Netbird - an Open Source, Self Hosted Wireguard based VPN system. Server GUI and client setup ease!
Вставка
- Опубліковано 31 тра 2024
- You can use this code to get a 20% discount on a Netbird Team or Business plan by emailing the discount code AWESOME_OSS to the Netbird team at hello@netbird.io from the email address you use to sign up. Use it, and let them know you love open source, and what they are doing!
=== Links ===
Show Notes
wiki.opensourceisawesome.com/...
Netbird Main Site
netbird.io
Netbird Quick Install
docs.netbird.io/selfhosted/se...
Get the AwesomeOpenSource Merchandise
awesomeopensource.creator-spr...
Support my Channel and ongoing efforts through Patreon:
/ awesomeopensource
Buy Me a Coffee or Beer
paypal.me/BrianMcGonagill?cou...
=== Timestamps ===
00:00 Beginning
00:50 Discount Code here
09:47 Setup DNS A Record and VPS
15:44 Create a Non-root User with sudo Privileges
19:11 Install the Netbird Server
20:30 Installing the Prerequisite Software
28:00 Install the Netbird Client
30:14 Quick look at user management in Netbird
31:54 Back to adding a client
32:10 Cloudflare needs gRPC enabled
33:16 Set proper host entries
34:34 Add a Netbird client via CLI
=== Contact ===
Twitter: @mickintx
Telegram: @MickInTx
Mastodon: @MickInTx@fosstodon.org
Try out SSDNodes VPS Services! Amazing Specs for incredibly low costs. I'm running a 32 GB RAM / $ CPU Server for only $9 a month! Seriously. FOr long term server usage, this is the way to go!
www.ssdnodes.com/manage/aff.p...
Get a $50.00 credit for Digital Ocean by signing up with this link:
m.do.co/c/a6a61ae55242
Use Hover as your Domain Name Registrar to get some great control over you domains / sub-domains:
hover.com/SHPaiirr
Support my Channel and ongoing efforts through Patreon:
/ awesomeopensource
What does the money go to?
To Pay for Digital Ocean droplets, donations to open source projects I feature, any hardware I may need to purchase for future episodes (which I will then give to a subscriber in a drawing or contest). - Наука та технологія
Just an FYI - Netbird reached out, and I didn't realize it, but the Linux Client install does install a small GUI application. It's still being developed, but has some good functionality, so make sure to check your application menu to find it. I didn't notice it, but when I run it on KDE it gives me a tray icon with settings for the Management URL, Admin URL, Connect / Disconnect, and other info as well.
Looks very promising, will test it out! thanks.
Hope you enjoy it!
Thats funny I had found this Product yesterday and now this Video comes Online 😂
Awesome Timing!
Would love to see more about this, doesn't seem to be a whole lot of info out there yet on youtube
It's really a great setup. I have setup a bunch of machines, have my own Authentik IdP setup, and it is working quite well. I did have to uninstall the tailscale client on a couple of machines as they appear to interfere with each other. Not sure why though.
Great video, thanks
No problem 👍
Thanks for this
My pleasure!
This is pretty cool in terms of simple wireguard self-hosting solution. I can't find anywhere if there is a user / peer limit when self-hosted. I can see that if you use their cloud solution.
Don't believe there is a limit via the software stopping you, but only what your hardware may can handle.
Is there a better answer on this? This is SUPER important
I would have to refer you to the Netbird team for that. I don't have a good answer based on what's on their site. I was looking at a question on Reddit from last year to them about them ever changing the self hosted model. They didn't answer, and honestly, as a business I understand why. They want to make money. As a business that makes their software open source, I appreciate that about them.
@@AwesomeOpenSource Yep, I totally agree. If there is a limit say 10 peers for self hosted without some sort of a license or support subscription I'm perfectly fine with that for home use. If there is no limit then that is even better. If used in a business to support large number of peers and is self hosting I would expect them to get a business support subscription. That's what I did with ProxMox servers for work.
That’s a great! Would you show an OpenWrt setup like the one you mentioned where the whole network is the client?
Let me see if I can get something setup. I'll add it to my list.
Netbird is being released in the official Openwrt repository
That's awesome
Followed your instructions for a self hosted install on Oracle OCI. Everything goes well until it gets to the "Waiting for Zitadel to become ready" part. Then it just prints dots to the screen for like, well ever. It doesn't stop or move on to the next phase of the install. This is the third time I've tried to install on a freshly created Ubuntu VPS. Am I missing a step or does it normally take a few weeks for Zitadel to "become ready"? And thanks for the video/info.
