It's really a great setup. I have setup a bunch of machines, have my own Authentik IdP setup, and it is working quite well. I did have to uninstall the tailscale client on a couple of machines as they appear to interfere with each other. Not sure why though.

Awesome Timing!

Don't believe there is a limit via the software stopping you, but only what your hardware may can handle.

Is there a better answer on this? This is SUPER important

I would have to refer you to the Netbird team for that. I don't have a good answer based on what's on their site. I was looking at a question on Reddit from last year to them about them ever changing the self hosted model. They didn't answer, and honestly, as a business I understand why. They want to make money. As a business that makes their software open source, I appreciate that about them.

@@AwesomeOpenSource Yep, I totally agree. If there is a limit say 10 peers for self hosted without some sort of a license or support subscription I'm perfectly fine with that for home use. If there is no limit then that is even better. If used in a business to support large number of peers and is self hosting I would expect them to get a business support subscription. That's what I did with ProxMox servers for work.

Let me see if I can get something setup. I'll add it to my list.

Netbird is being released in the official Openwrt repository

That's awesome

My pleasure.

It's the open source way of thinking really. You have the opportunity to see exactly how things are being implemented by Netbird because it's open source. If you find faults, you have the options to help them address the issues. As for whether it's better or worse, I think it's simply another option. We all want options, and I try to let you all know about various options. Tailscale is cool, Headscale makes it self hostable, and with some work you can even setup IdP with it, but Netbird does that for you much easier. So it's another option. Just depends on what you need at the end of the day.

No problem 👍

Indeed, and that could happen, but good to know there are alternatives out there.

My pleasure!

Glad my video helped.

On your management page, you will create a setup key, then copy that key immediately. You can set how many times that key can be used (so if you have 5 machines, you can use it 5 times). Next, use that key on each machine you're adding to the network with the command 'netbird up --management-url netbird.yourgreatdomain.com:443 --setup-key your-key'. I have this in my show notes link in the description as well.

Maybe, you'd need to make sure you are using their advanced setup, and change the ports that netbird dashboard is using so you can have 80 adn 443 used in NGinX Proxy Manager.

80 and 443 are attractive for botnets as they're well known ports and there are plenty! Of misconfigured Web Servers out there. Plus you can't trust the software you're running isn't vulnerable to any exploit... For a home lab environment you usually don't follow all the good practices and security policies you'll normally follow on an enterprise/professional level. In other words because we tend to neglect things and because there are bad actors out better expose the least amount of ports possible especially! Well known ports when you can.

@@geogmz8277 thanks but how can you do anything without those ports exposed? He says to do it on a VPS rather than your home network but what is the difference? You still have to secure it somewhere

Netbird offers their SaaS for free. For home use, you are better off using it than hosting the control server yourself. If you do self-host, you are better off using a VPS so you are not messing with NAT

The idea behind services like these are that you run the server in a VPS, then the client on your home network machines. Those machines can reach out and connect through the encrypted tunnel, and no firewall ports are required to be opened on your home network. It's a more secure way to run, but nothing is perfect, so keep adding layers of security where you can.

Great questions. but it's not just 80 and 443, there is a whole range of ports required for this to run properly, and opening that many ports on your home network really expands the attack surface.

Agree, it's super nice.

Thank you!

@@AwesomeOpenSource Do you think it is safe to use this Docker in production environments or would it be preferable to do a more secure installation of each component?

I was having issues getting the client to connect, and one of the things they said was it needs gRPC enabled if using cloudflare for DNS. They told me thins without me telling them I was using Cloudflare, so I enabled it, and it started working properly. You can ask them why it's required if you're looking for a more technical answer. I"m sure they'd be happy to explain.

I got it setup through a cf tunnel. I just set the domain to http in cloudflare and everything is working perfectly

When I had setup my DDNS and inturn VPN Access via Cloudflare. I had to disable the Cloudflare Proxy to make it work. If you read the Cloudflare documentation VPN does not work well with CLoud Flare's proxy enabled.

