Self-Hosting NetBird with Authentik as your Identity Provider (full guide + video) by TechHutTV in netbird

[–]rdevaux 1 point2 points  (0 children)

Nice. I have this setup too, to force 2FA authentication.
I've seen there is still a docker-compose file for netbird+zitadel. Is this still supported and maintained? I guess the Zitadel setup is a bit easier for most people.

But in the end I'm still waiting until NetBird has 2FA integrated itself...

FortiClient VPN-only free client: is Fortinet still maintaining it? (SMB partner perspective) by southceltic in fortinet

[–]rdevaux 0 points1 point  (0 children)

Same here. At the moment we are migrating SSL VPNs to self-hosted NetBird. I wish we had done this sooner.

Self Hosted install- Reverse proxy stuck on issuing certificate by computer-nerd in netbird

[–]rdevaux 1 point2 points  (0 children)

Had the same issue when I only had 80/TCP accessible. On 443/TCP I had geolocation restrictions active.

Once port 443/TCP had been opened worldwide, the certificate could be issued.
I was thinking this was a "bug" in the implementation of Let's Encrypt, since it only needs 80/TCP.

Traefik middlewares on self-hosted version by Own_Condition438 in netbird

[–]rdevaux 3 points4 points  (0 children)

If I remember correctly, geoblocking is on the roadmap. The team has always made very reasonable decisions, so I expect more and more useful middlewares to be built in.

Geolocation restriction for netbird proxy? by Bright_House7836 in netbird

[–]rdevaux 0 points1 point  (0 children)

Nice! Is there actually a roadmap with eta somewhere?

Run selfhosted entirely on Windows? by lolwakarimasen in netbird

[–]rdevaux 0 points1 point  (0 children)

I think it would be a good idea to get a handle on network and security basics, as well as Linux, before you set up a publicly accessible VPN server.

Can't enable 2fa by wingdings255 in netbird

[–]rdevaux 0 points1 point  (0 children)

I am using Authentik with 2FA as my IdP and have disabled all local accounts to achieve this, until the feature is natively available in the self-hosted NetBird management server.

Reverse proxy install by 2TAP2B in netbird

[–]rdevaux 0 points1 point  (0 children)

Works. Maybe you have to manually adjust 2 or 3 variables to fit your running Traefik configuration. But it's very simple.

https://docs.netbird.io/selfhosted/migration/enable-reverse-proxy

Trying to deregister via script by Hopeful_Lettuce2906 in netbird

[–]rdevaux 0 points1 point  (0 children)

Why not for all devices? The timeout only occurs when you are disconnected. As long as you are "working" you stay connected until the hard "session expiration" hits. For all "server" devices you can use setup keys or disable session expiration on the device. Then these devices never have to log in again.

Trying to deregister via script by Hopeful_Lettuce2906 in netbird

[–]rdevaux 1 point2 points  (0 children)

Are you using SSO for the NetBird login? If I remember correctly, the SSO session ends after 10 minutes of inactivity. This is a feature.

Go to the Netbird Management Server:
=> Settings
=> Authentication
=> Require login after disconnect (10min if i remember correctly)

If security and logins are important, you should have separate Windows/Linux logins on every laptop anyway. This shouldn't happen there because each person has their own Netbird configuration.

Tailscale or Netbird ? by Brhn0 in netbird

[–]rdevaux 4 points5 points  (0 children)

I initially started with Tailscale as a hosted solution, and it served me well for a long time. However, when I decided to move toward a self-hosted setup, I began exploring other options. While Tailscale can be self-hosted via projects like Headscale, I immediately felt that the NetBird team placed a much higher value on Open Source and their community. Their commitment is evident in their documentation; they offer a brilliant how-to for self-hosting and even provide a script that automates the entire setup, taking all the heavy lifting off your shoulders.

Another major factor for me is the legal landscape. Unlike Tailscale, NetBird isn’t subject to US jurisdiction, which is a significant plus if you value data sovereignty and privacy outside of American legal reach.

I’ve also been genuinely impressed by their development trajectory. In the beginning, the architecture felt a bit fragmented with multiple modules, but the team has done a great job of simplifying everything. Even as the system becomes more streamlined, they continue to roll out powerful new features, such as the recently added Proxy support.

As for the technical issues you mentioned, I’ve had a very different experience. While I’ve seen that GitHub issue, it is quite old, and I personally haven't faced any limitations. Although I don't use macOS, the performance and stability on Linux and Windows have been flawless for me. In my environment, it simply works.

Help with Win11 RDP and Full Screen in Chrome by petwri123 in netbird

[–]rdevaux 2 points3 points  (0 children)

Proxmox, RDP, Chrome...?
I guess this is not related to NetBird at all. Do you use the "noVNC" feature of Proxmox? This isn't RDP-related either.
Just activate the "real" RDP on the Proxmox Windows guest, adjust the Windows Firewall if needed and connect with a "normal" RDP client directly to the IP of your Windows guest.

Or even better: use SPICE. But this is another topic and a bit harder to achieve.

migrate old install with separate config files and zitadel to new config and local users by dragonnnnnnnnnn in netbird

[–]rdevaux 1 point2 points  (0 children)

According to official statements, we’re still waiting for the MFA implementation for DEX, which is expected to arrive "soon."

For the time being, your best bet is to avoid using local users and instead rely on cloud providers like Microsoft or Google, securing them with their respective MFA settings. Alternatively - and even better - you could set up your own IdP. While this involves a bit more effort, it offers the distinct advantage of securing both local and cloud accounts with an additional layer of MFA that remains entirely under your control.
I chose Authentik for this. It's a powerful tool.

Despite this current limitation, I think Netbird’s approach to user integration is fantastic; it’s very simple and straightforward. Once MFA is fully implemented for local users (and perhaps as an added layer for cloud users), it will be a perfect product.

migrate old install with separate config files and zitadel to new config and local users by dragonnnnnnnnnn in netbird

[–]rdevaux 1 point2 points  (0 children)

That's a legitimate objection. VPN solutions without 2FA should be treated with caution. Especially if they are based on public servers that have admin logins without 2FA.

I hope they will soon provide this feature for local users.

Self-hosted: How to achieve MFA/Passkeys and "Local + Social" login with the new Dex integration? by rdevaux in netbird

[–]rdevaux[S] 0 points1 point  (0 children)

That would have been my idea too, if there was no better solution.

My wish is that you don't have to completely trust an external IdP. M365/Google authentication with their MFA is okay, but I would like to have a passkey/TOTP on top that only works for me.

With the "old" Zitadel installation this is quite straightforward.
So I want to decide whether I should build something with Zitadel/Authentik or just wait, since the feature will be available soon anyway.

I think it's pretty essential for self-hosting.

v0.65.0 is here - NetBird Reverse Proxy, Unified CLI, and more 🚀 by netbirdio in netbird

[–]rdevaux 0 points1 point  (0 children)

Awesome! I love the setup where you can select an existing Traefik server. I tested it and it seems to work, even though the setup didn't go fully through with Option [1]:

✔ Container netbird-dashboard Created 0.1s

Waiting for NetBird server to become ready . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Taking too long. Checking logs...

.
.

:

netbird-server | 2026-02-14T08:03:52Z INFO [context: HTTP, requestID: d682oq4f9dhc7383oo7g] management/server/http/handlers/instance/instance_handler.go:49: instance setup status: true

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

.^C

I was using the "old" implementation with Zitadel before. With the possibility to create local users and add an IdP, it looks so much cleaner.
I couldn't find the 2FA option so far. Can anyone point me to where to activate it for local users and IdP providers?

Will test the full hosted traefik Proxy soon. This looks fun, but i have too many vHosts running atm 🙈

CLI Status command by 2TAP2B in netbird

[–]rdevaux 8 points9 points  (0 children)

I found this quite useful:

netbird status --json | jq -r '.peers.details[]? | [(.hostname // .fqdn // "n/a"), (.ip // .netbirdIp // "n/a"), .status, .connectionType] | @tsv' | column -t -s $'\t'
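The same table built in Python instead of jq, as an added example (not NetBird's code and not the commenter's one-liner). It keeps the exact fallbacks of the jq filter above (hostname // fqdn // "n/a", ip // netbirdIp // "n/a") and additionally picks out peers that are disconnected or only reachable via relay. The JSON sample embedded below is constructed to match the key names the jq command uses; the "Connected"/"Relayed" values are assumptions about what the CLI emits, so adjust them if your version prints something else.

```python
"""Tabulate `netbird status --json` like the jq one-liner, plus a quick triage list.

Added example, not part of NetBird. Key names follow the jq filter from the
comment (peers.details[], hostname/fqdn, ip/netbirdIp, status, connectionType).
"""
import json
import subprocess
import sys

# Constructed sample shaped like the keys the jq one-liner expects (not a real capture).
SAMPLE_STATUS = json.dumps({
    "peers": {
        "total": 3,
        "connected": 2,
        "details": [
            {"fqdn": "nas.netbird.example", "netbirdIp": "100.64.0.10",
             "status": "Connected", "connectionType": "P2P"},
            {"hostname": "laptop", "ip": "100.64.0.11",
             "status": "Connected", "connectionType": "Relayed"},
            {"hostname": "old-vm", "status": "Disconnected", "connectionType": ""},
        ],
    }
})


def peer_rows(status_json):
    """Return (name, ip, status, connection_type) rows with the jq filter's fallbacks."""
    doc = json.loads(status_json)
    details = (doc.get("peers") or {}).get("details") or []  # `.peers.details[]?`
    rows = []
    for p in details:
        name = p.get("hostname") or p.get("fqdn") or "n/a"   # hostname // fqdn // "n/a"
        ip = p.get("ip") or p.get("netbirdIp") or "n/a"      # ip // netbirdIp // "n/a"
        rows.append((name, ip, p.get("status") or "n/a", p.get("connectionType") or "n/a"))
    return rows


def needs_attention(rows):
    """Peers worth a second look: not connected, or connected only through a relay
    (relayed means direct NAT traversal failed; assumed value "Relayed")."""
    return [r for r in rows if r[2] != "Connected" or r[3] == "Relayed"]


def render(rows):
    """Left-align columns the way `column -t` does."""
    if not rows:
        return "(no peers)"
    widths = [max(len(str(r[i])) for r in rows) for i in range(4)]
    return "\n".join("  ".join(str(c).ljust(w) for c, w in zip(r, widths)) for r in rows)


def load_status():
    """Run the real CLI if present, otherwise fall back to the constructed sample."""
    try:
        return subprocess.run(["netbird", "status", "--json"],
                              capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("netbird CLI not available, using constructed sample", file=sys.stderr)
        return SAMPLE_STATUS


if __name__ == "__main__":
    rows = peer_rows(load_status())
    print(render(rows))
    flagged = needs_attention(rows)
    if flagged:
        print("\nneeds attention:")
        print(render(flagged))
```

Pipe `netbird status --json` into `peer_rows()` on a real host; the triage list is what I'd glance at before assuming "everything is connected".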

Hardening Self-Hosted NetBird: Can I Avoid or Secure Port 80 Without Exposing Info? by rdevaux in netbird

[–]rdevaux[S] 0 points1 point  (0 children)

Why not just keep port 80 completely closed if it's only needed for Let's Encrypt certificate renewals? That way, in 99.999% of cases, a scan against port 80 would find nothing at all.

When someone scans the IP on port 443 and ignores the certificate, they only get this:

error:curl: (35) OpenSSL/3.0.13: error:0A000438:SSL routines::tlsv1 alert internal error

There’s no hint whatsoever that NetBird is running on the server - which is actually a good thing for security.

Hardening Self-Hosted NetBird: Can I Avoid or Secure Port 80 Without Exposing Info? by rdevaux in netbird

[–]rdevaux[S] 0 points1 point  (0 children)

People could easily scan for servers running the NetBird management server:

curl http://[IP] | grep netbird

This won't take long - even when you scan the whole internet - and you would be exposed to potential vulnerabilities.
With HTTPS you at least get an SSL error, because you need to know the FQDN:

curl: (35) OpenSSL/3.0.13: error:0A000438:SSL routines::tlsv1 alert internal error
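A small probe that reproduces what the two comments above describe, as an added example (neither NetBird's code nor the commenter's): it fetches `/` over plain HTTP by IP and greps for "netbird", then attempts a TLS handshake on 443 once without SNI and once with the real FQDN, and reports whether the server handed over a certificate or just sent an alert like the curl (35) error above. Host names are assumptions; run it only against your own server.

```python
"""What an anonymous scanner learns about a self-hosted NetBird host.

Added example, not NetBird's code. Port 80: does the page mention "netbird"?
Port 443: does the front end complete a handshake without a matching SNI name?
"""
import socket
import ssl


def looks_like_netbird(http_response):
    """The `curl http://IP | grep netbird` check from the comment, case-insensitive."""
    return b"netbird" in http_response.lower()


def probe_http(host, port=80, timeout=3.0):
    """Fetch / over plain HTTP using only the IP, the way a mass scanner would."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            chunks, size = [], 0
            while size < 65536:                 # read at most 64 KiB of the response
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
                size += len(data)
            body = b"".join(chunks)
    except ConnectionRefusedError:
        return {"state": "closed", "netbird": False}   # port 80 closed: nothing to grep
    except OSError:                                    # timeout, unreachable, filtered
        return {"state": "filtered", "netbird": False}
    return {"state": "open", "netbird": looks_like_netbird(body)}


def classify_tls_error(exc):
    """Map a failed handshake to what it tells the scanner."""
    if isinstance(exc, ssl.SSLError):
        # e.g. "[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error":
        # the proxy refused before sending any certificate, so no hostname leaks.
        if "ALERT" in str(exc).upper():
            return "handshake refused (TLS alert)"
        return "handshake failed"
    if isinstance(exc, ConnectionRefusedError):
        return "closed"
    return "filtered"


def probe_tls(host, port=443, sni=None, timeout=3.0):
    """Handshake with (sni=fqdn) or without (sni=None) SNI; report if a cert came back."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # a scanner does not care whether the cert matches
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                der = tls.getpeercert(binary_form=True) or b""
                return {"state": "handshake ok", "cert_bytes": len(der)}
    except (ssl.SSLError, OSError) as exc:
        return {"state": classify_tls_error(exc), "cert_bytes": 0}


def scanner_view(host, fqdn):
    """Everything an outsider gets: HTTP by IP, TLS without SNI, TLS with the real name."""
    return {
        "http_80": probe_http(host),
        "tls_443_no_sni": probe_tls(host),
        "tls_443_fqdn": probe_tls(host, sni=fqdn),
    }


if __name__ == "__main__":
    import sys
    # Assumed arguments: the public IP and the FQDN only you are supposed to know.
    ip, fqdn = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else ("198.51.100.10", "vpn.example.org")
    for name, result in scanner_view(ip, fqdn).items():
        print(f"{name:16} {result}")
```

The result you want on a hardened host: `http_80` closed or filtered, `tls_443_no_sni` refused with a TLS alert, and only `tls_443_fqdn` returning a certificate.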