netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

Clients can't connect to server #2086

Open Amplificator opened 5 months ago

Amplificator commented 5 months ago

I'm using the self-hosted option and have set up Netbird behind another virtual machine that runs a Caddy reverse proxy.

I used the getting-started-with-zitadel.sh script to install Netbird.

My reverse proxy Caddyfile is this:

{
    admin off

    servers netbird.REDACTED.dk {
        protocols h1 h2c
    }
}

http://netbird.REDACTED.dk {
    @http protocol http

    handle_path /auth {
        redir @http https://{host}{uri} html
    }

    handle_path / {
        redir @http https://{host}{uri}
    }
}

netbird.REDACTED.dk {
    import /etc/caddy/imports/log.import netbird.REDACTED.dk

    import /etc/caddy/imports/gzip.import

    import /etc/caddy/imports/tls-email.import

    import /etc/caddy/imports/headers.import

    reverse_proxy /signalexchange.SignalExchange/* h2c://10.0.0.40:10000 {
        import /etc/caddy/imports/reverseproxy-headers.import

        import /etc/caddy/imports/trusted-proxies.import
    }

    reverse_proxy /api/* 10.0.0.40:80 {
        import /etc/caddy/imports/reverseproxy-headers.import

        import /etc/caddy/imports/trusted-proxies.import
    }

    reverse_proxy /management.ManagementService/* h2c://10.0.0.40:80 {
        import /etc/caddy/imports/reverseproxy-headers.import

        import /etc/caddy/imports/trusted-proxies.import
    }

    reverse_proxy /* 10.0.0.40:80 {
        import /etc/caddy/imports/reverseproxy-headers.import

        import /etc/caddy/imports/trusted-proxies.import
    }
}

Installation goes fine and I can load up the interface, sign in, add 2FA and change things - everything in the interface appears to work and no errors are shown in the logs.

But when I want to connect any client, for example my Mac, I change the server info to my own (https://netbird.REDACTED.dk:443 and also tried without :443 at the end) and click the "Connect" button in the app and I get this error: https://share.cleanshot.com/kgKDxVC1SvHW0S0XWtYJ

Trying to connect using the command line gives me the same error with no more details:

❯ netbird up --management-url https://netbird.REDACTED.dk
2024-06-02T16:57:29+02:00 WARN client/cmd/root.go:231: retrying Login to the Management service in 613.391081ms due to error rpc error: code = Unknown desc = getting device authorization flow info failed with error: failed while getting Management Service public key
2024-06-02T16:57:29+02:00 WARN client/cmd/root.go:231: retrying Login to the Management service in 1.326498153s due to error rpc error: code = Unknown desc = getting device authorization flow info failed with error: failed while getting Management Service public key
2024-06-02T16:57:31+02:00 WARN client/cmd/root.go:231: retrying Login to the Management service in 2.351547107s due to error rpc error: code = Unknown desc = getting device authorization flow info failed with error: failed while getting Management Service public key
2024-06-02T16:57:33+02:00 WARN client/cmd/root.go:231: retrying Login to the Management service in 4.38098465s due to error rpc error: code = Unknown desc = getting device authorization flow info failed with error: failed while getting Management Service public key
2024-06-02T16:57:38+02:00 WARN client/cmd/root.go:231: retrying Login to the Management service in 6.210155842s due to error rpc error: code = Unknown desc = getting device authorization flow info failed with error: failed while getting Management Service public key
2024-06-02T16:57:44+02:00 WARN client/cmd/root.go:231: retrying Login to the Management service in 9.557422609s due to error rpc error: code = Unknown desc = getting device authorization flow info failed with error: failed while getting Management Service public key
Error: login backoff cycle failed: rpc error: code = Unknown desc = getting device authorization flow info failed with error: failed while getting Management Service public key

On my iPhone I simply get a loading animation where it says "Verifying..." after entering the server details.

I have checked the logs using "docker compose logs -f" and I see nothing at all when doing this.

Any idea on where to start to solve this?

flyingblackshark commented 5 months ago

Same

s3tupw1zard commented 5 months ago

I've got the same error after changing my domain that I use with netbird and authentik for authentication.

s3tupw1zard commented 5 months ago

I found out the problem on my side.

For the following two entries inside Nginx Proxy Manager I've replaced the http scheme with grpc, so that it looks like this:

location /management.ManagementService {
    grpc_pass grpc://management:443;
}

location /signalexchange.SignalExchange {
    grpc_pass grpc://signal:80;
}

Now I could login without problem.

Amplificator commented 5 months ago

Caddy should already forward grpc when the h2c protocol is used, which it is in my config (and the one NetBird automatically creates).

krisamin commented 2 months ago

I have the same problem, has it been resolved?

fruworg commented 1 month ago

Hi guys. I had the same problem and I think the problem is actually docker compose port forwarding. If you use the same port in the management (e.g. 8888:8888) everything works.

Example of my configuration:

compose.yaml

services:
  dashboard:
    image: netbirdio/dashboard:latest
    container_name: dashboard
    restart: unless-stopped
    ports:
      - 127.0.0.1:8080:80
    environment:
      - NETBIRD_MGMT_API_ENDPOINT=https://vpn.<REDACTED.COM>:443
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://vpn.<REDACTED.COM>:443
      - AUTH_AUDIENCE=<REDACTED-ID>
      - AUTH_CLIENT_ID=<REDACTED-ID>
      - AUTH_CLIENT_SECRET=<REDACTED-CLIENT-SECRET>
      - AUTH_AUTHORITY=https://accounts.google.com
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email
      - AUTH_REDIRECT_URI=/auth
      - AUTH_SILENT_REDIRECT_URI=/silent-auth
      - NETBIRD_TOKEN_SOURCE=idToken
      - NGINX_SSL_PORT=443
      - LETSENCRYPT_DOMAIN=
      - LETSENCRYPT_EMAIL=
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  signal:
    image: netbirdio/signal:latest
    container_name: signal
    restart: unless-stopped
    ports:
      - 127.0.0.1:10000:10000
    volumes:
      - ./signal:/var/lib/netbird
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  relay:
    image: netbirdio/relay:latest
    container_name: relay
    restart: unless-stopped
    environment:
    - NB_LOG_LEVEL=info
    - NB_LISTEN_ADDRESS=:33080
    - NB_EXPOSED_ADDRESS=<REDACTED.COM>:33080
    - NB_AUTH_SECRET=<REDACTED-SECRET>
    ports:
      - 33080:33080
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  management:
    image: netbirdio/management:latest
    container_name: management
    restart: unless-stopped
    ports:
      - 127.0.0.1:8888:8888
    depends_on:
      - dashboard
    volumes:
      - ./mgmt:/var/lib/netbird
      - ./config/management.json:/etc/netbird/management.json
    command: [
      "--port", "8888",
      "--log-file", "console",
      "--log-level", "info",
      "--disable-anonymous-metrics=true",
      "--single-account-mode-domain=vpn.<REDACTED.COM>",
      "--dns-domain=<REDACTED.COM>"
      ]
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
    environment:
      - NETBIRD_STORE_ENGINE_POSTGRES_DSN=
  coturn:
    image: coturn/coturn:latest
    container_name: coturn
    restart: unless-stopped
    volumes:
      - ./config/turnserver.conf:/etc/turnserver.conf:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"

Caddyfile (I use the binary)

vpn.<REDACTED.COM> {
    reverse_proxy /signalexchange.SignalExchange/* h2c://127.0.0.1:10000
    reverse_proxy /api/* 127.0.0.1:8888
    reverse_proxy /management.ManagementService/* h2c://127.0.0.1:8888
    reverse_proxy /* 127.0.0.1:8080
}

@krisamin @Amplificator
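As an added check (not code from the NetBird project or from anyone in this thread), the script below cross-checks the host ports Caddy forwards to against a compose `ports:` section, which is the host/container port mismatch fruworg describes. The Caddyfile and compose fragments are constructed samples modelled on the ones posted above, and the per-path listen ports (what each service binds inside its container) are assumptions taken from those configurations.

```python
import re

# Constructed samples modelled on fruworg's Caddyfile and compose.yaml (not the real files).
CADDYFILE = """
vpn.example.test {
    reverse_proxy /signalexchange.SignalExchange/* h2c://127.0.0.1:10000
    reverse_proxy /api/* 127.0.0.1:8888
    reverse_proxy /management.ManagementService/* h2c://127.0.0.1:8888
    reverse_proxy /* 127.0.0.1:8080
}
"""
GOOD_COMPOSE = """
  dashboard:
    ports:
      - 127.0.0.1:8080:80
  signal:
    ports:
      - 127.0.0.1:10000:10000
  management:
    ports:
      - 127.0.0.1:8888:8888
    command: ["--port", "8888"]
"""
# Same file, but management is published as host 8888 -> container 80 while it is
# still started with --port 8888: Caddy reaches the host port, Docker forwards it to
# a container port nothing listens on, and the gRPC calls fail.
BAD_COMPOSE = GOOD_COMPOSE.replace("8888:8888", "8888:80")
# Assumed in-container listen port per Caddy path matcher (dashboard nginx on 80,
# signal on 10000, management on its --port value).
LISTEN_PORTS = {"/signalexchange.SignalExchange/*": 10000, "/api/*": 8888,
                "/management.ManagementService/*": 8888, "/*": 80}

CADDY_UPSTREAM = re.compile(r"reverse_proxy\s+(\S+)\s+(?:h2c://)?([\d.]+):(\d+)")
PORT_MAPPING = re.compile(r"^\s*-\s*(?:[\d.]+:)?(\d+):(\d+)\s*$", re.M)

def parse_caddy_upstreams(caddyfile: str) -> dict[str, tuple[str, int]]:
    """Map each reverse_proxy path matcher to its (host, port) upstream."""
    return {path: (host, int(port)) for path, host, port in CADDY_UPSTREAM.findall(caddyfile)}

def parse_published_ports(compose: str) -> dict[int, int]:
    """Map host port -> container port for every '- [ip:]host:container' list entry."""
    return {int(h): int(c) for h, c in PORT_MAPPING.findall(compose)}

def check(caddyfile: str, compose: str, listen_ports: dict[str, int]) -> list[str]:
    """Return findings for every Caddy upstream that does not line up with compose; [] if consistent."""
    published, findings = parse_published_ports(compose), []
    for path, (host, port) in parse_caddy_upstreams(caddyfile).items():
        if port not in published:
            findings.append(f"{path}: Caddy forwards to {host}:{port} but no host port {port} is published")
        elif path in listen_ports and published[port] != listen_ports[path]:
            findings.append(f"{path}: host port {port} maps to container port {published[port]}, "
                            f"but the service listens on {listen_ports[path]}")
    return findings
```

Run `check(CADDYFILE, BAD_COMPOSE, LISTEN_PORTS)` to see the two affected paths (`/api/*` and the management gRPC route) reported; the good compose yields no findings.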