netbird
Dashboard doesn't load after initial setup - IDP authenticates and forwards fine
Using Ubuntu 22.04 on a VM. Netbird is the only application running. My IdP is Authentik on another VM. I am using Nginx Proxy Manager and have Let's Encrypt certificates for both. HTTPS connections seem to work.
When I navigate to the netbird URL, it forwards to Authentik, I sign in, it authenticates me and forwards me to https://mynetbirddomain.com/peers.
The issue is the website never loads. I just get the netbird loading icon. The containers are up and I can see the dashboard container doing things in the logs.
I have reinstalled multiple times and this is very repeatable.
Are there other logs I can look at? I feel like it should be loading the page. I know I probably am missing some NGINX config for the gRPC stuff and other things but would that affect this?
Docker Compose Config:
version: "3"
services:
  #UI dashboard
  dashboard:
    image: netbirdio/dashboard:latest
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://netbirddomain.com:33073
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbirddomain.com:33073
      # OIDC
      - AUTH_AUDIENCE=EBjiOlTxSIf07j1vjXbw01tnDBGZqAaPGYaKdAox
      - AUTH_CLIENT_ID=EBjiOlTxSIf07j1vjXbw01tnDBGZqAaPGYaKdAox
      - AUTH_CLIENT_SECRET=
      - AUTH_AUTHORITY=https://idpdomain.com/application/o/netbird/
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
      - AUTH_REDIRECT_URI=
      - AUTH_SILENT_REDIRECT_URI=
      - NETBIRD_TOKEN_SOURCE=accessToken
      # SSL
      - NGINX_SSL_PORT=443
      # Letsencrypt
      - LETSENCRYPT_DOMAIN=
      - LETSENCRYPT_EMAIL=
    volumes:
      - netbird-letsencrypt:/etc/letsencrypt/
  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    volumes:
      - netbird-signal:/var/lib/netbird
    ports:
      - 10000:80
    # # port and command for Let's Encrypt validation
    # - 443:443
    # command: ["--letsencrypt-domain", "", "--log-file", "console"]
  # Management
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - netbird-letsencrypt:/etc/letsencrypt:ro
      - ./management.json:/etc/netbird/management.json
    ports:
      - 33073:443 #API port
    # # command for Let's Encrypt validation without dashboard container
    # command: ["--letsencrypt-domain", "", "--log-file", "console"]
    command: [
      "--port", "443",
      "--log-file", "console",
      "--log-level", "info",
      "--disable-anonymous-metrics=true",
      "--single-account-mode-domain=netbirddomain.com",
      "--dns-domain=netbird.selfhosted"
      ]
  # Coturn
  coturn:
    image: coturn/coturn:latest
    restart: unless-stopped
    domainname: netbirddomain.com
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    # - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
    # - ./cert.pem:/etc/coturn/certs/cert.pem:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf
volumes:
  netbird-mgmt:
  netbird-signal:
  netbird-letsencrypt:
Setup.env file config:
# Dashboard domain. e.g. app.mydomain.com
NETBIRD_DOMAIN="netbirddomain.com"
# TURN server domain. e.g. turn.mydomain.com
# if not specified it will assume NETBIRD_DOMAIN
NETBIRD_TURN_DOMAIN=""
# TURN server public IP address
# required for a connection involving peers in
# the same network as the server and external peers
# usually matches the IP for the domain set in NETBIRD_TURN_DOMAIN
NETBIRD_TURN_EXTERNAL_IP="EXTERNAL IP"
# -------------------------------------------
# OIDC
# e.g., https://example.eu.auth0.com/.well-known/openid-configuration
# -------------------------------------------
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://idpdomain.com/application/o/netbird/.well-known/openid-configuration"
NETBIRD_AUTH_AUDIENCE="EBjiOlTxSIf07j1vjXbw01tnDBGZqAaPGYaKdAox"
NETBIRD_AUTH_CLIENT_ID="EBjiOlTxSIf07j1vjXbw01tnDBGZqAaPGYaKdAox"
NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
NETBIRD_USE_AUTH0="false"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="EBjiOlTxSIf07j1vjXbw01tnDBGZqAaPGYaKdAox"
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="EBjiOlTxSIf07j1vjXbw01tnDBGZqAaPGYaKdAox"
NETBIRD_MGMT_IDP="authentik"
NETBIRD_IDP_MGMT_CLIENT_ID="EBjiOlTxSIf07j1vjXbw01tnDBGZqAaPGYaKdAox"
NETBIRD_IDP_MGMT_EXTRA_USERNAME="Netbird"
NETBIRD_IDP_MGMT_EXTRA_PASSWORD="XLzYVo8fc6cQFhAGeTJzh7xfJiG5sYzBtXngapH6UvAt6s2tplWrQxOm9C9K"
# -------------------------------------------
# Letsencrypt
# -------------------------------------------
# Disable letsencrypt
# if disabled, cannot use HTTPS anymore and requires setting up a reverse-proxy to do it instead
NETBIRD_DISABLE_LETSENCRYPT=true
# e.g. [email protected]
NETBIRD_LETSENCRYPT_EMAIL=""
# -------------------------------------------
# Extra settings
# -------------------------------------------
# Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
NETBIRD_DISABLE_ANONYMOUS_METRICS=true
# DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted
I am seeing this same issue. I am using Netbird self hosted on a Digital Ocean VPS with Authentik hosted on a separate Digital Ocean VPS.
The system goes through authentication with Authentik, then attempts to route to https://mydomain.com/peers, but the peers view never comes up. Just the loading animation of Netbird.
Looking at the logs of both Dashboard and Management, and nothing shows there as an error or warning.
Nothing in the web browser console either.
Not sure what's causing it to get hung. I've tried it on multiple browsers, private windows, and even reinstalled three times, and re-setup Authentik just to make sure I didn't miss something there.
I am not attempting to use a separate reverse proxy in front of Netbird at this time. So my difference is that I have 'false' for NETBIRD_DISABLE_LETSENCRYPT, and I have my email filled in.
It makes me wonder if the communication between Netbird and Authentik is not working correctly and not kicking off the initial account creation.
My servers are on the same VLAN, and the reverse proxy is also on the same VLAN, and for testing I disabled the firewalls so nothing should be getting blocked.
I'm having the same issue. Has anyone come up with a workaround or fix yet?
Hello
Same problem. Only animation loading peers page
Hi netbird team,
I experience the same issue: after the redirect from the Authentik IdP, only a loading screen appears for the context /peers.
There are no errors shown in the docker logs.
Would be nice to find a solution for this problem.
Thanks and best regards
Hello
Editing the host file helped me. I removed the redirect to my domain, after reboot the */peers opened
sudo nano /etc/hosts
my host file
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
PS. if you use cloudflare watch this video
Same here, nothing worked for me. Did anyone else solve this besides editing the host file? I am about to give up and try something else. Such a shame, I really wanted to use this.
edit: I just changed from trying to install on ubuntu to installing on debian and it worked as expected.
New information:
I get this error now. It seems to be unable to verify the certificate Authentik is using.
management-1 | 2024-05-15T16:59:44Z INFO management/cmd/management.go:455: loading OIDC configuration from the provided IDP configuration endpoint https://IDPDOMAIN.com/application/o/netbird/.well-known/openid-configuration
management-1 | Error: failed reading provided config file: /etc/netbird/management.json: failed fetching OIDC configuration from endpoint https://IDPDOMAIN.com/application/o/netbird/.well-known/openid-configuration Get "https://IDPDOMAIN.com/application/o/netbird/.well-known/openid-configuration": tls: failed to verify certificate: x509: certificate signed by unknown authority
I don't know what you all are using for reverse proxy, if anything, but I was using NgInx Proxy Manager, and it doesn't like gRPC out of the box. You have to add some extra stuff in advanced. I wonder if the gRPC communication might be what is causing this. If I expose this directly to web without reverse proxy, it starts to work.
I actually switched to straight NGINX on the box. I found a handful of config file examples and managed to get to the same point in the setup with the Peers not loading properly.
Hi,
I was able to eliminate this by changing the standard ports for signal and dashboard to 443 and activating TLS in the reverse proxy.
I ended up having to pass through my host's CA cert directory into the container to get it to trust the SSL cert on my Authentik instance. Very strange.
Hi @Sgt-Ogre, how exactly did you manage to solve this problem? I'm having the same issue. Would you mind giving more details on what you did / changed? I'm using NGINX as a reverse proxy in front of Netbird on the same machine.
This problem was pissing me off too... My VPC on Digital Ocean has 1 GB of RAM and 20 GB of SSD. As time passed I realized that 1GB of RAM is not enough for Netbird. It will work at the start, but after some time my VPC becomes unavailable and the connection to the dashboard sometimes works and sometimes doesn't. If I wanted to connect to the dashboard I had to restart the VPC... Then the connection to the dashboard starts to work and stops after 10 minutes, let's say...
My solution was to create a swap file and give it 4GB on my Ubuntu 22 installed on the VPC. Once I created the swap file my problems became EX :) Now I'm able to connect to the Netbird dashboard, and my VPC on Digital Ocean is working without problems and is available as it is supposed to be.
Don't know if this one is going to help you, but I guess that you have a VPC with 1 GB of RAM and that you don't have a swap file configured... I know that I caught somewhere in the logs that my system is without memory after some time...
Have a good day!
Hello, I also have this problem (stuck on initial loading). I followed this guide. I see an error in logs:
{"level":"error","ts":1719790850.6021206,"logger":"http.log.error","msg":"dial tcp 172.18.0.7:80: connect: connection refused","request":{"remote_ip":"REDACTED","remote_port":"58809","client_ip":"REDACTED","proto":"HTTP/2.0","method":"GET","host":"|netbird.REDACTED.com","uri":"/api/users","headers":{"Sec-Fetch-Mode":["cors"],"Referer":["https://|netbird.REDACTED.com/peers"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Accept-Encoding":["gzip, deflate, br, zstd"],"Priority":["u=1, i"],"Sec-Ch-Ua":["\"Not/A)Brand\";v=\"8\", \"Chromium\";v=\"126\", \"Google Chrome\";v=\"126\""],"Accept":["application/json"],"Accept-Language":["en,pl-PL;q=0.9,pl;q=0.8,en-US;q=0.7"],"Cookie":["REDACTED"],"Dnt":["1"],"Authorization":["REDACTED"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"],"Content-Type":["application/json"],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Dest":["empty"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"|netbird.REDACTED.com"}},"duration":0.001640851,"status":502,"err_id":"c6qy2rmtr","err_trace":"reverseproxy.statusError (reverseproxy.go:1269)"}
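A small triage helper for the two failure signatures quoted in this thread (the management container's x509 error when fetching the OIDC configuration, and the reverse proxy's 502 on /api/users), added here as an example and not part of any post or of NetBird itself. The sample lines are constructed, idp.example.com and netbird.example.com are placeholder hosts, and the function and cause names are hypothetical.

```python
import json
import re
import sys

# Constructed sample lines modelled on the two log excerpts quoted in the thread.
SAMPLE_LOGS = [
    'management-1 | Error: failed reading provided config file: /etc/netbird/management.json: '
    'failed fetching OIDC configuration from endpoint https://idp.example.com/.well-known/openid-configuration '
    'Get "https://idp.example.com/.well-known/openid-configuration": tls: failed to verify certificate: '
    'x509: certificate signed by unknown authority',
    '{"level":"error","logger":"http.log.error","msg":"dial tcp 172.18.0.7:80: connect: connection refused",'
    '"request":{"method":"GET","host":"netbird.example.com","uri":"/api/users"},"status":502}',
    'management-1 | 2024-05-15T16:59:44Z INFO management/cmd/management.go:455: loading OIDC configuration',
]

# Plain-text management log: TLS verification failure on an outbound HTTPS GET.
X509_RE = re.compile(r'Get "(https://[^"]+)": tls: failed to verify certificate: (x509: .+)$')
# JSON proxy log: the upstream address the proxy could not connect to.
DIAL_RE = re.compile(r'dial tcp (\S+): connect: connection refused')

def classify(line):
    """Return a finding dict for a known failure signature, or None."""
    line = line.strip()
    if line.startswith('{'):  # structured reverse-proxy log entry
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            return None
        m = DIAL_RE.search(rec.get('msg', ''))
        if m and rec.get('status') == 502:
            uri = rec.get('request', {}).get('uri')
            return {'cause': 'upstream_refused', 'upstream': m.group(1), 'uri': uri}
        return None
    m = X509_RE.search(line)
    if m:  # management could not validate the IdP's certificate chain
        return {'cause': 'idp_cert_untrusted', 'url': m.group(1), 'detail': m.group(2)}
    return None

def triage(lines):
    """Classify every line and keep only the recognised failures."""
    return [f for f in map(classify, lines) if f]

if __name__ == '__main__':
    # Pipe container logs in on stdin, or run with no input to see the sample output.
    source = SAMPLE_LOGS if sys.stdin.isatty() else sys.stdin
    for finding in triage(source):
        print(finding)
```

An `idp_cert_untrusted` finding corresponds to the case one poster resolved by mounting the host's CA certificate directory into the container; `upstream_refused` shows which internal address the proxy tried for the dashboard's API call.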