Build an MSP on Open Source Part 2: Netbird VPN with Authentik as the IdP. Access and Security.

  • Published 31 May 2024
  • This is a longer episode than normal, even for me, but I think the content here will give us a huge kickstart in the right direction for this venture. I wanted to provide something that you could start utilizing for anything, not just a business, so here is a full install of Docker, Docker Compose, NGinX Proxy Manager, Authentik, and Netbird. The next videos should be shorter now that we've laid our groundwork.
    === Links ===
    Show Notes
    Authentik (original show notes)
    wiki.opensourceisawesome.com/...
    Netbird (original show notes)
    wiki.opensourceisawesome.com/...
    This Episode (changes / additions)
    wiki.opensourceisawesome.com/...
    Get the AwesomeOpenSource Merchandise
    awesomeopensource.creator-spr...
    Support my Channel and ongoing efforts through Patreon:
    / awesomeopensource
    Buy Me a Coffee or Beer
    paypal.me/BrianMcGonagill?cou...
    === Timestamps ===
    00:00 Beginning
    00:08 Introduction
    05:02 Thank You to my Patrons at Patreon
    06:09 Get a Domain Name
    06:42 Setup a Server
    08:51 From Self Hosted to Hosted as we Grow
    12:12 Add a Non-root User with sudo privileges
    15:02 Install Docker-CE, Docker Compose, and NGinX Proxy Manager
    24:05 Install and Configure Authentik
    32:28 Create a Virtual LAN for our Servers in Digital Ocean
    37:40 Create a Proxy to Authentik in our Virtual LAN (VPC)
    38:28 Setup our Admin for Authentik
    41:11 Setup Netbird VPN with Authentik
    47:28 Setup an Auth Provider in Authentik for Netbird
    59:54 Check our Netbird Configuration Files for Accuracy
    01:01:30 Fix an Error I Made in the Setup
    01:03:24 Update our Hosts file for Netbird
    01:06:49 One Warning about Netbird vs Tailscale Clients
    === Contact ===
    Twitter: @mickintx
    Telegram: @MickInTx
    Mastodon: @MickInTx@fosstodon.org
    Try out SSDNodes VPS Services! Amazing Specs for incredibly low costs. I'm running a 32 GB RAM / $ CPU Server for only $9 a month! Seriously. For long term server usage, this is the way to go!
    www.ssdnodes.com/manage/aff.p...
    Get a $50.00 credit for Digital Ocean by signing up with this link:
    m.do.co/c/a6a61ae55242
    Use Hover as your Domain Name Registrar to get some great control over your domains / sub-domains:
    hover.com/SHPaiirr
    Support my Channel and ongoing efforts through Patreon:
    / awesomeopensource
    What does the money go to?
    To Pay for Digital Ocean droplets, donations to open source projects I feature, any hardware I may need to purchase for future episodes (which I will then give to a subscriber in a drawing or contest).
    === Attributions ===
    Intro and Outro music provided by www.bensound.com
  • Science & Technology

COMMENTS • 71

  • @netbirdio
    @netbirdio 2 months ago +9

    Absolutely love it! Thank you for this video :)

    • @netbirdio
      @netbirdio 2 months ago +4

      The part where Brian configures NetBird with Authentik is just brilliant. It is very detailed and highlights the caveats people might have (e.g., the hosts file point). We will link it to our docs 👍

    • @AwesomeOpenSource
      @AwesomeOpenSource 2 months ago +1

      Glad you guys like it, and thank you so very much for such an awesome open source project!

  • @Glatze603
    @Glatze603 2 months ago +6

    Great content Brian! Thanks. For better security, you should enable 2FA for Authentik and then add a provider (proxy provider) and application for nginx proxy manager itself, so that the access is protected with 2FA of Authentik, too 🙂

    • @Glatze603
      @Glatze603 2 months ago +1

      It seems that npm cannot be configured for authentik... Has anybody an idea how to get 2FA for npm?

    • @AwesomeOpenSource
      @AwesomeOpenSource 2 months ago +2

      100%. Just didn't show it yet. But, I'd point folks to @Cooptonian as his Authentik videos are gold!

    • @AwesomeOpenSource
      @AwesomeOpenSource 2 months ago +1

      I think if you set NPM to Basic Auth (if possible), then you can use Authentik to login through that (again, just saw an @Cooptonian video that showed something like this).

  • @docmalitt
    @docmalitt 2 months ago +2

    Dear AOS, this is really at the moment (trust me, been following a bunch of well known and quite wholesome homelab enthusiasts) one of the most effective lists of resources and tools for IT power-users who want to start something like a business on a budget, very small budget, but are not sure they want to leave their everyday job. Also for the unemployed (whatever the reason might be) to maybe earn some income. Even for those who aren't in a pinch for money (hard to find, but who knows...) to keep up with the ever changing and evolving tech. I mean, lately, every few months something crazy good comes out. Netbird with the free 5/100 tier is amazing for practice as well as small home bizz. Anyways, I am packing 3 laptops and a Pi and right after installing Netbird it's time to figure out Authentik - and here comes ... your video. Thx a bunch

  • @pixelaccount3882
    @pixelaccount3882 2 months ago +3

    Priceless content

  • @waynestatic2912
    @waynestatic2912 2 months ago +1

    Great video and explanation as always! Just a little tip about the authentik setup: you don't need to specify the version of the image to pull in both the .env and the compose file, you just need to match the variable name, which is different in this case. When the variable name is the same, docker will match the version specified in the .env file and use the one in compose as a fallback.

    • @AwesomeOpenSource
      @AwesomeOpenSource 2 months ago +1

      Yeah, I don't recall at this point if I messed up that tag, or if that's how it was copied from them, but you're 100% right.
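
As an added illustration of @waynestatic2912's tip above (my example, not the commenter's or the video's files): Compose only reads a value from `.env` when the compose file references that exact variable name, and the `${VAR:-default}` form is what makes the tag in the compose file a fallback instead of a hard pin. `AUTHENTIK_TAG` is assumed here to be the variable name authentik's upstream compose file uses; the tag values are placeholders.

```yaml
# --- Mismatched (what the video ended up with) ---
# .env contains:   AUTHENTIK_VERSION=2024.x.y
# Nothing below references AUTHENTIK_VERSION, so Compose silently ignores
# the .env value and the hard-coded tag is always the one pulled.
services:
  server:
    image: ghcr.io/goauthentik/server:2024.x.y   # pinned here AND in .env
  worker:
    image: ghcr.io/goauthentik/server:2024.x.y   # must be edited in step by hand

# --- Corrected (same variable name in both files) ---
# .env contains:   AUTHENTIK_TAG=2024.x.y
# Compose substitutes the .env value; the ":-" default is used only when
# AUTHENTIK_TAG is unset or empty, so the version lives in one place.
services:
  server:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_TAG:-2024.x.y}
  worker:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_TAG:-2024.x.y}
```

`docker compose config` prints the fully resolved `image:` lines, so you can confirm which tag will actually be pulled before bringing the stack up.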

  • @clementinoytb
    @clementinoytb 2 months ago +1

    Thank you so much for this tutorial! You have no idea how much I have been looking forward to this! Thank you, you really are great at giving instructions, these videos are valuable resources!

  • @premdon009
    @premdon009 2 months ago +2

    Great, been waiting for this video. Thanks for the video ❤

  • @adzieau
    @adzieau 2 months ago +1

    Thanks for the great video Brian. It took me a few hours to get through this one. I followed along the whole way. I had a few difficulties as I used a local provider for my servers and the settings were a bit different. Got there in the end. Looking forward to the next one greatly and starting to integrate some of the solutions into my own business I am just starting.

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 month ago

      Super glad you were able to work through it. Excited that you are coming along with me.

  • @rdmerck
    @rdmerck 1 month ago +1

    You make great content Brian, thanks for your hard work! Excited to see the next video

  • @muhammedcrow3123
    @muhammedcrow3123 28 days ago +1

    Great content, Brian. I'm a longtime fan of the show, and right now I'm trying to create a similar thing as an MSP in my home country, and this series was a great resource for me. I wanted to ask though, what if you're trying to create something like what Microsoft did with Azure and Intune for both device and user management but with OSS, where you use one account to access everything, and all services play nicely with each other? Thanks for all the efforts you're going through to put this knowledge out for the world.

    • @AwesomeOpenSource
      @AwesomeOpenSource 28 days ago +1

      I think SSO is definitely possible. The services playing nicely is a different story. We are essentially pulling a bunch of different software together. I don't use Microsoft or Intune, but it's one thing to pull a bunch of things together, it's different to own all of it.

  • @gacjezv
    @gacjezv 2 months ago +2

    Hey Brian, Great series. Can you add the notes when you have a minute? I have been wrestling with this exact install. Question: I didn't see the Netbird FQDN being routed via the NPM Proxy. Is that correct? I have all these on the same network, so I was going to route my FQDN via my proxy to the Netbird IP Address internally and then use Authentik to secure it.

    • @AwesomeOpenSource
      @AwesomeOpenSource 2 months ago

      I'm adding them now, might take a bit to get it all in, but I'll be referencing my original video notes as well. I updated those links in the description already. Just need to finish the show notes specific to this video.

  • @mmejia04
    @mmejia04 22 days ago +1

    Great video...but I am kind of stuck. I use HAProxy (pfSense package), Authentik and I would like to setup NetBird. I am missing how to setup Netbird behind the HAProxy... any ideas?

    • @AwesomeOpenSource
      @AwesomeOpenSource 21 days ago

      You'll have to forward the web admin ports to your server, and also all of the ranges of ports it needs to that server. Not sure how well it will work. Not used HAProxy, so just not familiar with its setup.

  • @farzadmf
    @farzadmf 2 months ago +1

    Thank you for the video. The links section seems to be missing for the show notes

    • @AwesomeOpenSource
      @AwesomeOpenSource 2 months ago

      Working on the show notes now. I'll have them by the end of day (if all goes better than yesterday anyway).

    • @farzadmf
      @farzadmf 2 months ago +1

      Thank you for the update; hopefully everything goes well for you

  • @toddselby443
    @toddselby443 2 months ago +1

    So would pika backup, that you showed in your last video, be a good backup solution for these servers?

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 month ago +1

      I would recommend something like Borg Backup with BorgWarehouse, as these servers don't have a desktop environment, which is needed for PikaBackup to work. The other option that I'll be looking at is URBackup, which is also a nice solution.

    • @toddselby443
      @toddselby443 1 month ago

      @@AwesomeOpenSource Thanks for the information!

  • @0ctatr0n
    @0ctatr0n 21 days ago +1

    Did this setup allow a client to connect? I've set up the same thing using Caddy because I read that Nginx Proxy Manager doesn't support gRPC and as a result doesn't allow me to connect clients, whining about expecting a gRPC connection and getting an html/text 1.1 connection.
    I even ran the script version to find out how it sets up the Caddyfile to make gRPC work, still not working.
    Let me know when you do the episode showing it connecting to the clients.

    • @AwesomeOpenSource
      @AwesomeOpenSource 17 days ago

      I can connect, but yes, you may have gRPC issues. It is something they use in Netbird for sure.

  • @0ctatr0n
    @0ctatr0n 19 days ago +1

    Can you set up Authentik and Netbird with purchasing two VPS instances? It'd also be nice to be able to use the VPSes for other things like email or a website etc. We're not all made of money.

    • @AwesomeOpenSource
      @AwesomeOpenSource 17 days ago

      You can. You just need to adjust the ports they run on and adjust the proxy settings for them. It's a bit easier to do it the way I have, but I completely understand.

  • @shawonshovon226
    @shawonshovon226 2 months ago +2

    Hello there! Could you please create a video that talks about open-source email validation systems? Bulk Email Verification, Reacher mail, AfterShip /email-verifier, truemail

  • @simongajdosik5105
    @simongajdosik5105 2 months ago +1

    Amazing guide! Thank you. Do you have a shownotes available?

    • @AwesomeOpenSource
      @AwesomeOpenSource 2 months ago +1

      Working on the shownotes now. I got tied up yesterday with a multitude of unexpected issues, and am just now getting to add them.

    • @simongajdosik5105
      @simongajdosik5105 2 months ago +1

      @@AwesomeOpenSource Thank you and I really appreciate your hard work! I just followed everything in the video and all is working as intended. The only issue I have is connecting to Win Server via RDP through the Netbird network. Maybe you have some information about it?

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 month ago

      Well, I'm not sure. Can you reach it via RDP through LAN?

  • @FineWine-v4.0
    @FineWine-v4.0 2 months ago +1

    I was wondering if there was an open source tool to basically post ideas (like a PasteBin+Forum combo of sorts)
    It would be like an Adventure Guild quest board that you see in Fantasy Animes, putting bounties on tasks
    Except here you could post ideas or a "wanted" list on what FOSS tools/apps are needed in this world to further help the cause of FOSS
    This is just me thinking out aloud

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 month ago

      I think you could use something like Lemmy for this, but there are some boards I've come across in the past that are more specifically for voting on certain things. I'll see what I can find.

  • @riaangrobler3447
    @riaangrobler3447 23 days ago +1

    Hi, great videos... but I'm stuck. :(
    Getting this error when starting the netbird Docker... >> Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: open /proc/sys/kernel/domainname: permission denied: unknown

    • @AwesomeOpenSource
      @AwesomeOpenSource 21 days ago

      Seems like it's hitting a permission error. Is your user in the docker group? If so, make sure not to bring up docker with sudo, you shouldn't need it. It's talking about the domain specifically, so maybe there's some issue with the domain name you've set up. Make sure it's typed in correctly.

    • @riaangrobler3447
      @riaangrobler3447 13 days ago

      @@AwesomeOpenSource I gave up... could not get this to work. Switched from nginx to caddy... and then the quick start from Netbird worked. I guess the biggest problem was/is to get NGINX to work. The above error is when you use a container and not a VM...

  • @andreaslink6682
    @andreaslink6682 2 months ago +1

    Very well done, Brian. Thank you a lot, this is good to reproduce, but I miss in general the IPv6 consideration a little bit in parallel to IPv4. I would assume Digital Ocean also provides IPv6 addresses in parallel, don't they? I think it should not be skipped, as many parts of the internet go IPv6 today and also to be prepared for the future; I would appreciate it if you consider IPv6 in parallel within your setups, as some things might be slightly different. So please move on as you are doing, and thank you!

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 month ago +1

      DO allows you to enable IPv6, but not on by default as I recall. I haven't mastered IPv6 yet for sure, but maybe that's an opportunity for me to get @scottibyte and @ibracorp involved in my series...they can school me on it a bit.

  • @onlyhexonotop4313
    @onlyhexonotop4313 1 month ago +1

    Hey bro
    Please make one video on Zammad ticketing system installation

  • @redetermine
    @redetermine 2 months ago +1

    My man, I would advise you not to show the IPs in a YT video. Some script kiddie might decide to DDoS your stuff.

    • @medinarick3
      @medinarick3 2 months ago

      He just kills the machines when he's done

    • @redetermine
      @redetermine 2 months ago

      @@medinarick3 I doubt it, since the IPs at 1:57 didn't have anything to do with this video.

    • @metal-beard
      @metal-beard 2 months ago

      Yea, I hope it's just for demo because all the services are still available on HTTP.

    • @PopularWebz
      @PopularWebz 2 months ago

      Who cares? There's a reason we call these "Public IPs". The IPv4 space isn't very large. All public IPv4 addresses are scanned every day for open ports. No point pretending they are hidden.

    • @davidlakes5087
      @davidlakes5087 2 months ago +1

      Once he’s registered a domain name and pointed DNS records to his IP addresses, those IPs are published for the whole world to see. That’s just how DNS works. Security through obscurity is no security at all.

  • @toddselby443
    @toddselby443 1 month ago +1

    Along with starting an MSP, you should offer documentation services.