Stuck on loading screen on "/peers" (Authentik)
Describe the problem
I'm trying to set up a NetBird self-hosted instance with Authentik as IdP. The client ID and the provider are correct, as I see a connection on the service user in Authentik.
The problem is that I can't even reach the initial setup; the dashboard is stuck loading on "/peers" just after the authentication via Authentik.
The only error I see in the docker compose logs is this one:
`management-1 | 2024-12-09T19:19:48Z WARN [context: SYSTEM] management/server/account.go:1114: failed warming up cache due to error: invalid character ';' looking for beginning of value`
Note that both my Authentik and my NetBird are behind an Nginx reverse proxy. Ask me for the configuration if needed.
Here is my setup.env: (sensitive data replaced)
## example file, you can copy this file to setup.env and update its values
##
# Image tags
# you can force specific tags for each component; will be set to latest if empty
NETBIRD_DASHBOARD_TAG=""
NETBIRD_SIGNAL_TAG=""
NETBIRD_MANAGEMENT_TAG=""
COTURN_TAG=""
NETBIRD_RELAY_TAG=""
# Dashboard domain. e.g. app.mydomain.com
NETBIRD_DOMAIN="nb.redacted.com"
TURN_MIN_PORT=49152
TURN_MAX_PORT=52000
# TURN server domain. e.g. turn.mydomain.com
# if not specified it will assume NETBIRD_DOMAIN
NETBIRD_TURN_DOMAIN=""
# TURN server public IP address
# required for a connection involving peers in
# the same network as the server and external peers
# usually matches the IP for the domain set in NETBIRD_TURN_DOMAIN
NETBIRD_TURN_EXTERNAL_IP=""
# -------------------------------------------
# OIDC
# e.g., https://example.eu.auth0.com/.well-known/openid-configuration
# -------------------------------------------
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://authentik.redacted.com/application/o/netbird/.well-known/openid-configuration"
NETBIRD_AUTH_AUDIENCE="<My client ID>"
NETBIRD_AUTH_CLIENT_ID="<My client ID>"
NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
NETBIRD_USE_AUTH0="false"
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="authentik"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="<My client ID>"
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
# -------------------------------------------
# OIDC PKCE Authorization Flow
# -------------------------------------------
# Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative
# eg. 53000,54000
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"
# -------------------------------------------
# IDP Management
# -------------------------------------------
# eg. zitadel, auth0, azure, keycloak
NETBIRD_MGMT_IDP="authentik"
# Some IDPs requires different client id and client secret for management api
NETBIRD_IDP_MGMT_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
NETBIRD_IDP_MGMT_CLIENT_SECRET=""
NETBIRD_IDP_MGMT_EXTRA_USERNAME="Netbird"
NETBIRD_IDP_MGMT_EXTRA_PASSWORD="<Service account password>"
# -------------------------------------------
# Letsencrypt
# -------------------------------------------
NETBIRD_DISABLE_LETSENCRYPT=true
NETBIRD_LETSENCRYPT_EMAIL="<my email>"
# -------------------------------------------
# Extra settings
# -------------------------------------------
# Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
NETBIRD_DISABLE_ANONYMOUS_METRICS=false
# DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
NETBIRD_MGMT_DNS_DOMAIN=netbird.vpn.localdomain
# -------------------------------------------
# Relay settings
# -------------------------------------------
# Relay server domain. e.g. relay.mydomain.com
# if not specified it will assume NETBIRD_DOMAIN
NETBIRD_RELAY_DOMAIN=""
# Relay server connection port. If none is supplied
# it will default to 33080
NETBIRD_RELAY_PORT=""
My management.json:
```json
{
  "Stuns": [
    {
      "Proto": "udp",
      "URI": "stun:nb.redacted.com:3478",
      "Username": "",
      "Password": ""
    }
  ],
  "TURNConfig": {
    "TimeBasedCredentials": false,
    "CredentialsTTL": "12h0m0s",
    "Secret": "secret",
    "Turns": [
      {
        "Proto": "udp",
        "URI": "turn:nb.redacted.com:3478",
        "Username": "self",
        "Password": "password"
      }
    ]
  },
  "Relay": {
    "Addresses": [
      "rel://nb.redacted.com:33080"
    ],
    "CredentialsTTL": "24h0m0s",
    "Secret": "password"
  },
  "Signal": {
    "Proto": "https",
    "URI": "nb.redacted.com:10000",
    "Username": "",
    "Password": ""
  },
  "Datadir": "/var/lib/netbird/",
  "DataStoreEncryptionKey": "password",
  "HttpConfig": {
    "LetsEncryptDomain": "",
    "CertFile": "",
    "CertKey": "",
    "AuthAudience": "<My client ID>",
    "AuthIssuer": "https://authentik.redacted.com/application/o/netbird/",
    "AuthUserIDClaim": "",
    "AuthKeysLocation": "https://authentik.redacted.com/application/o/netbird/jwks/",
    "OIDCConfigEndpoint": "https://authentik.redacted.com/application/o/netbird/.well-known/openid-configuration",
    "IdpSignKeyRefreshEnabled": false,
    "ExtraAuthAudience": ""
  },
  "IdpManagerConfig": {
    "ManagerType": "authentik",
    "ClientConfig": {
      "Issuer": "https://authentik.redacted.com/application/o/netbird",
      "TokenEndpoint": "https://authentik.redacted.com/application/o/token/",
      "ClientID": "<My client ID>",
      "ClientSecret": "",
      "GrantType": "client_credentials"
    },
    "ExtraConfig": {
      "Password": "password",
      "Username": "Netbird"
    },
    "Auth0ClientCredentials": null,
    "AzureClientCredentials": null,
    "KeycloakClientCredentials": null,
    "ZitadelClientCredentials": null
  },
  "DeviceAuthorizationFlow": {
    "Provider": "hosted",
    "ProviderConfig": {
      "ClientID": "<My client ID>",
      "ClientSecret": "",
      "Domain": "authentik.redacted.com",
      "Audience": "<My client ID>",
      "TokenEndpoint": "https://authentik.redacted.com/application/o/token/",
      "DeviceAuthEndpoint": "https://authentik.redacted.com/application/o/device/",
      "AuthorizationEndpoint": "",
      "Scope": "openid",
      "UseIDToken": false,
      "RedirectURLs": null
    }
  },
  "PKCEAuthorizationFlow": {
    "ProviderConfig": {
      "ClientID": "<My client ID>",
      "ClientSecret": "",
      "Domain": "",
      "Audience": "<My client ID>",
      "TokenEndpoint": "https://authentik.redacted.com/application/o/token/",
      "DeviceAuthEndpoint": "",
      "AuthorizationEndpoint": "https://authentik.redacted.com/application/o/authorize/",
      "Scope": "openid profile email offline_access api",
      "UseIDToken": false,
      "RedirectURLs": [
        "http://localhost:53000"
      ]
    }
  },
  "StoreConfig": {
    "Engine": "sqlite"
  },
  "ReverseProxy": {
    "TrustedHTTPProxies": [],
    "TrustedHTTPProxiesCount": 0,
    "TrustedPeers": [
      "0.0.0.0/0"
    ]
  }
}
```
Are you using NetBird Cloud? No
NetBird version: v0.34.1
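The warm-up message quoted in the post above is worth decoding before touching any config. "invalid character ';' looking for beginning of value" is the wording of Go's `encoding/json` decoder: the body it was handed starts with `;` rather than a JSON value, so whatever answered the management server's call to the IdP API (Authentik itself, or the proxy in front of it) did not return the JSON it expected. NetBird does not log that body, so the practical check is to repeat the call with `curl -i` and look at it. The helper below is an added example, not NetBird's code; it sorts a captured reply into the cases a reverse-proxy setup produces, and the three sample replies are constructed, not captured from a real deployment.

```python
"""Triage a non-JSON reply from an IdP API call (added example, not NetBird code)."""
import json


def first_non_ws(body: str) -> str:
    """The first non-whitespace character, which is what the JSON decoder reports."""
    for ch in body:
        if ch not in " \t\r\n":
            return ch
    return ""


def triage(status: int, content_type: str, body: str):
    """Return (kind, detail) for one HTTP reply.

    kind is 'json' (decoded fine), 'html' (a proxy error page or a login page
    replaced the API reply), 'empty', or 'other' (quoted like the Go error).
    """
    try:
        json.loads(body)
        return "json", f"HTTP {status}: valid JSON, {len(body)} bytes"
    except ValueError:
        pass
    stripped = body.strip()
    if not stripped:
        return "empty", f"HTTP {status}: empty body, upstream did not answer"
    if stripped.startswith("<") or "text/html" in content_type.lower():
        return "html", f"HTTP {status}: HTML instead of JSON: {stripped[:60]!r}"
    ch = first_non_ws(body)
    return "other", (f"HTTP {status}: invalid character {ch!r} looking for "
                     f"beginning of value; body starts {stripped[:60]!r}")


# Constructed sample replies (placeholders, not real captures).
NGINX_502 = "<html>\r\n<head><title>502 Bad Gateway</title></head>\r\n<body>...</body></html>"
AUTHENTIK_OK = '{"pagination": {"count": 1}, "results": [{"username": "Netbird"}]}'
ODD_BODY = "; a non-JSON body whose first byte is a semicolon (constructed)"

if __name__ == "__main__":
    for reply in ((502, "text/html", NGINX_502),
                  (200, "application/json", AUTHENTIK_OK),
                  (200, "text/plain", ODD_BODY)):
        kind, detail = triage(*reply)
        print(f"{kind:5s} {detail}")
```

Run it against the body and `Content-Type` of the same request the management container makes (from inside that container, so it goes through the same DNS and proxy path). An `html` result means the proxy or IdP answered with a page, which is a routing or authentication problem in front of the API rather than a NetBird bug.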
It happens to me as well when I enter my netbird.my-domain.tld page.
I'm using self-hosted Zitadel. I wondered if it was the setting of `NETBIRD_AUTH_REDIRECT_URI="/auth"` (I did this while following the guide, and I tried to change that in the `docker-compose.yml` back to the commented-out version (which was `#NETBIRD_AUTH_REDIRECT_URI="/peers"`), but then I got
`{"error":"invalid_request","error_description":"The requested redirect_uri is missing in the client configuration. If you have any questions, you may contact the administrator of the application."}`
after reloading the page. So I reverted to the `/auth` version suggested by the guide, which btw was filled in by the `./configure.sh` script that takes all the variables from `setup.env` and puts them in the various NetBird config files (`docker-compose.yml`, `management.json`, etc.).
No matter what I do, I always end up on the netbird.my-domain.tld/peers page, where NetBird seems to do an endless search for peers or something like that.
I'm using Traefik as my reverse proxy
I think my issue is related to yours. At least I was experiencing the same behaviour. In my case I was using Google as my IdP and I had to comment out any configuration in setup.env related to NETBIRD_MGMT_<...> and NETBIRD_IDP_MGMT_<...>. Does this solve something for you?
I think I've solved by doing a few things (but I'm not sure if they were what fixed it)
- adding the `NETBIRD_MGMT_API_PORT=443`, `NETBIRD_SIGNAL_PORT=443` vars to the `setup.env`, then re-running the `configure.sh` script
- generating a new client secret in Zitadel to put in place of the previous one at `NETBIRD_IDP_MGMT_CLIENT_SECRET` (again, in `setup.env`)
- composing down then up with `--force-recreate` the Traefik and Netbird containers
Has someone solved the issue when using Authentik and nginx?
I've tried every suggested solution in every post I could find. So far none have worked for me. NGINX PM, self-hosted using Authentik...
I also found this, is this an issue running on the same port?
```text
dashboard-1   | NetBird latest version:
management-1  | 2024-12-28T03:22:26Z INFO [context: SYSTEM] management/cmd/management.go:322: running gRPC backward compatibility server: [::]:33073
management-1  | 2024-12-28T03:22:26Z INFO [context: SYSTEM] management/cmd/management.go:354: management server version 0.35.1
management-1  | 2024-12-28T03:22:26Z INFO [context: SYSTEM] management/cmd/management.go:355: running HTTP server and gRPC server on the same port: [::]:443
```
I found there is an issue with the latest version of netbird management, netbirdio/management:latest.
Even doing curl manually from inside the nginx docker container doesn't work: `curl https://netbird-management:443/api/users` or `curl http://netbird-management:443/api/users`
The solution for me was to abandon Authentik and use Zitadel. I know it's not a solution if you want to use Authentik, but at least (for me) it works. It was an easy choice because I didn't have any IdP configured yet and nothing around it, but I imagine that's not always the case.
I tried the same, completely blew away my install, created a Zitadel model, and still got stuck on ..../peers. Can you share your redacted setup.env and port rules? I put 9 hours into this yesterday. I'm still apologizing to my wife for burning our Saturday. On the plus side, I fired up VS Code for the first time in about a year, got re-acquainted with it, and found some nice extensions to install.
At the moment I'm not home, but I can say, from what I remember, that for me too changing NETBIRD_MGMT_API_PORT and NETBIRD_SIGNAL_PORT to 443 (as @kocey131 did) fixed the issue. Or I should say adding, instead of changing, because strangely those vars weren't in the setup.env.example at all when I git cloned the repo. Idk why that was a thing, but if they are needed, this must be fixed.
Hello, after struggling for some time I finally fixed mine and was able to get past the /peers screen. What did the trick was changing NETBIRD_MGMT_API_PORT and NETBIRD_SIGNAL_PORT to both 443.
Then somehow running ./configure.sh did not change it to 443 in my docker compose file, so I did it by hand while assigning different host ports to the containers.
Here is my setup.env for reference:
NETBIRD_DASHBOARD_TAG=""
NETBIRD_SIGNAL_TAG=""
NETBIRD_MANAGEMENT_TAG=""
COTURN_TAG=""
NETBIRD_RELAY_TAG=""
NETBIRD_DOMAIN="YOUR_DOMAIN_HERE"
NETBIRD_DISABLE_LETSENCRYPT=true
NETBIRD_MGMT_API_PORT=443
NETBIRD_SIGNAL_PORT=443
NETBIRD_TURN_DOMAIN=""
NETBIRD_TURN_EXTERNAL_IP="192.168.20.20"
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://authentik.home.yourdomain.com/application/o/netbird/.well-known/openid-configuration"
NETBIRD_AUTH_AUDIENCE="CrLRMKXZqcGW13V0Mauot36gIPioEkg6mzu9YtFO"
NETBIRD_AUTH_CLIENT_ID="CrLRMKXZqcGW13V0Mauot36gIPioEkg6mzu9YtFO"
NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
NETBIRD_USE_AUTH0="false"
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="CrLRMKXZqcGW13V0Mauot36gIPioEkg6mzu9YtFO"
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="CrLRMKXZqcGW13V0Mauot36gIPioEkg6mzu9YtFO"
NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"
NETBIRD_MGMT_IDP="authentik"
NETBIRD_IDP_MGMT_CLIENT_ID="CrLRMKXZqcGW13V0Mauot36gIPioEkg6mzu9YtFO"
NETBIRD_IDP_MGMT_EXTRA_USERNAME="Netbird"
NETBIRD_IDP_MGMT_EXTRA_PASSWORD="kLIAf9Gy6WvQBApbkajLqzSLfpZDrySYbm1VahFcmCUt0twOufiINcs9H0Qd"
#NETBIRD_IDP_MGMT_CLIENT_SECRET=""
My docker-compose.yml file:
```yaml
version: "3"
services:
  #UI dashboard
  dashboard:
    image: netbirdio/dashboard:latest
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://YOUR_DOMAIN_HERE:443
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://YOUR_DOMAIN_HERE:443
      # OIDC
      - AUTH_AUDIENCE=CrLRMKXZqcGW13V0Mauot36gIPioEkg6mzu9YtFO
      - AUTH_CLIENT_ID=CrLRMKXZqcGW13V0Mauot36gIPioEkg6mzu9YtFO
      - AUTH_CLIENT_SECRET=
      - AUTH_AUTHORITY=https://authentik.YOUR_DOMAIN_HERE/application/o/netbird/
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
      - AUTH_REDIRECT_URI=
      - AUTH_SILENT_REDIRECT_URI=
      - NETBIRD_TOKEN_SOURCE=accessToken
      # SSL
      - NGINX_SSL_PORT=443
      # Letsencrypt
      - LETSENCRYPT_DOMAIN=
      - LETSENCRYPT_EMAIL=
    volumes:
      - netbird-letsencrypt:/etc/letsencrypt/
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    volumes:
      - netbird-signal:/var/lib/netbird
    ports:
      - 4433:443
      # # port and command for Let's Encrypt validation
      # - 443:443
    # command: ["--letsencrypt-domain", "", "--log-file", "console"]
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Relay
  relay:
    image: netbirdio/relay:latest
    restart: unless-stopped
    environment:
      - NB_LOG_LEVEL=info
      - NB_LISTEN_ADDRESS=:33080
      - NB_EXPOSED_ADDRESS=YOUR_DOMAIN_HERE:33080
      # todo: change to a secure secret
      - NB_AUTH_SECRET=AIXKqao2mSAq7WuoNR1plgdpjsO3NdimirrVk7RwSO4
    ports:
      - 33080:33080
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Management
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - netbird-letsencrypt:/etc/letsencrypt:ro
      - ./management.json:/etc/netbird/management.json
    ports:
      - 4430:443 #API port
    # # command for Let's Encrypt validation without dashboard container
    # command: ["--letsencrypt-domain", "", "--log-file", "console"]
    command: [
      "--port", "443",
      "--log-file", "console",
      "--log-level", "info",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain=YOUR_DOMAIN_HERE",
      "--dns-domain=netbird.selfhosted"
    ]
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
    environment:
      - NETBIRD_STORE_ENGINE_POSTGRES_DSN=
  # Coturn
  coturn:
    image: coturn/coturn:latest
    restart: unless-stopped
    #domainname: YOUR_DOMAIN_HERE # only needed when TLS is enabled
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
      # - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
      # - ./cert.pem:/etc/coturn/certs/cert.pem:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
volumes:
  netbird-mgmt:
  netbird-signal:
  netbird-letsencrypt:
```
I got this to run behind nginx proxy manager by adding the following configuration under Advanced then Custom nginx configuration:
```nginx
location /api {
    proxy_pass http://192.168.20.20:4430;
    proxy_set_header Connection $http_connection;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
location /management.ManagementService/ {
    grpc_pass grpcs://192.168.20.20:4430;
}
location /signalexchange.SignalExchange/ {
    grpc_pass grpcs://192.168.20.20:4433;
}
```
For nginx I found this and it works too : https://github.com/netbirdio/netbird/issues/2043#issuecomment-2384470230
However I am met with another error when trying to set up a peer : error: failed while getting Management Service public key so i'll probably try to look into this again tomorrow...
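Two things in the posts above decide whether the dashboard gets past `/peers` behind a TLS-terminating proxy: the ports `configure.sh` writes into the dashboard's `NETBIRD_MGMT_API_ENDPOINT` and the management `Signal.URI` (the browser calls whatever port is in there, so it must be the port the proxy actually serves), and the scheme nginx uses towards the containers (with `LetsEncryptDomain`/`CertFile` empty, as in every `management.json` in this thread, the management and signal containers speak plaintext HTTP and h2c, so `grpcs://` and `https://` upstreams cannot complete a handshake). The script below is an added example, not part of NetBird or `configure.sh`: it parses a `setup.env` the way the script sources it, reports both mismatches, and checks an nginx snippet for the upstream scheme. The 33073/10000 defaults are an assumption taken from the ports visible in the configs posted above, and the sample `setup.env` and nginx snippet are constructed placeholders.

```python
"""Consistency check for a NetBird setup.env + nginx snippet (added example, not NetBird code)."""
import re

DEFAULT_MGMT_API_PORT = "33073"  # assumed default when NETBIRD_MGMT_API_PORT is absent
DEFAULT_SIGNAL_PORT = "10000"    # assumed default when NETBIRD_SIGNAL_PORT is absent

_ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")
_UPSTREAM = re.compile(r"\b(proxy_pass|grpc_pass)\s+(\w+)://")


def parse_setup_env(text):
    """Parse shell-style KEY=VALUE lines: skip comments, strip quotes, expand $VAR."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _ASSIGN.match(line)
        if not line or line.startswith("#") or not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        quote = val[:1] if val[:1] in ("'", '"') else ""
        if quote and len(val) >= 2 and val.endswith(quote):
            val = val[1:-1]
        else:
            val = val.split(" #", 1)[0].strip()      # drop a trailing comment
        if quote != "'":                             # single quotes suppress expansion
            val = _REF.sub(lambda mm: env.get(mm.group(1), ""), val)
        env[key] = val
    return env


def check_env(env):
    """Findings about the ports and IdP settings; an empty list means consistent."""
    findings = []
    proxied = env.get("NETBIRD_DISABLE_LETSENCRYPT", "").lower() == "true"
    domain = env.get("NETBIRD_DOMAIN", "")
    mgmt_port = env.get("NETBIRD_MGMT_API_PORT") or DEFAULT_MGMT_API_PORT
    signal_port = env.get("NETBIRD_SIGNAL_PORT") or DEFAULT_SIGNAL_PORT
    if proxied and mgmt_port != "443":
        findings.append(f"dashboard will call https://{domain}:{mgmt_port}; "
                        "set NETBIRD_MGMT_API_PORT=443 when the proxy serves 443")
    if proxied and signal_port != "443":
        findings.append(f"peers will be told to use signal {domain}:{signal_port}; "
                        "set NETBIRD_SIGNAL_PORT=443 when the proxy serves 443")
    oidc = env.get("NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT", "")
    if not oidc.endswith("/.well-known/openid-configuration"):
        findings.append("NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT is not a discovery URL")
    if env.get("NETBIRD_AUTH_AUDIENCE") != env.get("NETBIRD_AUTH_CLIENT_ID"):
        findings.append("NETBIRD_AUTH_AUDIENCE differs from NETBIRD_AUTH_CLIENT_ID "
                        "(every Authentik config in this thread sets them equal)")
    if env.get("NETBIRD_MGMT_IDP") == "authentik":
        for key in ("NETBIRD_IDP_MGMT_EXTRA_USERNAME", "NETBIRD_IDP_MGMT_EXTRA_PASSWORD"):
            if not env.get(key):
                findings.append(f"{key} is empty; the Authentik manager needs the service account")
    return findings


def check_proxy(nginx_snippet, env):
    """With Let's Encrypt disabled the containers have no certificate, so nginx must
    reach them in plaintext: http:// for /api and grpc:// for the gRPC services."""
    findings = []
    if env.get("NETBIRD_DISABLE_LETSENCRYPT", "").lower() != "true":
        return findings
    for directive, scheme in _UPSTREAM.findall(nginx_snippet):
        if scheme in ("https", "grpcs"):
            plain = "http" if directive == "proxy_pass" else "grpc"
            findings.append(f"{directive} uses {scheme}:// towards a plaintext upstream; use {plain}://")
    return findings


# Constructed samples mirroring the shape of the files posted in this thread.
SAMPLE_ENV = """\
NETBIRD_DOMAIN="nb.example.com"
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://authentik.example.com/application/o/netbird/.well-known/openid-configuration"
NETBIRD_AUTH_AUDIENCE="client-id-placeholder"
NETBIRD_AUTH_CLIENT_ID="client-id-placeholder"
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
NETBIRD_MGMT_IDP="authentik"
NETBIRD_IDP_MGMT_EXTRA_USERNAME="Netbird"
NETBIRD_IDP_MGMT_EXTRA_PASSWORD="service-account-password"
NETBIRD_DISABLE_LETSENCRYPT=true
"""
SAMPLE_NGINX = """\
location /api { proxy_pass http://192.0.2.10:4430; }
location /management.ManagementService/ { grpc_pass grpcs://192.0.2.10:4430; }
location /signalexchange.SignalExchange/ { grpc_pass grpcs://192.0.2.10:4433; }
"""

if __name__ == "__main__":
    env = parse_setup_env(SAMPLE_ENV)
    for f in check_env(env) + check_proxy(SAMPLE_NGINX, env):
        print("-", f)
    fixed = parse_setup_env(SAMPLE_ENV + "NETBIRD_MGMT_API_PORT=443\nNETBIRD_SIGNAL_PORT=443\n")
    print("after adding the two port variables:", check_env(fixed))
```

Point it at your real `setup.env` and the nginx `location` block before running `./configure.sh`; the two port findings disappear once `NETBIRD_MGMT_API_PORT=443` and `NETBIRD_SIGNAL_PORT=443` are present, which is the change the posts above converged on.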
Hi and thank you. Hmmmm, I've tried to mirror your config with my values... no change. Your setup looks like you are running it in a dedicated VM; I am too, but I'm running it on my Docker host VM so I had to change the initial ports of 80 & 443 to 1280 & 12443 respectively. I tried with and without the NGINX PM Advanced setting you provided. I'll dig deeper next week.
I seem to have the same CORS issue listed here
i used debian 12 in a VM, used the script:
export NETBIRD_DOMAIN=netbird.REDACTED.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started-with-zitadel.sh | bash
And now am stuck in the exact same position....
Edit: Seems to be an Issue with Firewall/Ports! Even though i have:
```text
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
33073/tcp                  ALLOW       Anywhere
10000/tcp                  ALLOW       Anywhere
33080/tcp                  ALLOW       Anywhere
3478/udp                   ALLOW       Anywhere
49152:65535/udp            ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
33073/tcp (v6)             ALLOW       Anywhere (v6)
10000/tcp (v6)             ALLOW       Anywhere (v6)
33080/tcp (v6)             ALLOW       Anywhere (v6)
3478/udp (v6)              ALLOW       Anywhere (v6)
49152:65535/udp (v6)       ALLOW       Anywhere (v6)
```
when i use ufw disable it just works.
I am also getting the same error with Google Idp. I have tried disabling the firewall as suggested by @haldi4803, but it did not fix the issue.
@haldi4803 where did you use ufw disable, in Docker compose or did you pass it into the install script? I had to drop this for a few weeks after burning myself out trying to find a solution. Thinking about trying again this weekend...
@nmincone in the Debian VM.
hmmm I'm running Debian, don't think this applies to my installation.
I'm not sure if you were able to solve this or not, but here are my configs that are working with Traefik, Authentik, Crowdsec, and Netbird on the same host, only exposing 80 and 443 on TCP.
I think its important to note that the peers page failing to load is usually a sign that the management service is having some problems. I would start by checking the logs for that container.
https://github.com/twoleftankles/Single-Stack/tree/63930c292decf9c7049245d6342c2cae82677928/docker-compose/netbird/infrastructure_files
In my case it was caused by a firewall problem: NAT reflection/hairpin on the router in front of it did not work properly. The web interface worked in general, but it often got stuck. Not sure why it worked at all with that issue.
It looks like the containers communicate internally via the public DNS name/IP address.
It would be better to communicate internally directly via docker names, otherwise the traffic might have to go via external routers/firewalls.
Maybe this is just a matter of the getting-started-with-zitadel.sh script which I used to set up my server.
I'm using traefik as forward proxy and solved this issue by setting the Content-Security-Policy of authentik:
`traefik.http.middlewares.contentsec.headers.contentsecuritypolicy=frame-ancestors 'self' https://<URL to netbird>;`
Documentation: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
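The fix in the comment above works on the framing rules: the dashboard's `AUTH_SILENT_REDIRECT_URI` flow renews tokens by loading the IdP in a hidden iframe (silent renewal in OIDC browser clients runs that way), and the `frame-ancestors` directive on the IdP's response, or `X-Frame-Options` when no `frame-ancestors` is present, decides whether the dashboard origin may do that. The evaluator below is an added example, not code from Authentik, Traefik or NetBird; it applies those rules to constructed headers, and `authentik.example.com` / `nb.example.com` are placeholder origins.

```python
"""Decide whether the IdP response headers let the NetBird origin frame it (added example)."""
from urllib.parse import urlsplit


def _origin_parts(origin):
    """(scheme, host, port) with the scheme's default port filled in."""
    u = urlsplit(origin)
    port = u.port or (443 if u.scheme == "https" else 80)
    return u.scheme, (u.hostname or "").lower(), port


def _source_matches(src, framer, self_origin):
    """Match one frame-ancestors source expression against the framing origin."""
    src = src.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return _origin_parts(framer) == _origin_parts(self_origin)
    if src.startswith("'"):                      # other keywords never match an origin
        return False
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:     # scheme-source, e.g. https:
        return _origin_parts(framer)[0] == src[:-1]
    if "://" not in src:                         # host-source without scheme
        src = _origin_parts(framer)[0] + "://" + src
    s_scheme, s_host, s_port = _origin_parts(src)
    f_scheme, f_host, f_port = _origin_parts(framer)
    if s_scheme != f_scheme or s_port != f_port:
        return False
    if s_host.startswith("*."):                  # wildcard matches subdomains only
        return f_host.endswith(s_host[1:])
    return s_host == f_host


def framing_allowed(headers, framer, self_origin):
    """headers: dict with lowercase names. A frame-ancestors directive wins;
    X-Frame-Options is consulted only when CSP does not cover framing."""
    csp = headers.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = tokens[1:] or ["'none'"]   # empty source list matches nothing
            return any(_source_matches(s, framer, self_origin) for s in sources)
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin_parts(framer) == _origin_parts(self_origin)
    return True                                  # no framing restriction at all


# Constructed placeholders.
IDP = "https://authentik.example.com"
DASHBOARD = "https://nb.example.com"
SCENARIOS = {
    "default 'self' only":      {"content-security-policy": "frame-ancestors 'self'"},
    "allow-list the dashboard": {"content-security-policy": "frame-ancestors 'self' https://nb.example.com"},
    "legacy X-Frame-Options":   {"x-frame-options": "SAMEORIGIN"},
}

if __name__ == "__main__":
    for name, hdrs in SCENARIOS.items():
        print(f"{name:26s} -> dashboard may frame IdP: {framing_allowed(hdrs, DASHBOARD, IDP)}")
```

The allow-list should name only the dashboard origin, as the Traefik label above does; `*` or a bare `https:` would let any site embed the login page, which is what `frame-ancestors` exists to prevent.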
Just to clarify... with these kinds of services consider using split-brain DNS; hairpin is not an ideal solution because of the loop you make WAN>LAN>WAN.
I am going crazy, I can't get netbird + authentik + nginx-proxy-manager working. Here are my settings and configs:
setup.env
## example file, you can copy this file to setup.env and update its values
##
# Image tags
# you can force specific tags for each component; will be set to latest if empty
NETBIRD_DASHBOARD_TAG=""
NETBIRD_SIGNAL_TAG=""
NETBIRD_MANAGEMENT_TAG=""
COTURN_TAG=""
NETBIRD_RELAY_TAG=""
# Dashboard domain. e.g. app.mydomain.com
NETBIRD_DOMAIN="netbird.MYDOMAIN.de"
# TURN server domain. e.g. turn.mydomain.com
# if not specified it will assume NETBIRD_DOMAIN
NETBIRD_TURN_DOMAIN="hetzner-01.MYDOMAIN.de"
# TURN server public IP address
# required for a connection involving peers in
# the same network as the server and external peers
# usually matches the IP for the domain set in NETBIRD_TURN_DOMAIN
NETBIRD_TURN_EXTERNAL_IP="49.xxx.xxx.xxx"
# -------------------------------------------
# OIDC
# e.g., https://example.eu.auth0.com/.well-known/openid-configuration
# -------------------------------------------
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://auth.MYDOMAIN.de/application/o/netbird/.well-known/openid-configuration"
# The default setting is to transmit the audience to the IDP during authorization. However,
# if your IDP does not have this capability, you can turn this off by setting it to false.
#NETBIRD_DASH_AUTH_USE_AUDIENCE=false
NETBIRD_AUTH_AUDIENCE="XygzTCj9........0K0EGkXR"
# e.g. netbird-client
NETBIRD_AUTH_CLIENT_ID="XygzTCj9........0K0EGkXR"
# indicates the scopes that will be requested to the IDP
NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
# NETBIRD_AUTH_CLIENT_SECRET is required only by Google workspace.
# NETBIRD_AUTH_CLIENT_SECRET=""
# if you want to use a custom claim for the user ID instead of 'sub', set it here
# NETBIRD_AUTH_USER_ID_CLAIM=""
# indicates whether to use Auth0 or not: true or false
NETBIRD_USE_AUTH0="false"
# if your IDP provider doesn't support fragmented URIs, configure custom
# redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain.
# NETBIRD_AUTH_REDIRECT_URI="/peers"
# NETBIRD_AUTH_SILENT_REDIRECT_URI="/add-peers"
# Updates the preference to use id tokens instead of access token on dashboard
# Okta and Gitlab IDPs can benefit from this
# NETBIRD_TOKEN_SOURCE="idToken"
# -------------------------------------------
# OIDC Device Authorization Flow
# -------------------------------------------
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="authentik"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="XygzTCj9........0K0EGkXR"
# Some IDPs requires different audience, scopes and to use id token for device authorization flow
# you can customize here:
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
#NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
# -------------------------------------------
# OIDC PKCE Authorization Flow
# -------------------------------------------
# Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative
# eg. 53000,54000
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"
# -------------------------------------------
# IDP Management
# -------------------------------------------
# eg. zitadel, auth0, azure, keycloak
NETBIRD_MGMT_IDP="authentik"
# Some IDPs requires different client id and client secret for management api
NETBIRD_IDP_MGMT_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
NETBIRD_IDP_MGMT_CLIENT_SECRET=""
# Required when setting up with Keycloak "https://<YOUR_KEYCLOAK_HOST_AND_PORT>/admin/realms/netbird"
# NETBIRD_IDP_MGMT_EXTRA_ADMIN_ENDPOINT=
# With some IDPs may be needed enabling automatic refresh of signing keys on expire
# NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=false
# NETBIRD_IDP_MGMT_EXTRA_ variables. See https://docs.netbird.io/selfhosted/identity-providers for more information about your IDP of choice.
NETBIRD_IDP_MGMT_EXTRA_USERNAME="NetbirdServiceAcc"
NETBIRD_IDP_MGMT_EXTRA_PASSWORD="KcxH2RdJ.....(app-password, not api-token).......baRHpvv"
# -------------------------------------------
# Letsencrypt
# -------------------------------------------
# Disable letsencrypt
# if disabled, cannot use HTTPS anymore and requires setting up a reverse-proxy to do it instead
NETBIRD_DISABLE_LETSENCRYPT=true
# e.g. [email protected]
NETBIRD_LETSENCRYPT_EMAIL=""
# -------------------------------------------
# Extra settings
# -------------------------------------------
# Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
NETBIRD_DISABLE_ANONYMOUS_METRICS=false
# DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted
# -------------------------------------------
# Relay settings
# -------------------------------------------
# Relay server domain. e.g. relay.mydomain.com
# if not specified it will assume NETBIRD_DOMAIN
NETBIRD_RELAY_DOMAIN=""
# Relay server connection port. If none is supplied
# it will default to 33080
NETBIRD_RELAY_PORT=""
NETBIRD_MGMT_API_PORT=3448
NETBIRD_SIGNAL_PORT=3449
- `https://auth.MYDOMAIN.de/application/o/netbird/.well-known/openid-configuration` is accessible without issues
- run `./configure.sh`
artifacts/docker-compose.yml
I changed some exposed ports in the template and added the NginxReverseproxymanager Docker-Network at the bottom and on every service, so that i can access the containers by their hostname:
```yaml
services:
  # UI dashboard
  dashboard:
    image: netbirdio/dashboard:latest
    restart: unless-stopped
    container_name: nb-dashboard
    networks:
      - reverse-proxy-network
    ports:
      - 87:80
      - 447:443
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://netbird.MYDOMAIN.de:3448
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.MYDOMAIN.de:3448
      # OIDC
      - AUTH_AUDIENCE=XygzTCj9........0K0EGkXR
      - AUTH_CLIENT_ID=XygzTCj9........0K0EGkXR
      - AUTH_CLIENT_SECRET=
      - AUTH_AUTHORITY=https://auth.MYDOMAIN.de/application/o/netbird/
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
      - AUTH_REDIRECT_URI=
      - AUTH_SILENT_REDIRECT_URI=
      - NETBIRD_TOKEN_SOURCE=accessToken
      # SSL
      - NGINX_SSL_PORT=443
      # Letsencrypt
      - LETSENCRYPT_DOMAIN=
      - LETSENCRYPT_EMAIL=
    volumes:
      - netbird-letsencrypt:/etc/letsencrypt/
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    container_name: nb-signal
    networks:
      - reverse-proxy-network
    volumes:
      - netbird-signal:/var/lib/netbird
    ports:
      - 3449:80
      # # port and command for Let's Encrypt validation
      # - 443:443
    # command: ["--letsencrypt-domain", "", "--log-file", "console"]
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Relay
  relay:
    image: netbirdio/relay:latest
    restart: unless-stopped
    container_name: nb-relay
    networks:
      - reverse-proxy-network
    environment:
      - NB_LOG_LEVEL=info
      - NB_LISTEN_ADDRESS=:33080
      - NB_EXPOSED_ADDRESS=netbird.MYDOMAIN.de:33080
      # todo: change to a secure secret
      - NB_AUTH_SECRET=97tiTvQAEy6................02wRk5n8
    ports:
      - 33080:33080
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Management
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    container_name: nb-management
    networks:
      - reverse-proxy-network
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - netbird-letsencrypt:/etc/letsencrypt:ro
      - ./management.json:/etc/netbird/management.json
    ports:
      - 3448:443 #API port
    # # command for Let's Encrypt validation without dashboard container
    # command: ["--letsencrypt-domain", "", "--log-file", "console"]
    command: [
      "--port", "443",
      "--log-file", "console",
      "--log-level", "info",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain=netbird.MYDOMAIN.de",
      "--dns-domain=netbird.selfhosted"
    ]
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
    environment:
      - NETBIRD_STORE_ENGINE_POSTGRES_DSN=
      - NETBIRD_STORE_ENGINE_MYSQL_DSN=
  # Coturn
  coturn:
    image: coturn/coturn:latest
    restart: unless-stopped
    container_name: nb-coturn
    #domainname: hetzner-01.MYDOMAIN.de # only needed when TLS is enabled
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
      # - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
      # - ./cert.pem:/etc/coturn/certs/cert.pem:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
volumes:
  netbird-mgmt:
  netbird-signal:
  netbird-letsencrypt:
networks:
  reverse-proxy-network:
    name: npm_default
    external: true
    driver: bridge
```
artifacts/management.json
```json
{
  "Stuns": [
    {
      "Proto": "udp",
      "URI": "stun:hetzner-01.MYDOMAIN.de:3478",
      "Username": "",
      "Password": ""
    }
  ],
  "TURNConfig": {
    "TimeBasedCredentials": false,
    "CredentialsTTL": "12h0m0s",
    "Secret": "secret",
    "Turns": [
      {
        "Proto": "udp",
        "URI": "turn:hetzner-01.MYDOMAIN.de:3478",
        "Username": "self",
        "Password": "EaX8AM.......337k"
      }
    ]
  },
  "Relay": {
    "Addresses": [
      "rel://netbird.MYDOMAIN.de:33080"
    ],
    "CredentialsTTL": "24h0m0s",
    "Secret": "97tiT..........5n8"
  },
  "Signal": {
    "Proto": "https",
    "URI": "netbird.MYDOMAIN.de:3449",
    "Username": "",
    "Password": ""
  },
  "Datadir": "/var/lib/netbird/",
  "DataStoreEncryptionKey": "G8kw...................oIhM=",
  "HttpConfig": {
    "LetsEncryptDomain": "",
    "CertFile": "",
    "CertKey": "",
    "AuthAudience": "XygzTCj9........0K0EGkXR",
    "AuthIssuer": "https://auth.MYDOMAIN.de/application/o/netbird/",
    "AuthUserIDClaim": "",
    "AuthKeysLocation": "https://auth.MYDOMAIN.de/application/o/netbird/jwks/",
    "OIDCConfigEndpoint": "https://auth.MYDOMAIN.de/application/o/netbird/.well-known/openid-configuration",
    "IdpSignKeyRefreshEnabled": false,
    "ExtraAuthAudience": ""
  },
  "IdpManagerConfig": {
    "ManagerType": "authentik",
    "ClientConfig": {
      "Issuer": "https://auth.MYDOMAIN.de/application/o/netbird",
      "TokenEndpoint": "https://auth.MYDOMAIN.de/application/o/token/",
      "ClientID": "XygzTCj9........0K0EGkXR",
      "ClientSecret": "",
      "GrantType": "client_credentials"
    },
    "ExtraConfig": {
      "Password": "KcxH2Rd..............RHpvv",
      "Username": "NetbirdServiceAcc"
    },
    "Auth0ClientCredentials": null,
    "AzureClientCredentials": null,
    "KeycloakClientCredentials": null,
    "ZitadelClientCredentials": null
  },
  "DeviceAuthorizationFlow": {
    "Provider": "hosted",
    "ProviderConfig": {
      "ClientID": "XygzTCj9........0K0EGkXR",
      "ClientSecret": "",
      "Domain": "auth.MYDOMAIN.de",
      "Audience": "XygzTCj9........0K0EGkXR",
      "TokenEndpoint": "https://auth.MYDOMAIN.de/application/o/token/",
      "DeviceAuthEndpoint": "https://auth.MYDOMAIN.de/application/o/device/",
      "AuthorizationEndpoint": "",
      "Scope": "openid",
      "UseIDToken": false,
      "RedirectURLs": null
    }
  },
  "PKCEAuthorizationFlow": {
    "ProviderConfig": {
      "ClientID": "XygzTCj9........0K0EGkXR",
      "ClientSecret": "",
      "Domain": "",
      "Audience": "XygzTCj9........0K0EGkXR",
      "TokenEndpoint": "https://auth.MYDOMAIN.de/application/o/token/",
      "DeviceAuthEndpoint": "",
      "AuthorizationEndpoint": "https://auth.MYDOMAIN.de/application/o/authorize/",
      "Scope": "openid profile email offline_access api",
      "UseIDToken": false,
      "RedirectURLs": [
        "http://localhost:53000"
      ]
    }
  },
  "StoreConfig": {
    "Engine": "sqlite"
  },
  "ReverseProxy": {
    "TrustedHTTPProxies": [],
    "TrustedHTTPProxiesCount": 0,
    "TrustedPeers": [
      "0.0.0.0/0"
    ]
  }
}
```
NGINX Proxymanager config
Advanced: (I also tried the docker exposed ports 3448 for mgmt and 3449 for signal)
location /api {
    proxy_pass http://nb-management:443;
    proxy_set_header Connection $http_connection;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
location /management.ManagementService/ {
    grpc_pass grpcs://nb-management:443;
}
location /signalexchange.SignalExchange/ {
    grpc_pass grpcs://nb-signal:80;
}
Authentik
Logs
docker nb-management
2025-03-26T16:43:14Z INFO [context: SYSTEM] management/cmd/management.go:510: loading OIDC configuration from the provided IDP configuration endpoint https://auth.MYDOMAIN.de/application/o/netbird/.well-known/openid-configuration
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:515: loaded OIDC configuration from the provided IDP configuration endpoint: https://auth.MYDOMAIN.de/application/o/netbird/.well-known/openid-configuration
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:517: overriding HttpConfig.AuthIssuer with a new value https://auth.MYDOMAIN.de/application/o/netbird/, previously configured value: https://auth.MYDOMAIN.de/application/o/netbird/
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:521: overriding HttpConfig.AuthKeysLocation (JWT certs) with a new value https://auth.MYDOMAIN.de/application/o/netbird/jwks/, previously configured value: https://auth.MYDOMAIN.de/application/o/netbird/jwks/
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:526: overriding DeviceAuthorizationFlow.TokenEndpoint with a new value: https://auth.MYDOMAIN.de/application/o/token/, previously configured value: https://auth.MYDOMAIN.de/application/o/token/
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:529: overriding DeviceAuthorizationFlow.DeviceAuthEndpoint with a new value: https://auth.MYDOMAIN.de/application/o/device/, previously configured value: https://auth.MYDOMAIN.de/application/o/device/
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:537: overriding DeviceAuthorizationFlow.ProviderConfig.Domain with a new value: auth.MYDOMAIN.de, previously configured value:
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:547: overriding PKCEAuthorizationFlow.TokenEndpoint with a new value: https://auth.MYDOMAIN.de/application/o/token/, previously configured value: https://auth.MYDOMAIN.de/application/o/token/
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:550: overriding PKCEAuthorizationFlow.AuthorizationEndpoint with a new value: https://auth.MYDOMAIN.de/application/o/authorize/, previously configured value: https://auth.MYDOMAIN.de/application/o/authorize/
2025-03-26T16:43:16Z INFO management/cmd/management.go:557: Relay addresses: [rel://netbird.MYDOMAIN.de:33080]
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/telemetry/app_metrics.go:193: enabled application metrics and exposing on http://0.0.0.0:9090
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/store/store.go:258: using SQLite store engine
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/store/sql_store.go:89: Set max open db connections to 1
2025-03-26T16:43:16Z INFO management/server/migration/migration.go:142: No records in table peers, no migration needed
2025-03-26T16:43:16Z INFO management/server/migration/migration.go:142: No records in table peers, no migration needed
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/migration/migration.go:257: No plain setup keys found in table setup_keys, no migration needed
2025-03-26T16:43:16Z INFO management/server/migration/migration.go:295: Migration of plain setup key to hashed setup key completed
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/migration/migration.go:338: No rows with empty enabled found in table network_resources, no migration needed
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/migration/migration.go:352: Migration of empty enabled to default value in table network_resources completed
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/migration/migration.go:338: No rows with empty enabled found in table network_routers, no migration needed
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/migration/migration.go:352: Migration of empty enabled to default value in table network_routers completed
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:184: update config with activity store key
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/cmd/management.go:196: geolocation service has been initialized from /var/lib/netbird/
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/account_request_buffer.go:45: set account request buffer interval to 100ms
2025-03-26T16:43:16Z INFO [context: SYSTEM] management/server/account.go:196: single account mode enabled, accounts number 0
2025-03-26T16:43:18Z INFO [context: SYSTEM] management/cmd/management.go:318: running gRPC backward compatibility server: [::]:33073
2025-03-26T16:43:18Z INFO [context: SYSTEM] management/cmd/management.go:350: management server version 0.39.1
2025-03-26T16:43:18Z INFO [context: SYSTEM] management/cmd/management.go:351: running HTTP server and gRPC server on the same port: [::]:443
2025-03-26T16:43:21Z INFO [context: SYSTEM] management/server/account.go:462: 1 entries received from IdP management
2025-03-26T16:43:21Z INFO [context: SYSTEM] management/server/account.go:493: warmed up IDP cache with 0 entries for 0 accounts
I read (and I think tried, at least most of them) the following netbird gh issues:
https://github.com/netbirdio/netbird/issues/3007 Stuck on loading screen on "/peers" (Authentik)
https://github.com/netbirdio/netbird/issues/3007#issuecomment-2564843380
https://github.com/netbirdio/netbird/issues/2941 Request failed with status code 401 (Authentik)
https://github.com/netbirdio/netbird/issues/2515 Unable to authenticate with Authentik SSO
https://github.com/netbirdio/netbird/issues/2510 Netbird with NGiNX Proxy Manager and Authentik
https://github.com/netbirdio/netbird/issues/2338 Can't access dashboard - Token Invalid, Authentik
https://github.com/netbirdio/netbird/issues/2043 error: failed while getting Management Service public key
https://github.com/netbirdio/netbird/issues/2043#issuecomment-2384470230
https://github.com/netbirdio/netbird/issues/1962 netbird dashboard does not open properly
https://github.com/netbirdio/netbird/issues/1742 NGINX reverse proxy question
https://github.com/netbirdio/netbird/issues/1250 Authentik login not working: Login Error: User state: Unauthenticated
https://github.com/netbirdio/netbird/issues/536 Run netbird behind reverse proxy
Please help, I am totally clueless at this point. What can I try next? Can I provide more information?
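A consistency check over the management.json fields above, as an added example in Go (the language the management server is written in). It is not NetBird's code and does not reproduce NetBird's own validation; it applies the generic rules an OIDC resource server applies. It flags the two fields that must agree with the issuer string Authentik puts in the token (HttpConfig.AuthIssuer and IdpManagerConfig.ClientConfig.Issuer, trailing slash included), checks that AuthAudience equals the client ID (an assumption taken from the setup.env in this thread, where NETBIRD_AUTH_AUDIENCE is set to the client ID), checks that the JWKS and discovery URLs sit under the issuer, warns when ReverseProxy.TrustedPeers is 0.0.0.0/0, and shows what encoding/json reports when an IdP or proxy answers with something other than JSON. The embedded config is constructed (example.test hosts, client ID client-id-1) and mirrors the shape of the config posted above, where ClientConfig.Issuer lacks the trailing slash that AuthIssuer has.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Only the management.json fields the checks need; field names match the
// real file, unknown fields are ignored on decode.
type mgmtConfig struct {
	HttpConfig struct {
		AuthIssuer         string
		AuthAudience       string
		AuthKeysLocation   string
		OIDCConfigEndpoint string
	}
	IdpManagerConfig struct {
		ManagerType  string
		ClientConfig struct {
			Issuer   string
			ClientID string
		}
	}
	ReverseProxy struct {
		TrustedPeers []string
	}
}

// LintManagementConfig returns one finding per inconsistency; an empty
// slice means the fields it knows about agree with each other.
func LintManagementConfig(raw []byte) ([]string, error) {
	var c mgmtConfig
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("management.json is not valid JSON: %w", err)
	}
	var findings []string
	h, idp := c.HttpConfig, c.IdpManagerConfig.ClientConfig

	// The token's "iss" claim is compared byte for byte; Authentik issues
	// "https://host/application/o/<slug>/" with a trailing slash.
	if h.AuthIssuer != idp.Issuer {
		findings = append(findings, fmt.Sprintf(
			"HttpConfig.AuthIssuer %q != IdpManagerConfig.ClientConfig.Issuer %q (trailing slash counts)",
			h.AuthIssuer, idp.Issuer))
	}
	if !strings.HasSuffix(h.AuthIssuer, "/") {
		findings = append(findings, "AuthIssuer has no trailing slash; Authentik issuer URLs end with '/'")
	}
	// Assumption from this thread's setup.env: the audience is the client ID.
	if h.AuthAudience != idp.ClientID {
		findings = append(findings, "AuthAudience does not equal the OIDC client ID")
	}
	for _, u := range []string{h.AuthKeysLocation, h.OIDCConfigEndpoint} {
		if !strings.HasPrefix(u, h.AuthIssuer) {
			findings = append(findings, fmt.Sprintf("%s is not under issuer %s", u, h.AuthIssuer))
		}
	}
	for _, p := range c.ReverseProxy.TrustedPeers {
		if p == "0.0.0.0/0" || p == "::/0" {
			findings = append(findings, "ReverseProxy.TrustedPeers honours X-Forwarded-For from any source; restrict it to the proxy's address")
		}
	}
	return findings, nil
}

// ExplainIdPBody decodes a response the way a JSON client does: the body
// must be a JSON value. An HTML error page or a plain-text error from the
// proxy makes encoding/json report the first offending byte, e.g.
// "invalid character '<' looking for beginning of value".
func ExplainIdPBody(body []byte) (string, error) {
	var v map[string]any
	if err := json.Unmarshal(body, &v); err != nil {
		var se *json.SyntaxError
		if errors.As(err, &se) {
			return "", fmt.Errorf("IdP returned a non-JSON body (%s); first bytes: %q", err, truncate(body, 40))
		}
		return "", err
	}
	return "JSON object", nil
}

func truncate(b []byte, n int) string {
	if len(b) > n {
		return string(b[:n]) + "..."
	}
	return string(b)
}

// Constructed sample: same shape as the configs in this thread, with the
// issuer strings differing only by a trailing slash.
const sampleConfig = `{
  "HttpConfig": {
    "AuthIssuer": "https://auth.example.test/application/o/netbird/",
    "AuthAudience": "client-id-1",
    "AuthKeysLocation": "https://auth.example.test/application/o/netbird/jwks/",
    "OIDCConfigEndpoint": "https://auth.example.test/application/o/netbird/.well-known/openid-configuration"
  },
  "IdpManagerConfig": {
    "ManagerType": "authentik",
    "ClientConfig": {"Issuer": "https://auth.example.test/application/o/netbird", "ClientID": "client-id-1"}
  },
  "ReverseProxy": {"TrustedPeers": ["0.0.0.0/0"]}
}`

func main() {
	findings, err := LintManagementConfig([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println("finding:", f)
	}
	_, err = ExplainIdPBody([]byte("<!DOCTYPE html><html>...")) // what an HTML error page looks like to the client
	fmt.Println(err)
}
```

To run it against a real file, replace sampleConfig with the output of os.ReadFile. The TrustedPeers finding is a hardening point rather than a cause of the loading loop: with 0.0.0.0/0 the management server takes the client address from X-Forwarded-For no matter who sent the request, so only the reverse proxy's address should be listed.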
Yea... I tried again last weekend and ran into the same issue. May try again this weekend using Zitadel instead. I think I'd rather the 2FA provider be hosted externally anyway...
Made it work by modifying as follows:
In docker-compose.yml (dashboard), changed the ports from 33073 to 443
# - NETBIRD_MGMT_API_ENDPOINT=https://netbird.example.com:33073
- NETBIRD_MGMT_API_ENDPOINT=https://netbirdapi.example.com:443
# - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.example.com:33073
- NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbirdapi.example.com:443
In management.json, changed the port from 10000 to 443
"Signal": {
"Proto": "https",
"URI": "netbird.example.com:443",
"Username": "",
"Password": ""
},
Hope that helps !
Hi @Cheekie25 and @e1ke,
I'm experiencing the same issue with a new instance of Netbird and Authentik.
Changing the port to 443 unfortunately didn't help in my case.
I'm not sure whether it's just a coincidence or actually a problem with Netbird, but I noticed that you, @e1ke, used different names for the provider and the service user during setup (Service User: NetbirdServiceAcc, Provider Name: Netbird).
I had the same setup, and once I named both exactly the same (netbird), it suddenly started working.
Maybe try giving the service user and the provider the same name, @e1ke that might help.
It's best to recreate the provider in Authentik so that the new name also appears in the URL (.../o/xxx/.well-known/...).
In my case, I named both the service user and the provider netbird, and the resulting URL looked like this:
https://auth.xxx.de/application/o/netbird/.well-known/openid-configuration
I could imagine that if this really is the issue, there might be a bug where the wrong variable is used during the Authentik integration for example, where the user variable is expected, but the provider variable is mistakenly used instead.
I chose authentik Self-signed Certificate as both Signing Key and Encryption Key in the provider in Authentik. Removing it from encryption key solved the issue.
Original issue:
I'm having the same issue with Authentik & Nginx setup. Got stuck at /peers after logging through Authentik. I tried all solutions mentioned above, but unfortunately they didn't work. Here are my config files:
Nginx config
server {
    listen 0.0.0.0:443 ssl;
    listen [::0]:443 ssl;
    server_name <netbird.domain.name>;
    http2 on;
    ssl_certificate /var/lib/acme/<netbird.domain.name>/fullchain.pem;
    ssl_certificate_key /var/lib/acme/<netbird.domain.name>/key.pem;
    ssl_trusted_certificate /var/lib/acme/<netbird.domain.name>/chain.pem;
    location ^~ /.well-known/acme-challenge/ {
        root /var/lib/acme/acme-challenge;
        auth_basic off;
        auth_request off;
    }
    # $connection_upgrade is not a built-in nginx variable; the enclosing http {} context
    # must define it, e.g.: map $http_upgrade $connection_upgrade { default upgrade; '' close; }
    location / {
        proxy_pass http://127.0.0.1:8011;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
    }
    location /api {
        proxy_pass http://127.0.0.1:33073;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
    }
    location /management.ManagementService/ {
        grpc_pass grpc://127.0.0.1:33073;
        # grpc_ssl_verify off;
        grpc_read_timeout 1d;
        grpc_send_timeout 1d;
        grpc_socket_keepalive on;
        grpc_set_header Host $host;
        grpc_set_header X-Real-IP $remote_addr;
        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        grpc_set_header X-Forwarded-Proto $scheme;
    }
    location /relay {
        proxy_pass http://127.0.0.1:33080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
    }
    location /signalexchange.SignalExchange/ {
        grpc_pass grpc://127.0.0.1:10000;
        # grpc_ssl_verify off;
        grpc_read_timeout 1d;
        grpc_send_timeout 1d;
        grpc_socket_keepalive on;
        grpc_set_header Host $host;
        grpc_set_header X-Real-IP $remote_addr;
        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        grpc_set_header X-Forwarded-Proto $scheme;
    }
    client_header_timeout 1d;
    client_body_timeout 1d;
}
management.json
{
  "Stuns": [
    {
      "Proto": "udp",
      "URI": "stun:<netbird.domain.name>:3478",
      "Username": "",
      "Password": null
    }
  ],
  "TURNConfig": {
    "Turns": [
      {
        "Proto": "udp",
        "URI": "turn:<netbird.domain.name>:3478",
        "Username": "self",
        "Password": "nXwAKkpqLpmRxNle2bBv5cpeOxePjAlC5fW2l0fCtAA"
      }
    ],
    "CredentialsTTL": "12h",
    "Secret": "secret",
    "TimeBasedCredentials": false
  },
  "Relay": {
    "Addresses": [
      "rels://<netbird.domain.name>:443/relay"
    ],
    "CredentialsTTL": "24h",
    "Secret": "<redacted>"
  },
  "Signal": {
    "Proto": "https",
    "URI": "<netbird.domain.name>:443",
    "Username": "",
    "Password": null
  },
  "ReverseProxy": {
    "TrustedHTTPProxies": [],
    "TrustedHTTPProxiesCount": 0,
    "TrustedPeers": [
      "0.0.0.0/0"
    ]
  },
  "DisableDefaultPolicy": false,
  "Datadir": "",
  "DataStoreEncryptionKey": "",
  "StoreConfig": {
    "Engine": "sqlite"
  },
  "HttpConfig": {
    "Address": "0.0.0.0:33073",
    "AuthIssuer": "https://<sso.domain.name>/application/o/netbird/",
    "AuthAudience": "<redacted>",
    "AuthKeysLocation": "https://<sso.domain.name>/application/o/netbird/jwks/",
    "AuthUserIDClaim": "",
    "IdpSignKeyRefreshEnabled": false,
    "OIDCConfigEndpoint": "https://<sso.domain.name>/application/o/netbird/.well-known/openid-configuration"
  },
  "IdpManagerConfig": {
    "ManagerType": "authentik",
    "ClientConfig": {
      "Issuer": "https://<sso.domain.name>/application/o/netbird/",
      "TokenEndpoint": "https://<sso.domain.name>/application/o/token/",
      "ClientID": "<redacted>",
      "ClientSecret": "",
      "GrantType": "client_credentials"
    },
    "ExtraConfig": {
      "Password": "<redacted>",
      "Username": "Netbird"
    },
    "Auth0ClientCredentials": null,
    "AzureClientCredentials": null,
    "KeycloakClientCredentials": null,
    "ZitadelClientCredentials": null
  },
  "DeviceAuthorizationFlow": {
    "Provider": "hosted",
    "ProviderConfig": {
      "Audience": "<redacted>",
      "AuthorizationEndpoint": "",
      "Domain": "",
      "ClientID": "<redacted>",
      "ClientSecret": "",
      "TokenEndpoint": "https://<sso.domain.name>/application/o/token/",
      "DeviceAuthEndpoint": "https://<sso.domain.name>/application/o/device/",
      "Scope": "openid",
      "UseIDToken": false,
      "RedirectURLs": null
    }
  },
  "PKCEAuthorizationFlow": {
    "ProviderConfig": {
      "Audience": "<redacted>",
      "ClientID": "<redacted>",
      "ClientSecret": "",
      "Domain": "",
      "AuthorizationEndpoint": "https://<sso.domain.name>/application/o/authorize/",
      "TokenEndpoint": "https://<sso.domain.name>/application/o/token/",
      "Scope": "openid profile email offline_access api",
      "RedirectURLs": [
        "http://localhost:53000"
      ],
      "UseIDToken": false,
      "DisablePromptLogin": true,
      "LoginFlag": 0
    }
  }
}
Env vars used in docker-compose
AUTH_AUDIENCE=<redacted>
AUTH_AUTHORITY=https://<sso.domain.name>/application/o/netbird/
AUTH_CLIENT_ID=<redacted>
AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
NETBIRD_MGMT_API_ENDPOINT=https://<netbird.domain.name>:443
NETBIRD_MGMT_GRPC_API_ENDPOINT=https://<netbird.domain.name>:443
NETBIRD_TOKEN_SOURCE=accessToken
USE_AUTH0=false
NB_AUTH_SECRET=<redacted>
NB_EXPOSED_ADDRESS=rels://<netbird.domain.name>:443/relay
NB_LISTEN_ADDRESS=:33080
NB_LOG_LEVEL=debug
NETBIRD_STORE_ENGINE_MYSQL_DSN=
NETBIRD_STORE_ENGINE_POSTGRES_DSN=
NGINX_SSL_PORT=443
AUTH_REDIRECT_URI=/auth
AUTH_SILENT_REDIRECT_URI=/silent-auth
docker-compose
x-default: &default
  restart: 'unless-stopped'
  logging:
    driver: 'json-file'
    options:
      max-size: '500m'
      max-file: '2'
name: netbird
services:
  # UI dashboard
  dashboard:
    <<: *default
    image: netbirdio/dashboard:latest
    ports:
      - 8011:80
  # Signal
  signal:
    <<: *default
    image: netbirdio/signal:latest
    volumes:
      - netbird-signal:/var/lib/netbird
    ports:
      - 10000:80
  # Relay
  relay:
    <<: *default
    image: netbirdio/relay:latest
    ports:
      - 33080:33080
  # Management
  management:
    <<: *default
    image: netbirdio/management:latest
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - ./management.json:/etc/netbird/management.json
    ports:
      - 33073:33073
    command: [
      "--port", "33073",
      "--log-file", "console",
      "--log-level", "info",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain=<netbird.domain.name>",
      "--dns-domain=netbird.selfhosted"
    ]
  # Coturn
  coturn:
    <<: *default
    image: coturn/coturn:latest
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf
volumes:
  netbird-mgmt:
  netbird-signal:
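The token checks behind the "401" and "Token Invalid" failures referenced in this thread, as an added Go example (not NetBird's code and not Authentik's; it implements the standard resource-server rules, not NetBird's exact middleware). A stand-in IdP signs an RS256 access token, which is what the dashboard sends to /api when NETBIRD_TOKEN_SOURCE=accessToken, and a verifier checks the signature, then requires iss to equal the configured AuthIssuer byte for byte and aud to contain AuthAudience. The RSA key is generated at run time, and the issuer URL and client ID are invented for the example; the three scenarios in main show an exact match, the trailing-slash mismatch, and a wrong audience.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims a resource server checks on the bearer token.
type tokenClaims struct {
	Iss string `json:"iss"`
	Aud any    `json:"aud"` // RFC 7519: a string or an array of strings
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// SignRS256 issues a compact JWS; it stands in for the IdP.
func SignRS256(key *rsa.PrivateKey, claims tokenClaims) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyForManagement checks the RS256 signature under the IdP public key
// (in practice fetched from AuthKeysLocation), then iss == authIssuer,
// aud contains authAudience, and exp in the future. Any failure is a 401.
func VerifyForManagement(token string, pub *rsa.PublicKey, authIssuer, authAudience string, now time.Time) (*tokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("header must be RS256") // also rejects alg=none and HMAC key confusion
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	pb, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c tokenClaims
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, err
	}
	if c.Iss != authIssuer { // exact string comparison: a trailing slash is a different issuer
		return nil, fmt.Errorf("issuer mismatch: token %q, config %q", c.Iss, authIssuer)
	}
	if !audienceContains(c.Aud, authAudience) {
		return nil, fmt.Errorf("audience %v does not include %q", c.Aud, authAudience)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func audienceContains(aud any, want string) bool {
	if s, ok := aud.(string); ok {
		return s == want
	}
	list, _ := aud.([]any)
	for _, a := range list {
		if a == want {
			return true
		}
	}
	return false
}

// RunScenario signs a token with the given iss/aud and validates it against a
// config whose AuthIssuer is configIss and AuthAudience is "client-id-1".
func RunScenario(key *rsa.PrivateKey, tokenIss, tokenAud, configIss string) error {
	tok, err := SignRS256(key, tokenClaims{Iss: tokenIss, Aud: tokenAud, Exp: time.Now().Add(time.Hour).Unix()})
	if err != nil {
		return err
	}
	_, err = VerifyForManagement(tok, &key.PublicKey, configIss, "client-id-1", time.Now())
	return err
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the IdP signing key
	if err != nil {
		panic(err)
	}
	const iss = "https://auth.example.test/application/o/netbird/" // assumed issuer for an Authentik slug "netbird"
	fmt.Println("exact match:      ", RunScenario(key, iss, "client-id-1", iss))
	fmt.Println("no trailing slash:", RunScenario(key, strings.TrimSuffix(iss, "/"), "client-id-1", iss))
	fmt.Println("wrong audience:   ", RunScenario(key, iss, "other-client", iss))
}
```

The practical check this encodes: paste the access token from the browser's Authorization header into a JWT decoder and compare its iss and aud literally against HttpConfig.AuthIssuer and AuthAudience in management.json; with Authentik the issuer ends in a slash, and the verifier does not normalize it.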
Hey everyone,
I ran into this issue while using the quickstart script. After a few hours (and a couple strands of hair less), I finally figured out what was causing it in my case. Just wanted to drop my two cents here in case it helps someone else.
What made me suspicious was this log message:
management-1 | Error: failed reading provided config file: /etc/netbird/management.json: failed fetching OIDC configuration from endpoint https://example.com/.well-known/openid-configuration Get "https://example.com/.well-known/openid-configuration": dial tcp 127.0.1.1:443: connect: connection refused
Turned out the problem was using a FQDN as the hostname of my VPS, the same domain I was using to host NetBird, which caused the containers to try to connect to themselves.
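A check for the hostname situation described in the post above, as an added Go example (not NetBird's code): it scans /etc/hosts-style content and reports every line that maps one of the NetBird or IdP names to a loopback address, which is what an installer-written "127.0.1.1 <hostname>" line produces when the machine's hostname is the public FQDN. The embedded hosts content and the example.test names are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// LoopbackMappings returns "name -> ip" for every hosts line that resolves
// one of the given names to a loopback address (127.0.0.0/8 or ::1).
// Matching is case-insensitive, as hostname lookups are, and comments
// after '#' are ignored.
func LoopbackMappings(hosts string, names ...string) []string {
	want := map[string]bool{}
	for _, n := range names {
		want[strings.ToLower(n)] = true
	}
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(hosts))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		ip := net.ParseIP(fields[0])
		if ip == nil || !ip.IsLoopback() {
			continue
		}
		for _, name := range fields[1:] {
			if want[strings.ToLower(name)] {
				hits = append(hits, fmt.Sprintf("%s -> %s", name, ip))
			}
		}
	}
	return hits
}

// Constructed sample: the Debian-style line that results from setting the
// machine's hostname to the public NetBird FQDN.
const sampleHosts = `127.0.0.1 localhost
127.0.1.1 netbird.example.test netbird   # hostname line written by the installer
::1 localhost ip6-localhost ip6-loopback
`

func main() {
	for _, h := range LoopbackMappings(sampleHosts, "netbird.example.test", "auth.example.test") {
		fmt.Println("loopback mapping:", h)
	}
}
```

To run it on a real host, feed it the contents of /etc/hosts together with the NETBIRD_DOMAIN and the IdP hostname; any hit means a process resolving those names through the host's files will reach the loopback interface rather than the reverse proxy, which is the "dial tcp 127.0.1.1:443: connect: connection refused" symptom quoted above.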
None of the solutions above has really worked for me. Forever stuck in /peers loop.