You use user credentials to login to the netbird system. So 1 user could have 2 or 3 machines, you could have 20 machines between 5 users, but each user authenticates, and you can revoke their ability to be on the VPN. So, if you have, for instance, an employee who leaves for a new job, you can go in and disable their account, and thus their access to the VPN.

@@AwesomeOpenSource lets say you need to give it a shot with the free plan / 100 machines. You have to split your users in 5 login creds. So 20 of them will have to login with user1 the other 20 with user2 ... etc. Not best practice I know, since you need to monitor what each user do, but I wanted to see if I understood the concept of users / machines correctly. As for revoking, ZeroTier does that on machine level directly, so it is more efficient this way (at least for me).

I don't knwo if they officially support OPNSense yet, but maybe in the future. Definitely worth a request on their project pages on github.

NetBird doesn't yet support OPNSense but we will add the support

I'll have to take a look.

Both are very good but for me the simple online interface, simple (and cheaper I believe) pricing it makes sense to go with providers like Linode, Ocean, OVH. While lots more intergration with infrastrcture as code is great the often have lots of hidden charges and often lead the price increases. E.G. AWS charging for ip4 external address when some services can still only use that. Also just because there is wide intergration does not mean there are not bugs (I'm looking at you AWS terraform). If you want the cheapest there are websites and subreddit on cheap VPS but be warned, these are often companies trying to get market share and may close down suddenly as they run out of money (shame really as more comptation the better). All in all don't get hung on the pence/cent per machine like I have done. Chose something with a good dashbored and decent price, the time you spend to find the perfect thing when you can get something good is often never worth it.

Well said!

I haven't tried it on Pi4. You'd just have to give it a whirl and see how it goes. Definitely want some RAM for it to be able to do all the things it does. It's really a conflomeration of applications, and a nice Web UI front end, so does use some resources at times.

I may have edited our my earlier discussion on the number of ports that would need to be open. sometimes I talk about things a few times, but edit it down.

I believe I said it in the video, but they have their iOS client in Beta right now, so will be released after beta is done.

@@AwesomeOpenSource I am looking forward. Then this app will be my favorite VPN-Solution.

is it called "Open Source Shelf"? If so, I'll look into it and add it to my list.

If using their quick setup script, check out the 'Upgrade' section at this link docs.netbird.io/selfhosted/selfhosted-quickstart. You essentially to a backup the way they describe, then run a docker compose command to pull the latest changes, then recreate the containers. It's pretty straightforward, but if you need more help let me know.

I do it so that I get the better up time, and so I don't have to open a bunch of ports on my home network to allow traffic through.

I have to ask, have you added peers to the system? Where are you looking for peers? I'm just not following your issue as described.

Definitely let them know about the bug on their github Issues page. That's the best way to get them to fix it.

When you say NGinX, what do you mean specifically? To use as a web-server, or as a reverse proxy?

@@AwesomeOpenSource Reverse proxy for the web management. From my understanding, If I want to use this on my server at home, I would need to open ports 80, 443, and whatever UDP port that wireguard needs. I just want a self hosted wireguard VPN that has a web interface!

I hadn't, but it looks pretty cool! Thanks for pointing it out.

I haven’t set that up yet, but yes as a I recall you can do all of those things from the server console. You can also set ACLs and so on with it.

Here is a link to their docs on the topic. In this case the route would be out to the internet, but hopefully this helps. docs.netbird.io/how-to/routing-traffic-to-private-networks

I don't know for sure. May depend on the server resources. But, if it still won't work after making sure it meets the requirements, it may just be worth starting fresh on a new instance.

@@AwesomeOpenSource I have deleted instance, and make a new instance. But, It's not working. I don't use again by oracle cloud tier. I have another question. Can I setup netbird server on Proxmox (VM)?

You can, but you'll have to do a lot of port forwarding.

I’ve been keeping an eye and the iOS client is now available as well from the App Store.

