Netbird Authentik failed logging in peer #2402

Closed
opened 2025-11-20 07:09:16 -05:00 by saavagebueno · 9 comments

Originally created by @Fridasbabe on GitHub (Oct 22, 2025).

Are you using NetBird Cloud?
NO

NetBird version
Everything the latest, pulled docker for all images
Windows Netbird v0.59.8
iOS 26.0.1 Netbird v0.0.11

docker-compose.yml
setup.env.yml

Is any other VPN software installed?

Wireguard on opnsense, not used, also checked on phone. iOS 26.0.1
Port 33080 is causing problems! Changed to 666

Debug output

2025-10-22T13:07:52Z INFO management/server/account.go:292: set peer update buffer interval to 1ms
2025-10-22T13:07:52Z INFO management/server/account.go:236: single account mode enabled, accounts number 0
2025-10-22T13:07:52Z INFO management/internals/server/server.go:144: running gRPC backward compatibility server: [::]:33073
2025-10-22T13:07:52Z INFO management/internals/server/server.go:182: management server version 0.59.8
2025-10-22T13:07:52Z INFO management/internals/server/server.go:183: running HTTP server and gRPC server on the same port: [::]:443
2025-10-22T13:07:52Z INFO management/server/account.go:620: 1 entries received from IdP management
2025-10-22T13:07:52Z INFO management/server/account.go:651: warmed up IDP cache with 0 entries for 0 accounts
2025-10-22T13:07:54Z WARN [context: GRPC, requestID: 82cb6865-4fa4-43af-a0b7-58d4a3055b3c, accountID: UNKNOWN, peerID: Z3BXZP7oH2IwWyVxm63fvjwNvSNg90dVWq42CA0F42E=] management/server/grpcserver.go:545: failed logging in peer Z3BXZP7oH2IwWyVxm63fvjwNvSNg90dVWq42CA0F42E=: no peer auth method provided, please use a setup key or interactive SSO login
2025-10-22T13:07:59Z WARN [peerID: Z3BXZP7oH2IwWyVxm63fvjwNvSNg90dVWq42CA0F42E=, context: GRPC, requestID: 5357a469-d27d-4f04-9de5-dc6e7366c23a, accountID: UNKNOWN] management/server/grpcserver.go:545: failed logging in peer Z3BXZP7oH2IwWyVxm63fvjwNvSNg90dVWq42CA0F42E=: no peer auth method provided, please use a setup key or interactive SSO login
2025-10-22T13:07:59Z ERRO [context: GRPC, requestID: a09a347e-5a39-41b5-afed-c1bdb88f5731, accountID: UNKNOWN, peerID: Z3BXZP7oH2IwWyVxm63fvjwNvSNg90dVWq42CA0F42E=] management/server/store/sql_store.go:792: error when getting account d3sdebov0i1s73e1kut0 from the store: record not found

Comment: Please note I haven't got it working so this would be hard to troubleshoot. I never see any logs in artifacts-coturn-1, artifacts-relay-1 and artifacts-signal-1

  • Reviewed client troubleshooting (if applicable)
  • Checked for newer NetBird versions
  • Searched for similar issues on GitHub (including closed ones)
  • Restarted the NetBird client
  • Disabled other VPN software
  • Checked firewall settings
saavagebueno added the triage-needed label 2025-11-20 07:09:16 -05:00
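
One way to triage management logs like the ones in the report above, as an added example that is not part of the original issue or of NetBird's code: it splits run-together entries, reads the bracketed context fields by key because their order varies between lines, and counts failed peer logins per peer. The sample log is constructed, with placeholder request, peer and account IDs.

```python
import re
from collections import defaultdict

# An entry starts with an RFC 3339 timestamp followed by an upper-case level.
ENTRY_START = re.compile(
    r"(?=\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:\d{2}) [A-Z]{4,5} )"
)
# timestamp, level, optional "[key: value, ...]" context, source file:line, message
ENTRY = re.compile(
    r"^(?P<ts>\S+) (?P<level>[A-Z]{4,5}) "
    r"(?:\[(?P<ctx>[^\]]*)\] )?"
    r"(?P<src>\S+?:\d+): (?P<msg>.*)$"
)
FAILED_LOGIN = re.compile(r"^failed logging in peer (?P<peer>\S+): (?P<reason>.*)$")


def split_entries(blob):
    """Split pasted log text into entries, even when several entries share
    one line or a single entry was wrapped across two lines."""
    parts = ENTRY_START.split(blob.replace("\n", " "))
    return [p.strip() for p in parts if p.strip()]


def parse_entry(line):
    """Return a dict for one entry, or None if the line is not a log entry."""
    m = ENTRY.match(line)
    if not m:
        return None
    rec = m.groupdict()
    fields = {}
    # Context keys appear in varying order, so index them by name.
    for pair in (rec.pop("ctx") or "").split(", "):
        key, sep, value = pair.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    rec["fields"] = fields
    return rec


def failed_logins(blob):
    """Group 'failed logging in peer' warnings by peer ID."""
    peers = defaultdict(lambda: {"count": 0, "reasons": set(), "accounts": set()})
    for line in split_entries(blob):
        rec = parse_entry(line)
        if rec is None:
            continue
        m = FAILED_LOGIN.match(rec["msg"])
        if not m:
            continue
        peer = rec["fields"].get("peerID", m.group("peer"))
        peers[peer]["count"] += 1
        peers[peer]["reasons"].add(m.group("reason"))
        peers[peer]["accounts"].add(rec["fields"].get("accountID", "UNKNOWN"))
    return dict(peers)


# Constructed sample in the same shape as the report: entries run together,
# one entry wrapped mid-message, context keys in two different orders.
SAMPLE = (
    "2025-10-22T13:07:52Z INFO management/internals/server/server.go:144: "
    "running gRPC backward compatibility server: [::]:33073 "
    "2025-10-22T13:07:54Z WARN [context: GRPC, requestID: req-1, "
    "accountID: UNKNOWN, peerID: PEER-A=] management/server/grpcserver.go:545: "
    "failed logging in peer PEER-A=: no peer auth method provided, please use "
    "a setup key or interactive SSO login "
    "2025-10-22T13:07:59Z WARN [peerID: PEER-A=, context: GRPC, requestID: req-2, "
    "accountID: UNKNOWN] management/server/grpcserver.go:545: "
    "failed logging in peer PEER-A=: no peer auth method provided, please\n"
    "use a setup key or interactive SSO login "
    "2025-10-22T13:07:59Z ERRO [context: GRPC, requestID: req-3, "
    "accountID: UNKNOWN, peerID: PEER-A=] management/server/store/sql_store.go:792: "
    "error when getting account acct-placeholder from the store: record not found"
)

if __name__ == "__main__":
    for peer, info in failed_logins(SAMPLE).items():
        print(peer, info["count"], sorted(info["accounts"]), sorted(info["reasons"]))
```
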

@LTSlw commented on GitHub (Oct 22, 2025):

I caught the same issue.


@Fridasbabe commented on GitHub (Oct 22, 2025):

> I caught the same issue.

I played with pretty much all settings and I can't conclude I have ports and reverse proxy fully working. But authentik and netbird definitely seem to cause problems. I followed the guidelines to the teeth. Even authentik's own guide as well...


@LTSlw commented on GitHub (Oct 22, 2025):

> > I caught the same issue.
>
> I played with pretty much all settings and I can't conclude I have ports and reverse proxy fully working. But authentik and netbird definitely seem to cause problems. I followed the guidelines to the teeth. Even authentik's own guide as well...

Try to restart signal, it works, this issue appears randomly.

Log from client:

2025-10-22T21:42:05+08:00 WARN shared/signal/client/grpc.go:154: disconnected from the Signal Exchange due to an error: didn't receive a registration header from the Signal server whille connecting to the streams
2025-10-22T21:44:11+08:00 WARN shared/signal/client/grpc.go:154: disconnected from the Signal Exchange due to an error: didn't receive a registration header from the Signal server whille connecting to the streams
2025-10-22T21:45:06+08:00 WARN shared/signal/client/grpc.go:154: disconnected from the Signal Exchange due to an error: didn't receive a registration header from the Signal server whille connecting to the streams
2025-10-22T21:45:06+08:00 ERRO shared/signal/client/grpc.go:186: exiting the Signal service connection retry loop due to the unrecoverable error: context canceled

@Fridasbabe commented on GitHub (Oct 23, 2025):

> > > I caught the same issue.
> >
> > I played with pretty much all settings and I can't conclude I have ports and reverse proxy fully working. But authentik and netbird definitely seem to cause problems. I followed the guidelines to the teeth. Even authentik's own guide as well...
>
> Try to restart signal, it works, this issue appears randomly.
>
> Log from client:
>
> 2025-10-22T21:42:05+08:00 WARN shared/signal/client/grpc.go:154: disconnected from the Signal Exchange due to an error: didn't receive a registration header from the Signal server whille connecting to the streams
> 2025-10-22T21:44:11+08:00 WARN shared/signal/client/grpc.go:154: disconnected from the Signal Exchange due to an error: didn't receive a registration header from the Signal server whille connecting to the streams
> 2025-10-22T21:45:06+08:00 WARN shared/signal/client/grpc.go:154: disconnected from the Signal Exchange due to an error: didn't receive a registration header from the Signal server whille connecting to the streams
> 2025-10-22T21:45:06+08:00 ERRO shared/signal/client/grpc.go:186: exiting the Signal service connection retry loop due to the unrecoverable error: context canceled

Tried multiple times, maybe I just have something configured wrong? I can't reproduce this.
Would you like to share your setup.env and docker-compose.yml and whatever you changed as well?


@LTSlw commented on GitHub (Oct 23, 2025):

> > > > I caught the same issue.
> > >
> > > I played with pretty much all settings and I can't conclude I have ports and reverse proxy fully working. But authentik and netbird definitely seem to cause problems. I followed the guidelines to the teeth. Even authentik's own guide as well...
> >
> > Try to restart signal, it works, this issue appears randomly.
> > Log from client:
> >
> > 2025-10-22T21:42:05+08:00 WARN shared/signal/client/grpc.go:154: disconnected from the Signal Exchange due to an error: didn't receive a registration header from the Signal server whille connecting to the streams
> > 2025-10-22T21:44:11+08:00 WARN shared/signal/client/grpc.go:154: disconnected from the Signal Exchange due to an error: didn't receive a registration header from the Signal server whille connecting to the streams
> > 2025-10-22T21:45:06+08:00 WARN shared/signal/client/grpc.go:154: disconnected from the Signal Exchange due to an error: didn't receive a registration header from the Signal server whille connecting to the streams
> > 2025-10-22T21:45:06+08:00 ERRO shared/signal/client/grpc.go:186: exiting the Signal service connection retry loop due to the unrecoverable error: context canceled
>
> Tried multiple times, maybe I just have something configured wrong? I can't reproduce this. Would you like to share your setup.env and docker-compose.yml and whatever you changed as well?

I deployed netbird separately, docker compose is not used. I will share my configuration later. And as I said, this problem occurs randomly, you might figure out the reason.


@LTSlw commented on GitHub (Oct 23, 2025):

My configurations:

  • IdP: Auth0
  • STUN/TURN: installed by package manager
  • Cloudflare CDN used

Podman Quadlet:

[Unit]
Description=NetBird Dashboard  
After=local-fs.target network-online.target

[Container]
ContainerName=netbird-dashboard
Environment=NETBIRD_MGMT_API_ENDPOINT=https://$DOMAIN_MANAGEMENT NETBIRD_MGMT_GRPC_API_ENDPOINT=https://$DOMAIN_MANAGEMENT AUTH_AUDIENCE=$AUTH_AUDIENCE AUTH_CLIENT_ID=$AUTH_CLIENTID_DASHBOARD AUTH_AUTHORITY=https://$DOMAIN_AUTH/ USE_AUTH0=true "AUTH_SUPPORTED_SCOPES=openid profile email offline_access api email_verified"
Image=docker.io/netbirdio/dashboard:latest
AutoUpdate=registry
PublishPort=127.0.0.1:$PORT_LOCAL_DASHBOARD:80

[Install]
WantedBy=default.target

[Unit]
Description=NetBird Management
After=local-fs.target network-online.target

[Container]
ContainerName=netbird-management
Exec=--dns-domain $DOMAIN_MANAGEMENT
Image=docker.io/netbirdio/management:latest
AutoUpdate=registry
PublishPort=127.0.0.1:$PORT_LOCAL_MANAGEMENT:80
Volume=/var/lib/nerbird/management/management.json:/etc/netbird/management.json
Volume=/var/lib/nerbird/management/data:/var/lib/netbird

[Install]
WantedBy=default.target

[Unit]
Description=NetBird Signal
After=local-fs.target network-online.target

[Container]
ContainerName=netbird-signal
Image=docker.io/netbirdio/signal:latest
AutoUpdate=registry
PublishPort=127.0.0.1:$PORT_LOCAL_SIGNAL:80

[Install]
WantedBy=default.target

[Unit]
Description=NetBird Relay
After=local-fs.target network-online.target

[Container]
ContainerName=netbird-relay
Exec=-s $RELAY_SECRET -e rels://$DOMAIN_RELAY:443/relay
Image=docker.io/netbirdio/relay:latest
AutoUpdate=registry
PublishPort=127.0.0.1:$PORT_LOCAL_RELAY:443

[Install]
WantedBy=default.target

management.json:

{
    "Stuns": [
        {
            "Proto": "udp",
            "URI": "stun:$DOMAIN_STUN:3478",
            "Username": "",
            "Password": null
        }
    ],
    "TURNConfig": {
        "TimeBasedCredentials": false,
        "CredentialsTTL": "12h0m0s",
        "Secret": "secret",
        "Turns": [
            {
                "Proto": "udp",
                "URI": "turn:$DOMAIN_TURN:3478",
                "Username": "self",
                "Password": "$TURN_PASSWORD"
            }
        ]
    },
    "Relay": {
        "Addresses": [
            "rels://$DOMAIN_RELAY:443"
        ],
        "CredentialsTTL": "24h0m0s",
        "Secret": "$RELAY_SECRET"
    },
    "Signal": {
        "Proto": "https",
        "URI": "$DOMAIN_SIGNAL:443",
        "Username": "",
        "Password": ""
    },
    "Datadir": "/var/lib/netbird/",
    "DataStoreEncryptionKey": "$MANAGEMENT_DATA_STORE_ENCRYPTION_KEY",
    "HttpConfig": {
        "LetsEncryptDomain": "",
        "CertFile": "",
        "CertKey": "",
        "AuthAudience": "$AUTH_AUDIENCE",
        "AuthIssuer": "https://$DOMAIN_AUTH/",
        "AuthUserIDClaim": "",
        "AuthKeysLocation": "https://$DOMAIN_AUTH/.well-known/jwks.json",
        "OIDCConfigEndpoint": "https://$DOMAIN_AUTH/.well-known/openid-configuration",
        "IdpSignKeyRefreshEnabled": false,
        "ExtraAuthAudience": ""
    },
    "IdpManagerConfig": {
        "ManagerType": "none",
        "ClientConfig": {
            "Issuer": "https://$DOMAIN_AUTH",
            "TokenEndpoint": "https://$DOMAIN_AUTH/oauth/token",
            "ClientID": "$AUTH_CLIENTID_MANAGEMENT",
            "ClientSecret": "$AUTH_SECRET_MANAGEMENT",
            "GrantType": "client_credentials"
        },
        "ExtraConfig": {},
        "Auth0ClientCredentials": null,
        "AzureClientCredentials": null,
        "KeycloakClientCredentials": null,
        "ZitadelClientCredentials": null
    },
    "DeviceAuthorizationFlow": {
        "Provider": "hosted",
        "ProviderConfig": {
            "ClientID": "$AUTH_CLIENTID_DEVICE",
            "ClientSecret": "",
            "Domain": "$DOMAIN_AUTH",
            "Audience": "$AUTH_AUDIENCE",
            "TokenEndpoint": "https://$DOMAIN_AUTH/oauth/token",
            "DeviceAuthEndpoint": "https://$DOMAIN_AUTH/oauth/device/code",
            "AuthorizationEndpoint": "",
            "Scope": "openid",
            "UseIDToken": false,
            "RedirectURLs": null,
            "DisablePromptLogin": false,
            "LoginFlag": 0
        }
    },
    "PKCEAuthorizationFlow": {
        "ProviderConfig": {
            "ClientID": "$AUTH_CLIENTID_DASHBOARD",
            "ClientSecret": "",
            "Domain": "",
            "Audience": "$AUTH_AUDIENCE",
            "TokenEndpoint": "https://$DOMAIN_AUTH/oauth/token",
            "DeviceAuthEndpoint": "",
            "AuthorizationEndpoint": "https://$DOMAIN_AUTH/authorize",
            "Scope": "openid profile email offline_access api email_verified",
            "UseIDToken": false,
            "RedirectURLs": [
                "http://localhost:53000"
            ],
            "DisablePromptLogin": false,
            "LoginFlag": 0
        }
    },
    "StoreConfig": {
        "Engine": "sqlite"
    },
    "ReverseProxy": {
        "TrustedHTTPProxies": [],
        "TrustedHTTPProxiesCount": 0,
        "TrustedPeers": [
            "0.0.0.0/0"
        ]
    },
    "DisableDefaultPolicy": false
}

Caddyfile:

{
        servers :443 {
                protocols h1 h2 h2c h3
        }
}

$DOMAIN_DASHBOARD {
        reverse_proxy 127.0.0.1:$PORT_LOCAL_DASHBOARD {
                header_up X-Real-IP {header.Cf-Connecting-IP}
        }
}

$DOMAIN_MANAGEMENT {
        reverse_proxy /management.ManagementService/* h2c://127.0.0.1:$PORT_LOCAL_MANAGEMENT
        reverse_proxy 127.0.0.1:$PORT_LOCAL_MANAGEMENT {
                header_up X-Real-IP {header.Cf-Connecting-IP}
        }
}

$DOMAIN_SIGNAL {
        reverse_proxy /signalexchange.SignalExchange/* h2c://127.0.0.1:$PORT_LOCAL_SIGNAL
        reverse_proxy 127.0.0.1:$PORT_LOCAL_SIGNAL {
                header_up X-Real-IP {header.Cf-Connecting-IP}
        }
}

$DOMAIN_RELAY {
        reverse_proxy 127.0.0.1:$PORT_LOCAL_RELAY {
                header_up X-Real-IP {header.Cf-Connecting-IP}
        }
}

@Fridasbabe commented on GitHub (Oct 23, 2025):

> ",

Hey, got it to work, found I was not using "NETBIRD_TOKEN_SOURCE="accessToken"" in setup.env


@Fridasbabe commented on GitHub (Oct 23, 2025):

Found that Netbird on Windows doesn't route my regular wireguard software correctly. Need to kill the netbird instance in Windows Task Manager.

But hey it works, wow it was a pain to set up. Gonna play with some settings.
So netbird works behind cloudflare proxy? Gonna try to set that up!


@gregoriusus commented on GitHub (Nov 6, 2025):

What exactly did you do?

I have the same error:
2025-10-22T21:45:06+08:00 WARN shared/signal/client/grpc.go:154: disconnected from the Signal Exchange due to an error: didn't receive a registration header from the Signal server whille connecting to the streams

Reference: SVI/netbird#2402