
[SUPPORT] NetBird



5 hours ago, fiR3W4LL said:

I have an issue with managing Docker. It seems it's not starting correctly. I'm encountering this error: "Error: failed reading provided config file: /etc/netbird/management.json: read /etc/netbird/management.json: is a directory."

I haven't made any changes. Any ideas?

 

3 minutes ago, BerndJ said:

I have the same problem. My first installation attempt was on 2024-04-03. 

Error: failed reading provided config file: /etc/netbird/management.json: read /etc/netbird/management.json: is a directory
 

Refer to "Step 5" of the PDF guide above. By default Unraid assumes volume maps are directories if nothing exists, so it created a directory called management.json. You need to provide the file into the appdata folder as in Step 5 of the guide.

 

On 3/9/2024 at 1:48 PM, zkiprov said:

Can I self host netbird without using reverse proxy and without having domain name?

I didn't see this. I'm not sure, I don't think there's any reason you couldn't just use it locally.
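An added example, not part of the guide or the template author's code, that pre-seeds the bind-mounted management.json on the host before the container starts, so the engine does not create a directory with that name; the appdata path and the name of the prepared file are assumptions.

```shell
#!/bin/sh
# Added example: make sure the host path that is bind-mounted to
# /etc/netbird/management.json is a file, not a directory.
# Symptom from the thread: "read /etc/netbird/management.json: is a directory".
# Assumed paths (adjust to your template):
#   target = /mnt/user/appdata/netbird/management.json
#   source = management.json prepared in Step 5 of the guide

# Return codes: 0 = file in place, 1 = non-empty directory left untouched, 2 = write failed
ensure_config_file() {
    target="$1"
    source="$2"

    if [ -d "$target" ]; then
        # An empty directory here is exactly what the engine creates when the
        # mount target does not exist yet. Never delete one that holds data.
        if [ -n "$(ls -A "$target")" ]; then
            echo "refusing to replace non-empty directory: $target" >&2
            return 1
        fi
        rmdir "$target" || return 2
    fi

    mkdir -p "$(dirname "$target")" || return 2
    cp "$source" "$target" || return 2
    # The file carries the OIDC client secret and TURN credentials; keep it private.
    chmod 600 "$target" || return 2
    return 0
}

# Pre-start check: succeeds only if the mount target is a non-empty regular file.
check_config_file() {
    [ -f "$1" ] && [ -s "$1" ]
}

# Usage: ensure_config_file <host mount target> <prepared management.json>
if [ "$#" -ge 2 ]; then
    ensure_config_file "$1" "$2" && check_config_file "$1"
fi
```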


Has anybody gotten this up and running with Authentik?

 

When I go to `netbird.mydomain.com`, I get `Login Error: User state: Unauthenticated ;`, even if I launch the "Application" from Authentik. I'm sure I'm probably missing something obvious, but just thought I'd ask if anyone else has any ideas.

 

Would be interested to see your `management.json` file.

Edited by Hammy Havoc

Hi @jimrummy101,

First of all Thank you so much for creating these containers.

After trying for days to get a tailscale client, even as an exit node, the way I need it using headscale and having both of them communicating in docker, I had just about given up trying to get it to behave like I wanted on unraid, as client communication seemed to be not working at all even though they were connected to the management server headscale.

I came across netbird and although I haven't yet gotten it working for the below questions and reasons (if you could entertain me it would be appreciated), as long as it can do split dns tunneling I'm hoping it will prove more promising as a solution.


I am NOT trying to use this solution to access my unraid server directly but more as a standalone container that would then sit inside a vlan which is firewall segregated with only holes to game servers allowed, as I would then have my trusted friends able to play on my servers and I don't have to expose my game servers and ip directly to the public, as you cannot mask your ip to game servers (dockerized) easily or effectively without spending money.
Think of it like a secure gaming lan setup that allows only specific games to traverse the wireguard network and their other traffic does not go through my network, keeping them private and my bandwidth intact in case they do downloading etc.

I'm currently finding that, like the headscale and tailscale solution I attempted above, it does not have enough information unfortunately. Even I struggle, and I have been doing unraid, docker and vms for over 10 years it feels like.

Explanations as to why at least I'm a little confused:
. why coturn is needed (not what it is as that's easy enough to find https://www.youtube.com/watch?v=4dLJmZOcWFc), if you should self host coturn, how to secure coturn if possible, or if it's better to have coturn sitting in a dmz or vps somewhere offsite.
. why keycloak is even needed and/or if you can just exclude keycloak from the docker variables and the json and sit the ui behind Authelia / Authentik instead; for those that find oauth2 or oidc difficult to understand this one may be a little harder to explain without partially explaining Authelia/Authentik etc workings.
. what specifically do these things even mean:
NETBIRD_AUTH_AUDIENCE="<OAUTH_CLIENT_ID>"
NETBIRD_AUTH_CLIENT_ID="<OAUTH_CLIENT_ID>"
NETBIRD_AUTH_CLIENT_SECRET="<OAUTH_CLIENT_SECRET>"

Explaining like you would to a 6 year old in descriptions of the individual paths and variables will upskill the wider user base much faster than fumbling through documentation that wasn't initially designed for unraid or docker or relies on other software specifically.

Just some suggestions from someone that has what feels like wasted days on this solution of both and never turned up with a working solution.

Now for some of my own questions :) Could you please advise if you're able to take the docker client you made and segregate it with its own ip in a vlan, not using host for the network type?

Very much appreciate for your time on this in advance.


 

On 4/20/2024 at 3:59 AM, Hammy Havoc said:

Has anybody gotten this up and running with Authentik?

 

When I go to `netbird.mydomain.com`, I get `Login Error: User state: Unauthenticated ;`, even if I launch the "Application" from Authentik. I'm sure I'm probably missing something obvious, but just thought I'd ask if anyone else has any ideas.

 

Would be interested to see your `management.json` file.

 

On 4/28/2024 at 8:37 AM, IronBeardKnight said:

Hi @jimrummy101,

First of all Thank you so much for creating these containers.

After trying for days to get a tailscale client, even as an exit node, the way I need it using headscale and having both of them communicating in docker, I had just about given up trying to get it to behave like I wanted on unraid, as client communication seemed to be not working at all even though they were connected to the management server headscale.

I came across netbird and although I haven't yet gotten it working for the below questions and reasons (if you could entertain me it would be appreciated), as long as it can do split dns tunneling I'm hoping it will prove more promising as a solution.


I am NOT trying to use this solution to access my unraid server directly but more as a standalone container that would then sit inside a vlan which is firewall segregated with only holes to game servers allowed, as I would then have my trusted friends able to play on my servers and I don't have to expose my game servers and ip directly to the public, as you cannot mask your ip to game servers (dockerized) easily or effectively without spending money.
Think of it like a secure gaming lan setup that allows only specific games to traverse the wireguard network and their other traffic does not go through my network, keeping them private and my bandwidth intact in case they do downloading etc.

I'm currently finding that, like the headscale and tailscale solution I attempted above, it does not have enough information unfortunately. Even I struggle, and I have been doing unraid, docker and vms for over 10 years it feels like.

Explanations as to why at least I'm a little confused:
. why coturn is needed (not what it is as that's easy enough to find https://www.youtube.com/watch?v=4dLJmZOcWFc), if you should self host coturn, how to secure coturn if possible, or if it's better to have coturn sitting in a dmz or vps somewhere offsite.
. why keycloak is even needed and/or if you can just exclude keycloak from the docker variables and the json and sit the ui behind Authelia / Authentik instead; for those that find oauth2 or oidc difficult to understand this one may be a little harder to explain without partially explaining Authelia/Authentik etc workings.
. what specifically do these things even mean:
NETBIRD_AUTH_AUDIENCE="<OAUTH_CLIENT_ID>"
NETBIRD_AUTH_CLIENT_ID="<OAUTH_CLIENT_ID>"
NETBIRD_AUTH_CLIENT_SECRET="<OAUTH_CLIENT_SECRET>"

Explaining like you would to a 6 year old in descriptions of the individual paths and variables will upskill the wider user base much faster than fumbling through documentation that wasn't initially designed for unraid or docker or relies on other software specifically.

Just some suggestions from someone that has what feels like wasted days on this solution of both and never turned up with a working solution.

Now for some of my own questions :) Could you please advise if you're able to take the docker client you made and segregate it with its own ip in a vlan, not using host for the network type?

Very much appreciate for your time on this in advance.


 

Sorry for the delay answering these. It's hard to build up the motivation sometimes :p.

 

Netbird have explanations in their docs. Check out the "How Netbird Works" page, specifically the "Relay Service" section. To quote:

"The Relay service is a TURN server in WebRTC terminology. In fact, we use an open-source implementation called Coturn. The purpose of this service is to be a "plan B" and relay traffic between peers in case a point-to-point connection isn't possible."


 

I personally self-host Coturn. I originally set it up for "Matrix Synapse" and repurposed it for Netbird. I basically did the bare minimum configuration from stock in the config. The config is one of those 500 line variable things that your eyes glaze over looking at. I'll take a look around and see what I can find in terms of security practices.

 

When I made these templates Netbird was pretty early on and only had auth0 and Keycloak support. I couldn't figure out at the time how to get Authentik working with Netbird so I set up Keycloak instead and followed the docs. Netbird have since added Authentik support so check that out. I may replace my Keycloak instance with Authentik at some point as I'm only using it for Netbird. I'll be sure to write up a guide for that if I do.

 

As for the Environment Variables I'm actually unsure what they mean. It's all OAuth2 nomenclature. I'd have to do some reading and get back to you on that too.

 

In terms of changing the network type of Netbird-Client from host to some vlan. I don't see why not, seems like a good idea to me. "host" is what I chose, as the common use case is remote server access. I haven't tried it though. Let me know how it goes for you.

 

Let me know if there's anything I missed!

 

NOTICE:

The Netbird-Dashboard template will be updated shortly to point to a new docker registry.

When possible update the Netbird-Dashboard container "Repository" from "wiretrustee/dashboard" to "netbirdio/dashboard".

The WebGUI will be updated (and it's very nice in my opinion). No other changes should be required.

 


Hi @jimrummy101

Thank you for the guide.
I have everything working, but when I access Netbird, after redirecting to Keycloak, it goes to https://netbird.mydomain.com/peers and shows this error.
In my case I use Nginx Proxy Manager, I don't know if I have to add something.

I have not run this, it does not recognize the command inside the Netbird Dashboard Terminal.
netbird up --managementurl https: netbird.mydomain.net:443 --admin-url ""

 

 


2 hours ago, Juani said:

Hi @jimrummy101

Thank you for the guide.
I have everything working, but when I access Netbird, after redirecting to Keycloak, it goes to https://netbird.mydomain.com/peers and shows this error.
In my case I use Nginx Proxy Manager, I don't know if I have to add something.

I have not run this, it does not recognize the command inside the Netbird Dashboard Terminal.
netbird up --managementurl https: netbird.mydomain.net:443 --admin-url ""

So my understanding is that you're unable to access your dashboard. From the picture it seems you can physically access it but there's possibly a configuration issue due to receiving those 404 errors.

 

I would double check you've set all the URLs correctly. I would also check the logs for each of the parts of Netbird and see if there's any obvious errors. If Keycloak is redirecting alright then that's probably not the issue. I would check your proxy config as well as just double checking any configured variables and domains for spelling mistakes etc.

 

Post the logs in here (you can censor any urls) if you need more help.

 

That last command should use "--management-url" not "--managementurl". The domain is also missing the "//" after the "https:". The domain you use as an example uses ".net" instead of ".com" as was mentioned in the previous url you gave. If you don't want to have an --admin-url you can just omit that part of the command. The command is also only for netbird clients, whether that's the container or PC client etc.

netbird up --management-url https://netbird.mydomain.net:443 

Should work.

On 5/10/2024 at 11:53 PM, jimrummy101 said:

So my understanding is that you're unable to access your dashboard. From the picture it seems you can physically access it but there's possibly a configuration issue due to receiving those 404 errors.

 

I would double check you've set all the URLs correctly. I would also check the logs for each of the parts of Netbird and see if there's any obvious errors. If Keycloak is redirecting alright then that's probably not the issue. I would check your proxy config as well as just double checking any configured variables and domains for spelling mistakes etc.

 

Post the logs in here (you can censor any urls) if you need more help.

 

That last command should use "--management-url" not "--managementurl". The domain is also missing the "//" after the "https:". The domain you use as an example uses ".net" instead of ".com" as was mentioned in the previous url you gave. If you don't want to have an --admin-url you can just omit that part of the command. The command is also only for netbird clients, whether that's the container or PC client etc.

netbird up --management-url https://netbird.mydomain.net:443 

Should work.

Thanks for your reply,

 

I think the problem may be this. I have not entered this command in any docker. It doesn't recognize me "netbird up". inside which container is it entered?
Maybe this is the error.
Thanks

3 hours ago, Juani said:

Thanks for your reply,

 

I think the problem may be this. I have not entered this command in any docker. It doesn't recognize me "netbird up". inside which container is it entered?
Maybe this is the error.
Thanks

Well you would in theory run it inside the NetBird-Client container, but you shouldn't need to. It should try to connect for you but you can give it a shot if you want to.

On 5/10/2024 at 11:53 PM, jimrummy101 said:

So my understanding is that you're unable to access your dashboard. From the picture it seems you can physically access it but there's possibly a configuration issue due to receiving those 404 errors.

 

I would double check you've set all the URLs correctly. I would also check the logs for each of the parts of Netbird and see if there's any obvious errors. If Keycloak is redirecting alright then that's probably not the issue. I would check your proxy config as well as just double checking any configured variables and domains for spelling mistakes etc.

 

Post the logs in here (you can censor any urls) if you need more help.

 

That last command should use "--management-url" not "--managementurl". The domain is also missing the "//" after the "https:". The domain you use as an example uses ".net" instead of ".com" as was mentioned in the previous url you gave. If you don't want to have an --admin-url you can just omit that part of the command. The command is also only for netbird clients, whether that's the container or PC client etc.

netbird up --management-url https://netbird.mydomain.net:443 

Should work.

Hi!

I continue with the 404 error problem when accessing the Dashboard.
I attach my "management.json" and screenshots of the templates.

 

https://vpn.domain.dev refers to my NetBird instance.

https://key.domain.dev refers to my Keycloak instance.


Keycloak must be all right, since it redirects me correctly to the NetBird Dashboard.

 

NETBIRD MANAGEMENT TEMPLATE

 

Additional arguments:

--port 443 --log-file console --disable-anonymous-metrics=false --single-account-mode-domain=vpn.domain.dev --dns-domain=netbird.selfhosted

 

NETBIRD DASHBOARD TEMPLATE

 


Edited by Juani
4 hours ago, Juani said:

Hi!

I continue with the 404 error problem when accessing the Dashboard.
I attach my "management.json" and screenshots of the templates.

 

https://vpn.domain.dev refers to my NetBird instance.

https://key.domain.dev refers to my Keycloak instance.


Keycloak must be all right, since it redirects me correctly to the NetBird Dashboard.

 

NETBIRD MANAGEMENT TEMPLATE

 

Additional arguments:

--port 443 --log-file console --disable-anonymous-metrics=false --single-account-mode-domain=vpn.domain.dev --dns-domain=netbird.selfhosted

 

NETBIRD DASHBOARD TEMPLATE

 

Your templates look fine to me. My management.json was configured before some of the options in the example provided by netbird were available.

 

I have attached my management.json with domains and secrets stripped. Your config will look slightly different to mine but it should be useful as a known working example. As a note, any "" values are actually empty strings. Anything with a value that I censored has been replaced with a different string.

 

The management.json file is one of my blindspots in terms of knowledge as it was mostly generated for me following steps 1, 2 & 5 from the Advanced Guide page, with some modifications.

 

Let me know if you get it working or if you need anything. I may need to change the management.json I provided in my github repo if it's ended up out of date.

7 hours ago, jimrummy101 said:

Your templates look fine to me. My management.json was configured before some of the options in the example provided by netbird were available.

 

I have attached my management.json with domains and secrets stripped. Your config will look slightly different to mine but it should be useful as a known working example. As a note, any "" values are actually empty strings. Anything with a value that I censored has been replaced with a different string.

 

The management.json file is one of my blindspots in terms of knowledge as it was mostly generated for me following steps 1, 2 & 5 from the Advanced Guide page, with some modifications.

 

Let me know if you get it working or if you need anything. I may need to change the management.json I provided in my github repo if it's ended up out of date.

 

 

Now yes! NGINX PROXY MANAGER is the problem. "custom locations" must be configured. Thanks!

Edited by Juani

Another thing, can you share your turnserver.conf please? Mine gives an error.

 

And... can you access your local network? I can't. Can you try?

 


 

Thanks for all!!

Edited by Juani
1 hour ago, Juani said:

Another thing, can you share your turnserver.conf please? Mine gives an error.

 

And... can you access your local network? I can't. Can you try?

 

Thanks for all!!

You can see my example turnserver.conf here: https://github.com/dannymate/unraid-templates/blob/master/Conf Samples/Coturn/turnserver.conf.sample (line 252?). I think I mention it in my guide too.

 

I can access my local network using an exit node. In fact I've done it for two different networks. You may need to enable "masquerade". Edit: I would fix your turnserver first if it isn't working because it's also kinda used for routing. I vaguely remember having issues when my coturn server wasn't configured properly.

 

I'm not sure if this affects it, but as of unraid 6.12 there's a little bit of extra config (Settings > Network Settings):


You need this to access the Unraid WebGUI through netbird dns (unraid.netbird.com for example). I don't include it because you technically need to do it every time you reboot and it's not great. But I'll put this here for posterity.

Edited by jimrummy101
26 minutes ago, jimrummy101 said:

You can see my example turnserver.conf here: https://github.com/dannymate/unraid-templates/blob/master/Conf Samples/Coturn/turnserver.conf.sample (line 252?). I think I mention it in my guide too.

 

I can access my local network using an exit node. In fact I've done it for two different networks. You may need to enable "masquerade". Edit: I would fix your turnserver first if it isn't working because it's also kinda used for routing. I vaguely remember having issues when my coturn server wasn't configured properly.

 

I'm not sure if this affects it, but as of unraid 6.12 there's a little bit of extra config (Settings > Network Settings):


You need this to access the Unraid WebGUI through netbird dns (unraid.netbird.com for example). I don't include it because you technically need to do it every time you reboot and it's not great. But I'll put this here for posterity.

 

I have added wt0 to Unraid. OK
I downloaded your turn.conf file, activated line 252 and generated a password, OK.
Then in line 625 I put: allowed-peer-ip=192.168.10.0/24
Coturn container does not start. It gives error.

 

I have masquerade enabled but I cannot access my LAN with NetBird. 
Maybe it's because of Coturn giving me error.
I don't know if in this picture everything is configured correctly.


12 hours ago, Juani said:

 

I have added wt0 to Unraid. OK
I downloaded your turn.conf file, activated line 252 and generated a password, OK.
Then in line 625 I put: allowed-peer-ip=192.168.10.0/24
Coturn container does not start. It gives error.

 

I have masquerade enabled but I cannot access my LAN with NetBird. 
Maybe it's because of Coturn giving me error.
I don't know if in this picture everything is configured correctly.


When I first set up Coturn I followed this guide for Matrix Synapse server: https://element-hq.github.io/synapse/latest/setup/turn/coturn.html#configuration

I recommend following that, getting Coturn booting then making the Netbird modifications.

 

Your dashboard config looks fine. I would focus on getting Coturn working.

11 hours ago, jimrummy101 said:

When I first set up Coturn I followed this guide for Matrix Synapse server: https://element-hq.github.io/synapse/latest/setup/turn/coturn.html#configuration

I recommend following that, getting Coturn booting then making the Netbird modifications.

 

Your dashboard config looks fine. I would focus on getting Coturn working.

Ok!

 

I got the Coturn docker to start. Attached is the Docker template and the Logs.
In whitelist I have added 0.0.0.0.0-255.255.255.255 to test that it approves all IP's.
It shows several errors in yellow.
I have tried to access my LAN with NetBird and I can NOT access it...

 

I have configured the turnserver.conf with your option 2 (user:test // password:test123).

 


I have checked the TURN server on this site https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/ and it SEEMS to be working fine.

 


 

I attach my current "management.json" with the data entered from my TURN.

"Secret": "secret", is as it is in the file. I don't know if anything needs to be specified in Secret.


 

My NETBIRD conf.

 

I have added Netbird Client in Unraid. Inside my management panel I add it to have access to my Local Network 192.168.10.0/24 and to act as exit node.
With Exit Node enabled, I can NOT access the Internet or LAN.
With Exit Node off, I CAN access the Internet but NOT LAN.

 

In the "All" group there is the Peer Netbird Client and my iPhone. In no case can I access the rest of the LAN. From the iPhone I try to access my UNRAID (192.168.10.165) and it does not access.

 


 

Edited by Juani
20 hours ago, Juani said:

Ok!

 

I got the Coturn docker to start. Attached is the Docker template and the Logs.
In whitelist I have added 0.0.0.0.0-255.255.255.255 to test that it approves all IP's.
It shows several errors in yellow.
I have tried to access my LAN with NetBird and I can NOT access it...

 

I have configured the turnserver.conf with your option 2 (user:test // password:test123).

 

I have checked the TURN server on this site https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/ and it SEEMS to be working fine.

 


 

I attach my current "management.json" with the data entered from my TURN.

"Secret": "secret", is as it is in the file. I don't know if anything needs to be specified in Secret.

I think you can probably get rid of the Secret line if you're not using it. Otherwise I'm honestly not sure. I'm not a Coturn expert sadly, I got mine working as I mentioned in the guide and in a previous comment. I wouldn't recommend using the Unraid WebGUI as a test as it can be finicky. Though if you're not getting internet at all that's not a great sign. It does seem to me that it's a Coturn configuration/management.json issue though. It may be worth checking the logs of the NetBird-Management container in case there's anything obvious that can give you an idea of what's causing the issue or possibly following a guide for Coturn configuration instead.

 

The NetBird docs are pretty good but they don't go in on explaining what each variable does in the management.json so it's hard to figure that all out.

 

On 5/16/2024 at 9:23 PM, jimrummy101 said:

I think you can probably get rid of the Secret line if you're not using it. Otherwise I'm honestly not sure. I'm not a Coturn expert sadly, I got mine working as I mentioned in the guide and in a previous comment. I wouldn't recommend using the Unraid WebGUI as a test as it can be finicky. Though if you're not getting internet at all that's not a great sign. It does seem to me that it's a Coturn configuration/management.json issue though. It may be worth checking the logs of the NetBird-Management container in case there's anything obvious that can give you an idea of what's causing the issue or possibly following a guide for Coturn configuration instead.

 

The NetBird docs are pretty good but they don't go in on explaining what each variable does in the management.json so it's hard to figure that all out.

 

 

It works now! The problem was the turnserver.conf.
I can access my LAN and the Internet. Without the need to use an EXIT NODE 👌


I have to say guys I'm super lost trying to set this up with anything other than keycloak, as the different docker containers make it quite confusing to push through traefik, not to mention that the management container does not generate the management.json file at all, it just creates a folder. I seem to get nothing but some type of html error in the logs from the management container.

When I try to pass env variables like the normal container would take and then pass to the setup.env it does nothing, and to be honest configuring the management.json manually is confusing to say the least when trying to figure out



I have tried following your guide to the best of my ability but it leaves quite a bit to be desired, as the coturn container also does not generate a config sample file so you have to get it from the git repo.

Feeling more than a bit lost to be honest with these containers. Would love to see a youtube video of someone setting it up or something, especially with Authentik.

 

 