@@AwesomeOpenSource it’d be nice to have a video about it Thx and Happy New Year 🎆

In Cloudflare, I had to enable gRPC. Not sure how to do that in Oracle Free Tier.

Can't say it's better than Netmaker. I'd say it's on par with it. The SSO integration with their quick start is a definite plus, and yes, you should be able to make a site to site setup. I haven't done it yet myself, so you may need to dig through their docs a bit.

Running docker on LXC can sometimes be a bit tricky. I'd say, just to start see if you can spin up a VM, and do the setup there just to see if it works, then you'll know if it's the Netbird side, or the LXC causing the issue. Also, Wireguard on Proxmos in LXC requires you to set some stuff on the host system so it will all function correctly, or at least I had to do that for the client to run in an LXC container. Do make sure you've enabled nesting in the LXC at the very least.

I had a couple of times where it did take a long time, and seemingly never started. No logging showing so hard to tell what happens. But, I just followed their instructions to remove it and tried agaon. Essentially, use CTRL + C to stop the process (may have to do it a few times), then use "docker compose down --volumes" to stop all containers and remove the volumes, then run "rm -f docker-compose.yml Caddyfile zitadel.env dashboard.env machinekey/zitadel-admin-sa.token turnserver.conf management.json" to remove all the files it downloaded and setup, and then I'd just try again. Generally worked fine second time around. Maybe that will help.

Are you authenticating with the username and password provided in the terminal when the install finishes? Did you forward all ports as detailed in their documentation?

It can be configured for Single, or multi-tenant. Up to you to decide which. This is a setting in the setup.env file.

You can add your own certificate if you wish, it's in their more advanced documentation. Self signed certs aren't inherently risky, because they are your cert. If you are trusting a site you don't know, and who's owner / maintainer you don't know, then trusting their self-signed cert is risky indeed.

@@AwesomeOpenSource thanks so much for your reply! i thought self signed certs were susceptible to man in the middle attacks

I just ran through this setup an hour or so ago on an Oracle VPS, and it got a trusted cert--there weren't any cert warnings or other issues. But in principle, a self-signed cert (that you control) is even safer than a publicly-trusted cert, in that you can verify for yourself that it's the right cert. The problem is that very few people do that.

You'd have to ask the folks at Netbird about that. Not sure.

@@AwesomeOpenSource I updated the container to the latest version of Zitadel and encountered an error during the database update process. To resolve this issue, I had to first update to an older version before proceeding to the latest one. The system is now functioning perfectly, and it's more secure, considering that Zitadel in the QuickStart script is now seven months old.

@@x1dzerohow do you do this? i’m not so familiar with docker so idk how or where in the file system to run the commands

@@x1dzeroalso, what versions of everything were you on before and then after your updates?

I answered this before, but I think it's on par with netmaker. The setup is a bit easier, and you get SSO with Zitadel with this one, but functionality -wise, they are really close I think.

It is similar in concept, but in my opinion a bit easier to install self hosted, and get SSO setup using Zitadel as part of their installer. So, like Tailscale, but IMO better.

@@AwesomeOpenSource tailscale for personal use and this for team, I will watch again like single computer shared with my team?

This can be for singlue user, or Team. It's up to you how you use it.

@@AwesomeOpenSourceand Netbird have awesome features like groups and ACLs in a very very simple way to configure. Before NB, I used a self-hosted version os Zerotier and it is great too, but ACLs in Netbird is another level. The ideia os the setup-keys ('one-shot' or multiple use) , attaching a host automatically to a group is great.

I find Netbird a bit easier for self hosting for sure.

Similar to it, but a bit easier in my opinion.

I believe Zitadel does support LDAP. Here's a link to the Zitadel site on configuring LDAP as an identity provider. zitadel.com/docs/guides/integrate/identity-providers/ldap

@@AwesomeOpenSource Wow thank you :)

Maybe you ran it as root, or the Zitadel server didn't come up fast enough? Maybe just do a docker compose down, then docker compose up again and see if that resolves it. It's a forbidden access error.

