netbirdio / netbird

Connect your devices into a single secure private WireGuard®-based mesh network with SSO/MFA and simple access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

Installing netbird on an Oracle Cloud VPS (Ubuntu) #1475

Open mrmoose0 opened 5 months ago

mrmoose0 commented 5 months ago

Describe the problem

I installed self-hosted netbird on OCI using self-hosted Authentik. Authentication works well, and the installation too, but on the dashboard there is the message: "Network Error". Only the Peers menu is visible.

image

How can I solve the problem?

Here are the docker logs

```text
artifacts-signal-1      | 2024-01-16T16:26:55Z INFO signal/cmd/run.go:107: running gRPC backward compatibility server: [::]:10000
artifacts-signal-1      | 2024-01-16T16:26:55Z INFO signal/cmd/run.go:129: running gRPC server: [::]:80
artifacts-signal-1      | 2024-01-16T16:26:55Z INFO signal/cmd/run.go:132: started Signal Service
artifacts-coturn-1      | 0: (1): INFO: System cpu num is 2
artifacts-coturn-1      | 0: (1): INFO: log file opened: /var/tmp/turn_1_2024-01-16.log
artifacts-coturn-1      | 0: (1): INFO: System enable num is 2
artifacts-coturn-1      | 0: (1): INFO: Coturn Version Coturn-4.6.2 'Gorst'
artifacts-coturn-1      | 0: (1): INFO: Coturn Version Coturn-4.6.2 'Gorst'
artifacts-coturn-1      | 0: (1): INFO: Max number of open files/sockets allowed for this process: 1048576
artifacts-coturn-1      | 0: (1): INFO: Due to the open files/sockets limitation, max supported number of TURN Sessions possible is: 524000 (approximately)
artifacts-coturn-1      | 0: (1): INFO:
artifacts-coturn-1      |
artifacts-coturn-1      | ==== Show him the instruments, Practical Frost: ====
artifacts-coturn-1      |
artifacts-coturn-1      | 0: (1): INFO: OpenSSL compile-time version: OpenSSL 3.0.11 19 Sep 2023 (0x300000b0)
artifacts-coturn-1      | 0: (1): INFO: TLS 1.3 supported
artifacts-coturn-1      | 0: (1): INFO: DTLS 1.2 supported
artifacts-coturn-1      | 0: (1): INFO: TURN/STUN ALPN supported
artifacts-coturn-1      | 0: (1): INFO: Third-party authorization (oAuth) supported
artifacts-coturn-1      | 0: (1): INFO: GCM (AEAD) supported
artifacts-coturn-1      | 0: (1): INFO: SQLite supported, default database location is /var/lib/coturn/turndb
artifacts-coturn-1      | 0: (1): INFO: Redis supported
artifacts-coturn-1      | 0: (1): INFO: PostgreSQL supported
artifacts-coturn-1      | 0: (1): INFO: MySQL supported
artifacts-coturn-1      | 0: (1): INFO: MongoDB supported
artifacts-coturn-1      | 0: (1): INFO: Default Net Engine version: 3 (UDP thread per CPU core)
artifacts-coturn-1      | 0: (1): INFO: Domain name: netbird.example.com
artifacts-coturn-1      | 0: (1): INFO: Default realm: wiretrustee.com
artifacts-coturn-1      | 0: (1): WARNING: cannot find certificate file: /etc/coturn/certs/cert.pem (1)
artifacts-coturn-1      | 0: (1): WARNING: cannot start TLS and DTLS listeners because certificate file is not set properly
artifacts-coturn-1      | 0: (1): WARNING: cannot find private key file: /etc/coturn/private/privkey.pem (1)
artifacts-coturn-1      | 0: (1): WARNING: cannot start TLS and DTLS listeners because private key file is not set properly
artifacts-coturn-1      | 0: (1): INFO: Certificate file found: /etc/coturn/certs/cert.pem
artifacts-coturn-1      | 0: (1): INFO: Private key file found: /etc/coturn/private/privkey.pem
artifacts-coturn-1      | 0: (1): WARNING: NO EXPLICIT LISTENER ADDRESS(ES) ARE CONFIGURED
artifacts-coturn-1      | 0: (1): INFO: ===========Discovering listener addresses: =========
artifacts-coturn-1      | 0: (1): INFO: Listener address to use: 127.0.0.1
artifacts-coturn-1      | 0: (1): INFO: Listener address to use: 192.168.50.32
artifacts-coturn-1      | 0: (1): INFO: Listener address to use: 172.17.0.1
artifacts-coturn-1      | 0: (1): INFO: Listener address to use: 172.23.0.1
artifacts-coturn-1      | 0: (1): INFO: Listener address to use: ::1
artifacts-coturn-1      | 0: (1): INFO: =====================================================
artifacts-coturn-1      | 0: (1): INFO: Total: 3 'real' addresses discovered
artifacts-coturn-1      | 0: (1): INFO: =====================================================
artifacts-coturn-1      | 0: (1): WARNING: NO EXPLICIT RELAY ADDRESS(ES) ARE CONFIGURED
artifacts-coturn-1      | 0: (1): INFO: ===========Discovering relay addresses: =============
artifacts-coturn-1      | 0: (1): INFO: Relay address to use: 192.168.50.32
artifacts-coturn-1      | 0: (1): INFO: Relay address to use: 172.17.0.1
artifacts-coturn-1      | 0: (1): INFO: Relay address to use: 172.23.0.1
artifacts-coturn-1      | 0: (1): INFO: Relay address to use: ::1
artifacts-coturn-1      | 0: (1): INFO: =====================================================
artifacts-coturn-1      | 0: (1): INFO: Total: 4 relay addresses discovered
artifacts-coturn-1      | 0: (1): INFO: =====================================================
artifacts-coturn-1      | 0: (1): INFO: pid file created: /var/tmp/turnserver.pid
artifacts-coturn-1      | 0: (1): INFO: IO method: epoll (with changelist)
artifacts-coturn-1      | 0: (1): WARNING: STUN CHANGE_REQUEST not supported: only one IP address is provided
artifacts-coturn-1      | 0: (1): INFO: Wait for relay ports initialization...
artifacts-coturn-1      | 0: (1): INFO: relay 192.168.50.32 initialization...
artifacts-management-1  | 2024-01-16T16:26:57Z INFO management/cmd/management.go:407: loading OIDC configuration from the provided IDP configuration endpoint https://authentik.example.com/application/o/netbird/.well-known/openid-configuration
artifacts-coturn-1      | 0: (1): INFO: relay 192.168.50.32 initialization done
artifacts-coturn-1      | 0: (1): INFO: relay 172.17.0.1 initialization...
artifacts-dashboard-1   | + LETSENCRYPT_DOMAIN=netbird.example.com
artifacts-dashboard-1   | + LETSENCRYPT_EMAIL=user@example.com
artifacts-dashboard-1   | + NGINX_SSL_PORT=443
artifacts-dashboard-1   | + '[' netbird.example.com-x == none-x ']'
artifacts-dashboard-1   | NetBird latest version:
artifacts-dashboard-1   | + certbot -n --nginx --agree-tos --email user@example.com -d netbird.example.com --https-port 443
artifacts-management-1  | 2024-01-16T16:26:59Z INFO management/cmd/management.go:412: loaded OIDC configuration from the provided IDP configuration endpoint: https://authentik.example.com/application/o/netbird/.well-known/openid-configuration
artifacts-management-1  | 2024-01-16T16:26:59Z INFO management/cmd/management.go:414: overriding HttpConfig.AuthIssuer with a new value https://authentik.example.com/application/o/netbird/, previously configured value: https://authentik.example.com/application/o/netbird/
artifacts-management-1  | 2024-01-16T16:26:59Z INFO management/cmd/management.go:418: overriding HttpConfig.AuthKeysLocation (JWT certs) with a new value https://authentik.example.com/application/o/netbird/jwks/, previously configured value: https://authentik.example.com/application/o/netbird/jwks/
artifacts-management-1  | 2024-01-16T16:26:59Z INFO management/cmd/management.go:423: overriding DeviceAuthorizationFlow.TokenEndpoint with a new value: https://authentik.example.com/application/o/token/, previously configured value: https://authentik.example.com/application/o/token/
artifacts-management-1  | 2024-01-16T16:26:59Z INFO management/cmd/management.go:426: overriding DeviceAuthorizationFlow.DeviceAuthEndpoint with a new value: https://authentik.example.com/application/o/device/, previously configured value: https://authentik.example.com/application/o/device/
artifacts-management-1  | 2024-01-16T16:26:59Z INFO management/cmd/management.go:434: overriding DeviceAuthorizationFlow.ProviderConfig.Domain with a new value: authentik.example.com, previously configured value: authentik.example.com
artifacts-management-1  | 2024-01-16T16:26:59Z INFO management/cmd/management.go:444: overriding PKCEAuthorizationFlow.TokenEndpoint with a new value: https://authentik.example.com/application/o/token/, previously configured value: https://authentik.example.com/application/o/token/
artifacts-management-1  | 2024-01-16T16:26:59Z INFO management/cmd/management.go:447: overriding PKCEAuthorizationFlow.AuthorizationEndpoint with a new value: https://authentik.example.com/application/o/authorize/, previously configured value: https://authentik.example.com/application/o/authorize/
artifacts-management-1  | 2024-01-16T16:26:59Z INFO management/server/telemetry/app_metrics.go:177: enabled application metrics and exposing on http://0.0.0.0:8081
artifacts-management-1  | 2024-01-16T16:26:59Z INFO management/server/store.go:74: using JSON file store engine
artifacts-management-1  | 2024-01-16T16:26:59Z INFO management/server/account.go:828: single account mode enabled, accounts number 0
artifacts-dashboard-1   | NetBird latest version:
artifacts-coturn-1      | 0: (1): INFO: relay 172.17.0.1 initialization done
artifacts-coturn-1      | 0: (1): INFO: relay 172.23.0.1 initialization...
artifacts-management-1  | 2024-01-16T16:27:01Z INFO management/server/account.go:1009: 1 entries received from IdP management
artifacts-management-1  | 2024-01-16T16:27:01Z INFO management/server/account.go:1038: warmed up IDP cache with 0 entries
artifacts-management-1  | 2024-01-16T16:27:02Z INFO management/cmd/management.go:249: running gRPC backward compatibility server: [::]:33073
artifacts-management-1  | 2024-01-16T16:27:02Z INFO management/cmd/management.go:281: running HTTP server and gRPC server on the same port: [::]:443
artifacts-dashboard-1   | Saving debug log to /var/log/letsencrypt/letsencrypt.log
artifacts-coturn-1      | 0: (1): INFO: relay 172.23.0.1 initialization done
artifacts-coturn-1      | 0: (1): INFO: relay ::1 initialization...
artifacts-dashboard-1   | Certificate not yet due for renewal
artifacts-dashboard-1   | Deploying certificate
artifacts-dashboard-1   | Successfully deployed certificate for netbird.example.com to /etc/nginx/http.d/default.conf
artifacts-coturn-1      | 0: (1): INFO: relay ::1 initialization done
artifacts-coturn-1      | 0: (1): INFO: Relay ports initialization done
artifacts-coturn-1      | 0: (1): INFO: Total General servers: 2
artifacts-coturn-1      | 10: (9): DEBUG: turn server id=0 created
artifacts-coturn-1      | 10: (10): DEBUG: turn server id=1 created
artifacts-coturn-1      | 10: (1): INFO: Total auth threads: 3
artifacts-coturn-1      | 10: (1): INFO: prometheus collector disabled, not started
artifacts-dashboard-1   | Congratulations! You have successfully enabled HTTPS on https://netbird.example.com
artifacts-dashboard-1   |
artifacts-dashboard-1   | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
artifacts-dashboard-1   | If you like Certbot, please consider supporting our work by:
artifacts-dashboard-1   |  * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
artifacts-dashboard-1   |  * Donating to EFF:                    https://eff.org/donate-le
artifacts-dashboard-1   | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
artifacts-dashboard-1   | + cat
artifacts-dashboard-1   | + supervisorctl start cron
artifacts-dashboard-1   | crond: crond (busybox 1.33.1) started, log level 8
artifacts-dashboard-1   | cron: started
```

lixmal commented 5 months ago

Hi @mrmoose0,

it seems like the management server is not accessible from your browser. Can you please run a curl https://yourdomain/api/users -v on the CLI and post the output here?

mrmoose0 commented 5 months ago

lixmal commented 5 months ago

The output indicates that your requests end up on the dashboard and not the API.

It seems the reverse proxy is not configured correctly. https://docs.netbird.io/selfhosted/selfhosted-guide#configuration-for-your-reverse-proxy

Could you share your docker-compose.yml as well?
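
The two diagnostics above (the curl against /api/users, and the question of whether the request lands on the dashboard or the management API) can be scripted so the result is unambiguous. The script below is an added example, not code from the NetBird project or from anyone in this thread. It assumes a split deployment like the one in this issue, with the dashboard (nginx) published on 443 and the management API on 33073, and it assumes, rather than takes from the page, that the management API answers an unauthenticated GET /api/users with a JSON body and that the dashboard answers any path with its HTML single-page app. The host name is a placeholder you pass on the command line.

```shell
#!/bin/sh
# Added example: probe which service answers /api/users on each published port
# of a self-hosted NetBird deployment (dashboard on 443, management on 33073).
# Assumptions (not facts from the issue): management answers /api/users with
# JSON (HTTP 401 when no bearer token is sent); the dashboard's nginx answers
# every path with the HTML single-page app.

# classify_response CONTENT_TYPE BODY
# Prints "management-api", "dashboard" or "unknown" based on what came back.
classify_response() {
    ctype="$1"
    body="$2"
    case "$ctype" in
        *application/json*) echo "management-api"; return 0 ;;
    esac
    case "$body" in
        *'<!DOCTYPE'*|*'<!doctype'*|*'<html'*) echo "dashboard"; return 0 ;;
    esac
    echo "unknown"
}

# probe HOST PORT
# Fetches https://HOST:PORT/api/users and reports HTTP status plus who answered.
# Returns 1 when the TCP/TLS connection itself fails (nothing listening, host
# firewall, cloud security list), which is the first thing to rule out for a
# "Network Error" in the dashboard.
probe() {
    host="$1"
    port="$2"
    url="https://${host}:${port}/api/users"
    tmp=$(mktemp)
    # %{http_code} and %{content_type} are curl write-out variables.
    if ! out=$(curl -sS -o "$tmp" -w '%{http_code} %{content_type}' \
                   -H 'Accept: application/json' --connect-timeout 5 "$url"); then
        echo "$url: connection failed (check the OCI security list and the host's iptables INPUT chain)"
        rm -f "$tmp"
        return 1
    fi
    status=${out%% *}
    ctype=${out#* }
    kind=$(classify_response "$ctype" "$(cat "$tmp")")
    rm -f "$tmp"
    echo "$url: HTTP $status, answered by: $kind"
}

# Usage: sh probe.sh netbird.example.com
if [ "$#" -ge 1 ]; then
    probe "$1" 443      # expected: dashboard
    probe "$1" 33073    # expected: management-api (HTTP 401 without a token)
fi
```

Run it from a machine outside the VPS, since that is the path the browser takes. A "connection failed" on 33073 while 443 answers means the management port is published by Docker but not reachable from the internet; on OCI that points at the VCN security list ingress rules or the instance's own iptables rules (`sudo iptables -S INPUT` on the Ubuntu image), and the same check applies to the signal port (10000) and the TURN ports from turnserver.conf. A "dashboard" answer on 33073 means something other than the management container is terminating that port.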

mrmoose0 commented 5 months ago

I don't use a reverse proxy, only Authentik as the authenticator, configured as described. The same configuration works well on a self-hosted site. Only OCI gives me this problem.

Here is the docker-compose file

```yaml
version: "3"
services:
  # UI dashboard
  dashboard:
    image: wiretrustee/dashboard:latest
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://netbird.example.com:33073
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.example.com:33073
      # OIDC
      - AUTH_AUDIENCE=54hf549kfPAg8lC3edcZ0F6m9hrMVbfisFkOr
      - AUTH_CLIENT_ID=54hf549kfPAg8lC3edcZ0F6m9hrMVbfisFkOr
      - AUTH_CLIENT_SECRET=
      - AUTH_AUTHORITY=https://authentik.example.com/application/o/netbird/
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
      - AUTH_REDIRECT_URI=
      - AUTH_SILENT_REDIRECT_URI=
      - NETBIRD_TOKEN_SOURCE=accessToken
      # SSL
      - NGINX_SSL_PORT=443
      # Letsencrypt
      - LETSENCRYPT_DOMAIN=netbird.example.com
      - LETSENCRYPT_EMAIL=user@example.com
    volumes:
      - netbird-letsencrypt:/etc/letsencrypt/
    networks:
      - netbird

  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    volumes:
      - netbird-signal:/var/lib/netbird
    ports:
      - 10000:80
      # port and command for Let's Encrypt validation
      # - 443:443
    # command: ["--letsencrypt-domain", "netbird.example.com", "--log-file", "console"]
    networks:
      - netbird

  # Management
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - netbird-letsencrypt:/etc/letsencrypt:ro
      - ./management.json:/etc/netbird/management.json
    ports:
      - 33073:443 #API port
    # command for Let's Encrypt validation without dashboard container
    # command: ["--letsencrypt-domain", "netbird.example.com", "--log-file", "console"]
    command: [ "--port", "443", "--log-file", "console", "--disable-anonymous-metrics=false", "--single-account-mode-domain=netbird.example.com", "--dns-domain=cloud72.netb" ]
    networks:
      - netbird

  # Coturn
  coturn:
    image: coturn/coturn:latest
    restart: unless-stopped
    domainname: netbird.example.com
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
      # - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
      # - ./cert.pem:/etc/coturn/certs/cert.pem:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf

volumes:
  netbird-mgmt:
  netbird-signal:
  netbird-letsencrypt:

networks:
  netbird:
    external: true
```