NetBird (VPN IT infrastructure with WireGuard and authentik)
This tutorial does not work 100% yet. I always get stuck at netbird.domain.de/peers in a loading loop.
If netbird up does not connect properly:
sudo systemctl stop netbird
sudo systemctl disable netbird
sudo rm -rf /usr/local/bin/netbird
sudo rm -rf /etc/netbird
sudo rm -rf /var/lib/netbird
sudo apt remove netbird -y
curl -fsSL https://pkgs.netbird.io/install.sh | sudo bash
sudo apt update
sudo apt install netbird -y
sudo netbird up
Install the NetBird Cloud client on a UniFi gateway
https://git.shivering-isles.com/-/snippets/22
install.sh
#!/bin/bash
set -e
if test $(ubnt-device-info firmware) \< "3.0.0"; then
echo "Try the other UDM setup script for 1.x: https://git.shivering-isles.com/-/snippets/19" >&2
exit 1
fi
mkdir -p /data/netbird
cd /data/netbird
if [[ -e ./netbird ]]; then
mv ./netbird ./netbird.old
fi
NETBIRD_VERSION="$(curl -s https://api.github.com/repos/netbirdio/netbird/releases/latest | jq -r ".tag_name")"
curl -L https://github.com/netbirdio/netbird/releases/download/${NETBIRD_VERSION}/netbird_${NETBIRD_VERSION//v}_linux_arm64.tar.gz | tar xvzf -
./netbird service install || true # ignore error since it'll fail if it's already installed
# Due to outdated kernels by unifi, this is required otherwise newer versions of netbird fail to start
mkdir -p /etc/systemd/system/netbird.service.d/
cat >/etc/systemd/system/netbird.service.d/legacy.conf <<EOF
[Service]
Environment="NB_USE_LEGACY_ROUTING=true"
Environment="NB_DISABLE_CUSTOM_ROUTING=true"
EOF
systemctl daemon-reload
if systemctl is-active netbird.service; then
systemctl restart netbird.service
fi
if ! systemctl is-enabled netbird.service; then
systemctl enable --now netbird.service
fi
Then:
chmod +x install.sh
./install.sh
curl -fsSL https://pkgs.netbird.io/install.sh | sh
/data/netbird/netbird -k <setup key> up
Self-hosting
Links about the problem:
https://github.com/netbirdio/netbird/issues/3110 Client failed to connect to Self-Hosted NetBird server: failed while getting Management Service public key
https://github.com/netbirdio/netbird/issues/3007 Stuck on loading screen on "/peers" (Authentik)
https://github.com/netbirdio/netbird/issues/3007#issuecomment-2764264829 < this helped
https://github.com/netbirdio/netbird/issues/3007#issuecomment-2564843380 < nginx-pm cfg
https://github.com/netbirdio/netbird/issues/2941 Request failed with status code 401 (Authentik) < scope api access & redirects
https://github.com/netbirdio/netbird/issues/2515 Unable to authenticate with Authentik SSO
https://github.com/netbirdio/netbird/issues/2510 Netbird with NGiNX Proxy Manager and Authentik
https://github.com/netbirdio/netbird/issues/2338 Can't access dashboard - Token Invalid, Authentik
https://github.com/netbirdio/netbird/issues/2043 error: failed while getting Management Service public key
https://github.com/netbirdio/netbird/issues/2043#issuecomment-2384470230 < nginx-pm cfg
https://github.com/netbirdio/netbird/issues/1962 netbird dashboard does not open properly
https://github.com/netbirdio/netbird/issues/1742 NGINX reverse proxy question
https://github.com/netbirdio/netbird/issues/1250 Authentik login not working: Login Error: User state: Unauthenticated
https://github.com/netbirdio/netbird/issues/536 Run netbird behind reverse proxy
https://docs.netbird.io/selfhosted/selfhosted-guide#step-2-prepare-configuration-files
https://docs.netbird.io/selfhosted/identity-providers#authentik
Follow this guide: https://docs.netbird.io/selfhosted/selfhosted-guide
It provides a script that generates a docker-compose.yml tailored to your needs from template files.
Read the guide very carefully!
VIDEO ON THIS: https://www.youtube.com/watch?v=QQaRB1vL6Q8
Suggested NGINX Proxy Manager Advanced config from the GitHub issue https://github.com/netbirdio/netbird/issues/3110#issuecomment-2567362588
# This is necessary so that grpc connections do not get closed early
# see https://stackoverflow.com/a/67805465
client_header_timeout 1d;
client_body_timeout 1d;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Authorization $http_authorization;
grpc_set_header Authorization $http_authorization;
# Proxy dashboard
location / {
proxy_pass http://nb-dashboard:80;
}
# Proxy Signal
location /signalexchange.SignalExchange/ {
grpc_pass grpc://nb-signal:80;
grpc_set_header Authorization $http_authorization;
grpc_ssl_verify off;
grpc_read_timeout 1d;
grpc_send_timeout 1d;
grpc_socket_keepalive on;
}
# Proxy Management http endpoint
location /api {
proxy_pass http://nb-management:443;
}
# Proxy Management grpc endpoint
location /management.ManagementService/ {
grpc_pass grpc://nb-management:443;
grpc_set_header Authorization $http_authorization;
grpc_ssl_verify off;
grpc_read_timeout 1d;
grpc_send_timeout 1d;
grpc_socket_keepalive on;
}
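Most of the issues linked above come down to the reverse proxy not forwarding the gRPC paths, the Authorization header or the long-lived streams correctly. The following Python script is an added example (not from the page, the GitHub issue or the NetBird project): a small linter that parses an NPM "Advanced" config like the one above and reports the known pitfalls. The embedded configs are constructed copies for testing; the container names nb-dashboard, nb-signal and nb-management are taken from the snippet above. One caveat the linter cannot see: the listen directive is generated by NPM, so "HTTP/2 Support" must be switched on for the proxy host, otherwise grpc_pass has no HTTP/2 connection to work with.

```python
"""Lint an NGINX Proxy Manager "Advanced" config for a self-hosted NetBird.
Added example, not part of NetBird. Flags the proxy mistakes behind the
dashboard loading loop and 'failed while getting Management Service public key'."""
import re
from dataclasses import dataclass, field


@dataclass
class Block:
    name: str                                        # "" for the top level, else e.g. "location /api"
    directives: list = field(default_factory=list)   # (name, [args]) in file order
    children: list = field(default_factory=list)


def parse_nginx(text: str) -> Block:
    """Minimal nginx parser: comments, 'name args;' directives and nested '{ }' blocks."""
    text = re.sub(r"#[^\n]*", "", text)               # drop comments
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', text)
    root, buf = Block(""), []
    stack = [root]
    for tok in tokens:
        if tok == "{":
            blk = Block(" ".join(buf))
            stack[-1].children.append(blk)
            stack.append(blk)
            buf = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            if buf:
                stack[-1].directives.append((buf[0], buf[1:]))
            buf = []
        else:
            buf.append(tok)
    return root


def _has(block: Block, name: str, *prefix: str) -> bool:
    """True if the block sets directive `name` whose first args equal `prefix`."""
    return any(d == name and a[:len(prefix)] == list(prefix) for d, a in block.directives)


# gRPC services the NetBird client talks to, as proxied in the snippet above
GRPC_PATHS = {"/management.ManagementService/": "nb-management",
              "/signalexchange.SignalExchange/": "nb-signal"}


def check_netbird_proxy(text: str) -> list:
    """Return a list of findings; an empty list means the config passes all checks."""
    root = parse_nginx(text)
    locations = {b.name.split(None, 1)[1]: b
                 for b in root.children if b.name.startswith("location ")}
    findings = []
    if not _has(root, "proxy_set_header", "X-Forwarded-Proto", "https"):
        findings.append("top level: proxy_set_header X-Forwarded-Proto https is missing")
    for path in ("/", "/api"):                        # dashboard and management HTTP API
        if path not in locations or not _has(locations[path], "proxy_pass"):
            findings.append(f"location {path}: no proxy_pass (dashboard or /api unreachable)")
    for path, upstream in GRPC_PATHS.items():
        blk = locations.get(path)
        if blk is None or not _has(blk, "grpc_pass"):
            findings.append(f"location {path}: no grpc_pass to {upstream} (clients report "
                            "'failed while getting Management Service public key')")
            continue
        # nginx does not merge *_set_header across levels: once a location sets any
        # grpc_set_header, the top-level ones are no longer inherited, which is why the
        # snippet repeats Authorization inside every gRPC location.
        own_headers = any(d == "grpc_set_header" for d, _ in blk.directives)
        scope = blk if own_headers else root
        if not _has(scope, "grpc_set_header", "Authorization"):
            findings.append(f"location {path}: Authorization header not forwarded to gRPC backend")
        if not (_has(blk, "grpc_read_timeout") or _has(root, "grpc_read_timeout")):
            findings.append(f"location {path}: grpc_read_timeout not raised (nginx default 60s "
                            "closes the long-lived management/signal streams)")
    return findings


# Constructed copy of the advanced config from the issue, in compact form.
NPM_ADVANCED_CONFIG = """
client_header_timeout 1d; client_body_timeout 1d;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Authorization $http_authorization;
grpc_set_header Authorization $http_authorization;
location / { proxy_pass http://nb-dashboard:80; }
location /signalexchange.SignalExchange/ {
    grpc_pass grpc://nb-signal:80; grpc_set_header Authorization $http_authorization;
    grpc_ssl_verify off; grpc_read_timeout 1d; grpc_send_timeout 1d; grpc_socket_keepalive on;
}
location /api { proxy_pass http://nb-management:443; }
location /management.ManagementService/ {
    grpc_pass grpc://nb-management:443; grpc_set_header Authorization $http_authorization;
    grpc_ssl_verify off; grpc_read_timeout 1d; grpc_send_timeout 1d; grpc_socket_keepalive on;
}
"""

# Constructed broken variant: management gRPC block missing, and the signal block sets a
# header of its own so the top-level Authorization header is no longer inherited.
BROKEN_CONFIG = """
proxy_set_header X-Forwarded-Proto https;
grpc_set_header Authorization $http_authorization;
location / { proxy_pass http://nb-dashboard:80; }
location /api { proxy_pass http://nb-management:443; }
location /signalexchange.SignalExchange/ {
    grpc_pass grpc://nb-signal:80;
    grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # shadows inherited Authorization
}
"""

if __name__ == "__main__":
    for label, cfg in (("issue config", NPM_ADVANCED_CONFIG), ("broken config", BROKEN_CONFIG)):
        print(label, "->", check_netbird_proxy(cfg) or "OK")
```

Paste your own Advanced config into a file and call check_netbird_proxy on its contents; an empty result only means the known proxy pitfalls are absent, so if the dashboard still loops, the remaining suspects from the linked issues are the authentik scopes and redirect URIs.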
