RDP Does not seem to be working

Open fxandrei opened this issue 2 months ago • 77 comments

I've just upgraded to v59.1, following the guide here https://docs.netbird.io/selfhosted/selfhosted-quickstart#upgrade

Also did this https://docs.netbird.io/selfhosted/selfhosted-quickstart#support-browser-clients

Then I upgraded one of the Windows clients to the latest version. Selected the peer, and clicked RDP. A new window opened with an RDP id in the URL, loaded for 2-3 seconds, then showed the same management interface, with the peers.

I was expecting an RDP connection. What is the expected behavior?

fxandrei avatar Oct 02 '25 20:10 fxandrei

I am having this same issue. It just reloads the management interface instead of connecting via RDP as expected.

scroguard avatar Oct 02 '25 21:10 scroguard

To add to my previous comment, the SSH function exhibits the same behavior.

scroguard avatar Oct 02 '25 21:10 scroguard

Hope this gets fixed. It's a marvelous feature.

fxandrei avatar Oct 02 '25 22:10 fxandrei

Same issue here. I get redirected to auth, then back to Users screen. Truly great feature though, I'll be waiting for any updates!

Ghx0sty avatar Oct 03 '25 02:10 Ghx0sty

Same problem here, and another opened issue with this: https://github.com/netbirdio/netbird/issues/4577

streletskiy avatar Oct 03 '25 05:10 streletskiy

Also, the same as #4568. The update missed the netbird.wasm, but also has some wrong redirect.

dzxx36gyy avatar Oct 03 '25 07:10 dzxx36gyy

Hey Folks, we are looking into the issue. There are a few things that we need to change to have it working properly behind a proxy. We will update you soon.

mlsmaycon avatar Oct 03 '25 07:10 mlsmaycon

Also, the netbird.wasm isn't in the dashboard container at /usr/share/nginx/html. After I downloaded it (https://pkgs.netbird.io/wasm/client) and named it netbird.wasm, it seems to do more... I only need to fix my routes properly now (Traefik).

bash-5.1# cd /usr/share/nginx/html/
bash-5.1# wget https://pkgs.netbird.io/wasm/client -o netbird.wasm
bash-5.1# ls -la
total 47156
<SNIP>
-rw-r--r--    1 root     root          3852 Oct  1 23:15 install.txt
drwxr-xr-x    2 root     root           111 Oct  1 23:15 ironrdp-pkg
drwxr-xr-x    2 root     root            35 Oct  1 23:15 local
-rw-r--r--    1 root     root            88 Oct  3 07:48 netbird.wasm
-rw-r--r--    1 root     root         11640 Oct  1 23:15 network-routes.html
<SNIP>
bash-5.1#

No error:

Image

When trying to connect:

Image

This is my traefik route currently but not working:

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  creationTimestamp: '2025-09-03T19:19:23Z'
  generation: 16
  name: netbird-traefik
  namespace: netbird
  resourceVersion: '50238762'
  uid: 6858700c-aa63-4530-8bd4-41599a07a7f0
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: >-
        Host(`netbird.selfhosted.domain`) && !PathPrefix(`/api`) &&
        !PathPrefix(`/management`) && !PathPrefix(`/signalexchange`) &&
        !PathPrefix(`/ws-proxy/management`) && !PathPrefix(`/ws-proxy/signal`)
      services:
        - name: netbird-dashboard
          namespace: netbird
          passHostHeader: true
          port: 80
    - kind: Rule
      match: Host(`netbird.selfhosted.domain`) && PathPrefix(`/api`)
      services:
        - name: netbird-management-management
          namespace: netbird
          passHostHeader: true
          port: 80
    - kind: Rule
      match: Host(`relay.netbird.selfhosted.domain`)
      services:
        - name: netbird-management-relay
          namespace: netbird
          passHostHeader: true
          port: 33080
    - kind: Rule
      match: >-
        Host(`netbird.selfhosted.domain`) &&
        PathPrefix(`/management.ManagementService/`)
      services:
        - name: netbird-management-management
          namespace: netbird
          passHostHeader: true
          port: 80
          scheme: h2c
    - kind: Rule
      match: >-
        Host(`netbird.selfhosted.domain`) &&
        PathPrefix(`/signalexchange.SignalExchange/`)
      services:
        - name: netbird-management-signal
          namespace: netbird
          passHostHeader: true
          port: 80
          scheme: h2c
    - kind: Rule
      match: Host(`netbird.selfhosted.domain`) && PathPrefix(`/ws-proxy/management`)
      services:
        - name: netbird-management-management
          namespace: netbird
          passHostHeader: true
          port: 33073
    - kind: Rule
      match: Host(`netbird.selfhosted.domain`) && PathPrefix(`/ws-proxy/signal`)
      services:
        - name: netbird-management-signal
          namespace: netbird
          passHostHeader: true
          port: 10000
  tls:
    secretName: netbird-tls
Image

mvthul avatar Oct 03 '25 07:10 mvthul
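
An added check, not part of the comment above or of NetBird's code: wget's `-o` option names the log file while `-O` names the output document, and the 88-byte `netbird.wasm` in the listing is too small to be a Go WebAssembly client. The function below classifies the bytes stored or served at that path; every sample buffer is constructed.

```javascript
// Added example: classify what is stored or served at /netbird.wasm.
// All sample buffers below are constructed for illustration.
const WASM_MAGIC = [0x00, 0x61, 0x73, 0x6d]; // "\0asm"
const WASM_VERSION = [0x01, 0x00, 0x00, 0x00]; // binary format version 1

function startsWith(bytes, prefix) {
  return bytes.length >= prefix.length && prefix.every((b, i) => bytes[i] === b);
}

// bytes: Uint8Array holding the file or HTTP response body.
function classifyWasmPayload(bytes) {
  if (bytes.length < 8) return 'too-short';
  if (startsWith(bytes, WASM_MAGIC)) {
    if (!startsWith(bytes.subarray(4), WASM_VERSION)) return 'wasm-unknown-version';
    // Structural validation catches truncated or corrupted downloads.
    return WebAssembly.validate(bytes) ? 'wasm' : 'wasm-corrupt';
  }
  // A web server or proxy that cannot find the file often answers with
  // the single-page app's index.html and a 200 status.
  const head = new TextDecoder().decode(bytes.subarray(0, 64)).trimStart().toLowerCase();
  if (head.startsWith('<!doctype') || head.startsWith('<html')) return 'html-fallback';
  return 'not-wasm';
}

const enc = new TextEncoder();
const samples = {
  emptyModule: Uint8Array.of(0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00),
  // Type section announced with 5 bytes of content, but the file ends here.
  truncated: Uint8Array.of(0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, 0x01, 0x05),
  wgetLog: enc.encode("Connecting to pkgs.netbird.io\nsaving to 'client'\n"),
  spaIndex: enc.encode('<!doctype html><html><body>dashboard</body></html>'),
};

for (const [name, bytes] of Object.entries(samples)) {
  console.log(name, bytes.length, classifyWasmPayload(bytes));
}
```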

We've released a new version of the dashboard handling a few issues, but with the connect button disabled. We are investigating a few issues on some deployments. Once they are resolved, we will enable it again.

mlsmaycon avatar Oct 03 '25 12:10 mlsmaycon

I'm having the same issue. I do have the self-hosted interface behind an NGINX proxy.

trbutler avatar Oct 03 '25 16:10 trbutler

Hello folks, we've released a new version.

Please update the management, signal, and dashboard. If you deployed using our quick-start guide, be sure to review the steps in the following URL as some ports have changed:

https://docs.netbird.io/selfhosted/selfhosted-quickstart#support-browser-clients

For those using Traefik or Nginx, we've updated the Docker template from our infrastructure_files:

https://github.com/netbirdio/netbird/blob/main/infrastructure_files/docker-compose.yml.tmpl.traefik
https://github.com/netbirdio/netbird/blob/main/infrastructure_files/nginx.tmpl.conf

mlsmaycon avatar Oct 06 '25 21:10 mlsmaycon

I just updated this and it still does not work.

So now I get the login popup, and I enter the user and password, hit connect. I get another popup about trusting a certificate, then get this in the console:

2025-10-07T08:41:31+03:00 ERRO shared/signal/client/worker.go:46: failed to handle message: wrongly addressed message zOC/ltbdwejsyGz1uUKpWaWYLL76AK52NvlTwNg/VXs=
wasm_exec.js:22 2025-10-07T08:41:31+03:00 WARN client/internal/dns/mgmt/mgmt.go:323: failed to add/update domain=vpn.domain.com: resolve domain vpn.domain.com: lookup vpn.domain.com on [::1]:53: write udp 127.0.0.1:49->[::1]:53: write: Connection reset by peer
wasm_exec.js:22 2025-10-07T08:41:31+03:00 WARN client/internal/dns/mgmt/mgmt.go:323: failed to add/update domain=vpn.domain.com: resolve domain vpn.domain.com: lookup vpn.domain.com on [::1]:53: write udp 127.0.0.1:57->[::1]:53: write: Connection reset by peer
wasm_exec.js:22 2025-10-07T08:41:31+03:00 WARN client/internal/dns/mgmt/mgmt.go:323: failed to add/update domain=vpn.domain.com: resolve domain vpn.domain.com: lookup vpn.domain.com on [::1]:53: write udp 127.0.0.1:65->[::1]:53: write: Connection reset by peer
wasm_exec.js:22 2025-10-07T08:41:31+03:00 WARN client/internal/dns/mgmt/mgmt.go:323: failed to add/update domain=vpn.domain.com: resolve domain vpn.domain.com: lookup vpn.domain.com on [::1]:53: write udp 127.0.0.1:73->[::1]:53: write: Connection reset by peer
wasm_exec.js:22 2025-10-07T08:41:32+03:00 ERRO client/wasm/internal/rdp/rdcleanpath_handlers.go:242: Failed to read from TLS: remote error: tls: internal error

PS: I followed the upgrade instructions, and upgraded the clients as well.

fxandrei avatar Oct 07 '25 05:10 fxandrei

Still the same issue with both SSH and RDP

SuperKali avatar Oct 07 '25 06:10 SuperKali

@fxandrei What's the Windows version? See https://docs.netbird.io/how-to/browser-client#known-limitations

@SuperKali Can you elaborate?

lixmal avatar Oct 07 '25 07:10 lixmal

@lixmal

Image

SuperKali avatar Oct 07 '25 07:10 SuperKali

> @fxandrei What's the Windows version? See https://docs.netbird.io/how-to/browser-client#known-limitations
>
> @SuperKali Can you elaborate?

Yup. Did not see that. It is indeed Windows Server 2025. So from what I see I cannot use it on Windows Server 2025 and Windows 11 for now.

fxandrei avatar Oct 07 '25 07:10 fxandrei

Just updated and the auth loop (https://github.com/netbirdio/netbird/issues/4577) is gone (IDP: Entra ID) but still not working. Dev console shows different error. I'm not using any proxy. See compose file in https://github.com/netbirdio/netbird/issues/4577

Image

flotpg avatar Oct 07 '25 07:10 flotpg

@flotpg It looks like you're exposing signal without TLS. The error is pretty clear; the browser will refuse to connect without TLS if the dashboard is using TLS. That's not something we can fix.

lixmal avatar Oct 07 '25 08:10 lixmal
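
The mixed-content rule described in the reply above, as an added example that is not from the thread or from NetBird's code: given the dashboard URL and the endpoints the browser client will dial, it lists those an HTTPS page cannot reach. Endpoint names, hosts, paths and ports are constructed.

```javascript
// Added example: find endpoints a browser will refuse as mixed content.
// Endpoint names and URLs are constructed; substitute your deployment's.
const INSECURE = new Set(['http:', 'ws:']);
const SECURE = new Set(['https:', 'wss:']);

function findMixedContent(dashboardUrl, endpoints) {
  const page = new URL(dashboardUrl);
  const findings = [];
  for (const { name, url } of endpoints) {
    let target;
    try {
      target = new URL(url);
    } catch {
      findings.push({ name, url, problem: 'unparseable URL' });
      continue;
    }
    if (!INSECURE.has(target.protocol) && !SECURE.has(target.protocol)) {
      // "host:port" without a scheme parses with the host as the scheme.
      findings.push({ name, url, problem: `unexpected scheme ${target.protocol}` });
    } else if (page.protocol === 'https:' && INSECURE.has(target.protocol)) {
      // An HTTPS page may not open ws:// sockets or fetch http:// resources.
      // Loopback exemptions that some browsers apply are not modelled here.
      const fixed = target.protocol === 'ws:' ? 'wss:' : 'https:';
      findings.push({ name, url, problem: `blocked as mixed content; serve over ${fixed}` });
    }
  }
  return findings;
}

const sampleEndpoints = [
  { name: 'management', url: 'wss://netbird.example.com/ws-proxy/management' },
  { name: 'signal', url: 'ws://netbird.example.com:10000/ws-proxy/signal' },
  { name: 'relay', url: 'netbird.example.com:33080' },
];

for (const f of findMixedContent('https://netbird.example.com', sampleEndpoints)) {
  console.log(`${f.name}: ${f.problem} (${f.url})`);
}
```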

@lixmal thanks for heads up - any hint how I can change this?

flotpg avatar Oct 07 '25 09:10 flotpg

Hello folks, thanks for the update. I have edited my nginx proxy and upgraded netbird with dependencies. However, when I now click the RDP button in the dashboard, a window shows up with login details and port. That's OK. But after I send credentials and click Connect, it hangs for a minute or two and nothing happens. Of course the log showed some errors.

Log from my browser:

IronRDP connection failed: IronError {__wbg_ptr: 1769792}

IronRDP backtrace: RDCleanPath response decode Caused by: unexpected ASN.1 DER tag: expected SEQUENCE, got OCTET STRING

IronRDP error kind: General (0)

Image

Oriann avatar Oct 07 '25 12:10 Oriann

I just updated to the latest version and made sure my Caddyfile contained the newest ports per the guide. I was able to connect to RDP without any issues. Great work guys!

scroguard avatar Oct 08 '25 15:10 scroguard

> Just updated and the auth loop (#4577) is gone (IDP: Entra ID) but still not working. Dev console shows different error. I'm not using any proxy. See compose file in #4577

I have the same issue. The self-hosted Netbird was installed by following the official doc and guide. I'm not behind any proxy.

SasSam avatar Oct 08 '25 17:10 SasSam

Does somebody have a Traefik proxy? Just checking whether it's just an nginx problem or not.

Oriann avatar Oct 08 '25 18:10 Oriann

> Does somebody have a Traefik proxy? Just checking whether it's just an nginx problem or not.

I have it running behind Traefik and updated to the latest version right now. This is my config:

traefik:
    image: "traefik:v3.4"
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.websecure.address=:443"
      - "--certificatesresolvers.letsencrypt.acme.email=xxxx"
      - "--certificatesresolvers.letsencrypt.acme.storage=/acme-data/acme.json"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"

      #- "--experimental.plugins.real-ip.moduleName=github.com/Paxxs/traefik-get-real-ip"
      #- "--experimental.plugins.real-ip.version=v1.0.3"
      # - "--experimental.plugins.real-ip.moduleName=github.com/BetterCorp/cloudflarewarp"
      # - "--experimental.plugins.real-ip.version=v1.3.0"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "netbird-letsencrypt:/acme-data" 

When I'm trying to connect via SSH it opens the window and tries to connect for a few seconds. I see lots of websocket requests to wss://netbird.mydomain.com/ws-proxy/management, but after a few seconds the window says "Connection failed".

Here is more output from the browser console:

WebSocket connection to 'wss://netbird.mydomain.com/ws-proxy/management' failed: 
construct @ 3763-92892e28d4796930.js:1
syscall/js.valueNew @ wasm_exec.js:404
$func2031 @ client:0x174ef1
$func2030 @ client:0x174c26
$func23420 @ client:0x135cb78
$func21645 @ client:0x11b523e
$func21647 @ client:0x11b61fe
$func23038 @ client:0x12fc23c
$func23037 @ client:0x12fbc2b
$func23036 @ client:0x12fadf2
$func1516 @ client:0x13e83b
$resume @ client:0x13e90a
_resume @ wasm_exec.js:559
(anonymous) @ wasm_exec.js:285
wasm_exec.js:22 2025-10-08T20:52:00+02:00 ERRO shared/management/client/grpc.go:66: failed creating connection to Management Service: context deadline exceeded
wasm_exec.js:22 2025-10-08T20:52:00+02:00 ERRO client/internal/login.go:102: failed connecting to the Management service https://netbird.mydomain.com:443 context deadline exceeded
3763-92892e28d4796930.js:1 login: context deadline exceeded
2117-10baa1aa48bd24e6.js:1 SSH connection failed: dial x.x.x.x:44338: client not started

sevensolutions avatar Oct 08 '25 18:10 sevensolutions

@sevensolutions and @Oriann can you confirm that you've added the following labels?

# management service
    - traefik.http.routers.netbird-wsproxy-mgmt.rule=Host(`$NETBIRD_DOMAIN`) && PathPrefix(`/ws-proxy/management`)
    - traefik.http.routers.netbird-wsproxy-mgmt.service=netbird-wsproxy-mgmt
    - traefik.http.services.netbird-wsproxy-mgmt.loadbalancer.server.port=33073

# signal service
    - traefik.http.routers.netbird-wsproxy-signal.rule=Host(`$NETBIRD_DOMAIN`) && PathPrefix(`/ws-proxy/signal`)
    - traefik.http.routers.netbird-wsproxy-signal.service=netbird-wsproxy-signal
    - traefik.http.services.netbird-wsproxy-signal.loadbalancer.server.port=80

mlsmaycon avatar Oct 08 '25 19:10 mlsmaycon

Thank you @mlsmaycon, these were missing. I've added them but still got the same error. I've then also enabled TLS on both routes and now I get some new errors in the web console:

2025-10-08T21:32:21+02:00 WARN client/internal/profilemanager/service.go:356: failed to get active profile state: failed to set default active profile state: failed to stat active profile state path /var/lib/netbird/active_profile.json: stat /var/lib/netbird/active_profile.json: not implemented on js
wasm_exec.js:22 2025-10-08T21:32:21+02:00 WARN client/internal/engine.go:700: failed to populate DNS cache with management URL: add domain: resolve domain netbird.mydomain.com: lookup netbird.mydomain.com on [::1]:53: write udp 127.0.0.1:9->[::1]:53: write: Connection reset by peer
wasm_exec.js:22 2025-10-08T21:32:21+02:00 WARN client/internal/dns/mgmt/mgmt.go:323: failed to add/update domain=netbird.mydomain.com: resolve domain netbird.mydomain.com: lookup netbird.mydomain.com on [::1]:53: write udp 127.0.0.1:17->[::1]:53: write: Connection reset by peer
wasm_exec.js:22 2025-10-08T21:32:21+02:00 WARN client/internal/dns/mgmt/mgmt.go:323: failed to add/update domain=netbird.mydomain.com: resolve domain netbird.mydomain.com: lookup netbird.mydomain.com on [::1]:53: write udp 127.0.0.1:25->[::1]:53: write: Connection reset by peer
wasm_exec.js:22 2025-10-08T21:32:21+02:00 WARN client/internal/dns/mgmt/mgmt.go:323: failed to add/update domain=netbird.mydomain.com: resolve domain netbird.mydomain.com: lookup netbird.mydomain.com on [::1]:53: write udp 127.0.0.1:33->[::1]:53: write: Connection reset by peer
wasm_exec.js:22 2025-10-08T21:32:21+02:00 WARN client/internal/dns/mgmt/mgmt.go:323: failed to add/update domain=netbird.mydomain.com: resolve domain netbird.mydomain.com: lookup netbird.mydomain.com on [::1]:53: write udp 127.0.0.1:41->[::1]:53: write: Connection reset by peer
wasm_exec.js:22 2025-10-08T21:32:21+02:00 WARN client/internal/routemanager/manager.go:240: failed to load state: read state file: open /var/lib/netbird/state.json: not implemented on js
wasm_exec.js:22 2025-10-08T21:32:21+02:00 WARN client/internal/engine.go:496: WireGuard interface monitor: interface wt0 not found: failed to lookup interface: route ip+net: no such network interface
wasm_exec.js:22 2025-10-08T21:32:21+02:00 WARN client/internal/dns/mgmt/mgmt.go:323: failed to add/update domain=netbird.mydomain.com: resolve domain netbird.mydomain.com: lookup netbird.mydomain.com on [::1]:53: write udp 127.0.0.1:49->[::1]:53: write: Connection reset by peer
wasm_exec.js:22 2025-10-08T21:32:21+02:00 WARN client/internal/dns/mgmt/mgmt.go:323: failed to add/update domain=netbird.mydomain.com: resolve domain netbird.mydomain.com: lookup netbird.mydomain.com on [::1]:53: write udp 127.0.0.1:57->[::1]:53: write: Connection reset by peer
wasm_exec.js:22 2025-10-08T21:32:21+02:00 WARN client/internal/dns/mgmt/mgmt.go:323: failed to add/update domain=netbird.mydomain.com: resolve domain netbird.mydomain.com: lookup netbird.mydomain.com on [::1]:53: write udp 127.0.0.1:65->[::1]:53: write: Connection reset by peer
wasm_exec.js:22 2025-10-08T21:32:21+02:00 WARN client/internal/dns/mgmt/mgmt.go:323: failed to add/update domain=netbird.mydomain.com: resolve domain netbird.mydomain.com: lookup netbird.mydomain.com on [::1]:53: write udp 127.0.0.1:73->[::1]:53: write: Connection reset by peer
wasm_exec.js:22 2025-10-08T21:32:21+02:00 WARN client/internal/conn_mgr.go:95: lazy connection manager is enabled by management feature flag
2117-10baa1aa48bd24e6.js:1 SSH connection failed: dial x.x.x.x:44338: context deadline exceeded

sevensolutions avatar Oct 08 '25 19:10 sevensolutions

@sevensolutions, can you confirm that the peer running remotely has SSH enabled?

You need to enable it on both the dashboard and the client. See https://docs.netbird.io/how-to/ssh#enabling-ssh for more details.

mlsmaycon avatar Oct 08 '25 19:10 mlsmaycon

@SasSam @flotpg, you can do that by one of 3 options:

  1. update your docker-compose.yml file, setting the following changes to the signal service:
    depends_on:
      - dashboard
    volumes:
      - netbird-signal:/var/lib/netbird
      - netbird-letsencrypt:/etc/letsencrypt:ro
    ports:
      - 10000:80
    command: ["--cert-file", "/etc/letsencrypt/live/<NETBIRD_DOMAIN>/fullchain.pem",  "--cert-key", "/etc/letsencrypt/live/<NETBIRD_DOMAIN>/privkey.pem","--log-file", "console"]
 # replace NETBIRD_DOMAIN with your management domain
  2. add a reverse proxy in front of your NetBird deployment
  3. move the signal to a dedicated server, exposing its listening ports as 80 and 443, and setting a --letsencrypt-domain that points to the new server.

Once any of these changes are done, you need to update your management.json file, changing the signal protocol from http to https and restarting the connection to your peers.

mlsmaycon avatar Oct 08 '25 19:10 mlsmaycon

@mlsmaycon I have SSH enabled on both ends but still cannot connect. Also I have only nginx proxy set up, I asked about Traefik just to get more details what works.

Netbird error: SSH connection failed. Check the console for details.

Browser console error: 2117-10baa1aa48bd24e6.js:1 SSH connection failed: dial ...:44338: connect tcp ...:44338: connection was refused

Oriann avatar Oct 08 '25 20:10 Oriann

@Oriann, can you confirm that SSH works from your own computer?

mlsmaycon avatar Oct 08 '25 20:10 mlsmaycon