I had a couple of times where it did take a long time, and seemingly never started. No logging showing so hard to tell what happens. But, I just followed their instructions to remove it and tried agaon. Essentially, use CTRL + C to stop the process (may have to do it a few times), then use "docker compose down --volumes" to stop all containers and remove the volumes, then run "rm -f docker-compose.yml Caddyfile zitadel.env dashboard.env machinekey/zitadel-admin-sa.token turnserver.conf management.json" to remove all the files it downloaded and setup, and then I'd just try again. Generally worked fine second time around. Maybe that will help.
Awesome Project! I was looking for something similar. I'm just stuked into the last step: you add a peer in linux by installing with the oneline command and then log in within the brower, but how about linux VM machine with no desktop enviorment? Thanks so much!
On your management page, you will create a setup key, then copy that key immediately. You can set how many times that key can be used (so if you have 5 machines, you can use it 5 times). Next, use that key on each machine you're adding to the network with the command 'netbird up --management-url netbird.yourgreatdomain.com:443 --setup-key your-key'. I have this in my show notes link in the description as well.
Hey is it possible to setup Netbird server togther with a client and nginx proxy manager on one VPS (2core 4gb ram)
So i can point my domain to the proxy manager which then routes all traffic over the client to the sever which is connected to another client installed on my (unraid)homesever so i can access my services from every where without installing the client on every system?
and would u use headscale, netbird or netmaker for this use case?
Maybe, you'd need to make sure you are using their advanced setup, and change the ports that netbird dashboard is using so you can have 80 adn 443 used in NGinX Proxy Manager.
Great video, great channel, thanks!
What i didn't get from this video is why this wireguard implementation might be preferred to other implementations? It seems to have a bigger attack surface, you need to trust that netbird is doing things right in the background plus theres multiple web guis and other additional logic which could be faulty.
This is not a criticism, i just didn't manage to answer those questions from the video
It's the open source way of thinking really. You have the opportunity to see exactly how things are being implemented by Netbird because it's open source. If you find faults, you have the options to help them address the issues. As for whether it's better or worse, I think it's simply another option. We all want options, and I try to let you all know about various options. Tailscale is cool, Headscale makes it self hostable, and with some work you can even setup IdP with it, but Netbird does that for you much easier. So it's another option. Just depends on what you need at the end of the day.
Thank you Brian for your continued help with using open source. Videos are looking very professional now.
Could this be used with opensense like tailscale?
I don't knwo if they officially support OPNSense yet, but maybe in the future. Definitely worth a request on their project pages on github.
NetBird doesn't yet support OPNSense but we will add the support
12:00 digital ocean, linode mentioned as good VPS providers. What do others think of Azure or AWS?
Both are very good but for me the simple online interface, simple (and cheaper I believe) pricing it makes sense to go with providers like Linode, Ocean, OVH. While lots more intergration with infrastrcture as code is great the often have lots of hidden charges and often lead the price increases. E.G. AWS charging for ip4 external address when some services can still only use that. Also just because there is wide intergration does not mean there are not bugs (I'm looking at you AWS terraform).
If you want the cheapest there are websites and subreddit on cheap VPS but be warned, these are often companies trying to get market share and may close down suddenly as they run out of money (shame really as more comptation the better).
All in all don't get hung on the pence/cent per machine like I have done. Chose something with a good dashbored and decent price, the time you spend to find the perfect thing when you can get something good is often never worth it.
Well said!
I was having so much problems setting up netbird and at the end my problem was that I had installed and running in Proxmox VM with wireguard....As soon as I turn it off (and setup everything like in this video) everything started to work!
Glad my video helped.
first, thank you for this awesome channel. one question, can you define a peer as an exit route ? basically meaning that all traffic can be routed through that peer ? tailscale has the ability to do that. thats very important to me, and I'm liking Netbird so far, only this feature is not clear
I haven’t set that up yet, but yes as a I recall you can do all of those things from the server console. You can also set ACLs and so on with it.
Here is a link to their docs on the topic. In this case the route would be out to the internet, but hopefully this helps. docs.netbird.io/how-to/routing-traffic-to-private-networks
Hello Brian, did you see "dockge" uptime kuma devs another project?
I hadn't, but it looks pretty cool! Thanks for pointing it out.
Hi Brian, thanks for your video, it's very helpful. I also tried to install Netbird on Oracle Cloud Infrastructure vps and, as happened to you, once the management interface is opened I get an error message (Network error) and the menu only shows the Peer item. How did you solve the problem? Thank you, Lorenzo.
