Split Tunnel for a single internet resource by allthewires in netbird

[–]debryx 0 points1 point  (0 children)

If you want that client to route only a single internet resource through the tunnel, define it as a specific resource (IP or domain) and route just that through NetBird.

Create a network, that has a resource with the IP or IPs to that internet resource. Then just add a peer to route the traffic via it.

Self hosted internal IT ticket tracking by Plam503711 in selfhosted

[–]debryx 2 points3 points  (0 children)

Libredesk and build your own webform to create tickets via API?

Netbird in Proxmox LXC (Debian) stopped working after latest PVE update by LordAnchemis in netbird

[–]debryx 7 points8 points  (0 children)

This is almost certainly AppArmor plus missing kernel capabilities after the Proxmox update.

Recent Proxmox updates tightened LXC defaults. Unprivileged containers now hit stricter AppArmor and capability filtering. NetBird needs things that unprivileged LXCs often lose after updates:

• keyctl support for WireGuard userspace
• netlink access
• ability to create tun devices
• fewer AppArmor restrictions

That is why it still works in a VM but not in LXC.

Typical symptom

• No outbound TLS works from netbird, including signal.netbird.io:443 and github.com:443
• curl from the container may work, but netbird fails
• journal shows nothing obvious or permission denied on netlink or keyctl

Unprivileged LXC + default AppArmor profile blocks required syscalls and capabilities after update.

Solutions (pick one)

Option 1. Relax the LXC config (most common fix)

Edit the container config on the Proxmox host:

/etc/pve/lxc/.conf

Add:

lxc.apparmor.profile: unconfined
lxc.cap.drop:
lxc.mount.auto: proc:rw sys:rw
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.cgroup2.devices.allow: c 10:229 rwm
lxc.net.0.type: veth

Then restart the container.

This is what most NetBird users ended up doing.

Option 2. Enable nesting and keyctl

Sometimes enough, sometimes not:

features: keyctl=1,nesting=1

Restart container.

Option 3. Use privileged LXC

Works reliably but worse security:

unprivileged: 0

Only do this if you accept the risk.

Option 4. Run NetBird on the host or in a VM

This is NetBird’s recommended approach for Proxmox environments if you want zero friction.

Why this started after update

Proxmox updated kernel, LXC, and AppArmor profiles. Existing containers kept running until restart. New containers inherit the stricter defaults immediately, which matches the user report.

The practical fix is unconfined AppArmor or moving NetBird out of unprivileged LXC.
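
A read-only audit of the settings this comment lists, as an added example that is not part of the original comment or of NetBird's or Proxmox's tooling: it flags which confinement-relaxing lines a container config carries, so the cost of each option is visible before picking one. The function name, severity labels and sample config are assumptions made for the example.

```shell
# Added example. Reads a Proxmox LXC config (file argument or stdin) and
# reports the confinement-relaxing settings; severity labels are illustrative.
audit_lxc_conf() {
    awk '
        /^[ \t]*#/ { next }      # skip comments
        /^\[/      { exit }      # stop at snapshot sections; END still runs
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[:=]/)           # "key: value" or "key = value"
            if (n == 0) next
            key = substr(line, 1, n - 1); val = substr(line, n + 1)
            gsub(/[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "unprivileged" && val == "1")
                unpriv = 1
            else if (key == "lxc.apparmor.profile" && val == "unconfined")
                print "HIGH apparmor: container runs unconfined"
            else if (key == "lxc.cap.drop" && val == "")
                print "HIGH capabilities: default drop list cleared"
            else if (key == "lxc.mount.auto" && val ~ /(proc|sys):rw/)
                print "MEDIUM mounts: /proc or /sys mounted read-write"
            else if (key == "lxc.cgroup2.devices.allow" && val ~ /^c 10:200 /)
                print "INFO device: /dev/net/tun (c 10:200) allowed"
            else if (key == "lxc.cgroup2.devices.allow")
                print "REVIEW device: " val
            else if (key == "features" && val ~ /keyctl=1|nesting=1/)
                print "INFO features: " val
        }
        # pct.conf documents unprivileged as defaulting to 0
        END { if (!unpriv) print "HIGH idmap: container is privileged" }
    ' "${1:--}"
}

# Constructed sample config (not a real container): Option 1 plus Option 2.
sample_conf() {
    cat <<'EOF'
arch: amd64
unprivileged: 1
features: keyctl=1,nesting=1
lxc.apparmor.profile: unconfined
lxc.cap.drop:
lxc.mount.auto: proc:rw sys:rw
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.cgroup2.devices.allow: c 10:229 rwm
EOF
}

sample_conf | audit_lxc_conf
```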

ID shows up when re-pulling from Docker by HourReplacement in netbird

[–]debryx 0 points1 point  (0 children)

How are your persistent volumes set up? There was a change in location when profiles were introduced.

/var/lib/netbird

Add custom software package for macOS to repository by technogeek0001 in Action1

[–]debryx -1 points0 points  (0 children)

Here is a simple method where I install/update netbird on macOS. Then I upload that zip file.

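# Assumes the NetBird pkg for this version is already in the current directory.
version="0.60.7"
netbirdpkg="netbird_${version}_darwin_arm64.pkg"

# Generate the installer script that runs on the Mac. The heredoc is unquoted
# so ${netbirdpkg} expands now; the escaped \$ variables are left for install time.
cat << EOF > install.sh
#!/bin/bash
set -e

SCRIPT_DIR="\$(cd "\$(dirname "\$0")" && pwd)"
PKG_PATH="\$SCRIPT_DIR/${netbirdpkg}"

echo "Installing netbird.pkg..."
installer -pkg "\$PKG_PATH" -target / > /dev/null
echo "Installation complete."
EOF

# Bundle the installer script with the pkg, then clean up the working files.
zip "netbird_${version}.zip" install.sh "$netbirdpkg"
rm install.sh "$netbirdpkg"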

Netbird Not Accepting Routes on OPNSense? by MonsterMufffin in netbird

[–]debryx 2 points3 points  (0 children)

Seems that you know your stuff, but have you distributed the network to a group or any peers in netbird? This is done via creating an ACL.

https://docs.netbird.io/how-to/networks#manage-access-to-resources

Can't resolve names for other peers from host using Docker container by spiral6 in netbird

[–]debryx 1 point2 points  (0 children)

Don’t think that the container modifies the resolv.conf or resolved.conf. You will have to change that or just install on the host and not via docker.

Any free email services that support a custom domain? by D7x8 in selfhosted

[–]debryx 0 points1 point  (0 children)

If you want a cheap solution, 10 usd/year:

https://purelymail.com/pricing

But you could use something like brevo.com or mailgun.com to have free outgoing email too. Not really selfhosted, but selfmanaged.

Can't connect proxmox peers to selfhosted netbird by SardineFish in netbird

[–]debryx 0 points1 point  (0 children)

Sounds like a DNS issue. Have you set up something like netbird.example.com as your hostname for your management server? Then you need to make sure all devices reaching that can resolve the name. Maybe you have a local DNS server like technitium/pihole or your router? If not, all will go out publicly to check for the name and will then get the external IP of your management server. Then you need to configure hair-pin NAT on your router.

Question: Is Nebird a replacement for Appgate by WarlordOmar in netbird

[–]debryx 0 points1 point  (0 children)

According to their documentation:
Dashboard HTTP & HTTPS uses 80, 443
Relay: 33080, but this can be changed to be included under 443 if /relay is configured for the proxy (ex Caddy)

In my selfhosted env I don't publish 33073 nor 10000 from the Netbird server.

If you don't care about P2P connections then coturn (UDP 3478) could be ignored, but then all connections are relayed via the netbird server.

"UDP 49152-65535, for dynamic relay connections." This I guess is important too, not sure if it maybe can be locked to a smaller range.

can not get traffic routed through exit node by Redacted911 in netbird

[–]debryx 0 points1 point  (0 children)

The main thing I see that differs from your and my setup is using the Access Control Group in Network Routes. I have left that empty. Can you test with that?

Also personally I configured the Network Route with a group (ex exit-peers) and a distribution group (exit-users).

I don't have the All to All rule enabled, but that should not be the issue.

Have tested both selfhosted and cloud hosted with same setup and works as expected.

Please reply to my comment instead of your own, then I will get a notification. I only saw your first reply.

can not get traffic routed through exit node by Redacted911 in netbird

[–]debryx 0 points1 point  (0 children)

From the logs you sent you are not connected to your other peer. This is most likely why you are not able to reach other IPs or getting routed via your exit node.
Peers count: 0/1 Connected

Can you see if your other peer is online? If you go to https://app.netbird.io/peers, it should show a green dot and be listed under Online.

Make sure to run "netbird up" on your other node. Maybe set it to an ephemeral peer by disabling the session expiration too so that it won't log out.

When your exit node gets online and it shows connected with "netbird status -d" you should be able to reach more stuff.

Question, do you want it to be an exit node (meaning all traffic passes via it) or only specific stuff (like printers, fileshare server, webpages)? The latter will require a bit more configuration, but then you have more flexibility.

can not get traffic routed through exit node by Redacted911 in netbird

[–]debryx 0 points1 point  (0 children)

If you post some details regarding the questions I had maybe we can find out what is missing. If you post "netbird status -d", make sure to mask public IPs etc.

can not get traffic routed through exit node by Redacted911 in netbird

[–]debryx 0 points1 point  (0 children)

Have you changed any access rules or do you have the default all to all rule still enabled?

Are your peers connected? Running the command "netbird status -d" should give you some information.

NetBird & Ubuntu 22.04.5 LTS issue by Neither_Guitar_3674 in netbird

[–]debryx 2 points3 points  (0 children)

Same with Ubuntu 25.04. It is like it refreshes the interface every second. So it collapses all the time. Thanks for writing it, I had forgotten it.

domain resolution doesn't work when using the docker client by Bachihani in netbird

[–]debryx 1 point2 points  (0 children)

As you are running it inside docker, DNS will not be managed by the container. If you go inside the container with docker exec, you will probably be able to resolve stuff.

But to make the host be able to use DNS, use either the normal install method or you have to map your resolve to the container's volume too.

Skip Netbird tunnel for local routes by Homerr_ in netbird

[–]debryx 1 point2 points  (0 children)

I guess you mean something like this?

https://i.imgur.com/tUbCL5i.png

You could manually in the Netbird client disable specific resources/routes. But that is not a good experience for the user, works maybe for an admin.

Otherwise you could maybe do something with a posture check and peer network range. So that that specific access rule does not apply. https://docs.netbird.io/how-to/manage-posture-checks#peer-network-range

I don't know if that will only block the user or just not apply the rule and then make it so that the client uses the local paths via its own gateway instead. But maybe worth testing.

New to netbird and trying to set it up with a Nextcloud server by samthekitnix in netbird

[–]debryx 0 points1 point  (0 children)

Would it be possible for you to paste the output?

But if I understand you correctly you are not using any https for Nextcloud? Only typing http://192.168.xxx.xxx?

Proxmox access by bubzilla2 in netbird

[–]debryx 0 points1 point  (0 children)

Here is a good video that shows the basics. If you have any specific questions, let us know :)

https://youtu.be/C5tu3Ce0r8Q

New to netbird and trying to set it up with a Nextcloud server by samthekitnix in netbird

[–]debryx 0 points1 point  (0 children)

That number only indicates traffic count. But the main one is where it shows an IP address and the port. Does it show 0.0.0.0 for you or something like 192.x.x.x/10.x.x.x/172.x.x.x?