
[INFRA] configure.sh regression on rels:// relay URI in case of reverse proxy (should be 443, not 33080)

Open TomGudman opened this issue 5 months ago • 3 comments

Describe the problem A PR was made to ease the reverse proxy setup with configure.sh. Unfortunately a regression was made a few days later which now breaks the relay URI if we use a reverse proxy. rels://FQDN:33080 is incorrect, rels://FQDN:443 is correct in a reverse proxy scenario.

My comment on line #173 in the diff is probably easier to understand in context.

To Reproduce Steps to reproduce the behavior:

  1. Set up your setup.env for a reverse proxy setup (no letsencrypt, port set to 443 for 33073 and 10000)
  2. Run ./configure.sh
  3. Grep for rels:// and look at the output. You'll find something like: rels://netbird.domain.tld:33080/relay

Expected behavior It should be set to rels://netbird.domain.tld:443/relay

"Workaround" Use port 443 instead of 33080 in the rels:// URI in a reverse proxy scenario. However I didn't deep dive to study the logic and why the change was reverted. What is clear though is that in a reverse proxy scenario port 33080 is not exposed on the traefik side so there isn't any port open to accept any connection other than 443, and the coturn ports.

docker-compose.yml

  # Relay
  relay:
    image: netbirdio/relay:0.49.0
    restart: unless-stopped
    environment:
    - NB_LOG_LEVEL=info
    - NB_LISTEN_ADDRESS=:33080
    - NB_EXPOSED_ADDRESS=rels://netbird.domain.tld:443/relay
    - NB_AUTH_SECRET=......
...

management.json

  "Relay": {
    "Addresses": [
      "rels://netbird.domain.tld:443/relay"
    ],
    "CredentialsTTL": "24h",
    "Secret": "...."
  },

Are you using NetBird Cloud? No. I use Netbird Selfhosted with traefik as reverse proxy

NetBird version 0.49.0 management suite selfhosted

Additional context A netbird client status like: netbird status --detail would highlight the issue and when it does work.

BEFORE:

OS: darwin/amd64
Daemon version: 0.49.0
CLI version: 0.49.0
Management: Connected to https://netbird.domain.tld:443
Signal: Connected to https://netbird.domain.tld:443
Relays: 
  [rels://netbird.domain.tld:33080/relay] is Unavailable, reason: relay client not connected

AFTER: with port 443

OS: darwin/amd64
Daemon version: 0.49.0
CLI version: 0.49.0
Management: Connected to https://netbird.domain.tld:443
Signal: Connected to https://netbird.domain.tld:443
Relays: 
  [stun:netbird.domain.tld:3478] is Available
  [turn:netbird.domain.tld:3478?transport=udp] is Available
  [rels://netbird.domain.tld:443/relay] is Available

Have you tried these troubleshooting steps?

  • [ ] Reviewed client troubleshooting (if applicable)
  • [x] Checked for newer NetBird versions
  • [x] Searched for similar issues on GitHub (including closed ones)
  • [ ] Restarted the NetBird client
  • [ ] Disabled other VPN software
  • [ ] Checked firewall settings

TomGudman Jul 02 '25 12:07
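
Step 3 of the reproduction above, turned into a repeatable check. This is an added example, not part of the original issue or of NetBird's scripts. It assumes the generated files are docker-compose.yml and management.json as shown in the issue and that the reverse proxy exposes only port 443; the function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example (hypothetical helper names): verify that every relay URI in the
# files written by configure.sh uses the port the reverse proxy actually exposes.

# Print "file uri" for each rel:// or rels:// URI in the given files.
# Assumes file paths contain no whitespace.
list_relay_uris() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        grep -oE 'rels?://[^"[:space:]]+' "$f" | while read -r uri; do
            printf '%s %s\n' "$f" "$uri"
        done
    done
}

# Print the explicit port of a relay URI, or "none" when it has no numeric port.
relay_port() {
    hostport=${1#*://}          # drop the scheme
    hostport=${hostport%%/*}    # drop the path
    case "$hostport" in *:*) port=${hostport##*:} ;; *) port= ;; esac
    case "$port" in ''|*[!0-9]*) echo none ;; *) echo "$port" ;; esac
}

# Usage: check_relay_uris EXPECTED_PORT FILE...
# Returns 0 if all URIs match, 1 on a mismatch, 2 if no relay URI was found.
check_relay_uris() {
    expected=$1; shift
    found=$(list_relay_uris "$@")
    [ -n "$found" ] || { echo "no relay URI found" >&2; return 2; }
    mismatches=$(printf '%s\n' "$found" | while read -r file uri; do
        [ "$(relay_port "$uri")" = "$expected" ] ||
            printf '%s: %s (expected port %s)\n' "$file" "$uri" "$expected"
    done)
    [ -z "$mismatches" ] && return 0
    printf '%s\n' "$mismatches" >&2
    return 1
}

# Constructed sample: compose file already corrected, management.json still wrong.
demo=$(mktemp -d)
printf '%s\n' '    - NB_EXPOSED_ADDRESS=rels://netbird.domain.tld:443/relay' > "$demo/docker-compose.yml"
printf '%s\n' '      "rels://netbird.domain.tld:33080/relay"' > "$demo/management.json"
if check_relay_uris 443 "$demo/docker-compose.yml" "$demo/management.json"; then
    echo "relay URIs match the proxy port"
else
    echo "relay URI mismatch: clients will not reach the relay through the proxy"
fi
rm -rf "$demo"
```

Run after ./configure.sh, the non-zero exit status lets a deployment script stop before clients receive a relay address that the proxy does not expose.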

Tom is right, that PR has an error.

jordantrujillo-hl Jul 11 '25 23:07

this works surprisingly

CustomIcon Sep 23 '25 18:09

I've found this to be true, even after recent updates. I've changed the port from 33080 in rels:// in management.json and it started working again, whereas before that it didn't anymore (especially the sheer VPN feature and the ability to connect from outside the LAN). Hope they can fix it. More love for the reverse proxy/Traefik files and configs, pls 🥹

markcst Dec 06 '25 01:12