In Cloudflare, I had to enable gRPC. Not sure how to do that in Oracle Free Tier.
👍 on the gui
Agree, it's super nice.
Why self-hosting this on a VPS? Would it be better to host it locally in your homelab?
I do it so that I get the better up time, and so I don't have to open a bunch of ports on my home network to allow traffic through.
Hey Sir,
Needed some help
i was trying to set that up on my machine inside pfsense firewall network with a public IP. I have pointed the domain as well
Where as I managed to setup the netbird as well, as it shows the credential towards where process ends
but can't see the dashboard online.
When tried with Static IP, it just shows
Login Error: User state: Unauthenticated
;
Please help!!!!!!1
Are you authenticating with the username and password provided in the terminal when the install finishes? Did you forward all ports as detailed in their documentation?
I found the Android client did not transition between WiFi and cell service. Lost connectivity. After disconnecting I could continue. Hopefully this issue is fixed. I wish they would work with the existing WireGuard client. Otherwise it works great, and I appreciate the SSO authentication with Azure AD
Definitely let them know about the bug on their github Issues page. That's the best way to get them to fix it.
I like your videos, they are excellent.
openvpn and wireguard protocols can be identify and therefor neutralize by ISP.
openconnect does not have that vulnerability.
i like something like this based on openconnect.
Indeed, and that could happen, but good to know there are alternatives out there.
how do you handle the tls certificate on the VPS? it kinda poses a security risk to login without a signed certificate in this case, i believe
You can add your own certificate if you wish, it's in their more advanced documentation. Self signed certs aren't inherently risky, because they are your cert. If you are trusting a site you don't know, and who's owner / maintainer you don't know, then trusting their self-signed cert is risky indeed.
@@AwesomeOpenSource thanks so much for your reply! i thought self signed certs were susceptible to man in the middle attacks
I just ran through this setup an hour or so ago on an Oracle VPS, and it got a trusted cert--there weren't any cert warnings or other issues. But in principle, a self-signed cert (that you control) is even safer than a publicly-trusted cert, in that you can verify for yourself that it's the right cert. The problem is that very few people do that.
Does the self-hosted netbird coordination server is for single-tenancy ?
It can be configured for Single, or multi-tenant. Up to you to decide which. This is a setting in the setup.env file.
I followed the steps and is met with Zitadel's introduction screen when login in with the credentials provided. I don't see any way to get to peers whatsoever.
I have to ask, have you added peers to the system? Where are you looking for peers? I'm just not following your issue as described.
i've been trying to host this locally but it always hangs on the zitadel part.
Sorry to hear that. Not sure why that would happen, but maybe the project folks can help if you post an issue and some logging.
Hi Brian, netbird seems to be a nice solution for self hosting, but it seems that ios support is still not implemented - I found forum comments from 2021, that ios support is planed, so what happened in the last 2 years? It seems that this product is not maintained really regularly.
I believe I said it in the video, but they have their iOS client in Beta right now, so will be released after beta is done.
@@AwesomeOpenSource I am looking forward. Then this app will be my favorite VPN-Solution.
The quick install script use specific version of docker container for zitadel:v2.31.3 and cockroach:v22.2.2 and when you update Netbird according to the official doc they will never be updated. What is the best way for this can I update Zitadel safely its almost 7 months old...
You'd have to ask the folks at Netbird about that. Not sure.
@@AwesomeOpenSource I updated the container to the latest version of Zitadel and encountered an error during the database update process. To resolve this issue, I had to first update to an older version before proceeding to the latest one. The system is now functioning perfectly, and it's more secure, considering that Zitadel in the QuickStart script is now seven months old.
@@x1dzerohow do you do this? i’m not so familiar with docker so idk how or where in the file system to run the commands
@@x1dzeroalso, what versions of everything were you on before and then after your updates?
Did we talk about the ports earlier? 10:13
I may have edited our my earlier discussion on the number of ports that would need to be open. sometimes I talk about things a few times, but edit it down.
Can i make a site to site VPN with netbird? and is it better than netmaker?
Can't say it's better than Netmaker. I'd say it's on par with it. The SSO integration with their quick start is a definite plus, and yes, you should be able to make a site to site setup. I haven't done it yet myself, so you may need to dig through their docs a bit.
The vps setup mentioned opening ports 80, 443 and one other. A comment was made that this would be a bad idea on your home network. Why is this? Isn't it this what would be necessary to self host this stuff?
