netbirdio / netbird

Connect your devices into a single secure private WireGuard®-based mesh network with SSO/MFA and simple access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

netbird dashboard does not open properly #1962

Open linkinuul opened 1 month ago

linkinuul commented 1 month ago

Describe the problem

When I open the NetBird web homepage, the Zitadel login page pops up. I entered “zitadel-admin@zitadel.192.168.1.4” (my domain name is 192.168.1.4), then clicked login. It redirected me back to the NetBird page, and after waiting for 5 seconds it said “Oops, something went wrong! There was an error logging you in. Error: Unauthenticated”, which confused me.

Are you using NetBird Cloud? no

NetBird version

0.27.4

NetBird management logs

2024-05-11T02:04:02Z INFO management/cmd/management.go:455: loading OIDC configuration from the provided IDP configuration endpoint http://192.168.1.4:8080/.well-known/openid-configuration
2024-05-11T02:04:02Z INFO management/cmd/management.go:460: loaded OIDC configuration from the provided IDP configuration endpoint: http://192.168.1.4:8080/.well-known/openid-configuration
2024-05-11T02:04:02Z INFO management/cmd/management.go:462: overriding HttpConfig.AuthIssuer with a new value http://192.168.1.4:8080, previously configured value: http://192.168.1.4:8080
2024-05-11T02:04:02Z INFO management/cmd/management.go:466: overriding HttpConfig.AuthKeysLocation (JWT certs) with a new value http://192.168.1.4:8080/oauth/v2/keys, previously configured value: http://192.168.1.4:8080/oauth/v2/keys
2024-05-11T02:04:02Z INFO management/cmd/management.go:471: overriding DeviceAuthorizationFlow.TokenEndpoint with a new value: http://192.168.1.4:8080/oauth/v2/token, previously configured value: http://192.168.1.4:8080/oauth/v2/token
2024-05-11T02:04:02Z INFO management/cmd/management.go:474: overriding DeviceAuthorizationFlow.DeviceAuthEndpoint with a new value: http://192.168.1.4:8080/oauth/v2/device_authorization, previously configured value: http://192.168.1.4:8080/oauth/v2/device_authorization
2024-05-11T02:04:02Z INFO management/cmd/management.go:482: overriding DeviceAuthorizationFlow.ProviderConfig.Domain with a new value: 192.168.1.4:8080, previously configured value: 192.168.1.4:8080
2024-05-11T02:04:02Z INFO management/cmd/management.go:492: overriding PKCEAuthorizationFlow.TokenEndpoint with a new value: http://192.168.1.4:8080/oauth/v2/token, previously configured value: http://192.168.1.4:8080/oauth/v2/token
2024-05-11T02:04:02Z INFO management/cmd/management.go:495: overriding PKCEAuthorizationFlow.AuthorizationEndpoint with a new value: http://192.168.1.4:8080/oauth/v2/authorize, previously configured value: http://192.168.1.4:8080/oauth/v2/authorize
2024-05-11T02:04:02Z INFO management/server/telemetry/app_metrics.go:177: enabled application metrics and exposing on http://0.0.0.0:8081
2024-05-11T02:04:02Z INFO management/server/store.go:95: using SQLite store engine
2024-05-11T02:04:02Z INFO management/server/migration/migration.go:128: No records in table peers, no migration needed
2024-05-11T02:04:02Z INFO management/server/migration/migration.go:128: No records in table peers, no migration needed
2024-05-11T02:04:02Z INFO management/cmd/management.go:173: geo location service has been initialized from /var/lib/netbird/
Error: failed to build default manager: invalid domain "192.168.1.4" provided for a single account mode. Please review your input for --single-account-mode-domain
root@debian:~#

Screenshots

(two screenshots attached: Snipaste_2024-05-10_17-54-53 and Snipaste_2024-05-10_17-55-10; images not included here)

Additional context setup.env

root@debian:/opt/netbird/infrastructure_files# cat setup.env 

## example file, you can copy this file to setup.env and update its values
##

# Image tags
# you can force specific tags for each component; will be set to latest if empty
NETBIRD_DASHBOARD_TAG=""
NETBIRD_SIGNAL_TAG=""
NETBIRD_MANAGEMENT_TAG=""
COTURN_TAG=""

# Dashboard domain. e.g. app.mydomain.com
NETBIRD_DOMAIN="192.168.1.4"

# TURN server domain. e.g. turn.mydomain.com
# if not specified it will assume NETBIRD_DOMAIN
NETBIRD_TURN_DOMAIN=""

# TURN server public IP address
# required for a connection involving peers in
# the same network as the server and external peers
# usually matches the IP for the domain set in NETBIRD_TURN_DOMAIN
NETBIRD_TURN_EXTERNAL_IP=""

# -------------------------------------------
# OIDC
#  e.g., https://example.eu.auth0.com/.well-known/openid-configuration
# -------------------------------------------
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="http://192.168.1.4:8080/.well-known/openid-configuration"
# The default setting is to transmit the audience to the IDP during authorization. However,
# if your IDP does not have this capability, you can turn this off by setting it to false.
#NETBIRD_DASH_AUTH_USE_AUDIENCE=false
NETBIRD_AUTH_AUDIENCE="266484708244783107@netbird"
# e.g. netbird-client
NETBIRD_AUTH_CLIENT_ID="266484708244783107@netbird"
# indicates the scopes that will be requested to the IDP
NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
# NETBIRD_AUTH_CLIENT_SECRET is required only by Google workspace.
# NETBIRD_AUTH_CLIENT_SECRET=""
# if you want to use a custom claim for the user ID instead of 'sub', set it here
# NETBIRD_AUTH_USER_ID_CLAIM=""
# indicates whether to use Auth0 or not: true or false
NETBIRD_USE_AUTH0="false"
# if your IDP provider doesn't support fragmented URIs, configure custom
# redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain.
NETBIRD_AUTH_REDIRECT_URI="/auth"
NETBIRD_AUTH_SILENT_REDIRECT_URI="/silent-auth"
# Updates the preference to use id tokens instead of access token on dashboard
# Okta and Gitlab IDPs can benefit from this
# NETBIRD_TOKEN_SOURCE="idToken"
# -------------------------------------------
# OIDC Device Authorization Flow
# -------------------------------------------
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="hosted"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="266484708244783107@netbird"
# Some IDPs requires different audience, scopes and to use id token for device authorization flow
# you can customize here:
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="266484708244783107@netbird"
NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
# -------------------------------------------
# OIDC PKCE Authorization Flow
# -------------------------------------------
# Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative
# eg. 53000,54000
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"
# -------------------------------------------
# IDP Management
# -------------------------------------------
# eg. zitadel, auth0, azure, keycloak
NETBIRD_MGMT_IDP="zitadel"
# Some IDPs requires different client id and client secret for management api
NETBIRD_IDP_MGMT_CLIENT_ID="netbird"
NETBIRD_IDP_MGMT_CLIENT_SECRET="v5U1nV35g3UsquePOvUhPunuaPmnJGW6KmHMjooBKmiSGoBvkFmimjcX6e13LsjR"
# Required when setting up with Keycloak "https://<YOUR_KEYCLOAK_HOST_AND_PORT>/admin/realms/netbird"
NETBIRD_IDP_MGMT_EXTRA_MANAGEMENT_ENDPOINT="http://192.168.1.4:8080/management/v1"
# With some IDPs may be needed enabling automatic refresh of signing keys on expire
NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=true
# NETBIRD_IDP_MGMT_EXTRA_ variables. See https://docs.netbird.io/selfhosted/identity-providers for more information about your IDP of choice.
# -------------------------------------------
# Letsencrypt
# -------------------------------------------
# Disable letsencrypt
#  if disabled, cannot use HTTPS anymore and requires setting up a reverse-proxy to do it instead
NETBIRD_DISABLE_LETSENCRYPT=false
# e.g. hello@mydomain.com
NETBIRD_LETSENCRYPT_EMAIL=""
# -------------------------------------------
# Extra settings
# -------------------------------------------
# Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
NETBIRD_DISABLE_ANONYMOUS_METRICS=false
# DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted
root@debian:/opt/netbird/infrastructure_files#

docker-compose.yml

root@debian:/opt/netbird/infrastructure_files/artifacts# cat docker-compose.yml
version: "3"
services:
  #UI dashboard
  dashboard:
    image: netbirdio/dashboard:latest
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://192.168.1.4:33073
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://192.168.1.4:33073
      # OIDC
      - AUTH_AUDIENCE=266484708244783107@netbird
      - AUTH_CLIENT_ID=266484708244783107@netbird
      - AUTH_CLIENT_SECRET=
      - AUTH_AUTHORITY=http://192.168.1.4:8080
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
      - AUTH_REDIRECT_URI=/auth
      - AUTH_SILENT_REDIRECT_URI=/silent-auth
      - NETBIRD_TOKEN_SOURCE=accessToken
      # SSL
      - NGINX_SSL_PORT=443
      # Letsencrypt
      - LETSENCRYPT_DOMAIN=192.168.1.4
      - LETSENCRYPT_EMAIL=
    volumes:
      - netbird-letsencrypt:/etc/letsencrypt/

  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    volumes:
      - netbird-signal:/var/lib/netbird
    ports:
      - 10000:80
  #      # port and command for Let's Encrypt validation
  #      - 443:443
  #    command: ["--letsencrypt-domain", "192.168.1.4", "--log-file", "console"]

  # Management
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - netbird-letsencrypt:/etc/letsencrypt:ro
      - ./management.json:/etc/netbird/management.json
    ports:
      - 33073:443 #API port
  #    # command for Let's Encrypt validation without dashboard container
  #    command: ["--letsencrypt-domain", "192.168.1.4", "--log-file", "console"]
    command: [
      "--port", "443",
      "--log-file", "console",
      "--log-level", "info",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain=192.168.1.4",
      "--dns-domain=netbird.selfhosted"
      ]

  # Coturn
  coturn:
    image: coturn/coturn:latest
    restart: unless-stopped
    domainname: 192.168.1.4
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    #      - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
    #      - ./cert.pem:/etc/coturn/certs/cert.pem:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf

volumes:
  netbird-mgmt:
  netbird-signal:
  netbird-letsencrypt:
root@debian:/opt/netbird/infrastructure_files/artifacts#

management.json

root@debian:/opt/netbird/infrastructure_files/artifacts# cat management.json
{
    "Stuns": [
        {
            "Proto": "udp",
            "URI": "stun:192.168.1.4:3478",
            "Username": "",
            "Password": ""
        }
    ],
    "TURNConfig": {
        "TimeBasedCredentials": false,
        "CredentialsTTL": "12h0m0s",
        "Secret": "secret",
        "Turns": [
            {
                "Proto": "udp",
                "URI": "turn:192.168.1.4:3478",
                "Username": "self",
                "Password": "D5wXUTViscSnPavpxjAokNQ1nzQKJyu5P+rMq8kQOPI"
            }
        ]
    },
    "Signal": {
        "Proto": "http",
        "URI": "192.168.1.4:10000",
        "Username": "",
        "Password": ""
    },
    "Datadir": "/var/lib/netbird/",
    "DataStoreEncryptionKey": "4Jn+QdWfQuGclAlgYflBD6gq2eCE9wbfRTP+bIZfmqs=",
    "HttpConfig": {
        "LetsEncryptDomain": "",
        "CertFile": "/etc/letsencrypt/live/192.168.1.4/fullchain.pem",
        "CertKey": "/etc/letsencrypt/live/192.168.1.4/privkey.pem",
        "AuthAudience": "266484708244783107@netbird",
        "AuthIssuer": "http://192.168.1.4:8080",
        "AuthUserIDClaim": "",
        "AuthKeysLocation": "http://192.168.1.4:8080/oauth/v2/keys",
        "OIDCConfigEndpoint": "http://192.168.1.4:8080/.well-known/openid-configuration",
        "IdpSignKeyRefreshEnabled": true
    },
    "IdpManagerConfig": {
        "ManagerType": "zitadel",
        "ClientConfig": {
            "Issuer": "http://192.168.1.4:8080",
            "TokenEndpoint": "http://192.168.1.4:8080/oauth/v2/token",
            "ClientID": "netbird",
            "ClientSecret": "v5U1nV35g3UsquePOvUhPunuaPmnJGW6KmHMjooBKmiSGoBvkFmimjcX6e13LsjR",
            "GrantType": "client_credentials"
        },
        "ExtraConfig": {
            "ManagementEndpoint": "http://192.168.1.4:8080/management/v1"
        },
        "Auth0ClientCredentials": null,
        "AzureClientCredentials": null,
        "KeycloakClientCredentials": null,
        "ZitadelClientCredentials": null
    },
    "DeviceAuthorizationFlow": {
        "Provider": "hosted",
        "ProviderConfig": {
            "ClientID": "266484708244783107@netbird",
            "ClientSecret": "",
            "Domain": "192.168.1.4:8080",
            "Audience": "266484708244783107@netbird",
            "TokenEndpoint": "http://192.168.1.4:8080/oauth/v2/token",
            "DeviceAuthEndpoint": "http://192.168.1.4:8080/oauth/v2/device_authorization",
            "AuthorizationEndpoint": "",
            "Scope": "openid",
            "UseIDToken": false,
            "RedirectURLs": null
        }
    },
    "PKCEAuthorizationFlow": {
        "ProviderConfig": {
            "ClientID": "266484708244783107@netbird",
            "ClientSecret": "",
            "Domain": "",
            "Audience": "266484708244783107@netbird",
            "TokenEndpoint": "http://192.168.1.4:8080/oauth/v2/token",
            "DeviceAuthEndpoint": "",
            "AuthorizationEndpoint": "http://192.168.1.4:8080/oauth/v2/authorize",
            "Scope": "openid profile email offline_access api",
            "UseIDToken": false,
            "RedirectURLs": [
                "http://localhost:53000"
            ]
        }
    },
    "StoreConfig": {
        "Engine": "sqlite"
    },
    "ReverseProxy": {
        "TrustedHTTPProxies": [],
        "TrustedHTTPProxiesCount": 0,
        "TrustedPeers": [
            "0.0.0.0/0"
        ]
    }
}
root@debian:/opt/netbird/infrastructure_files/artifacts#

openid-configuration.json

root@debian:/opt/netbird/infrastructure_files/artifacts# cat openid-configuration.json
{
    "issuer": "http://192.168.1.4:8080",
    "authorization_endpoint": "http://192.168.1.4:8080/oauth/v2/authorize",
    "token_endpoint": "http://192.168.1.4:8080/oauth/v2/token",
    "introspection_endpoint": "http://192.168.1.4:8080/oauth/v2/introspect",
    "userinfo_endpoint": "http://192.168.1.4:8080/oidc/v1/userinfo",
    "revocation_endpoint": "http://192.168.1.4:8080/oauth/v2/revoke",
    "end_session_endpoint": "http://192.168.1.4:8080/oidc/v1/end_session",
    "device_authorization_endpoint": "http://192.168.1.4:8080/oauth/v2/device_authorization",
    "jwks_uri": "http://192.168.1.4:8080/oauth/v2/keys",
    "scopes_supported": ["openid", "profile", "email", "phone", "address", "offline_access"],
    "response_types_supported": ["code", "id_token", "id_token token"],
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:jwt-bearer", "urn:ietf:params:oauth:grant-type:device_code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "request_object_signing_alg_values_supported": ["RS256"],
    "token_endpoint_auth_methods_supported": ["none", "client_secret_basic", "client_secret_post", "private_key_jwt"],
    "token_endpoint_auth_signing_alg_values_supported": ["RS256"],
    "revocation_endpoint_auth_methods_supported": ["none", "client_secret_basic", "client_secret_post", "private_key_jwt"],
    "revocation_endpoint_auth_signing_alg_values_supported": ["RS256"],
    "introspection_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
    "introspection_endpoint_auth_signing_alg_values_supported": ["RS256"],
    "claims_supported": ["sub", "aud", "exp", "iat", "iss", "auth_time", "nonce", "acr", "amr", "c_hash", "at_hash", "act", "scopes", "client_id", "azp", "preferred_username", "name", "family_name", "given_name", "locale", "email", "email_verified", "phone_number", "phone_number_verified"],
    "code_challenge_methods_supported": ["S256"],
    "ui_locales_supported": ["bg", "cs", "de", "en", "es", "fr", "it", "ja", "mk", "nl", "pl", "pt", "ru", "zh"],
    "request_parameter_supported": true,
    "request_uri_parameter_supported": false
}
root@debian:/opt/netbird/infrastructure_files/artifacts#
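The management log above ends with the server refusing to start because "192.168.1.4" is not a valid domain for --single-account-mode-domain, which is why the dashboard can never authenticate against it. The following is an added example (not NetBird's own code) of a pre-flight check for setup.env that catches this class of misconfiguration before docker compose is run: an IP literal in NETBIRD_DOMAIN, Let's Encrypt enabled for a name it cannot issue for, and an OIDC discovery endpoint served over plain http. The hostname rule is an RFC 1123 approximation, not NetBird's exact validator, and the sample values are taken from the setup.env posted above.

```python
import ipaddress
import re

# Constructed sample: the three setup.env values from this issue that matter here.
SAMPLE_SETUP_ENV = '''
# Dashboard domain. e.g. app.mydomain.com
NETBIRD_DOMAIN="192.168.1.4"
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="http://192.168.1.4:8080/.well-known/openid-configuration"
NETBIRD_DISABLE_LETSENCRYPT=false
'''

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with "-".
# Assumption: RFC 1123 approximation, not the regexp NetBird itself applies.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def parse_setup_env(text):
    """Parse KEY=value and KEY="value" lines; comments and blank lines are skipped."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip('"')
    return values


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_dns_name(host):
    """True for a dotted hostname whose labels are valid and whose TLD is not numeric."""
    labels = host.lower().split(".")
    return (len(labels) >= 2 and all(LABEL_RE.match(l) for l in labels)
            and not labels[-1].isdigit())


def check_setup_env(values):
    """Return the list of problems that would stop management or the dashboard from working."""
    problems = []
    domain = values.get("NETBIRD_DOMAIN", "")
    if is_ip_literal(domain) or not is_dns_name(domain):
        problems.append(f"NETBIRD_DOMAIN={domain!r} is not a DNS name; management rejects it "
                        "as --single-account-mode-domain and exits")
    if values.get("NETBIRD_DISABLE_LETSENCRYPT", "false").lower() == "false":
        if is_ip_literal(domain) or domain.endswith((".local", ".lan", ".internal")):
            problems.append("Let's Encrypt is enabled but NETBIRD_DOMAIN is not a publicly "
                            "resolvable name, so no certificate can be issued")
    oidc = values.get("NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT", "")
    if oidc.startswith("http://"):
        problems.append("OIDC discovery endpoint uses plain http; tokens and the JWKS are "
                        "fetched over an unencrypted channel")
    return problems
```

Run `check_setup_env(parse_setup_env(open("setup.env").read()))` before `./configure.sh`; an empty list means the three checks passed.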
mlsmaycon commented 1 month ago

Hello @linkinuul, the setup requires an SSL certificate, so a public IP with a public DNS is mandatory.

nuterum commented 1 month ago

Hello @linkinuul, unless you know how to use an SSL certificate, it is mandatory to have a public IP and public DNS so that Let's Encrypt can issue your certificate.

Unfortunately I have other tests to do and can't test your case for now, but here is what I can say:

My advice is to use it with a public IP and public DNS, as said by mlsmaycon.

linkinuul commented 1 month ago

@nuterum @mlsmaycon Good suggestion, I can follow your advice and study it again.

juniormarangao commented 2 weeks ago

I have a public IP and public DNS... All installation was clear and OK, but the initial page doesn't load.