Ideas flowing through my mind: connecting external storage for apps? Done through Netbird to a compatible connected storage solution (selfhosted?).
DanTheMan
Posts
-
NetBird - installation and my experience
For the moment I only use Netbird for an SMB connection from my Cloudron hosted at Hetzner to home, for backups.
But I think there's more to explore here, like some DNS magic with Adguard maybe?
https://docs.netbird.io/how-to/manage-dns-in-your-network
For instance, you connect multiple clients through the DNS of Adguard? That way you have some kind of VPN with an Adguard filtering resolution? Also handy for mobile clients on the go, I mean the moments you depend on public wifi anywhere outside your home: you connect to Netbird and voila.
Another thing that crossed my mind, but I don't know if that's even possible? Sometimes you want to run an app on Cloudron, but don't want it to be publicly available? You only want it to be available for a certain group of clients. This is where Netbird comes in handy also.
Think of it when installing a Cloudron app: you have the ability to only make it available through Netbird? That way the app is not publicly available, but only to its clients connected through Netbird.
-
NetBird - WireGuard based VPN
@Adhok Good question actually, but I haven't tried that one, since I only use the Netbird client on Cloudron to run backups from Cloudron to my homelab.
-
NetBird - installation and my experience
Here we go, fellow Cloudron enthusiasts!
Just wanted to share my experience with NetBird, and man, it's been quite a journey!
Zerotier:
I used to have Zerotier installed, but it had a BIG learning curve (for me) when it comes to applying the firewall rules in the Zerotier web UI (controller interface).
The whole idea with Zerotier worked well for me for a couple of years, but I did not like the fact that clients connecting all together had full access all together, in both ways.
Sure, you could make different networks for different clients, but there's gonna be that time when you need some of them together for certain things.
Netmaker:
So I tried Netmaker for that particular reason; it worked well for my needs.
But after a few updates, it had problems connecting the clients and I had to start all over again, no fun when you have SMB/NFS and so on set up for particular clients!!
Netbird:
Finally I stumbled across Netbird and thought.... let's give that a go, since it looked promising.
Like Netmaker, Netbird installs the coordination server on a cloud instance. This is the air traffic controller. Netmaker's setup was easy, but with Netbird's clear installation instructions, it was even easier to set up.
The initial deployment of NetBird was done on a:
Ubuntu 20.04.6 LTS (Hetzner-CX11)
1 VCPU
2GB RAM
20GB DISK
Pricing per month: €3.98/mo (as of feb-2024)
The VM should be publicly accessible on TCP ports 80, 443, 33073 and 10000; and UDP ports: 3478, 49152-65535.
Netbird-installation:
Install is done through the installer script (shoutout to the Netbird team for that).
source --> https://docs.netbird.io/selfhosted/selfhosted-quickstart#quick-self-hosting-with-zitadel-id-p
Be aware that this is a "single-line setup script" with Zitadel.
Actually I installed Netbird alongside my existing Keycloak installation, and it was somewhat more advanced to set up.
source --> https://docs.netbird.io/selfhosted/selfhosted-guide
If anyone is really interested in the Keycloak integration with Netbird and how I did it? Just throw your questions here and I shall do my best to answer them.
I thought that my review otherwise would be too long, if I explained that whole setup process with Keycloak.
For anyone interested, the documentation here is a good guide for successfully installing it.
I use NetBird for:
- SNMP monitoring (where I only allow 1 direct connection from server to client on port 161 UDP)
- Proxying apps that are installed on my homelab; they proxy their way out through another VPS, also connected with Netbird.
- SMB/NFS for a Cloudron instance deployed on Hetzner (for example), that connects to my homelab and stores its backups there through Netbird.
- Off-site backups from my homelab to another location.
- Connecting to applications through mobile (Android) that are not publicly available.
and other things I may forget to mention here.....
Network routes:
Also one really big thing where Netbird shines is its capability to use "Network routes".
source --> https://docs.netbird.io/how-to/routing-traffic-to-private-networks
Netbird supports egress servers - called network routes in Netbird - that allow you to access devices that don't have the Netbird client on them, as if you and your computer were transported to wherever the egress server is.
At one time I had a VM at another location where it refused to install the Netbird client on.
But "Network routing" in Netbird helped me connect to the desired VM anyway, without the Netbird client installed on there.
Another situation I had is where a Raspberry Pi acting as a dumb energy monitor, without the possibility of opening firewall ports on there, was now acting as my Network Route to all the devices listed on that network. Plus the other network was like 200 miles away from here, and working like it was all local.
I also made that network route HA (High Availability) and set up the appropriate ACL rules on it, so the whole network is not exposed to every client assigned to it.
Access Control (Firewall):
This is one of the main reasons I went for Netbird. Because connecting clients all together in a private network over the internet works great.
Still, if one client gets hacked, it now has full access to all private clients on that particular private network, including access to all services like SMB/NFS and so on.
So what I did here is add clients to groups and from there build my network in that way: only particular clients have particular access, with the help of ACL rules on the Netbird main page.
So one example here;
I have an SNMP monitoring (master) server and all clients reporting back to that server.
This all happens on port 161 UDP.
Now for the ACL rule I have set up a one-way connection from the SNMP server to my clients on port 161 UDP.
This way the SNMP master server is allowed to connect to the clients for the status reports, but clients could never make a connection back to the master SNMP server.
And also the clients together in the same network can not see or ping each other, because they're not allowed to, based on the ACL rules.
Final word:
Overall Netbird is a game-changer for someone like me who doesn't want to spend hours on configurations for setups.
Also in terms of security, simplicity, and a bit of tech exploration, it's been a solid and steady choice for the last year.
Sure, I had one problem after an update of Netbird in the past, but when I noted this on their GitHub page, they were very helpful and motivated to catch the cause and solve it in a future update.
Like I said, this is probably one of the first ever reviews that I wrote in my whole tech-savvy life, but I hope it helps a bit to give you guys my experience about using Netbird....
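The one-way SNMP access-control setup from the review above, as an added illustration (not NetBird's own code): a small model of NetBird policy rules that shows why the master-to-clients rule lets nothing else through, plus a check for the kind of "everyone reaches everyone" rule the review argues against. The rule fields follow the policy object of NetBird's management API as I know it (sources/destinations are group ids; protocol, ports, bidirectional, action); treat the field names as an assumption and check them against the docs for your version. Group ids are placeholders.

```python
# Constructed sample, as the review describes it: one-way SNMP polling from the
# master group to the clients group, and nothing else. Group ids are placeholders
# and the field layout is an assumption based on NetBird's policies API.
SNMP_POLICY = {
    "name": "snmp-monitoring", "enabled": True,
    "rules": [{"name": "master polls clients", "enabled": True, "action": "accept",
               "bidirectional": False, "protocol": "udp", "ports": ["161"],
               "sources": ["grp-snmp-master"], "destinations": ["grp-snmp-clients"]}],
}

# The kind of rule the review argues against: every peer reaches every peer on any port.
DEFAULT_ALL_POLICY = {
    "name": "Default", "enabled": True,
    "rules": [{"name": "Default", "enabled": True, "action": "accept",
               "bidirectional": True, "protocol": "all", "ports": [],
               "sources": ["grp-all"], "destinations": ["grp-all"]}],
}


def active_rules(policies):
    """Yield (policy name, rule) for enabled accept rules only."""
    for pol in policies:
        if pol.get("enabled"):
            for rule in pol.get("rules", []):
                if rule.get("enabled") and rule.get("action") == "accept":
                    yield pol["name"], rule


def allows(policies, src_group, dst_group, proto, port):
    """Simplified evaluation: a rule matches when protocol and port fit and the groups
    line up in the rule's direction (either direction only when bidirectional)."""
    for _, r in active_rules(policies):
        if r["protocol"] not in ("all", proto):
            continue
        if r["ports"] and str(port) not in r["ports"]:
            continue
        forward = src_group in r["sources"] and dst_group in r["destinations"]
        reverse = r["bidirectional"] and src_group in r["destinations"] and dst_group in r["sources"]
        if forward or reverse:
            return True
    return False


def wide_open_rules(policies):
    """Names of rules granting full mutual access: bidirectional, all protocols, no port limit."""
    return [f"{name}/{r['name']}" for name, r in active_rules(policies)
            if r["bidirectional"] and r["protocol"] == "all" and not r["ports"]]
```

With only SNMP_POLICY active, the master reaches clients on 161/UDP, clients cannot reach the master or each other, and wide_open_rules() reports nothing; adding DEFAULT_ALL_POLICY is what makes it report "Default/Default".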
-
NetBird - WireGuard based VPN
@timka Thanks!! I appreciate that.
-
NetBird - WireGuard based VPN
Because there's an interest in a write-up about my experience with Netbird, I shall try to write something about it here in the forum in the upcoming time.
I never did a write-up before, so a bit challenging but also fun and exciting to do for me.
-
NetBird - WireGuard based VPN
I am using Netbird for almost a year now and I must say it's rock steady.
Am using it for SNMP monitoring and SMB/NFS access to allow only specific servers and/or ports together.
This can be achieved by setting up the ACLs on the main page of Netbird (selfhosted).
I say this would be a very interesting potential app for Cloudron.
-
Am i doing the right (safe) thing here?........
Getting back to the strange authentication logs I saw in TURN at the Cloudron instance on Hetzner.
They disappeared after I added the following to the config of my Matrix installation at home... "turn_user_lifetime: 2h"
Video calling and voice calling still work great and I have had no problems with them in the meantime.
Now my only question remains: is this a correct and safe way?
-
Am i doing the right (safe) thing here?........
Dear Cloudron team and forum members,
Because I host my Cloudron at home, I depend on my Internet Service Provider (ISP) and their decisions regarding opening ports to the Internet.
Now unfortunately they have blocked TURN/STUN ports 3478 and 5349 TCP/UDP to the internet.
No problem I thought, because I still have another Cloudron instance installed on Hetzner, which I can (maybe) use for my TURN server at home.
Now comes my BIG QUESTION...
I transferred (copied) the TURN settings, including the "turn_shared_secret", from the Cloudron instance installed on Hetzner to my own self-hosted instance of Cloudron at home.
So that way my Matrix Synapse installation at home is now using an external TURN server, my Cloudron instance on Hetzner.
I copied these settings into the TURN settings of Matrix Synapse (homeserver.yml) and everything (calls and video calls) seems to work perfectly again, maybe even better than before.
I do see some weird complaining logs about credentials, in the TURN logs on the Hetzner instance....
Like I said, video calls and normal calls through Matrix Synapse are working perfectly.
However, it does worry me whether this is the correct and safe way to do it?
-
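The credential scheme behind the copied turn_shared_secret and the turn_user_lifetime setting in the two posts above, as an added example (not Cloudron's, Synapse's or the TURN server's code): Synapse derives a short-lived username/password from the shared secret, and the TURN server only recomputes the same HMAC and checks the expiry, so both ends must hold the identical secret and each credential is valid for exactly turn_user_lifetime. SHARED_SECRET and the user id are constructed values.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed sample value; a real turn_shared_secret is a long random string and
# must be identical in Synapse's homeserver.yaml and in the TURN server's config.
SHARED_SECRET = b"example-shared-secret-REPLACE-ME"


def synapse_turn_credentials(user_id: str, secret: bytes, lifetime_s: int,
                             now: Optional[float] = None) -> Tuple[str, str]:
    """Build the time-limited username/password pair the way Synapse does:
    username = "<expiry>:<user id>", password = base64(HMAC-SHA1(secret, username)).
    lifetime_s corresponds to turn_user_lifetime (e.g. 2h -> 7200)."""
    now = time.time() if now is None else now
    username = f"{int(now + lifetime_s)}:{user_id}"
    mac = hmac.new(secret, username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(mac).decode()


def turn_server_verdict(username: str, password: str, secret: bytes,
                        now: Optional[float] = None) -> str:
    """Mimic a TURN server running in shared-secret mode: recompute the MAC with its
    own secret and check the expiry embedded in the username.
    Returns "ok", "bad-mac" (secret mismatch) or "expired" (credential too old)."""
    now = time.time() if now is None else now
    expected = hmac.new(secret, username.encode(), hashlib.sha1).digest()
    if not hmac.compare_digest(base64.b64encode(expected).decode(), password):
        return "bad-mac"
    expiry = int(username.split(":", 1)[0])
    return "expired" if expiry < now else "ok"
```

A rejected credential is only visible on the TURN side: Synapse hands the client the pair and never learns whether the relay accepted it, which is why the Matrix side can look healthy while the TURN log complains.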
Turn domain Matrix-Synapse not changing after moving to another my.domain
Great, then we have at least tackled this bug for the upcoming future.
-
Turn domain Matrix-Synapse not changing after moving to another my.domain
Everything worked out really well and calling through the Element app is working again.
Thanks for the great and fast support Girish.
We can close this one as solved!!
-
Turn domain Matrix-Synapse not changing after moving to another my.domain
@girish I'm a little stuck (not sure) with step 3 and maybe 4:
- 3: Move synapse to another domain. For example, move it to synapse2.domain.com. The reason for this is to free up synapse.domain.com
How do we move Synapse exactly? By just going to the location of the existing install and changing synapse.domain.com to synapse2.domain.com?
Or do we have to install a second app with synapse2.domain.com pointed to it?
-
Turn domain Matrix-Synapse not changing after moving to another my.domain
@girish
In the meantime I was thinking about the domain change (move) for cloning, like you described.
But doesn't this interfere with the rules that Synapse has/depends on?
I read this (old) article somewhere:
Why can't I rename my homeserver?
Currently, the homeserver name is assumed never to change. This means that if you rename your server, other servers will think it's a different server.
Perhaps in the future we will add an API for changing the homeserver name, but for now this is not supported.
https://matrix.org/docs/older/faq/
It's old documentation, but I just want to be on the safe side....
-
Turn domain Matrix-Synapse not changing after moving to another my.domain
Thanks a lot for that Girish.
I will check on it tomorrow and report back when successfully accomplished....
-
Turn domain Matrix-Synapse not changing after moving to another my.domain
Thanks for checking that Girish.
-
Turn domain Matrix-Synapse not changing after moving to another my.domain
I have checked that one but I think federation still works. It is only the TURN server that points to the old domain and will not change to the new one....
-
Turn domain Matrix-Synapse not changing after moving to another my.domain
Hi there,
I recently moved the Cloudron's my.domain (Dashboard) to another domain of mine.
Now after a while I could not connect new calls through Matrix-Synapse, so I checked the TURN settings in the config (homeserver.yaml).
I discovered that it was still pointing to the old my.domain address, so I changed it to the new one, but after rebooting Matrix it came back to the old one......
What to do now.....?
-
Is it safe to upgrade my Cloudron?
Thanks a lot Nebulon for the clear answer.
-
Is it safe to upgrade my Cloudron?
Thanks for thinking with me.
I also thought it would be no problem, just want to be on the safe side.
At least I'm on Ubuntu 20.04, so that should be good... maybe I'll wait a little longer until someone from the Cloudron team can give me a definitive answer to this?
Don't wanna revert to a backup, when it's not necessary....
-
Is it safe to upgrade my Cloudron?
Please some advice!!
I have been out for work since June this year and disabled automatic updates just in case.
Now finally back again at my Cloudron instance and ready to catch up with things, like updating my Cloudron version.
I noticed that when I want to upgrade, it wants to upgrade to an unstable version (See attachment).
My question...... Is it safe to update from this point? And will it finally catch up to the latest version?