NetBird - installation and my experience
-
Here we go fellow Cloudron enthusiasts!
Just wanted to share my experience with NetBird, and man, it's been quite a journey!
Zerotier:
I used to have Zerotier installed, but it had a BIG learning curve (for me) when it came to applying the firewall rules in the Zerotier web UI (controller interface).
The whole idea with Zerotier worked well for me for a couple of years, but I did not like the fact that clients connected all together had full access to each other, in both directions.
Sure, you could make different networks for different clients, but there's gonna be that time when you need some of them together for certain things.
Netmaker:
So I tried Netmaker for that particular reason; it worked well for my needs.
But after a few updates it had problems connecting the clients and I had to start all over again, no fun when you have SMB/NFS and so on set up for particular clients!!
Netbird:
Finally I stumbled across Netbird and thought... let's give that a go, since it looked promising.
Like Netmaker, Netbird installs the coordination server on a cloud instance. This is the air traffic controller. Netmaker's setup was easy, but with Netbird's clear installation instructions, it was even easier to set up.
The initial deployment of NetBird was done on a:
- Ubuntu 20.04.6 LTS (Hetzner CX11)
- 1 vCPU
- 2GB RAM
- 20GB disk
- Pricing per month: €3.98/mo (as of Feb 2024)
The VM should be publicly accessible on TCP ports 80, 443, 33073 and 10000, and UDP ports 3478 and 49152-65535.
Netbird-installation:
Install is done through the installer script (shoutout to the Netbird team for that).
source --> https://docs.netbird.io/selfhosted/selfhosted-quickstart#quick-self-hosting-with-zitadel-id-p
Be aware that this is a "single-line setup script" with Zitadel.
Actually I installed Netbird alongside my existing Keycloak installation, and it was somewhat more advanced to set up.
source --> https://docs.netbird.io/selfhosted/selfhosted-guide
If anyone is really interested in the Keycloak integration with Netbird and how I did it, just throw your questions here and I shall do my best to answer them.
I thought that my review would otherwise become too long if I explained the whole setup process with Keycloak.
For anyone interested, the documentation there is a good guide for successfully installing it.
I use NetBird for:
- SNMP monitoring (where I only allow one direct connection from server to client on port 161 UDP)
- Proxying apps that are installed on my homelab; they proxy their way out through another VPS, also connected with Netbird.
- SMB/NFS for a Cloudron instance deployed on Hetzner (for example) that connects to my homelab and stores its backups there through Netbird.
- Off-site backups from my homelab to another location.
- Connecting to applications through mobile (Android) that are not publicly available.
- and other things I may have forgotten to mention here...
Network routes:
Also, one really big thing where Netbird shines is its capability to use "Network routes".
source --> https://docs.netbird.io/how-to/routing-traffic-to-private-networks
Netbird supports egress servers, called network routes in Netbird, that allow you to access devices that don't have the Netbird client on them, as if you and your computer were transported to wherever the egress server is.
At one time I had a VM at another location on which the Netbird client refused to install.
But "Network routing" in Netbird helped me connect to the desired VM anyway, without the Netbird client installed on it.
Another situation I had was where a Raspberry Pi acting as a dumb energy monitor, without the possibility of opening firewall ports on it, was now acting as my network route to all the devices on that network. Plus, the other network was like 200 miles away from here, and it worked like it was all local.
I also made that network route HA (high availability) and set up the appropriate ACL rules on it, so the whole network is not exposed to every client assigned to it.
Access Control (Firewall):
This is one of the main reasons I went for Netbird. Connecting clients all together in a private network over the internet works great.
Still, if one client gets hacked, it now has full access to all private clients on that particular private network, including access to all services like SMB/NFS and so on.
So what I did here is add clients to groups and from there build my network in such a way that only particular clients have particular access, with the help of ACL rules on the Netbird main page.
So one example here:
I have an SNMP monitoring (master) server and all clients reporting back to that server.
This all happens on port 161 UDP.
Now for the ACL rule I have set up a one-way connection from the SNMP server to my clients on port 161 UDP.
This way the SNMP master server is allowed to connect to the clients for the status reports, but clients can never make a connection back to the master SNMP server.
And also the clients in the same network cannot see or ping each other, because they are not allowed to, based on the ACL rules.
Final word:
Overall, Netbird is a game-changer for someone like me who doesn't want to spend hours on configuration for setups.
Also in terms of security, simplicity, and a bit of tech exploration, it's been a solid and steady choice for the last year.
Sure, I had one problem after an update of Netbird in the past, but when I noted this on their GitHub page, they were very helpful and motivated to catch the cause and solve it in a future update.
Like I said, this is probably one of the first ever reviews that I have written in my whole tech-savvy life, but I hope it helps a bit to give you guys my experience of using Netbird...
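As an added example (my own code, not NetBird's and not from the post above), here is a small default-deny model of the group-based ACLs the post describes: a one-way UDP/161 rule from an SNMP master group to a client group, plus an SMB path from a Cloudron peer to a NAS, compared against an everyone-to-everyone policy. The policy and group dictionaries mirror the shape of NetBird's policy objects as I understand them (group names in sources/destinations, protocol, ports, bidirectional, action); treat the field names as an assumption, and the peer names and groups as constructed sample data. The `blast_radius` helper answers the question the post raises: what can a compromised client still initiate toward, and `wide_open_rules` flags the rules that defeat the whole exercise.

```python
"""Default-deny reachability check for NetBird-style group ACLs (example code)."""
from __future__ import annotations

# Constructed sample groups, assigned the way peers would be grouped in the
# NetBird dashboard. Peer names are made up for this example.
GROUPS: dict[str, set[str]] = {
    "All": {"monitor", "cloudron", "homelab-nas", "pi-energy"},
    "snmp-master": {"monitor"},
    "snmp-clients": {"cloudron", "homelab-nas", "pi-energy"},
    "backup-src": {"cloudron"},
    "backup-dst": {"homelab-nas"},
}

# The kind of out-of-the-box policy the post warns about: every peer can
# reach every other peer, on any protocol and port, in both directions.
DEFAULT_ALL_TO_ALL = {
    "name": "Default", "enabled": True,
    "rules": [{"sources": ["All"], "destinations": ["All"], "protocol": "all",
               "ports": [], "bidirectional": True, "action": "accept"}],
}

# Scoped policies modelled on the post: one-way SNMP polling on UDP/161 from
# the master to the clients, and an SMB path from the Cloudron peer to the NAS.
# Field names follow NetBird's policy objects as I understand them (assumption).
SCOPED_POLICIES = [
    {"name": "snmp-poll", "enabled": True,
     "rules": [{"sources": ["snmp-master"], "destinations": ["snmp-clients"],
                "protocol": "udp", "ports": ["161"], "bidirectional": False,
                "action": "accept"}]},
    {"name": "smb-backup", "enabled": True,
     "rules": [{"sources": ["backup-src"], "destinations": ["backup-dst"],
                "protocol": "tcp", "ports": ["445"], "bidirectional": False,
                "action": "accept"}]},
]


def _in_groups(peer: str, names: list[str], groups: dict) -> bool:
    return any(peer in groups.get(n, set()) for n in names)


def _port_matches(port: int, ports: list[str]) -> bool:
    """An empty list means any port; entries are "161" or ranges like "49152-65535"."""
    if not ports:
        return True
    for spec in ports:
        lo, _, hi = spec.partition("-")
        if (not hi and port == int(lo)) or (hi and int(lo) <= port <= int(hi)):
            return True
    return False


def _rule_allows(rule: dict, src: str, dst: str, proto: str, port: int, groups: dict) -> bool:
    if rule.get("action", "accept") != "accept":
        return False
    if rule["protocol"] not in ("all", proto):
        return False
    if not _port_matches(port, rule.get("ports", [])):
        return False
    if _in_groups(src, rule["sources"], groups) and _in_groups(dst, rule["destinations"], groups):
        return True
    # Only a bidirectional rule lets a destination-group peer initiate toward a source-group peer.
    return bool(rule.get("bidirectional")) and \
        _in_groups(src, rule["destinations"], groups) and _in_groups(dst, rule["sources"], groups)


def is_allowed(src: str, dst: str, proto: str, port: int, policies: list, groups: dict = GROUPS) -> bool:
    """Default deny: src may open proto/port to dst only if some enabled accept rule says so."""
    return any(_rule_allows(r, src, dst, proto, port, groups)
               for p in policies if p.get("enabled", True) for r in p["rules"])


def blast_radius(peer: str, policies: list, groups: dict = GROUPS,
                 probes=(("tcp", 445), ("tcp", 2049), ("udp", 161))):
    """Every (peer, protocol, port) a compromised `peer` could still initiate toward."""
    others = set().union(*groups.values()) - {peer}
    return sorted((dst, proto, port) for dst in others for proto, port in probes
                  if is_allowed(peer, dst, proto, port, policies, groups))


def wide_open_rules(policies: list) -> list[str]:
    """Lint: names of policies with an accept rule that is bidirectional or any-protocol/any-port."""
    return [p["name"] for p in policies for r in p["rules"]
            if r.get("action", "accept") == "accept"
            and (r.get("bidirectional") or (r["protocol"] == "all" and not r.get("ports")))]


if __name__ == "__main__":
    print("pi-energy compromised, default policy:", blast_radius("pi-energy", [DEFAULT_ALL_TO_ALL]))
    print("pi-energy compromised, scoped policies:", blast_radius("pi-energy", SCOPED_POLICIES))
    print("monitor -> pi-energy udp/161:", is_allowed("monitor", "pi-energy", "udp", 161, SCOPED_POLICIES))
    print("pi-energy -> monitor udp/161:", is_allowed("pi-energy", "monitor", "udp", 161, SCOPED_POLICIES))
    print("wide-open policies:", wide_open_rules([DEFAULT_ALL_TO_ALL] + SCOPED_POLICIES))
```

With the scoped policies the compromised Pi can initiate nothing at all (not even a reply path to the SNMP master), while under the all-to-all policy it reaches SMB, NFS and SNMP on every other peer. The model does not replace testing the real ACLs with `netbird status` and a port probe from the client, but it is a cheap way to reason about a policy set before applying it.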
-
-
For the moment I only use Netbird for an SMB connection from my Cloudron hosted at Hetzner to home, for backups.
But I think there's more to explore here, like some DNS magic with AdGuard maybe?
https://docs.netbird.io/how-to/manage-dns-in-your-network
For instance, you connect multiple clients through the DNS of AdGuard? That way you have some kind of VPN with AdGuard filtering resolution? Also handy for mobile clients on the go; I mean the moments you depend on public wifi anywhere outside your home, you connect to Netbird and voila.
Another thing that crossed my mind, but I don't know if that's even possible: sometimes you want to run an app on Cloudron, but don't want it to be publicly available? You only want it to be available for a certain group of clients. This is where Netbird comes in handy also.
Think of it: when installing a Cloudron app, you have the ability to only make it available through Netbird? That way the app is not publicly available, but only to its clients connected through Netbird.
-
@DanTheMan said in NetBird - installation and my experience:
Another thing that crossed my mind, but I don't know if that's even possible: sometimes you want to run an app on Cloudron, but don't want it to be publicly available? You only want it to be available for a certain group of clients. This is where Netbird comes in handy also.
Think of it: when installing a Cloudron app, you have the ability to only make it available through Netbird? That way the app is not publicly available, but only to its clients connected through Netbird.
That's what I meant to ask - is it possible to run something like Bitwarden, Nextcloud, Plex through Netbird only?
-
@DanTheMan, could you share your setup.env file? I'm trying to set up Netbird and it keeps failing. I have tested with the 3 latest releases, I have tried the one-liner install on Ubuntu and Rocky 9 and it never worked; it gets stuck waiting for the dashboard to become online. The manual setup has issues as well; the furthest I have gotten with setting it up is a "There was an error logging you in. Error: Unauthenticated" error. The network traffic shows that netbird tried to do a call to "/.well-known/openid-configuration" on localhost for some reason.
I have set it up according to the official documentation but it doesn't work. Any help would be greatly appreciated!
-
It's been a while since I set it up, but this guy does a good job of explaining how to set it up with Authentik...
Setup Authentik:
https://wiki.opensourceisawesome.com/books/authentik/page/install-and-setup-authentik
Setup Netbird:
https://wiki.opensourceisawesome.com/books/netbird-with-wireguard/page/install-and-setup-the-netbird-wireguard-system
-
@DanTheMan Unfortunately I still face a lot of issues. I have also found a lot of issues with how the management.json file is created; some of the variables are missing or incorrect. Could you share a sanitized version of your setup.env and management.json files? It would help a lot.
I'm also using Keycloak as the authentication mechanism; the official documentation doesn't look good enough, as when I follow it I get a broken installation.
-
@mpapamichalis
Have you tried upstream already? They have the knowledge to solve this quickly and are really helpful in many ways to support you with setting it up.
It's not that I don't want to help you out, but this forum is not related to Netbird in any way.
-
@DanTheMan: Thank you for your post. Got netbird-server running on a VPS. Now I wanted to install it on a VM with Docker running in Proxmox. NAT to the required ports is set, firewall ports are open and in one trial even switched off. Same error. The public domain was reachable < 45 sec. Therefore no installation.
Now my questions: does anyone have netbird running in an LXC with Docker in Proxmox and could help me out with some idea? Or does netbird have a problem with NAT in general? I couldn't find any information on NAT and netbird.
Thank you for your help.
Anton