Browser SSH does not work - Traefik / Authentik
Hi, I'm facing some issues with the browser ssh feature. I can connect to my peers using the `netbird ssh user@ip` command just fine without any issues, however the browser ssh terminal does not seem to work for me. I'm using traefik and authentik. Also lazy connections are enabled. I only had to do some slight deviations to the default configuration in the `setup.env`:

```
# Relay server connection port. If none is supplied
# it will default to 33080
NETBIRD_RELAY_PORT="443"
NETBIRD_MGMT_API_PORT=443
NETBIRD_SIGNAL_PORT=443
```

The docker compose also deviates just slightly from the template:

```yaml
x-default: &default
  restart: 'unless-stopped'
  logging:
    driver: 'json-file'
    options:
      max-size: '500m'
      max-file: '2'
services:
  # UI dashboard
  dashboard:
    <<: *default
    image: netbirdio/dashboard:latest
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://netbird.mydomain.com:443
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.mydomain.com:443
      # OIDC
      - AUTH_AUDIENCE=REDACTED
      - AUTH_CLIENT_ID=REDACTED
      - AUTH_CLIENT_SECRET=EMPTY, maybe wrong?!
      - AUTH_AUTHORITY=https://auth.mydomain.com/application/o/netbird/
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
      - AUTH_REDIRECT_URI=/auth
      - AUTH_SILENT_REDIRECT_URI=/silent-auth
      - NETBIRD_TOKEN_SOURCE=accessToken
      # SSL
      - NGINX_SSL_PORT=443
      # Letsencrypt
      - LETSENCRYPT_DOMAIN=
      - LETSENCRYPT_EMAIL=
    volumes:
      - netbird-letsencrypt:/etc/letsencrypt/
    labels:
      - traefik.enable=true
      - traefik.http.routers.netbird-dashboard.rule=Host(`netbird.mydomain.com`)
      - traefik.http.services.netbird-dashboard.loadbalancer.server.port=80
      # - "traefik.http.routers.netbird-dashboard.tls=true"
      - "traefik.http.routers.netbird-dashboard.tls.certresolver=zerossl"
      - "traefik.http.routers.netbird-dashboard.entrypoints=https"
    networks:
      - proxy
      - netbird
  # Signal
  signal:
    <<: *default
    image: netbirdio/signal:latest
    volumes:
      - netbird-signal:/var/lib/netbird
    labels:
      - traefik.enable=true
      - traefik.http.routers.netbird-wsproxy-signal.rule=Host(`netbird.mydomain.com`) && PathPrefix(`/ws-proxy/signal`)
      - traefik.http.routers.netbird-wsproxy-signal.service=netbird-wsproxy-signal
      - traefik.http.services.netbird-wsproxy-signal.loadbalancer.server.port=80
      - traefik.http.routers.netbird-signal.rule=Host(`netbird.mydomain.com`) && PathPrefix(`/signalexchange.SignalExchange/`)
      - traefik.http.services.netbird-signal.loadbalancer.server.port=10000
      - traefik.http.services.netbird-signal.loadbalancer.server.scheme=h2c
      - traefik.http.routers.netbird-signal.service=netbird-signal
      # - "traefik.http.routers.netbird-signal.tls=true"
      - "traefik.http.routers.netbird-signal.tls.certresolver=zerossl"
      - "traefik.http.routers.netbird-signal.entrypoints=https"
      # - "traefik.http.routers.netbird-wsproxy-signal.tls=true"
      - "traefik.http.routers.netbird-wsproxy-signal.tls.certresolver=zerossl"
      - "traefik.http.routers.netbird-wsproxy-signal.entrypoints=https"
    networks:
      - proxy
      - netbird
  # Relay
  relay:
    <<: *default
    image: netbirdio/relay:latest
    environment:
      - NB_LOG_LEVEL=info
      - NB_LISTEN_ADDRESS=:33080
      - NB_EXPOSED_ADDRESS=rels://netbird.mydomain.com:443/relay
      # todo: change to a secure secret
      - NB_AUTH_SECRET=REDACTED
    labels:
      - traefik.enable=true
      - traefik.http.routers.netbird-relay.rule=Host(`netbird.mydomain.com`) && PathPrefix(`/relay`)
      - traefik.http.services.netbird-relay.loadbalancer.server.port=33080
      # - "traefik.http.routers.netbird-relay.tls=true"
      - "traefik.http.routers.netbird-relay.tls.certresolver=zerossl"
      - "traefik.http.routers.netbird-relay.entrypoints=https"
    networks:
      - proxy
      - netbird
  # Management
  management:
    <<: *default
    image: netbirdio/management:latest
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - netbird-letsencrypt:/etc/letsencrypt:ro