Glad you're here.

So?

@@roucharHe has a point. why build big companies up if youre an “open source advocate”? Do as a i say, not as I do…

@@magog6852 that's not how it works...

Or get a free ARM instance from Oracle OCI... 😊 I'm running Wireguard in Phoenix Data Center for 2 years now... 4 cores, 24GB of RAM, and 200GB SSD... for free.. (of course nothing is free so privacy isn't something you should expect but I can live with) I only use it to tunnel back home via reverse proxy.

@@magog6852 or have freedom to choose whatever you wanna do. curious how you're going to scale with 3 raspberry pi's

If you don't want to use their hosted offering, then you can run it self hosted, as I show in the video. As for the cookies, you can let them know that there's an issue, and I'm sure they'd be happy to update it. I don't think it's a European company, so they may simply not realize they arent compliant with GDPR.

@@AwesomeOpenSource It's darn hard to make sure one complies with laws in every country haha

​@@mrmotofyseems that it is just easier to say that your company is not GDRP complaint and EU users should not use the software!

I think 'easy' is a subjective term. Wireguard solves a problem for a ton of people on its own. Netbird builds on Wireguard to provide a more enterprise level set of features with a GUI that helps a person getings done with relative ease.

So then netbird isn't really a VPN but instead a value add application for the VPN known as wireguard?

The benefit is that a lot of olks are better with a GUI. Not strictly a requirement. You can absolutely do all of this in Wireguard with configuration files, but sometimes a control system like this makes it easier.

If you have a home server at hime, you can run this in a docker/vm. Minimal cost and investment

​@@fool9111zI would like to believe that a docker setup isn't trivial because especially in a home-environment you would likely want to configure masquerading (aka NAT) to allow remote access to all of your home network devices. Getting this to run in docker won't work so easily. In addition to that: WireGuard is a native Linux Kernel feature. No need to run this in a docker environment. Using it natively has the least overhead possible.

@@Coksnuss you are right. Docker will likely be more complicated than vm due to the network issues

​@@CoksnussI'm new to this and acquiring the hardware necessary so forgive me if this is a stupid question. Isn't it a smart and best practice to have a low power machine on which your firewall and IDS is installed? External to the rest of the system? Is it also a good idea to have two for failover?

I don't guess I understand where this comment is coming from. The limits are on a hosted plan by Netbird, not the self hosted version. The software is open source, and Licensed with BSD-3.

Yea it is open source. If I make the source malicious (ie selling your data , extreme telemetry, DRM) itself but you’re free to do as you wish with the program, it is still open source. What you’re thinking about is the term ‘free software’ by the FSF.

Did I say this by mistake? I'm not understanding the comment.

I'm curious to know what examples. How do they achieve that level of blocking? Or is it simply banned and not permitted for use?

@@kenny45532 This works in the DPI method. All providers have equipment installed that analyzes traffic. The whole protocol is blocked, it is physically impossible to connect to any server.

Well. It’s going to use turn relay, right? So it should still somewhat work.

Sorry to hear this. It sucks when a government won't allow the citizens the freedom to choose how they communicate securely with others. Maybe someone will come up with a way to bypass it someday.

Actually Wireguard does work between peers inside Russia. I am using it every day in my work, and have no problem except shitty Rostelecom routers sometimes refusing to work properly (they brake Wireguard and OpenVPN UDP handshakes until you reboot them). And Netbird does work too. But I didn't test peers outside Russia.

It's okay to not trust others with your networking, that's why they made it open source, and allow you to run it yourself. But others find value in a cloud hosted offering.

Burken your comments suck. Elaborate on your points like an adult

At least when deciding to make a comment, kindly elaborate so it's contains more information. Your comments suck.

There are lots of companies that offer this as a service, including companies that open source and companies that don't. For instance, lots of companies pay for zScaler, Azure WAN, and commercial Tailscale or Zerotier for instance.