80 and 443 are attractive for botnets as they're well known ports and there are plenty! Of misconfigured Web Servers out there. Plus you can't trust the software you're running isn't vulnerable to any exploit... For a home lab environment you usually don't follow all the good practices and security policies you'll normally follow on an enterprise/professional level.
In other words because we tend to neglect things and because there are bad actors out better expose the least amount of ports possible especially! Well known ports when you can.
@@geogmz8277 thanks but how can you do anything without those ports exposed? He says to do it on a VPS rather than your home network but what is the difference? You still have to secure it somewhere
Netbird offers their SaaS for free. For home use, you are better off using it than hosting the control server yourself. If you do self-host, you are better off using a VPS so you are not messing with NAT
The idea behind services like these are that you run the server in a VPS, then the client on your home network machines. Those machines can reach out and connect through the encrypted tunnel, and no firewall ports are required to be opened on your home network. It's a more secure way to run, but nothing is perfect, so keep adding layers of security where you can.
Great questions. but it's not just 80 and 443, there is a whole range of ports required for this to run properly, and opening that many ports on your home network really expands the attack surface.
Could you please do a video about the assetmanagement open source shelf? Its "new" and looks nice but i dont know how to install xD
is it called "Open Source Shelf"? If so, I'll look into it and add it to my list.
Netbird is something like tailscale? Please explain
It is similar in concept, but in my opinion a bit easier to install self hosted, and get SSO setup using Zitadel as part of their installer. So, like Tailscale, but IMO better.
@@AwesomeOpenSource tailscale for personal use and this for team, I will watch again like single computer shared with my team?
This can be for singlue user, or Team. It's up to you how you use it.
@@AwesomeOpenSourceand Netbird have awesome features like groups and ACLs in a very very simple way to configure. Before NB, I used a self-hosted version os Zerotier and it is great too, but ACLs in Netbird is another level. The ideia os the setup-keys ('one-shot' or multiple use) , attaching a host automatically to a group is great.
You only used cloudflare to create a DNS entry that pointed directly to your droplet, without being proxied. It is not very clear why you had to enable this grpc option when you're not using something like a cloudflare tunnel.
I was having issues getting the client to connect, and one of the things they said was it needs gRPC enabled if using cloudflare for DNS. They told me thins without me telling them I was using Cloudflare, so I enabled it, and it started working properly. You can ask them why it's required if you're looking for a more technical answer. I"m sure they'd be happy to explain.
I got it setup through a cf tunnel. I just set the domain to http in cloudflare and everything is working perfectly
When I had setup my DDNS and inturn VPN Access via Cloudflare. I had to disable the Cloudflare Proxy to make it work. If you read the Cloudflare documentation VPN does not work well with CLoud Flare's proxy enabled.
Amazing video & wiki... Cheers
Thank you!
@@AwesomeOpenSource Do you think it is safe to use this Docker in production environments or would it be preferable to do a more secure installation of each component?
Thank you for the tutorial.. I can get to about 90%. :( , then I get the error when it wants to start the coturn part. >> Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: open /proc/sys/kernel/domainname: permission denied: unknown.
Any Idea pls? I am on proxmox , a lxc container with ubuntu 22.04.04 LTS .
I would really like to set this up behind nginx if you can maybe make a tutorial on this?
Thank you.
Running docker on LXC can sometimes be a bit tricky. I'd say, just to start see if you can spin up a VM, and do the setup there just to see if it works, then you'll know if it's the Netbird side, or the LXC causing the issue. Also, Wireguard on Proxmos in LXC requires you to set some stuff on the host system so it will all function correctly, or at least I had to do that for the client to run in an LXC container. Do make sure you've enabled nesting in the LXC at the very least.
is this similar with tailscale?
Similar to it, but a bit easier in my opinion.
How to make this work with Nginx? As a noob, this is all frustrating. The Netbird documentation is so vague...
When you say NGinX, what do you mean specifically? To use as a web-server, or as a reverse proxy?
@@AwesomeOpenSource Reverse proxy for the web management. From my understanding, If I want to use this on my server at home, I would need to open ports 80, 443, and whatever UDP port that wireguard needs. I just want a self hosted wireguard VPN that has a web interface!
And what about iOS clients?
I’ve been keeping an eye and the iOS client is now available as well from the App Store.
@@AwesomeOpenSource it’d be nice to have a video about it
Thx and Happy New Year 🎆
Does it support LDAP ?