      - ./management.json:/etc/netbird/management.json
    command: [
      "--port", "33073",
      "--log-file", "console",
      "--log-level", "info",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain=netbird.mydomain.com",
      "--dns-domain=netbird.selfhosted"
      ]
    labels:
      - traefik.enable=true
      - traefik.http.routers.netbird-api.rule=Host(`netbird.mydomain.com`) && PathPrefix(`/api`)
      - traefik.http.routers.netbird-api.service=netbird-api
      - traefik.http.services.netbird-api.loadbalancer.server.port=33073
      # - "traefik.http.routers.netbird-api.tls=true"
      - "traefik.http.routers.netbird-api.tls.certresolver=zerossl"
      - "traefik.http.routers.netbird-api.entrypoints=https"
      - traefik.http.routers.netbird-wsproxy-mgmt.rule=Host(`netbird.mydomain.com`) && PathPrefix(`/ws-proxy/management`)
      - traefik.http.routers.netbird-wsproxy-mgmt.service=netbird-wsproxy-mgmt
      - traefik.http.services.netbird-wsproxy-mgmt.loadbalancer.server.port=33073
      # - "traefik.http.routers.netbird-management.tls=true"
      - "traefik.http.routers.netbird-management.tls.certresolver=zerossl"
      - "traefik.http.routers.netbird-management.entrypoints=https"
      - traefik.http.routers.netbird-management.rule=Host(`netbird.mydomain.com`) && PathPrefix(`/management.ManagementService/`)
      - traefik.http.routers.netbird-management.service=netbird-management
      - traefik.http.services.netbird-management.loadbalancer.server.port=33073
      - traefik.http.services.netbird-management.loadbalancer.server.scheme=h2c
      # - "traefik.http.routers.netbird-wsproxy-mgmt.tls=true"
      - "traefik.http.routers.netbird-wsproxy-mgmt.tls.certresolver=zerossl"
      - "traefik.http.routers.netbird-wsproxy-mgmt.entrypoints=https"
    environment:
      - NETBIRD_STORE_ENGINE_POSTGRES_DSN=
      - NETBIRD_STORE_ENGINE_MYSQL_DSN=
    networks:
      - proxy
      - netbird
  # Coturn
  coturn:
    <<: *default
    image: coturn/coturn:latest
    domainname: netbird.mydomain.com
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf
volumes:
  netbird-mgmt:
  netbird-signal:
  netbird-letsencrypt:
networks:
  proxy:
    external: true
  netbird:
```

In the screenshot there are some errors in the js console - especially the one related to "peer not found in wg stats" looks suspicious. Maybe some of you faced similar issues? Trying to solve the issue for a few hours already but by now I'm running out of ideas. Tried it in Firefox, Chrome and Brave - same behavior for all of them.
Debug bundle can be found here (from the ssh host I'm trying to connect to - I don't know if / how to generate it for the web ssh): 59697b80ffe61c405fc0a97d7233c0e361b359f6a9797af6d5f8ef3104137d84/2af04e82-9e1d-425b-a6c9-baf9a26742ff
Are you using NetBird Cloud?
Self-Hosted
NetBird version
v0.61.2 / v0.61.2
Have you tried these troubleshooting steps?
- [x] Reviewed client troubleshooting (if applicable)
- [x] Checked for newer NetBird versions
- [x] Searched for similar issues on GitHub (including closed ones)
- [x] Restarted the NetBird client
- [x] Disabled other VPN software
- [x] Checked firewall settings
I am sure I have the same issue but with RDP from the management dashboard
I have the same issue, but with the ssh on terminal as well. I'm trying to fix this already for 2 days and I use traefik as well as entra id. I get no errors in webconsole, management logs or dashboard logs. I'm out of ideas at this point. I think it might be either traefik issues, entra id or some unset variables that are needed now with the 0.61 update.
Thanks to Ashley Mensah from Slack I could pinpoint the problem to lazy connections enabled on the peer. As a workaround: By disabling lazy connections (on the device itself, disabling in the admin panel is not enough!) I was able to connect to the host successfully.
If you want to disable lazy connections as well, follow these steps: Set `LazyConnectionEnabled` to `false` in `/var/lib/netbird/default.json` and make sure `ServerSSHAllowed` is set to `true`!
Reconfigure the service with `sudo netbird service reconfigure` and check the netbird status with `sudo netbird status -d` to see if the settings applied.