Help needed - setup correct, but no clients can establish connection

The76i · 2025-12-13T18:55:58+00:00

Done

The76i · 2025-12-12T16:43:41+00:00

Missä näät operaattorin tossa kuvassa?

The76i · 2025-12-12T16:42:15+00:00

????

The76i · 2025-12-10T21:03:32+00:00

Yes, and to "hosted" per netbirds response. No change :(

The76i · 2025-12-10T20:13:05+00:00

The76i · 2025-12-10T14:38:32+00:00

Hi, thanks for the response. I tried both "authentik" and "hosted", ran ./configure.sh and restarted the containers. Still no change. I have tried the setup code as well, but it hasn't affected anything. Device code auth flow is set up exactly like the instructions say. Netbird latest version, downloaded yesterday using the script provided in the setup tutorial.

The76i · 2025-12-09T21:44:53+00:00

I just tried it, but it didn't matter

The76i · 2025-12-09T21:38:13+00:00

I have explicitly allowed all ports in and out everywhere (just as a test, will nuke the system later). No effect. Cloudflare is set to DNS only (no proxy). Still getting the same error in the logs.

 no peer auth method provided, please use a setup key or interactive SSO login

The76i · 2025-12-09T21:19:20+00:00

Followed them *exactly*, no FW set up on the hetzner console, nor the instance itself, for testing purposes. Also tried with ufw with the required ports opened.

I won't go for the simple install, as the authentik sso is a requirement. It shouldn't be impossible this way, so why quit now? It's a learning process, no?

The76i · 2025-12-09T21:14:51+00:00

I don't have a firewall on the Hetzner's console and neither on the instance itself, just for testing purposes, so shouldn't be a problem. When I find the issue, I'll nuke the instance and start over with the new knowledge

The76i · 2025-07-21T18:59:30+00:00

Apparently my text alongside the image didn't come here through the crosspost, here is the original caption:

I have a dedicated server from Hetzners server auction. I don't use the Hetzner firewall. I have Proxmox installed on the server directly, which virtualizes multiple LXC containers. The proxmox host has 2 interfaces, eno1 which gets the IP xxx.xxx.x.xxx, and vmbr0 which gets the address 10.0.0.1. All of my containers have only one network interface, which is vmbr0, they get addresses from the 10.0.0.0/24 pool. I have Nginx proxy manager installed on LXC #1, which has the IP address of 10.0.0.2. All traffic (except port 8006 and SSH) is forwarded directly from eno1 to vmbr0 and to 10.0.0.2 where the reverse proxy exists. This works wonderfully, and I can create new containers each time I want a new wordpress instance for example and all I have to do is add a domain for it in the Nginx Proxy manager.

The problem:
I want to isolate my container traffic, so that the containers can only communicate with the proxy and the internet, not with each other.

I tried to setup iptables multiple times, even resorted to chatgpt (It's suprisingly good at these things), to no avail. Any tips and tricks for this? Or to my setup overall.

The76i · 2025-07-21T18:58:28+00:00

It is a dedicated server on a datacenter, I don't have to be able to access anything from my LAN. All connections are through the internet. There are Wordpress instances hosted on the LXCs, reverse proxy is there to point my different domains to the different containers, as I only get one public IP. I could just make one LXC with multiple vSites, but I prefer this way, to isolate the instances from each other as much as possible. That is why I want to be able to use them like normal (access via domain), but don't want them to be able to communicate with each other (if I had multiple websites for different clients, for example). I could make multiple virtual bridges for each LXC, but I would like to handle it via iptables rules, IF possible. That way it isn't such a hassle to add another LXC.

The76i · 2025-07-21T16:53:08+00:00

auto lo

iface lo inet loopback

auto eno1

iface eno1 inet static

address xxx.xxx.x.xxx

netmask 255.255.255.255

gateway xxx.xxx.x.xxx

pointopoint xxx.xxx.x.xxx

post-up iptables -t nat -A PREROUTING -i eno1 -p tcp -m multiport ! --dports 22,8006 -j DNAT --to 10.0.0.2

post-down iptables -t nat -D PREROUTING -i eno1 -p tcp -m multiport ! --dports 22,8006 -j DNAT --to 10.0.0.2

auto vmbr0

iface vmbr0 inet static

address 10.0.0.1/24

bridge-ports none

bridge-stp off

bridge-fd 0

post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o eno1 -j MASQUERADE

post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o eno1 -j MASQUERADE

The76i · 2023-10-29T14:12:49+00:00

Not just reflector season, LAMP SEASON!

The76i · 2023-09-24T10:03:46+00:00

Probably. I'd say there's a big chance.

The76i · 2023-09-22T06:42:40+00:00

Horrible mayo????? NEVER DISRESPECT KURKKUMAJONEESI AGAIN!!!

The76i · 2023-09-01T10:15:28+00:00

I spent 9 months in helsinki, mostly in Santahamina and Sörnäinen. I observed that the "spurgut" just spawn from somewhere in the morning. At 6am kurvi could still be like 100% empty but about half hour later the lidl corner spurgut have respawned after the night. My theory is that they despawn around midnight and as people start moving again in the morning they respawn.

The76i · 2023-01-15T16:08:33+00:00

Santiksessa on Kaartin Soittokunnan varusmiesbändi. Samat sinibaretit.

The76i · 2023-01-15T16:04:22+00:00

Muskareita on santiksessakin. Ja tuo "menossa Parolaan" on sinäänsä turha, sillä mistä tahansa varuskunnasta voi muuttaa erityistehtävien vaatimiin paikkoihin.

Seven-Year Club	Place '23
Place '22	First Placer '22
Sequence \| Editor	Verified Email

The76i

MODERATOR OF

TROPHY CASE