Netbird for Private Networking

For traffic to reach the application servers without a virtual private cloud (VPC), we forward that traffic through a WireGuard tunnel managed by Netbird.

This automated deployment is based on the guide at https://docs.netbird.io/selfhosted/selfhosted-quickstart.

Deploying Netbird Management Server

Prerequisites

You will need to create a DNS record for a new subdomain on your domain. These steps will be unique to your domain registrar, but it should be simple to create an A record with the desired subdomain pointed to your server's IP address.

In this example we'll choose netbird as the subdomain, so the URL for the server will be netbird.example.org

1. Edit Inventory file

The host group for web proxies is [nb]. Place the following information under that group.

The standard values:

  • The server's IP address.
  • server_tag= - This could be "netbird"
  • ansible_user= - The non-root user
  • ansible_become_pass="{{ nb_become_pass }}" - or change variable to the appropriate value in the Vault.
  • ansible_ssh_private_key_file="~/.ssh/id_ed25519_<server_tag>_<nonroot_user>" - The SSH key used to authenticate onto the server.

Extra values:

  • netbird_domain - the domain for the Netbird management server

Example:

[nb]
203.0.113.73 server_tag=netbird ansible_user=serveradmin ansible_become_pass="{{ nb_become_pass }}" ansible_ssh_private_key_file="~/.ssh/id_ed25519_netbird_serveradmin" netbird_domain="netbird.example.com"

2. Edit Ansible Vault variables

Edit the Ansible Vault file:

ansible-vault edit group_vars/all/vaulted_vars.yml

Include the following settings:

# Netbird
# If you have unique credentials for this server.
nb_become_pass: <sudo password for non-root user>

The setup under the quickstart guide for Netbird only needs a domain which is included in the inventory file, so there are no additional sensitive variables for this playbook.

3. Run Ansible playbook command

ansible-playbook lt_server_deploy.yml --ask-vault-pass --tags netbird
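
A pre-flight check for steps 1 to 3, added here as an example and not part of the original guide or its playbook: it parses the [nb] inventory entry, confirms that ansible_become_pass is a Vault variable reference rather than a literal password, and confirms that the netbird_domain A record points at the inventory IP. The function names, the sample inventory text and the stub resolver are assumptions made for this example.

```python
import re
import shlex
import socket

REQUIRED = ("server_tag", "ansible_user", "ansible_become_pass",
            "ansible_ssh_private_key_file", "netbird_domain")

def parse_nb_hosts(inventory_text):
    """Return [(host, vars)] for entries under the [nb] group of an INI inventory."""
    hosts, in_nb = [], False
    for line in map(str.strip, inventory_text.splitlines()):
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_nb = line == "[nb]"
        elif in_nb:
            host, *pairs = shlex.split(line)
            hosts.append((host, dict(p.split("=", 1) for p in pairs if "=" in p)))
    return hosts

def check_host(host, hvars, resolve=socket.gethostbyname_ex):
    """Return a list of problems for one [nb] entry; an empty list means ready."""
    problems = [f"missing {k}" for k in REQUIRED if not hvars.get(k)]
    # A literal sudo password in the inventory bypasses the Vault: require "{{ var }}".
    pw = hvars.get("ansible_become_pass", "")
    if pw and not re.fullmatch(r"\{\{\s*\w+\s*\}\}", pw):
        problems.append("ansible_become_pass is a literal, not a Vault variable")
    domain = hvars.get("netbird_domain")
    if domain:
        try:
            addrs = resolve(domain)[2]  # IPv4 addresses from the A record(s)
        except OSError as exc:
            addrs = []
            problems.append(f"{domain} does not resolve: {exc}")
        if addrs and host not in addrs:
            problems.append(f"{domain} resolves to {addrs}, not {host}")
    return problems

# Constructed sample: the inventory entry from step 1 of this page.
SAMPLE = """[nb]
203.0.113.73 server_tag=netbird ansible_user=serveradmin ansible_become_pass="{{ nb_become_pass }}" ansible_ssh_private_key_file="~/.ssh/id_ed25519_netbird_serveradmin" netbird_domain="netbird.example.com"
"""

if __name__ == "__main__":
    stub = lambda name: (name, [], ["203.0.113.73"])  # stands in for DNS, runs offline
    for host, hvars in parse_nb_hosts(SAMPLE):
        print(host, check_host(host, hvars, resolve=stub) or "ready")
```

Against a real inventory, call check_host without the resolve argument so the lookup goes to your actual resolver.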

Post-deployment setup

4. Connect to the Netbird management interface

To access the management interface, simply go to the domain you set for the server. Log in with the credentials shown at the end of the Ansible output. It should look like this.

If you accidentally close or clear your terminal, you can grab those one-time-use credentials from the file ~/netbird/setuplog.txt.

When you log in for the first time, you will be prompted to change your password. Do so and save the credentials in your password manager.

Advanced options

The Advanced guide to self-hosting Netbird provides a path to configuring many other options upfront. These include:

  • Custom identity providers (IdPs) like Keycloak, Authentik, and Zitadel.
  • Using different ports for the Netbird components.
  • Configuration of a reverse proxy.

Updating the containers

ansible-playbook lt_server_deploy.yml --ask-vault-pass --tags netbird-update -vv

Connecting your services through Netbird

1. Create Netbird Setup Key

2. Add management URL and Setup Key to vaulted_vars.yml

After creating the setup key, add the management URL and setup key to your vaulted_vars.yml file.

```
# Netbird
nb_become_pass:

# Netbird Agent Setup
nb_management_url: https://mmm.thebinarycraftsman.com
nb_setup_key:
```