Proxy Factory will produce eBPF proxy
2025-10-10T14:06:43+02:00 INFO client/internal/engine.go:387: rosenpass is enabled
2025-10-10T14:06:43+02:00 INFO client/internal/engine.go:389: running rosenpass in permissive mode
2025-10-10T14:06:44+02:00 INFO client/internal/rosenpass/manager.go:158: starting rosenpass server on port 45123
2025-10-10T14:06:44+02:00 INFO client/internal/routemanager/manager.go:230: Routing setup complete
2025-10-10T14:06:44+02:00 INFO client/firewall/create_linux.go:73: creating an nftables firewall manager
2025-10-10T14:06:44+02:00 INFO client/internal/engine.go:554: rosenpass interface traffic allowed on port 45123
2025-10-10T14:06:44+02:00 INFO client/internal/dns/host_unix.go:54: System DNS manager discovered: file
2025-10-10T14:06:44+02:00 INFO client/internal/conn_mgr.go:62: lazy connection manager is disabled
2025-10-10T14:06:44+02:00 WARN shared/signal/client/grpc.go:154: disconnected from the Signal Exchange due to an error: didn't receive a registration header from the Signal server whille connecting to the streams
2025-10-10T14:06:45+02:00 WARN shared/signal/client/grpc.go:154: disconnected from the Signal Exchange due to an error: didn't receive a registration header from the Signal server whille connecting to the streams
2025-10-10T14:06:45+02:00 WARN shared/signal/client/grpc.go:154: disconnected from the Signal Exchange due to an error: didn't receive a registration header from the Signal server whille connecting to the streams
2025-10-10T14:06:46+02:00 WARN shared/signal/client/grpc.go:154: disconnected from the Signal Exchange due to an error: didn't receive a registration header from the Signal server whille connecting to the streams
2025-10-10T14:06:50+02:00 INFO ./caller_not_available:0: 2025/10/10 14:06:50 WARNING: [core] [Server #1]grpc: Server.processUnaryRPC failed to write status: connection error: desc = "transport is closing"
2025-10-10T14:06:53+02:00 WARN shared/signal/client/grpc.go:154: disconnected from the Signal Exchange due to an error: didn't receive a registration header from the Signal server whille connecting to the streams
2025-10-10T14:06:56+02:00 WARN shared/signal/client/grpc.go:154: disconnected from the Signal Exchange due to an error: didn't receive a registration header from the Signal server whille connecting to the streams
2025-10-10T14:07:16+02:00 WARN shared/signal/client/grpc.go:154: disconnected from the Signal Exchange due to an error: didn't receive a registration header from the Signal server whille connecting to the streams
2025-10-10T14:07:27+02:00 WARN shared/signal/client/grpc.go:154: disconnected from the Signal Exchange due to an error: didn't receive a registration header from the Signal server whille connecting to the streams
2025-10-10T14:07:40+02:00 WARN shared/signal/client/grpc.go:154: disconnected from the Signal Exchange due to an error: didn't receive a registration header from the Signal server whille connecting to the streams
2025-10-10T14:07:52+02:00 WARN shared/signal/client/grpc.go:154: disconnected from the Signal Exchange due to an error: didn't receive a registration header from the Signal server whille connecting to the streams
2025-10-10T14:07:57+02:00 WARN shared/signal/client/grpc.go:154: disconnected from the Signal Exchange due to an error: didn't receive a registration header from the Signal server whille connecting to the streams
2025-10-10T14:08:07+02:00 WARN shared/signal/client/grpc.go:154: disconnected from the Signal Exchange due to an error: didn't receive a registration header from the Signal server whille connecting to the streams
```

Is there something I am still missing?
(I am using Authentik as identity provider)


@mlsmaycon commented on GitHub (Oct 10, 2025):

Hey Folks, the Traefik issue is caused by a missing router to service attribution. You can add this label to the service to fix the issue:

```yaml
- traefik.http.routers.netbird-signal.service=netbird-signal
```

I've prepared a self-contained docker compose with Traefik and NetBird deployment as an example:

[docker-compose.yml](https://github.com/user-attachments/files/22853898/docker-compose.yml)
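The missing router-to-service binding described above, as an added example that is not code from the thread, NetBird or Traefik: a small Python check that applies Traefik's label rule (a router with no `service` label is bound automatically only when the container defines at most one service) to the labels posted earlier in the thread. The function names are hypothetical; the label values are copied from the posted compose file.

```python
import re

# Label keys that define a router option or a service on a container.
ROUTER_KEY = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")
SERVICE_KEY = re.compile(r"^traefik\.http\.services\.([^.]+)\..+$")

# Labels of the signal service as posted in the thread (before the fix).
POSTED_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.netbird-wsproxy-signal.rule=Host(`netbird.mydomain.eu`) && PathPrefix(`/ws-proxy/signal`)",
    "traefik.http.routers.netbird-wsproxy-signal.service=netbird-wsproxy-signal",
    "traefik.http.services.netbird-wsproxy-signal.loadbalancer.server.port=80",
    "traefik.http.routers.netbird-signal.rule=Host(`netbird.mydomain.eu`) && PathPrefix(`/signalexchange.SignalExchange/`)",
    "traefik.http.services.netbird-signal.loadbalancer.server.port=10000",
    "traefik.http.services.netbird-signal.loadbalancer.server.scheme=h2c",
    "traefik.http.routers.netbird-signal.tls=true",
    "traefik.http.routers.netbird-signal.tls.certresolver=zerossl",
    "traefik.http.routers.netbird-signal.entrypoints=https",
    "traefik.http.routers.netbird-wsproxy-signal.tls=true",
    "traefik.http.routers.netbird-wsproxy-signal.tls.certresolver=zerossl",
    "traefik.http.routers.netbird-wsproxy-signal.entrypoints=https",
]

# The label suggested in the thread as the fix.
FIX_LABEL = "traefik.http.routers.netbird-signal.service=netbird-signal"


def parse_labels(lines):
    """Return (routers, services) found in a list of 'key=value' labels.

    routers maps router name -> {option: value}; services is a set of names.
    Lines may be pasted straight from a compose file ('- ' prefix, quotes).
    """
    routers, services = {}, set()
    for line in lines:
        text = line.strip()
        if text.startswith("- "):
            text = text[2:].strip()
        text = text.strip("\"'")
        key, sep, value = text.partition("=")
        if not sep:
            continue  # not a key=value label
        match = ROUTER_KEY.match(key)
        if match:
            routers.setdefault(match.group(1), {})[match.group(2)] = value
            continue
        match = SERVICE_KEY.match(key)
        if match:
            services.add(match.group(1))
    return routers, services


def resolve_services(lines):
    """Map each router to (how, service) following Traefik's label rules."""
    routers, services = parse_labels(lines)
    resolved = {}
    for name, options in routers.items():
        if "service" in options:
            # An explicit binding always wins.
            resolved[name] = ("explicit", options["service"])
        elif len(services) == 1:
            # One service on the container: assigned automatically.
            resolved[name] = ("auto", next(iter(services)))
        elif not services:
            # No service labels: Traefik creates one for the container.
            resolved[name] = ("generated", None)
        else:
            # Several services and no binding: the router cannot be linked.
            resolved[name] = ("ambiguous", None)
    return resolved


def unbound_routers(lines):
    """Names of routers Traefik cannot link to a service."""
    resolved = resolve_services(lines)
    return sorted(n for n, (how, _) in resolved.items() if how == "ambiguous")


if __name__ == "__main__":
    print("before fix:", unbound_routers(POSTED_LABELS))
    print("after fix: ", unbound_routers(POSTED_LABELS + [FIX_LABEL]))
```

With only the original `netbird-signal` service defined, the router is bound automatically, which is why the deployment worked until the `netbird-wsproxy-signal` service labels were added.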


@bySimpson commented on GitHub (Oct 10, 2025):

> Hey Folks, the Traefik issue is caused by a missing router to service attribution. You can add this label to the service to fix the issue:
>
> - traefik.http.routers.netbird-signal.service=netbird-signal
>
> I've prepared a self-contained docker compose with Traefik and NetBird deployment as an example:
>
> docker-compose.yml

Can confirm, this fixes my issue. Thanks!


@mlsmaycon commented on GitHub (Oct 10, 2025):

@Oriann we are working on a fix for the AD login.


@mlsmaycon commented on GitHub (Oct 10, 2025):

Folks, we discovered an issue with lazy connections for Windows nodes.

If you have it enabled, please disable lazy connections for your Windows and try again.

We are looking into the issue and will update you soon.


@flotpg commented on GitHub (Oct 10, 2025):

> @SasSam @flotpg, you can do that by one of 3 options:
>
> 1. update your docker-compose.yml file, setting the following changes to the signal service:
>
> ```yaml
> depends_on:
>   - dashboard
> volumes:
>   - netbird-signal:/var/lib/netbird
>   - netbird-letsencrypt:/etc/letsencrypt:ro
> ports:
>   - 10000:80
> command: ["--cert-file", "/etc/letsencrypt/live/<NETBIRD_DOMAIN>/fullchain.pem", "--cert-key", "/etc/letsencrypt/live/<NETBIRD_DOMAIN>/privkey.pem","--log-file", "console"]
> # replace NETBIRD_DOMAIN with your management domain
> ```
>
> 2. add a reverse proxy in front of your NetBird deployment
> 3. moving the signal to a dedicated server, exposing its listening ports as 80 and 443, and setting a `--letsencrypt-domain` that points to the new server.
>
> Once any of these changes are done, you need to update your management.json file, changing the signal protocol from http to https and restarting the connection to your peers.

So rv-proxy is a strict requirement?


@sevensolutions commented on GitHub (Oct 11, 2025):

> Hey Folks, the Traefik issue is caused by a missing router to service attribution. You can add this label to the service to fix the issue:
>
> - traefik.http.routers.netbird-signal.service=netbird-signal
>
> I've prepared a self-contained docker compose with Traefik and NetBird deployment as an example:
>
> [docker-compose.yml](https://github.com/user-attachments/files/22853898/docker-compose.yml)

Thank you so much @mlsmaycon, this was the missing piece.
SSH is working now and also the hanging `netbird up` command is solved. 👍


@mlsmaycon commented on GitHub (Oct 11, 2025):

@flotpg these are 3 options, or you do the first, or the second or the third.


@CodeShellDev commented on GitHub (Oct 11, 2025):

Hey there I am also using traefik,
I cannot ssh into my peers via Dashboard (netbird ssh works).
My compose file is as follows:

```yaml
---
services:
  dashboard:
    container_name: netbird-dashboard
    image: netbirdio/dashboard:latest
    restart: unless-stopped
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://${HOST}:443
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://${HOST}:443
      # OIDC
      - AUTH_AUDIENCE=${AUDIENCE}
      - AUTH_CLIENT_ID=${CLIENT_ID}
      - AUTH_CLIENT_SECRET=
      - AUTH_AUTHORITY=${AUTH_URL}
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
      - AUTH_REDIRECT_URI=
      - AUTH_SILENT_REDIRECT_URI=
      - NETBIRD_TOKEN_SOURCE=accessToken
      # SSL
      - NGINX_SSL_PORT=443
      # Letsencrypt
      - LETSENCRYPT_DOMAIN=
      - LETSENCRYPT_EMAIL=
    networks:
      - frontend
    labels:
      - traefik.enable=true
      - traefik.http.routers.netbird-dashboard.entrypoints=websecure, web
      - traefik.http.routers.netbird-dashboard.rule=Host(`${HOST}`)
      - traefik.http.routers.netbird-dashboard.tls=true
      - traefik.http.routers.netbird-dashboard.tls.certresolver=cloudflare
      - traefik.http.routers.netbird-dashboard.service=netbird-dashboard-svc
      - traefik.http.services.netbird-dashboard-svc.loadbalancer.server.port=80
      - traefik.docker.network=frontend

  signal:
    container_name: netbird-signal
    image: netbirdio/signal:latest
    restart: unless-stopped
    volumes:
      - netbird-signal:/var/lib/netbird
    networks:
      - frontend
    labels:
      - traefik.enable=true

      - traefik.http.routers.netbird-signal-ws.entrypoints=websecure, web
      - traefik.http.routers.netbird-signal-ws.rule=Host(`${HOST}`) && PathPrefix(`/ws-proxy/signal`)
      - traefik.http.routers.netbird-signal-ws.tls=true
      - traefik.http.routers.netbird-signal-ws.tls.certresolver=cloudflare
      - traefik.http.routers.netbird-signal-ws.service=netbird-signal-ws-svc

      - traefik.http.services.netbird-signal-ws-svc.loadbalancer.server.port=80

      - traefik.http.routers.netbird-signal.entrypoints=websecure, web
      - traefik.http.routers.netbird-signal.rule=Host(`${HOST}`) && PathPrefix(`/signalexchange.SignalExchange/`)
      - traefik.http.routers.netbird-signal.tls=true
      - traefik.http.routers.netbird-signal.tls.certresolver=cloudflare
      - traefik.http.routers.netbird-signal.service=netbird-signal-svc
      - traefik.http.services.netbird-signal-svc.loadbalancer.server.port=80
      - traefik.http.services.netbird-signal-svc.loadbalancer.server.scheme=h2c
      - traefik.docker.network=frontend

  relay:
    container_name: netbird-relay
    image: netbirdio/relay:latest
    restart: unless-stopped
    environment:
      - NB_LOG_LEVEL=debug
      - NB_LISTEN_ADDRESS=:33080
      - NB_EXPOSED_ADDRESS=${RELAY}:33080
      - NB_AUTH_SECRET=${RELAY_SECRET}
    ports:
      - "33080:33080"

  management:
    container_name: netbird-management
    image: netbirdio/management:latest
    restart: unless-stopped
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - ./correct-management.json:/etc/netbird/management.json
    command:
      [
        "--port",
        "443",
        "--log-file",
        "console",
        "--disable-anonymous-metrics=true",
        "--single-account-mode-domain=${HOST}",
        "--dns-domain=${DOMAIN}",
      ]
    networks:
      - frontend
    labels:
      - traefik.enable=true
      - traefik.http.routers.netbird-api.entrypoints=websecure, web
      - traefik.http.routers.netbird-api.rule=Host(`${HOST}`) && PathPrefix(`/api`)
      - traefik.http.routers.netbird-api.tls=true
      - traefik.http.routers.netbird-api.tls.certresolver=cloudflare
      - traefik.http.routers.netbird-api.service=netbird-api-svc

      - traefik.http.services.netbird-api-svc.loadbalancer.server.port=443

      - traefik.http.routers.netbird-management-ws.entrypoints=websecure, web
      - traefik.http.routers.netbird-management-ws.rule=Host(`${HOST}`) && PathPrefix(`/ws-proxy/management`)
      - traefik.http.routers.netbird-management-ws.tls=true
      - traefik.http.routers.netbird-management-ws.tls.certresolver=cloudflare
      - traefik.http.routers.netbird-management-ws.service=netbird-management-ws-svc

      - traefik.http.services.netbird-management-ws-svc.loadbalancer.server.port=443

      - traefik.http.routers.netbird-management.entrypoints=websecure, web
      - traefik.http.routers.netbird-management.rule=Host(`${HOST}`) && PathPrefix(`/management.ManagementService/`)
      - traefik.http.routers.netbird-management.tls=true
      - traefik.http.routers.netbird-management.tls.certresolver=cloudflare
      - traefik.http.routers.netbird-management.service=netbird-management-svc

      - traefik.http.services.netbird-management-svc.loadbalancer.server.port=443
      - traefik.http.services.netbird-management-svc.loadbalancer.server.scheme=h2c

      - traefik.docker.network=frontend

  coturn:
    container_name: netbird-coturn
    image: coturn/coturn:latest
    restart: unless-stopped
    hostname: ${TURN}
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf

volumes:
  netbird-mgmt:
  netbird-signal:

networks:
  frontend:
    external: true
```

I am getting „Connection Failed“ from the UI.


@mlsmaycon commented on GitHub (Oct 11, 2025):

@CodeShellDev can you confirm that you've updated signal, management and dashboard to the latest, following a docker compose down/up?

Also, can you share a screenshot of the Console tab in the development tools of your browser ssh window?


@CodeShellDev commented on GitHub (Oct 11, 2025):

> @CodeShellDev can you confirm that you've updated signal, management and dashboard to the latest, following a docker compose down/up?

Yes, I am on the latest version.

> Also, can you share a screenshot of the Console tab in the development tools of your browser ssh window?

Here you go:

![image](https://github.com/user-attachments/assets/b4c1b3c2-66b4-485f-86f0-eaa532c552dd)

Also tried the default port instead of port 22.


@flotpg commented on GitHub (Oct 12, 2025):

> @flotpg these are 3 options, or you do the first, or the second or the third.

Thanks @mlsmaycon !

```
 signal:
    depends_on:
     - dashboard
    image: netbirdio/signal:latest
    restart: unless-stopped
    volumes:
      - netbird-signal:/var/lib/netbird
      - netbird-letsencrypt:/etc/letsencrypt:ro
    ports:
      - 10000:80
  #      # port and command for Let's Encrypt validation
  #      - 443:443
    command: ["--cert-file", "/etc/letsencrypt/live/my-domain.com/fullchain.pem",  "--cert-key", "/etc/letsencrypt/live/my-domain.com/privkey.pem","--log-file", "console"]
```

```
management.json:
   "Signal": {
        "Proto": "https",
        "URI": "my-domain.com:10000",
        "Username": "",
        "Password": ""
    },
```

```
docker compose logs signal  -f
signal-1  | 2025-10-12T07:53:09Z INFO signal/cmd/run.go:235: setting up TLS with custom certificates.
signal-1  | 2025-10-12T07:53:09Z INFO signal/cmd/run.go:141: running HTTP server with WebSocket proxy (no TLS): [::]:443
signal-1  | 2025-10-12T07:53:09Z INFO signal/cmd/run.go:160: running gRPC backward compatibility server: [::]:10000
signal-1  | 2025-10-12T07:53:09Z INFO signal/cmd/run.go:163: signal server version 0.59.5
signal-1  | 2025-10-12T07:53:09Z INFO signal/cmd/run.go:164: started Signal Service
signal-1  | 2025-10-12T07:53:09Z INFO signal/cmd/run.go:111: running metrics server: :9090/metrics
signal-1  | 2025-10-12T07:55:15Z INFO signal/cmd/run.go:235: setting up TLS with custom certificates.
signal-1  | 2025-10-12T07:55:16Z INFO signal/cmd/run.go:141: running HTTP server with WebSocket proxy (no TLS): [::]:443
signal-1  | 2025-10-12T07:55:16Z INFO signal/cmd/run.go:160: running gRPC backward compatibility server: [::]:10000
signal-1  | 2025-10-12T07:55:16Z INFO signal/cmd/run.go:163: signal server version 0.59.5
signal-1  | 2025-10-12T07:55:16Z INFO signal/cmd/run.go:164: started Signal Service
signal-1  | 2025-10-12T07:55:16Z INFO signal/cmd/run.go:111: running metrics server: :9090/metrics
```

but clients can't connect to signal:

```
 netbird status
OS: linux/amd64
Daemon version: 0.59.5
CLI version: 0.59.5
Profile: default
Management: Connected
Signal: Disconnected
```

looks like it's not listening

```
nc -zvw 5 my-domain.com 10000
nc: connect to my-domain.com (IP) port 10000 (tcp) failed: Connection refused
```

EDIT:
port must be set to 10000:**443**

```
 ports:
      - 10000:443
```

@flotpg commented on GitHub (Oct 12, 2025):

Hm... ssh still not working:

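![Image](https://github.com/user-attachments/assets/be158de3-9b6a-4645-b51c-cfed8a988fdc)
![Image](https://github.com/user-attachments/assets/b97ebe92-dd09-4b3a-9ebc-c3749c5b72b8)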

@flotpg commented on GitHub (Oct 13, 2025):

Can this be the issue:
signal-1 | 2025-10-12T07:55:15Z INFO signal/cmd/run.go:235: setting up TLS with custom certificates.
signal-1 | 2025-10-12T07:55:16Z INFO signal/cmd/run.go:141: running HTTP server with WebSocket proxy (**no TLS**): [::]:443

Similar issue: https://github.com/netbirdio/netbird/issues/4591

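The `10000:80` mapping and the "(no TLS)" log line from the comments above can be cross-checked mechanically. This is an added example, not part of the thread and not NetBird code: it reads the signal startup log quoted in the thread, lists what the container says it listens on, and reports which server a published port reaches. The function names are hypothetical.

```python
import re

# Startup lines copied from the `docker compose logs signal` output quoted in the thread.
SIGNAL_LOG = """\
signal-1  | 2025-10-12T07:53:09Z INFO signal/cmd/run.go:235: setting up TLS with custom certificates.
signal-1  | 2025-10-12T07:53:09Z INFO signal/cmd/run.go:141: running HTTP server with WebSocket proxy (no TLS): [::]:443
signal-1  | 2025-10-12T07:53:09Z INFO signal/cmd/run.go:160: running gRPC backward compatibility server: [::]:10000
signal-1  | 2025-10-12T07:53:09Z INFO signal/cmd/run.go:163: signal server version 0.59.5
signal-1  | 2025-10-12T07:53:09Z INFO signal/cmd/run.go:164: started Signal Service
signal-1  | 2025-10-12T07:53:09Z INFO signal/cmd/run.go:111: running metrics server: :9090/metrics
"""

# "running <what>: [::]:<port>" or "running <what>: :<port>/..."
LISTEN_RE = re.compile(r"running (?P<what>.+?): (?:\[::\])?:(?P<port>\d+)")


def listeners(log_text):
    """Map container port -> what the log says is listening there."""
    found = {}
    for line in log_text.splitlines():
        match = LISTEN_RE.search(line)
        if match:
            what = match.group("what")
            found[int(match.group("port"))] = {
                "server": what,
                "plaintext": "(no TLS)" in what,  # the server's own statement
            }
    return found


def container_port(mapping):
    """Container side of a compose port mapping: 10000:80, 0.0.0.0:10000:80, 10000:80/tcp."""
    return int(mapping.rsplit(":", 1)[-1].split("/")[0])


def audit(log_text, mapping, signal_proto):
    """Return (server reached or None, problems) for one published port.

    signal_proto is the Signal "Proto" value from management.json.
    """
    ports = listeners(log_text)
    target = container_port(mapping)
    hit = ports.get(target)
    if hit is None:
        return None, [
            f"nothing listens on container port {target}; "
            f"log shows listeners on {sorted(ports)}"
        ]
    problems = []
    if signal_proto == "https" and hit["plaintext"]:
        problems.append(
            f"management.json expects https but the log reports "
            f"'{hit['server']}' on port {target}"
        )
    return hit["server"], problems


if __name__ == "__main__":
    for mapping in ("10000:80", "10000:443"):
        print(mapping, "->", audit(SIGNAL_LOG, mapping, "https"))
```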

@mlsmaycon commented on GitHub (Oct 13, 2025):

@flotpg it seems like there is a bug in the signal init. Let me check how to fix that for the next release


@flotpg commented on GitHub (Nov 8, 2025):

@mlsmaycon I got TLS working for signal but still can't connect using the browser.

```
  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    volumes:
      - netbird-signal:/var/lib/netbird
      - netbird-letsencrypt:/etc/letsencrypt:ro
    ports:
      #- 10000:80
      - 10000:10000
  #      # port and command for Let's Encrypt validation
  #      - 443:443
  #    command: ["--letsencrypt-domain", "netbird.domain.com", "--log-file", "console"]
    command: ["--cert-file", "/etc/letsencrypt/live/netbird.domain.com/fullchain.pem",  "--cert-key", "/etc/letsencrypt/live/netbird.domain.com/privkey.pem","--log-file", "console"]
```

Browser dev tools console output is
`8356-20d8ee7e42df9d65.js:1 WebSocket connection to 'wss://netbird.domain.com:10000/ws-proxy/signal' failed: `

Checking endpoint:

```
curl -vk https://netbird.domain.com:10000/ws-proxy/signal
* Host netbird.domain.com:10000 was resolved.
* IPv6: (none)
* IPv4: 18.8.8.8
*   Trying 18.8.8.8:10000...
* Connected to netbird.domain.com (18.8.8.8) port 10000
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=netbird.domain.com
*  start date: Sep 22 11:05:03 2025 GMT
*  expire date: Dec 21 11:05:02 2025 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R13
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://netbird.domain.com:10000/ws-proxy/signal
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: netbird.domain.com:10000]
* [HTTP/2] [1] [:path: /ws-proxy/signal]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET /ws-proxy/signal HTTP/2curl -vk https://netbird.domain.com:10000/ws-proxy/signal
* Host netbird.domain.com:10000 was resolved.
* IPv6: (none)
* IPv4: 18.8.8.8
*   Trying 18.8.8.8:10000...
* Connected to netbird.domain.com (18.8.8.8) port 10000
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=netbird.domain.com
*  start date: Sep 22 11:05:03 2025 GMT
*  expire date: Dec 21 11:05:02 2025 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R13
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://netbird.domain.com:10000/ws-proxy/signal
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: netbird.domain.com:10000]
* [HTTP/2] [1] [:path: /ws-proxy/signal]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET /ws-proxy/signal HTTP/2
> Host: netbird.domain.com:10000
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/2 415
< content-type: application/grpc
< grpc-status: 3
< grpc-message: invalid gRPC request content-type ""
<
* Connection #0 to host netbird.domain.com left intact
> Host: netbird.domain.com:10000
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/2 415
< content-type: application/grpc
< grpc-status: 3
< grpc-message: invalid gRPC request content-type ""
<
* Connection #0 to host netbird.domain.com left intact
```

Any hint?

Reference: SVI/netbird#2337