What made you choose Netbird over Tailscale and other providers?
I'm just curious.
So right now I am using the non-self-hosted version of NetBird. I am now converting to self-hosted, including the Proxy, so I can remove NPM. I was told that it's much harder because NetBird's own reverse proxy feature for exposing services requires Traefik/TLS passthrough in self-hosted mode; the docs say Nginx, Caddy, and NPM cannot do the TLS passthrough required for the NetBird reverse proxy feature.
Is this true and if so how hard is it compared to setting up self hosted NPM?
My setup is a mini PC running Windows 11 Pro. Then I installed VMware and have Ubuntu installed. So no VPS and no dedicated server at all, which saves me the money. Co-workers tell me it can be done; however, there is extra work required vs NPM. I would like to use NetBird's reverse proxy.
I am struggling with this, and I am not understanding why.
It works for about 10 seconds, and then just.... dies. The proxy container logs are filled with:
```
2026-04-29T03:03:11.621Z WARN proxy/internal/proxy/reverseproxy.go:317: proxy error: request_id=d7on98u479ac73d5ivb0 client_ip=x.x.x.x method=GET host=warden.xxxx.com path=/ status=502 title="Request Canceled" err=context canceled
```
I have successfully forwarded several other services without an issue. Why is it struggling with vaultwarden so much? Anyone have any insight?
Hi there 😄
I'm self-hosting NetBird on a VPS and it works like a charm! But there's this
group called netbird, I think (I'm not sure); it has the peers that were added by sign-in, not by setup key!
The thing is, I can't remove peers or the owner user from this group, and I can't delete the group.
Any idea what the issue is and what this group is?
I've got netbird deploying with a script through RMM. Users are guided through SSO. VPN connects, but the ui / tray doesn't start up automatically or get added to startup applications. I've tried starting the ui in the same script as the deploy, but it never shows up. I can launch the ui from the desktop shortcut, but I'd like for it to just launch after install and launch at startup.
Any suggestions?
Has anyone got a Minecraft server working through the new reverse proxy?
I had it working on Pangolin, but can't seem to get it to pass on Netbird. I have the "Service" defined under "Reverse Proxy", the domain is active, port is added in docker compose file under proxy, firewall has the port forwarded, I can reach that peer from outside but still no dice.
I know that you can do [netbird_name]:port to direct requests, but I would prefer to just have the internal domain name map to my services instead.
Not all my services need to be publicly available on the internet; there are some that I would like to hide behind a VPN.
So I've been testing self-hosted Netbird as an alternative to Tailscale for a bit now and in general it works great. However, I have trouble with the Android client losing connection every time I leave the house (disconnect from my wifi). Does anyone else have this issue? I just noticed I had battery optimization enabled on it, but I'm not sure if that will make a difference. I have, however, turned it off and I'll see if it makes any difference when I get home.
I just started self hosting netbird on a VPS maybe 2 months ago, the reverse proxy feature sold me and I gotta give it to you guys, you are doing a wonderful job! Somehow you keep being 2 steps ahead of me... just when I thought of limiting access through country, or adding crowdsec integration, you started officially supporting those with detailed guides for crowdsec and everything.
I know it's not much but thank you guys so much!
Hello guys,
I've been using Netbird for a few weeks (trying to switch from Cloudflare to Netbird!) and the only thing I'm missing is a bypass option in the reverse proxy based on IP address. It would be great.
I'm using vaultwarden and it would be great to protect it with netbird in some way, maybe GET route params?
Thank you for your work!
I'm trying to get NetBird integrated in my Homelab, but am hitting an issue with deploying GitLab.
I've got a host running the management & proxy cluster of services on one host and a netbird client (exposing subnet 172.11.1.0/24) & GitLab (172.11.1.3) on another host. GitLab expects SSH connections through the host's port 2424, and I've created a TCP Service to forward TCP traffic to git.example.com on port 2424 to 172.11.1.3:2424.
When attempting to `git clone ssh://git@git.scottfries.com:2424/homelab/group/project.git`, I get a kex_exchange_identification error:
```
Cloning into 'project'...
kex_exchange_identification: read: Connection reset by peer
Connection reset by <my public IP> port 2424
fatal: Could not read from remote repository.
```
And inside of the netbird-proxy's logs I get:
```
2026-04-26T19:26:00.198529789Z 2026-04-26T19:26:00.198Z WARN [service_id: d7n4qp32951s73atffp0, target: 172.11.1.3:2424] proxy/internal/tcp/router.go:360: TCP relay (fallback): dial backend 172.11.1.3:2424: connect tcp 172.11.1.3:2424: connection was refused
```
But if I circumvent NetBird with a `git clone ssh://git@<GitLab host local IP>:2424/homelab/group/project.git` I can reach the endpoint without any issue.
GitLab's compose.yaml
```yaml
networks:
  gitlab:
    driver: bridge
    ipam:
      config:
        - subnet: 172.12.0.0/24
          gateway: 172.12.0.1
  netbird-services:
    external: true

secrets:
  SMTP_PASSWORD:
    file: ./secrets/SMTP_PASSWORD
  GITHUB_CLIENT_ID:
    file: ./secrets/GITHUB_CLIENT_ID
  GITHUB_CLIENT_SECRET:
    file: ./secrets/GITHUB_CLIENT_SECRET

services:
  gitlab:
    image: docker.io/gitlab/gitlab-ce:18.8.0-ce.0
    container_name: gitlab
    restart: unless-stopped
    shm_size: '256m'
    networks:
      gitlab:
        ipv4_address: 172.12.0.11
      netbird-services:
        ipv4_address: 172.11.1.3
    ports:
      - 80:80
      - 443:443
      - 5000:5000
      - 2424:22
    volumes:
      - ./config/gitlab.rb:/etc/gitlab/gitlab.rb:ro
      - /mnt/homelab_data/gitlab/config:/etc/gitlab
      - /mnt/homelab_data/gitlab/logs:/var/log/gitlab
      - /mnt/homelab_data/gitlab/data:/var/opt/gitlab
    secrets:
      - SMTP_PASSWORD
      - GITHUB_CLIENT_ID
      - GITHUB_CLIENT_SECRET
```
Has anyone experienced this error before? Does anyone have any suggestions on how to further debug where the connection is failing?
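An added example, not part of the original post: a check of a proxy target against a compose service's `ports:` entries, using the values quoted above. It relies on the Docker behaviour that a connection to a container's own IP reaches container-side ports directly, while `HOST:CONTAINER` mappings only apply on the host's address; the function names are hypothetical and only single-port short-syntax mappings are handled.

```python
import ipaddress

def parse_port(mapping):
    """Split "HOST:CONTAINER" or "IP:HOST:CONTAINER" (optional /proto suffix)
    into (host_port, container_port); host_port is None when not published."""
    parts = str(mapping).split("/")[0].split(":")
    container = int(parts[-1])
    host = int(parts[-2]) if len(parts) >= 2 else None
    return host, container

def check_target(service, target):
    """Return findings for a proxy target "ip:port" against one compose service."""
    ip_text, port_text = target.rsplit(":", 1)
    ip, port = ipaddress.ip_address(ip_text), int(port_text)
    container_ips = {ipaddress.ip_address(net["ipv4_address"])
                     for net in service.get("networks", {}).values()
                     if net and "ipv4_address" in net}
    mappings = [parse_port(p) for p in service.get("ports", [])]
    container_ports = {c for _, c in mappings}
    findings = []
    # Only targets that point at the container's own IP are checked here.
    if ip in container_ips and port not in container_ports:
        for host, container in mappings:
            if host == port:
                findings.append(
                    f"{target}: {port} is the host side of '{host}:{container}'; "
                    f"the container-side port is {container}")
        if not findings:
            findings.append(f"{target}: {port} is not a container-side port in any mapping")
    return findings

# Constructed from the compose file and the TCP service target quoted in the post.
GITLAB = {
    "networks": {"gitlab": {"ipv4_address": "172.12.0.11"},
                 "netbird-services": {"ipv4_address": "172.11.1.3"}},
    "ports": ["80:80", "443:443", "5000:5000", "2424:22"],
}

if __name__ == "__main__":
    for t in ("172.11.1.3:2424", "172.11.1.3:22"):
        print(t, check_target(GITLAB, t) or "ok")
```

A finding for `172.11.1.3:2424` is consistent with the "connection was refused" line in the proxy log, since the refused dial went to the container IP rather than to the host address where 2424 is published.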
Basically the title. I'm assuming that since the A record (netbird.subdomain.tld) points to itself according to OPNsense that there's some error happening when trying to authenticate.
Or is there anything else I need to configure? I keep getting the "failed creating connection to Management Service: create connection: dial context: context deadline exceeded" error.
I prefer not to use a VPS or setup a NetBird instance outside of my main network since that means paying for a service or needing to buy new hardware.
+) Informational logs say "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate is valid for OPNsense.internal, not netbird.subdomain.tld". So I guess my assumption was correct in that the error is being caused since it's being pointed to itself. Is there any other way to resolve this other than the insane method which is to replace the default certificate on OPNsense with Netbird's?
Hi,
I made this high availability fork using redis with modified source code.
There is full documentation on this repo but it hasn't been fully tested, I do use it right now and it works but be warned 😅
TL;DR: this allows having multiple replicas of management and signal pods/containers.
Don't be confused: dashboard, relay and proxy can be replicated regardless of this fork, as they're already designed like that; this is only for management and signal.
https://github.com/nik-dev-ops/netbird-ha/tree/main
I don't think I will actively maintain this, so I'm hoping someone from netbird will merge this to master.
v0.69 is out, and the big one is CrowdSec IP reputation in the reverse proxy (self-hosted only for now, Cloud is coming).
If you're exposing services through the proxy, you can now have it check every incoming request against a local CrowdSec LAPI and drop connections from flagged IPs before they ever hit your backend.
How it works:
Three modes per service:
Restriction order is CIDR, then country, then CrowdSec, so your existing allow/deny rules still take precedence.
Deny reasons in access logs are tagged crowdsec_ban, crowdsec_captcha, or crowdsec_throttle depending on the underlying decision type (the proxy treats all three as denials, no captcha or rate limiting at the proxy layer).
Fresh self-hosted installs get the LAPI container out of the box via the quickstart script. If you're already running the reverse proxy, there's a new Step 7 in the migration guide.
Also shipped in v0.69:
Links:
Hi all,
First to explain my previous setup: Previously I had all my services exposed with port forwarding to the whitelisted IPs of Cloudflare, and in order to limit the access to my Vaultwarden instance, I limited the access with two rules:
I had both done through the CF zero trust and it worked great, but now exposing the Vaultwarden through Netbird, I can't find a way to block access to that path, and my /admin path is available.
Any ideas are welcome. Thank you.
I've been looking into ways to further harden my setup to try and prevent security from living rent free inside my mind.
Try adding these to your compose
Traefik:
```yaml
cap_drop:
  - ALL
cap_add:
  - NET_BIND_SERVICE
security_opt:
  - no-new-privileges:true
```
Dashboard:
```yaml
cap_drop:
  - ALL
cap_add:
  - NET_BIND_SERVICE
  - DAC_OVERRIDE
  - CHOWN
  - SETUID
  - SETGID
security_opt:
  - no-new-privileges:true
```
Server:
```yaml
cap_drop:
  - ALL
cap_add:
  - NET_BIND_SERVICE
security_opt:
  - no-new-privileges:true
```
I have been able to use the proxy and VPN functionality just fine so far.
If there are any suggestions for the proxy container, let me know.
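An added example, not part of the original post: an audit that checks every service in a compose file for the three settings used above (`cap_drop: ALL`, a short `cap_add` list, `no-new-privileges`). It assumes the input is the JSON printed by `docker compose config --format json`; the service names, the placeholder image and the one-capability baseline are constructed for illustration.

```python
import json

BASELINE_CAPS = frozenset({"NET_BIND_SERVICE"})  # assumption: review anything beyond this

def _cap(name):
    """Normalise 'cap_chown' / 'CHOWN' to 'CHOWN'."""
    name = str(name).upper()
    return name[4:] if name.startswith("CAP_") else name

def audit_service(name, svc):
    """Return hardening findings for one compose service definition."""
    findings = []
    dropped = {_cap(c) for c in svc.get("cap_drop") or []}
    added = {_cap(c) for c in svc.get("cap_add") or []}
    if "ALL" not in dropped:
        findings.append(f"{name}: cap_drop does not include ALL")
    extra = sorted(added - BASELINE_CAPS)
    if extra:
        findings.append(f"{name}: cap_add beyond baseline (review): {', '.join(extra)}")
    # Accept the 'key:true', 'key=true' and bare 'key' spellings of the option.
    opts = {str(o).replace("=", ":").lower() for o in svc.get("security_opt") or []}
    if not opts & {"no-new-privileges", "no-new-privileges:true"}:
        findings.append(f"{name}: no-new-privileges is not set")
    return findings

def audit_compose(compose):
    """Audit all services, sorted by name so the report order is stable."""
    findings = []
    for name, svc in sorted(compose.get("services", {}).items()):
        findings.extend(audit_service(name, svc))
    return findings

# Constructed sample: the three snippets from the post plus an unhardened proxy service.
SAMPLE_JSON = """
{"services": {
  "traefik":   {"cap_drop": ["ALL"], "cap_add": ["NET_BIND_SERVICE"],
                "security_opt": ["no-new-privileges:true"]},
  "dashboard": {"cap_drop": ["ALL"],
                "cap_add": ["NET_BIND_SERVICE", "DAC_OVERRIDE", "CHOWN", "SETUID", "SETGID"],
                "security_opt": ["no-new-privileges:true"]},
  "server":    {"cap_drop": ["ALL"], "cap_add": ["NET_BIND_SERVICE"],
                "security_opt": ["no-new-privileges:true"]},
  "proxy":     {"image": "example/proxy:placeholder"}
}}
"""
COMPOSE = json.loads(SAMPLE_JSON)

if __name__ == "__main__":
    print("\n".join(audit_compose(COMPOSE)))
```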
Thanks to the netbird team for integrating crowdsec into netbird. This is awesome and was really easy to setup.
I already had crowdsec running to protect my netbird dashboard. But having it for the proxy was not possible for me yet. With the new integration I just had to add the env variables and was ready to go.
Being able to manage it through the management-dashboard is awesome!
I am wondering why crowdsec is not also integrated for the dashboard as well. Maybe this will come later?
Thanks for this awesome work!
Hi All,
Not sure if I am reading this documentation wrong, so I'm hoping you can assist with some guidance about the use of the reverse proxy.
Currently all my self-hosted services are running through NPM in the form of https://SERVICE.DOMAIN.NET
With netbird, the documentation is saying I need to set up CNAME services in the form of
https://SERVICE.PROXY.DOMAIN.NET
I don't want to change all my services to have the extra subdomain prefix in the URL.
Is this required? Am I reading this correctly?
Thanks
S
Hi All,
I am self-hosting, and did a fresh install two days ago.
Added a bunch of peers and did basic set-up with no issues, then I tried adding a service behind the reverse proxy.
Initially the service host was not found, which is fine as it was just an initial quick play around.
I came back later to troubleshoot and get it working, and found a different error...
"PROXY NOT CONNECTED - The proxy is not connected to the NetBird network. Please try again later or contact your administrator."
I've checked and all the docker containers are up and running.
Not sure where to look next?
Would love some guidance if you can.
Thanks
S