NetBird SSH/RDP not working with Entra ID
I am running a self-hosted NetBird environment using Azure AD (Entra ID) for authentication and an external Traefik reverse proxy terminating SSL. While basic connectivity (ping/status) works and clients report as "Connected", the SSH feature fails consistently both via the Web Dashboard and the CLI.
The error points to a timeout or token exchange failure during the connection handshake.
Environment:
NetBird Version: 0.61.2 (Agent & Server)
Infrastructure: Self-hosted on Linux (Docker Compose)
Reverse Proxy: External Traefik (v3) terminating SSL, forwarding gRPC via h2c.
Identity Provider: Azure AD (Entra ID)
Client OS: Windows 11 (Client), Linux (Target/Server)
Connection Status: Clients are currently connected via Relay.
The Issue: When attempting to SSH into a peer (which has netbird up --allow-server-ssh enabled), the connection hangs and eventually fails.
Web Dashboard Terminal: Opens the window but stays black/connecting indefinitely. No errors in browser console.
CLI (netbird ssh): Successfully opens the Microsoft Login browser window, authenticates, but then fails at the final connection step.
Logs & Errors:
Client-Side Error (Windows PowerShell):
```
ssh authentication required. Authentication successful! Failed to connect to [email protected]:22 Error: dial 100.124.10.71:22: request JWT token: wait for JWT token: rpc error: code = DeadlineExceeded desc = context deadline exceeded
```
Target Peer Logs (client.log on Linux): No significant errors appear on the target during the attempt.
```
WARN shared/management/client/grpc.go:176: disconnected from the Management service but will retry silently...
```
What I have tried:
Verified Status: netbird status shows Management, Signal, and Relay are "Connected" on both peers.
Disable Auth Workaround: Tried running netbird up --allow-server-ssh --disable-ssh-auth on the target to bypass the JWT token exchange.
Result: The Windows client still prompts for SSO login (ignoring the flag) and fails with the same DeadlineExceeded.
Standard SSH: ssh [email protected] works fine over the NetBird IP (proving the tunnel is up). The issue is isolated to the netbird ssh feature / Access Control.
I pasted my Traefik config as well. For the Entra ID configuration I strictly used the steps described in the documentation of the Entra ID variables in the setup.env.
Have you tried these troubleshooting steps?
- [x] Reviewed client troubleshooting (if applicable)
- [x] Checked for newer NetBird versions
- [x] Searched for similar issues on GitHub (including closed ones)
- [x] Restarted the NetBird client
- [x] Disabled other VPN software
- [x] Checked firewall settings