This repository contains setup and config files to create the Netbird self-hosted docker instances with Zitadel in combination with Cloudpanel running Nginx as a reverse-proxy.
netbird-with-zitadel-without-caddy.sh is based on getting-started-with-zitadel.sh, Copyright (c) 2022 NetBird GmbH & Authors.
- A publicly reachable virtual server (e.g. Hetzner, DigitalOcean, etc.) running Cloudpanel v2.
- Your VPS should also meet the self-host Netbird quickstart guide requirements. From my tests it is sufficient to open TCP ports 80 and 443 in the firewall as well as UDP ports 3478 and 49152 to 65535.
- A domain you intend to use for your Netbird management endpoint, e.g. netbird.example.com. The domain's A record should point to your VPS.
- Docker should already be installed. You can use these commands from the server console to do so:

  ```sh
  cd /opt
  curl -fsSL https://get.docker.com -o get-docker.sh
  sh get-docker.sh
  ```
If all the requirements are met, you can follow these steps:

- Create a new static website in Cloudpanel with your netbird.example.com domain. Go to Vhost and replace everything with the contents of netbird/cloudpanel-netbird-reverse-proxy.conf. Update `server_name YOUR_NETBIRD_DOMAIN;` with your `server_name netbird.example.com;`, then click Save. Switch to SSL/TLS and create a new Let's Encrypt certificate for your domain.
- If you can open your website in the browser and it shows "Hello World :-)", you can proceed with the Netbird installation. Connect to your server via SSH and clone this repository:

  ```sh
  cd /opt
  git clone https://github.com/ggfx/cloudpanel-netbird-reverse-proxy.git
  ```

  Change into the cloudpanel-netbird-reverse-proxy/netbird directory and start the script:

  ```sh
  cd cloudpanel-netbird-reverse-proxy/netbird
  sudo chmod +x netbird-with-zitadel-without-caddy.sh
  ./netbird-with-zitadel-without-caddy.sh
  ```

  If you are asked for your NETBIRD_DOMAIN, enter your netbird.example.com domain.
- Remove the Cloudpanel default index.html; use your appropriate directory:

  ```sh
  rm /home/example-netbird/htdocs/netbird.example.com/index.html
  ```

- Now you should reach Netbird at https://netbird.example.com.
- As a final security step you should change the password of the default Zitadel admin user. Open https://netbird.example.com/ui/console and log in with zitadel-admin@zitadel.netbird.example.com and the password `Password1!` (refer to Self-hosting Zitadel). Leaving this well-known default password in place is a potential security risk!
To update your Netbird management server, just run the update script:

```sh
cd cloudpanel-netbird-reverse-proxy/netbird
sudo chmod +x netbird-update.sh
./netbird-update.sh
```

There may be problems reaching the TURN server.
Cloudpanel uses the UFW firewall, so be sure to check your firewall first with

```sh
ufw status verbose
# or
# iptables -L
```

for the presence of:

```
3478/udp                   ALLOW IN    Anywhere
49152:65535/udp            ALLOW IN    Anywhere
```

- Adjust the UFW firewall yourself and allow the necessary UDP ports 3478 and 49152-65535:

  ```sh
  ufw allow 3478/udp
  ufw allow 49152:65535/udp
  ```

- You may turn off the STUN/TURN server completely, referring to netbirdio/netbird#3546.
- Publish the ports in docker-compose.yml instead of using `network_mode: host`. Use only a few ports, otherwise Docker will not start or will at least take a very long time (Docker maps each published port individually, so a range of many thousands of ports is very slow to set up). Remove `network_mode: host` and enable `ports` instead in the coturn service:

  ```yaml
  #network_mode: host
  ports:
    - "3478:3478/udp"
    - "65352-65535:65352-65535/udp"
  ```

  Adjust the ports in turnserver.conf so that the relay range matches the published range:

  ```
  min-port=65352
  max-port=65535
  ```
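The two checks above (the UFW rules being present, and the coturn relay range in turnserver.conf matching the range Docker publishes) can be scripted. The following preflight script is an added example written for this README and is not part of the repository; it assumes the text of `ufw status verbose` on stdin, a turnserver.conf containing `min-port=`/`max-port=` lines, and a docker-compose.yml that publishes the relay range as `"<min>-<max>:<min>-<max>/udp"`. The files and firewall output used in `demo` are constructed sample input.

```sh
#!/bin/sh
# Added preflight checks for the coturn/UFW setup described in this README.
# Example code, not part of the cloudpanel-netbird-reverse-proxy repository.
# Assumptions: `ufw status verbose` text on stdin, a turnserver.conf with
# min-port=/max-port= lines, and a docker-compose.yml publishing the relay
# range as "<min>-<max>:<min>-<max>/udp".

# Print each required UDP rule that is missing from `ufw status verbose`
# output read from stdin. Returns the number of missing rules (0 = all present).
ufw_missing_rules() {
    status=$(cat)
    missing=0
    for rule in "3478/udp" "49152:65535/udp"; do
        # A matching line looks like: "3478/udp    ALLOW IN    Anywhere"
        if ! printf '%s\n' "$status" | grep -Eq "^${rule}[[:space:]]+ALLOW IN"; then
            echo "missing: ufw allow $rule"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Compare min-port/max-port in turnserver.conf ($1) with the host port range
# published in docker-compose.yml ($2). A relay range that is not published
# means TURN allocations succeed inside the container but never reach peers.
# Returns 0 if consistent, 1 on mismatch, 2 if either file cannot be parsed.
turn_range_consistent() {
    conf=$1
    compose=$2
    min=$(sed -n 's/^min-port=\([0-9][0-9]*\)$/\1/p' "$conf" | head -n 1)
    max=$(sed -n 's/^max-port=\([0-9][0-9]*\)$/\1/p' "$conf" | head -n 1)
    # Published line looks like: - "65352-65535:65352-65535/udp"
    pub=$(sed -n 's/^[[:space:]]*-[[:space:]]*"\([0-9][0-9]*\)-\([0-9][0-9]*\):[0-9-]*\/udp"[[:space:]]*$/\1 \2/p' "$compose" | head -n 1)
    if [ -z "$min" ] || [ -z "$max" ] || [ -z "$pub" ]; then
        echo "could not parse relay port range from $conf or $compose"
        return 2
    fi
    pubmin=${pub%% *}
    pubmax=${pub##* }
    if [ "$min" != "$pubmin" ] || [ "$max" != "$pubmax" ]; then
        echo "mismatch: turnserver.conf relays on $min-$max but docker publishes $pubmin-$pubmax"
        return 1
    fi
    echo "ok: relay range $min-$max is published"
    return 0
}

# Demonstration on constructed files and constructed firewall output.
demo() {
    tmp=$(mktemp -d)
    printf 'min-port=65352\nmax-port=65535\n' > "$tmp/turnserver.conf"
    printf 'services:\n  coturn:\n    ports:\n      - "3478:3478/udp"\n      - "65352-65535:65352-65535/udp"\n' > "$tmp/docker-compose.yml"
    turn_range_consistent "$tmp/turnserver.conf" "$tmp/docker-compose.yml"
    # Constructed `ufw status verbose` excerpt with the relay range rule missing
    printf '80/tcp                     ALLOW IN    Anywhere\n3478/udp                   ALLOW IN    Anywhere\n' | ufw_missing_rules
    rm -rf "$tmp"
}
demo
```

On a real server, run `ufw status verbose | ufw_missing_rules` after sourcing the script, and point `turn_range_consistent` at the repository's netbird/turnserver.conf and netbird/docker-compose.yml. The range check is only meaningful once you have switched coturn from `network_mode: host` to published ports.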
This file is only for testing. Personally I stick to the native client because the docker container lacks DNS resolving. If you want to use it anyway, create your NB_SETUP_KEY in Netbird, copy client.env.example to client.env and set your variables; NB_SETUP_KEY cannot be empty:

```
NB_MANAGEMENT_URL=https://netbird.example.com
NB_SETUP_KEY=
```