I believe Zitadel does support LDAP. Here's a link to the Zitadel site on configuring LDAP as an identity provider. zitadel.com/docs/guides/integrate/identity-providers/ldap
@@AwesomeOpenSource Wow thank you :)
Is it better Than net maker
I answered this before, but I think it's on par with netmaker. The setup is a bit easier, and you get SSO with Zitadel with this one, but functionality -wise, they are really close I think.
hello
thanks man
i have this error
root@free:~# netbird up
Error: unable to get daemon status: rpc error: code = FailedPrecondition desc = failed while getting Management Service public key: rpc error: code = PermissionDenied desc = unexpected HTTP status code received from server: 403 (Forbidden); transport: received unexpected content-type "text/html; charset=UTF-8"
Maybe you ran it as root, or the Zitadel server didn't come up fast enough? Maybe just do a docker compose down, then docker compose up again and see if that resolves it. It's a forbidden access error.
netbird is solution for tailscale
I find Netbird a bit easier for self hosting for sure.
This actually seems more complicated than to simply use wireguard directly😂. In addition it requires alot of dependencies and a fairly potent VPS. I don't see the benefit here.
The benefit is that a lot of olks are better with a GUI. Not strictly a requirement. You can absolutely do all of this in Wireguard with configuration files, but sometimes a control system like this makes it easier.
3:20 they the opposite of redis
First viewer
Glad you're here.
I appreciate your content but you're seemingly an advocate for "Big Cloud" services rolled out by Big Tech- Cloudflare, Digital Ocean, Vultr.
$144/year ($12 x 12mos) to host that Netbird instance with Digital Ocean or some budget providers who can do a VPS service with similar specs for $48/year with the upcoming holidays?
So?
@@roucharHe has a point. why build big companies up if youre an “open source advocate”? Do as a i say, not as I do…
@@magog6852 that's not how it works...
Or get a free ARM instance from Oracle OCI... 😊 I'm running Wireguard in Phoenix Data Center for 2 years now...
4 cores, 24GB of RAM, and 200GB SSD... for free.. (of course nothing is free so privacy isn't something you should expect but I can live with) I only use it to tunnel back home via reverse proxy.
@@magog6852 or have freedom to choose whatever you wanna do. curious how you're going to scale with 3 raspberry pi's
When they monitor and steal all your trafic data, that is free?
Also they are breaking EU rules on cookie usage and user choice on their homepage.
If you don't want to use their hosted offering, then you can run it self hosted, as I show in the video. As for the cookies, you can let them know that there's an issue, and I'm sure they'd be happy to update it. I don't think it's a European company, so they may simply not realize they arent compliant with GDPR.
@@AwesomeOpenSource It's darn hard to make sure one complies with laws in every country haha
@@mrmotofyseems that it is just easier to say that your company is not GDRP complaint and EU users should not use the software!
If there are limits to use the software, it's not open source, it's bullshit.
I don't guess I understand where this comment is coming from. The limits are on a hosted plan by Netbird, not the self hosted version. The software is open source, and Licensed with BSD-3.
Yea it is open source. If I make the source malicious (ie selling your data , extreme telemetry, DRM) itself but you’re free to do as you wish with the program, it is still open source. What you’re thinking about is the term ‘free software’ by the FSF.
You should never have a non root user ffs
Did I say this by mistake? I'm not understanding the comment.
Russia already blocked the whole wireguard protocol. There is no reason for use this solutions. Teach on our examples. Modern governments can block it in one day.😢
I'm curious to know what examples. How do they achieve that level of blocking? Or is it simply banned and not permitted for use?
@@kenny45532 This works in the DPI method. All providers have equipment installed that analyzes traffic. The whole protocol is blocked, it is physically impossible to connect to any server.
Well. It’s going to use turn relay, right? So it should still somewhat work.
Sorry to hear this. It sucks when a government won't allow the citizens the freedom to choose how they communicate securely with others. Maybe someone will come up with a way to bypass it someday.
Actually Wireguard does work between peers inside Russia. I am using it every day in my work, and have no problem except shitty Rostelecom routers sometimes refusing to work properly (they brake Wireguard and OpenVPN UDP handshakes until you reboot them).
And Netbird does work too. But I didn't test peers outside Russia.
This is BAD , you dont want a third party in managing your vpn.
It's okay to not trust others with your networking, that's why they made it open source, and allow you to run it yourself. But others find value in a cloud hosted offering.
Burken your comments suck. Elaborate on your points like an adult
At least when deciding to make a comment, kindly elaborate so it's contains more information. Your comments suck.
There are lots of companies that offer this as a service, including companies that open source and companies that don't. For instance, lots of companies pay for zScaler, Azure WAN, and commercial Tailscale or Zerotier for instance.