August 22, 2024

Hello friends, I have been reading this forum and others with no success so far. I am on the latest Unraid version (6.12.12), running Authelia (v4.38.10) as my identity provider and SWAG for reverse proxy. I am using docker compose method, I attached my docker-compose.yml I am using in Unraid compose manager, all the four containers spin up no problem. Also attached my Authelia configuration.yml and my SWAG netbird.subdomain.conf. I followed the SWAG info in the post, the Authelia I had to figure out a lot on my own and I have it mostly working I think. But when I navigate to netbird.example.com I get this error:

error: "invalid_request"
error_description: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The 'redirect_uri' parameter does not match any of the OAuth 2.0 Client's pre-registered 'redirect_uris'."

So not sure if I just have the wrong redirect_uri or not, I have tried many. Appreciate any feedback.

https://docs.netbird.io/selfhosted/identity-providers
"NetBird supports generic OpenID (OIDC) protocol allowing for the integration with any IDP that follows the specification."

Thanks!

edit: forgot to add this as well as further info: https://github.com/authelia/authelia/discussions/7185

edit 2: Ok I have made some progress actually! It still might be a NetBird issue but here is my Authelia logs: https://pastebin.com/6tDHV4WR

with netbird.pugnobellum.com I am sent to this screen after successfully logging in. And when I click accept it goes to this for 15-20 seconds then back to the Consent Request Screen: when I hit f12 on firefox I get:

The resource at “https://netbird.pugnobellum.com/_next/static/media/7385e8d9d3c5518f-s.p.ttf” preloaded with link preload was not used within a few seconds. Make sure all attributes of the preload tag are set correctly.
peers
Object { code: 401, message: "token expired" } layout-8d9e50216f3f6630.js:1:38097
Object { code: 401, message: "token expired" } layout-8d9e50216f3f6630.js:1:38097
Object { code: 401, message: "token expired" } layout-8d9e50216f3f6630.js:1:38097
Object { code: 401, message: "token expired" }

Attachments: configuration.yml, docker-compose.yml, netbird.subdomain.conf

Edited August 22, 2024 by pugnobellum: added github post with related issue
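Added example, not part of the original post: a small Python check for the `redirect_uri` error quoted above. It assumes the provider compares the value in the authorization request with the registered ones as exact strings; the URLs, client id and registered list are constructed sample values, not taken from the poster's attached files.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample values (assumptions, not the poster's real configuration).
SAMPLE_AUTH_URL = (
    "https://auth.example.com/api/oidc/authorization"
    "?client_id=netbird&response_type=code&scope=openid%20profile%20email"
    "&redirect_uri=https%3A%2F%2Fnetbird.example.com%2Fauth"
)
REGISTERED = [
    "https://netbird.example.com/",
    "http://netbird.example.com/auth",
    "https://netbird.example.com/auth/",
]


def requested_redirect_uri(authorization_url):
    """Return the single redirect_uri the client sent in the authorization request."""
    values = parse_qs(urlsplit(authorization_url).query).get("redirect_uri", [])
    if len(values) != 1:
        raise ValueError(f"expected exactly one redirect_uri, found {len(values)}")
    return values[0]


def explain_mismatch(requested, registered):
    """List the URI components in which the two values differ."""
    req, reg = urlsplit(requested), urlsplit(registered)
    reasons = []
    if req.scheme != reg.scheme:
        reasons.append(f"scheme {req.scheme!r} != {reg.scheme!r}")
    if req.netloc != reg.netloc:
        reasons.append(f"host/port {req.netloc!r} != {reg.netloc!r}")
    if req.path != reg.path:
        if req.path.rstrip("/") == reg.path.rstrip("/"):
            reasons.append("trailing slash differs")
        else:
            reasons.append(f"path {req.path!r} != {reg.path!r}")
    if req.query != reg.query:
        reasons.append(f"query {req.query!r} != {reg.query!r}")
    return reasons


def check_redirect_uri(authorization_url, registered_uris):
    """Exact-string match; on a miss, explain the difference to every registered URI."""
    requested = requested_redirect_uri(authorization_url)
    if requested in registered_uris:
        return requested, True, {}
    return requested, False, {u: explain_mismatch(requested, u) for u in registered_uris}


if __name__ == "__main__":
    requested, ok, reasons = check_redirect_uri(SAMPLE_AUTH_URL, REGISTERED)
    print("client sent:", requested, "| registered:", ok)
    for uri, why in reasons.items():
        print(f"  {uri}: {', '.join(why)}")
```

The authorization URL to feed in is the one the browser is redirected to at the identity provider; its `redirect_uri` parameter is what has to appear verbatim in the client's registered list.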
September 22, 2024

I gave Netbird a go and everything on the Unraid side seems to have gone smoothly and appeared to be working (using Netbird's own server as coordinator). Unfortunately I couldn't get it to sign in or authorize on my iOS devices (strictly a Netbird issue, nothing to do with the docker containers here). After finding many dozens of people complaining about the same thing, I had to try something else - connecting from iPhones and iPads is 99% of the reason to have this set up.

Tailscale was an even easier install and pretty much "just worked." I hate to even call it an install as it was no more than hitting the app-store, clicking on an app and logging in. Repeat for other devices, including Unraid where TS is available as a plugin.

If the Netbird folks can get their iOS app working (again?) I'd really like to give this another shot - especially if we might have the possibility of seeing the client as an Unraid plugin in the future.

As a comparison, Tailscale is easy to get going, but I'm not a big fan of how convoluted they make their whole management. It's like the first steps are a few dots of sauce on an empty plate, easy to see, easy to understand. Then they throw a giant pot full of spaghetti on top and leave you to sort it out. 🤣 There's apparently no way to even rename your users or put a custom icon on them. If this were an organization account, I have no idea how anyone could possibly manage it. I haven't tried the self-hosted custom coordination server Headscale, hopefully that's cleaner.

Edited September 22, 2024 by Espressomatic
November 15, 2024

Hi, I've NGINX Proxy Manager installed for my proxied servers..... Is there a way to use netbird with NGINX Proxy Manager without it fighting since they both use ports 80 and 443? If I simply change the netbird external ports like 8080:80 and 8443:443 it doesn't seem to work. Are there any settings to change? As long as it can be done..... Thanks in advance to anyone who will answer me!
November 17, 2024

Run them on different IPs and there's no port conflict. Put them both on br0 network for example.
November 20, 2024

On 5/27/2023 at 1:49 PM, jimrummy101 said:
> The PDF is uploaded to the Unraid Forums and I just tested it's still available. I'll try uploading it again here for you. If no luck I'll add it to the repo later for you to look at.
> Netbird-Server Unraid.pdf 61.81 kB · 131 downloads

Would you mind uploading the PDF again? I would also try to selfhost the netbird server but a little hint how to set everything up would be quite useful. If I gathered it right I could use the templates in order to get it running via docker. I was tempted to initially set it up from scratch in a separate vm but the dockerized approach might be a bit more familiar to me.
November 26, 2024 Author

On 11/20/2024 at 8:58 PM, buscopina said:
> Would you mind uploading the PDF again? I would also try to selfhost the netbird server but a little hint how to set everything up would be quite useful. If I gathered it right I could use the templates in order to get it running via docker. I was tempted to initially set it up from scratch in a separate vm but the dockerized approach might be a bit more familiar to me.

I've put it here now too: https://github.com/dannymate/unraid-templates/blob/master/docs/Netbird-Server Unraid.pdf
November 27, 2024

Can anyone confirm if the Netbird client for iOS now works for iPhone and iPad? The last two times I tried it, going back a few months now, it was impossible to connect an iOS device.
December 10, 2024

On 11/17/2024 at 4:13 PM, Espressomatic said:
> Run them on different IPs and there's no port conflict. Put them both on br0 network for example.

I had already tried but it doesn't work because the 2 servers are on 2 different LAN IPs but my public IP (wan) is only 1 and even if I open ports 80 and 443 on the router for all 2 servers then they still conflict because obviously a request from the outside (from the internet) when it arrives on port 80 or 443 which IP will it go to? It doesn't know.....

Edited December 10, 2024 by Zippi
December 10, 2024

2 hours ago, Zippi said:
> I had already tried but it doesn't work because the 2 servers are on 2 different LAN IPs but my public IP (wan) is only 1 and even if I open ports 80 and 443 on the router for all 2 servers then they still conflict because obviously a request from the outside (from the internet) when it arrives on port 80 or 443 which IP will it go to? It doesn't know.....

You don't open ports on the router/firewall at all when using wireguard-based VPN like Netbird - everything incoming on your firewall should be closed. You can run 2, 3, 100 different IPs on your LAN, it doesn't matter. The Netbird clients running on each of those machines communicating with the Netbird coordinator establishes a route to each machine using Netbird-specific IP range - that's how you can connect from the outside to any specific machine - your WAN IP doesn't matter and neither does its ports.

The local reverse proxy (NPM) works to add certificates and proxy services using domain names that don't rely on your Netbird mesh.

IMO, you should consult a few Netbird and Tailscale Youtube videos to brush up on the basics of what they offer and how they work. I think that will clear up a lot of the confusion.

Edited December 10, 2024 by Espressomatic
December 10, 2024

1 hour ago, Espressomatic said:
> You don't open ports on the router/firewall at all when using wireguard-based VPN like Netbird - everything incoming on your firewall should be closed. You can run 2, 3, 100 different IPs on your LAN, it doesn't matter. The Netbird clients running on each of those machines communicating with the Netbird coordinator establishes a route to each machine using Netbird-specific IP range - that's how you can connect from the outside to any specific machine - your WAN IP doesn't matter and neither does its ports. The local reverse proxy (NPM) works to add certificates and proxy services using domain names that don't rely on your Netbird mesh. IMO, you should consult a few Netbird and Tailscale Youtube videos to brush up on the basics of what they offer and how they work. I think that will clear up a lot of the confusion.

I think you're causing a bit of confusion because NETBIRD needs the ports open on your router otherwise it won't work:

Open TCP ports 80, 443, 33073, 10000, 33080 (Dashboard HTTP & HTTPS, Management gRPC & HTTP APIs, Signal gRPC API, Relay respectively) on your server. Coturn is used for relay using the STUN/TURN protocols. It requires a listening port, UDP 3478, and range of ports, UDP 49152-65535, for dynamic relay connections. These are set as defaults in setup file, but can be configured to your requirements.

https://docs.netbird.io/selfhosted/selfhosted-guide
December 11, 2024

19 hours ago, Zippi said:
> I think you're causing a bit of confusion because NETBIRD needs the ports open on your router

That is incorrect. You're confusing server with router. In your example it's talking about self-hosting the management component, which is done on a server outside your network - it doesn't make any sense to do it on a server inside. That server needs those ports open. Your LAN definitely does not need to be open or have any permissive firewall rules. This zero-config property for the LAN is one of the primary selling features behind Netbird and similar solutions.
December 11, 2024

1 hour ago, Espressomatic said:
> That is incorrect. You're confusing server with router. In your example it's talking about self-hosting the management component, which is done on a server outside your network - it doesn't make any sense to do it on a server inside. That server needs those ports open. Your LAN definitely does not need to be open or have any permissive firewall rules. This zero-config property for the LAN is one of the primary selling features behind Netbird and similar solutions.

I can also agree with you that if you host NETBIRD on a server outside your LAN it is better for security and in that case you don't have to open anything on your router, OK. But I just wanted to experiment something like how this gentleman does it in this video where self-hosted manages to make NETBIRD + TRAEFIK + AUTHENTIK work. I just wanted to try to see if it's possible to do it with NGINX Proxy Manager, that's all.....

Edited December 11, 2024 by Zippi
December 11, 2024

It is possible. But if you don't intend to run an outside server, you should not self-host the Netbird management component. Use Netbird's own server for this, they have a generous client limit allowed for free. Jim makes good videos, but IMO, this one is a little convoluted. Adding Authentik is an unnecessary step because it adds no extra security if you don't open ports - no one can access those services without Netbird and your keys. By opening ports on your router you are making a big hole around Netbird's VPN and open yourself up to unnecessary attack vectors. And I would never trust Authentik to the hammering your LAN will receive 24/7 with open ports and services.

Since we're here in the Unraid forum, I strongly suggest a much better approach is to use Tailscale which is built into Unraid with Plugin and direct Docker support. It is easier to set up than Netbird, IMO, and doesn't additionally rely on a third party component like Coturn (which Netbird itself is going to try to replace eventually). Just my 2 cents. Tailscale is pretty easy to set up and works well with NPM.
December 12, 2024

17 hours ago, Espressomatic said:
> It is possible. But if you don't intend to run an outside server, you should not self-host the Netbird management component. Use Netbird's own server for this, they have a generous client limit allowed for free. Jim makes good videos, but IMO, this one is a little convoluted. Adding Authentik is an unnecessary step because it adds no extra security if you don't open ports - no one can access those services without Netbird and your keys. By opening ports on your router you are making a big hole around Netbird's VPN and open yourself up to unnecessary attack vectors. And I would never trust Authentik to the hammering your LAN will receive 24/7 with open ports and services. Since we're here in the Unraid forum, I strongly suggest a much better approach is to use Tailscale which is built into Unraid with Plugin and direct Docker support. It is easier to set up than Netbird, IMO, and doesn't additionally rely on a third party component like Coturn (which Netbird itself is going to try to replace eventually). Just my 2 cents. Tailscale is pretty easy to set up and works well with NPM.

Yes, I've been using Tailscale for a while now and I'm very satisfied, it works well. It was just a test that I wanted to do with Netbird which works substantially in a similar way but with the risk that if you host the server on your LAN it becomes more dangerous because rightly, as you say, you compromise the security for which Netbird was created, i.e. do not open anything to the outside. Netbird, among other things, is quite "complicated" to make it work with a proxy and authentik, while the installation "alone" works well straight away. I just wanted to try it but I'll hold onto Tailscale! Thanks for sharing ideas!
January 23, 2025

Has anyone actually gotten Netbird to work at all in a secure way? Hosting a Coturn server with ports open is kind of counter intuitive imo unless there is a way to sit it behind something like cloudflare tunnel and traefik. I would love if someone could point me in direction of a guide of sorts as I have authentik configured for the dashboard but after that point the management.json and the coturn.conf file have me stumped. The docker version seems to have ./configure.sh which does it all for you apparently, is that not a thing in unraid?
January 23, 2025

My recommendation remains: Tailscale

Netbird, IMO, isn't ready for prime-time until they remove the reliance on third party software. And to top it off, I've yet to see the iOS client work. At all.

Edited January 23, 2025 by Espressomatic
August 3, 2025

Hi everyone,

has anyone successfully set up NetBird with Keycloak SSO and cloudflared as a reverse proxy on Unraid?

I've followed all guides I could find (NetBird docs, Matrix/Synapse TURN, forum posts, etc.), but after logging in via Keycloak the NetBird dashboard always throws a "Request failed with status code 404" error. The login window from Keycloak appears as expected, authentication works, but after login the dashboard cannot load user or peer data.

- NetBird-Signal, NetBird-Management and NetBird-Dashboard containers are running on Unraid.
- Keycloak configuration (clients, scopes, redirects etc.) matches all tutorials
- cloudflared tunnel to my domain is up and working – I get the Keycloak login via my domain.

I spent hours on this and am stuck – has anyone managed to get NetBird + Keycloak + cloudflared to work on Unraid, and can share their working config/routing or spot my mistake?

Here are my templates.

NetBird-Dashboard

<?xml version="1.0"?>
<Container version="2">
  <Name>NetBird-Dashboard</Name>
  <Repository>netbirdio/dashboard</Repository>
  <Registry>https://hub.docker.com/r/wiretrustee/dashboard/</Registry>
  <Network>bridge</Network>
  <MyIP/>
  <Shell>bash</Shell>
  <Privileged>false</Privileged>
  <Support>https://forums.unraid.net/topic/133241-support-netbird/</Support>
  <Project>https://netbird.io</Project>
  <Overview>NetBird is an open-source VPN management platform built on top of WireGuard® making it easy to create secure private networks for your organization or home.
 
 The Dashboard service provides a user friendly interface for management of peers and the overall network.
 
 Look at the "Additional Requirements" for the other two parts of the server stack.</Overview>
  <Category>Network:DNS Network:Management Network:VPN</Category>
  <WebUI/>
  <TemplateURL>https://raw.githubusercontent.com/dannymate/unraid-templates//tmp/GitHub/repositoryClone/dannymate/unraid-templates/netbird-dashboard/netbird-dashboard.xml</TemplateURL>
  <Icon>https://raw.githubusercontent.com/dannymate/unraid-templates/master/icons/netbird-dashboard-icon-256px.png</Icon>
  <ExtraParams/>
  <PostArgs/>
  <CPUset/>
  <DateInstalled>1754218464</DateInstalled>
  <DonateText/>
  <DonateLink/>
  <Requires>NetBird-Management
 brNetBird-Signal</Requires>
  <Config Name="HTTP" Target="80" Default="" Mode="tcp" Description="" Type="Port" Display="always" Required="true" Mask="false">8089</Config>
  <Config Name="HTTPS" Target="443" Default="" Mode="tcp" Description="" Type="Port" Display="always" Required="true" Mask="false">7443</Config>
  <Config Name="AUTH_AUDIENCE" Target="AUTH_AUDIENCE" Default="" Mode="" Description="" Type="Variable" Display="always" Required="true" Mask="false">netbird-client</Config>
  <Config Name="AUTH_CLIENT_ID" Target="AUTH_CLIENT_ID" Default="" Mode="" Description="" Type="Variable" Display="always" Required="true" Mask="false">netbird-client</Config>
  <Config Name="AUTH_AUTHORITY" Target="AUTH_AUTHORITY" Default="" Mode="" Description="" Type="Variable" Display="always" Required="true" Mask="false">https://auth.mydomain.cloud/realms/netbird</Config>
  <Config Name="USE_AUTH0" Target="USE_AUTH0" Default="false" Mode="" Description="" Type="Variable" Display="always" Required="true" Mask="false">false</Config>
  <Config Name="AUTH_SUPPORTED_SCOPES" Target="AUTH_SUPPORTED_SCOPES" Default="openid profile email offline_access api" Mode="" Description="" Type="Variable" Display="always" Required="true" Mask="false">openid profile email offline_access</Config>
  <Config Name="NETBIRD_MGMT_API_ENDPOINT" Target="NETBIRD_MGMT_API_ENDPOINT" Default="" Mode="" Description="" Type="Variable" Display="always" Required="true" Mask="false">https://connect.mydomain.cloud</Config>
  <Config Name="NETBIRD_MGMT_GRPC_API_ENDPOINT" Target="NETBIRD_MGMT_GRPC_API_ENDPOINT" Default="" Mode="" Description="" Type="Variable" Display="always" Required="true" Mask="false">https://connect.mydomain.cloud</Config>
  <Config Name="AUTH_REDIRECT_URI" Target="AUTH_REDIRECT_URI" Default="" Mode="" Description="" Type="Variable" Display="advanced" Required="false" Mask="false"/>
  <Config Name="AUTH_SILENT_REDIRECT_URI" Target="AUTH_SILENT_REDIRECT_URI" Default="" Mode="" Description="" Type="Variable" Display="advanced" Required="false" Mask="false"/>
  <TailscaleStateDir/>
</Container>

NetBird-Management

<?xml version="1.0"?>
<Container version="2">
  <Name>NetBird-Management</Name>
  <Repository>netbirdio/management</Repository>
  <Registry>https://hub.docker.com/r/netbirdio/management/</Registry>
  <Network>bridge</Network>
  <MyIP/>
  <Shell>sh</Shell>
  <Privileged>false</Privileged>
  <Support>https://forums.unraid.net/topic/133241-support-netbird/</Support>
  <Project>https://netbird.io</Project>
  <Overview>NetBird is an open-source VPN management platform built on top of WireGuard® making it easy to create secure private networks for your organization or home.
 
 The Management service is the central coordination component for NetBird. It keeps the network state, public Wireguard keys of the peers, authenticates and distributes network changes to peers.
 
 Look at the "Additional Requirements" for the other two parts of the server stack.</Overview>
  <Category>Network:DNS Network:Management Network:VPN</Category>
  <WebUI/>
  <TemplateURL>https://raw.githubusercontent.com/dannymate/unraid-templates/master/netbird-management/netbird-management.xml</TemplateURL>
  <Icon>https://raw.githubusercontent.com/dannymate/unraid-templates/master/icons/netbird-management-icon-256px.png</Icon>
  <ExtraParams/>
  <PostArgs>--port 443 --log-file console --disable-anonymous-metrics=false --single-account-mode-domain=connect.mydomain.cloud --dns-domain=netbird.selfhosted</PostArgs>
  <CPUset/>
  <DateInstalled>1754218720</DateInstalled>
  <DonateText/>
  <DonateLink/>
  <Requires>NetBird-Dashboard
 brNetBird-Signal</Requires>
  <Config Name="HTTPS" Target="443" Default="" Mode="tcp" Description="" Type="Port" Display="always" Required="true" Mask="false">33073</Config>
  <Config Name="Config" Target="/etc/netbird/management.json" Default="" Mode="rw" Description="" Type="Path" Display="always" Required="true" Mask="false">/mnt/appdata_cache/appdata/netbird-server/management/management.json</Config>
  <Config Name="Appdata" Target="/var/lib/netbird" Default="" Mode="rw" Description="" Type="Path" Display="always" Required="false" Mask="false">/mnt/appdata_cache/appdata/netbird-server/management/data</Config>
  <Config Name="TZ" Target="" Default="" Mode="" Description="" Type="Variable" Display="always" Required="false" Mask="false">Europe/Berlin</Config>
  <TailscaleStateDir/>
</Container>

Here is my management.json:

{
  "Stuns": [
    {
      "Proto": "udp",
      "URI": "stun:connect.mydomain.cloud:3478",
      "Username": "",
      "Password": null
    }
  ],
  "TURNConfig": {
    "Turns": [
      {
        "Proto": "udp",
        "URI": "turn:connect.mydomain.cloud:3478",
        "Username": "username",
        "Password": "password"
      }
    ],
    "CredentialsTTL": "12h",
    "Secret": "hereismysecret",
    "TimeBasedCredentials": true
  },
  "Signal": {
    "Proto": "https",
    "URI": "connect.mydomain.cloud:443",
    "Username": "",
    "Password": null
  },
  "Datadir": "",
  "HttpConfig": {
    "Address": "0.0.0.0:33073",
    "AuthIssuer": "https://auth.mydomain.cloud/realms/netbird",
    "AuthAudience": "netbird-client",
    "AuthKeysLocation": "https://auth.mydomain.cloud/realms/netbird/protocol/openid-connect/certs",
    "OIDCConfigEndpoint": "https://auth.mydomain.cloud/realms/netbird/.well-known/openid-configuration"
  },
  "IdpManagerConfig": {
    "Manager": "none"
  },
  "DeviceAuthorizationFlow": {
    "Provider": "hosted",
    "ProviderConfig": {
      "Audience": "netbird-client",
      "Domain": "",
      "ClientID": "netbird-client",
      "TokenEndpoint": "https://auth.mydomain.cloud/realms/netbird/protocol/openid-connect/token",
      "DeviceAuthEndpoint": "https://auth.mydomain.cloud/realms/netbird/protocol/openid-connect/auth/device"
    }
  }
}

And this is my turnserver.conf:

listening-port=3478
tls-listening-port=5349
listening-ip=0.0.0.0
min-port=49152
max-port=65535
realm=connect.mydomain.cloud
server-name=connect.mydomain.cloud
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=thisismysecret
total-quota=100
bps-capacity=0
stale-nonce
no-loopback-peers
no-multicast-peers
# Optional for TLS:
# cert=/etc/coturn/cert.pem
# pkey=/etc/coturn/private.key
# Logging:
syslog

Any help or even working config examples would be much appreciated!

Thanks a lot,
Dominik
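Added example (Python, not from the original post and not NetBird or coturn code): with `use-auth-secret`, coturn accepts a time-limited credential whose password is the base64 HMAC-SHA1 of the username under `static-auth-secret`, so the `Secret` next to `TimeBasedCredentials` in management.json has to be the same string. The issuer side below is an assumption modelled on that scheme, and the sample input uses the post's placeholder secrets, which differ from each other.

```python
import base64
import hashlib
import hmac
import json
import re

# Sample input: the relevant keys from the post, with its placeholder secrets.
MANAGEMENT_JSON = """
{"TURNConfig": {"CredentialsTTL": "12h", "Secret": "hereismysecret",
                "TimeBasedCredentials": true}}
"""
TURNSERVER_CONF = """
realm=connect.mydomain.cloud
use-auth-secret
static-auth-secret=thisismysecret
# cert=/etc/coturn/cert.pem
"""


def parse_turnserver_conf(text):
    """Parse coturn's key=value / bare-flag format; bare flags map to True."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        conf[key.strip()] = value.strip() if sep else True
    return conf


def parse_ttl(ttl):
    """Convert a duration such as '12h' or '1h30m' to seconds."""
    units = {"h": 3600, "m": 60, "s": 1}
    parts = re.findall(r"(\d+)([hms])", ttl)
    if not parts:
        raise ValueError(f"unsupported duration: {ttl!r}")
    return sum(int(n) * units[u] for n, u in parts)


def issue_credentials(secret, ttl_seconds, now):
    """Issuer side (assumed): username is the expiry time, password its HMAC."""
    username = str(int(now) + ttl_seconds)
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(mac).decode()


def server_accepts(conf, username, password, now):
    """TURN server side: recompute the HMAC with static-auth-secret."""
    secret = conf.get("static-auth-secret")
    if conf.get("use-auth-secret") is not True or not isinstance(secret, str):
        return False, "use-auth-secret/static-auth-secret not configured"
    if int(username) < now:
        return False, "credential expired"
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    if not hmac.compare_digest(base64.b64encode(mac).decode(), password):
        return False, "HMAC mismatch: the two shared secrets differ"
    return True, "ok"


def check_pair(management_json, turnserver_conf, now):
    """Issue a credential from management.json and test it against turnserver.conf."""
    turn = json.loads(management_json)["TURNConfig"]
    conf = parse_turnserver_conf(turnserver_conf)
    user, pw = issue_credentials(turn["Secret"], parse_ttl(turn["CredentialsTTL"]), now)
    return server_accepts(conf, user, pw, now)


if __name__ == "__main__":
    print(check_pair(MANAGEMENT_JSON, TURNSERVER_CONF, 1_700_000_000))
```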
August 3, 2025

I've since tried again and have never so much as been able to get Netbird working alone on all my systems.
February 5

How is Netbird today? Using Headscale for now on a VPS but I have been planning for a long time to move to Netbird, I saw they have had many updates recently... How does it work with the docker client on Unraid? Wish we had a plugin for NetBird like we got for Tailscale.
February 16

So, I was looking for a way to use netbird with unraid in much the same way tailscale is supported. After reading through this thread I have come to the conclusion that THIS is not it. What I am looking for is a way to add a netbird client to each of the docker containers. If anyone has come across a docker mod, for example, that would be a start toward what I would like to try. I have never created a docker mod, but when I have some time I will look into it if one does not already exist. Much thanks, and great work!
February 21

Hello good people

I have now installed this container, but I have a problem.. When it's active, I can't update any of my docker containers.. But if I deactivate it again, it all works flawlessly.. It is installed as host.. Anyone with a suggestion??

Thank you :)
February 24

Hello again..

I tried to change network and ip-address and change dns servers, but still no luck. For now it looks like I can update by doing it manually for each container.. But it would be nice if anyone had a fix??

Thank you!

Regards
March 3

I'm having an issue where every time the container updates it creates a new peer on my host - any idea why this would be happening?
March 27

Has this been updated at all? We're now near 2026. Looking at the videos online and the website, apparently this is a piece of cake except in unraid...

Edited March 28 by ap90033
March 27

Besides dialing up Psychics R Us, is there a how-to or a detailed video on how to get this installed and working correctly? Seems like there's lots of info on how to set this up in Linux or Mac or Windows, but if you're on unraid, screw you? For us morons who can't figure it out, are there any actual, I don't know, instructions to get this working?