Describe the problem
My goal is to use Netbird to allow access to my homelab for friends/relatives and thus to have granular control over which services they can access. Currently, I’m testing this with three services: PiHole, Nginx Proxy Manager and Vaultwarden.
All of these devices are also peers in Netbird and belong to different groups:
Homelab (NPM, PiHole, Vaultwarden): Peers that are in my homelab
Vault (Vaultwarden, Pixel): Peers that make use of Vaultwarden
Trusted devices (XPS-15, Pixel): Peers that I trust to have access to services on my homelab; in particular, these use PiHole as their DNS
Admin (XPS-15): Peers that have full access to the homelab
Proxy (NPM): Proxy peer
DNS (PiHole): DNS peer
Now, the problem is that if Pixel is only in group Trusted devices, it still manages to access both Vaultwarden and NPM, via vault.mytld.com and npm.mytld.com, while being outside the local network (cellular data).
Expected behavior
What I would expect is that PiHole would resolve vault.mytld.com to mytld.com to 192.168.1.167 and then NPM would try to redirect to 192.168.1.113 but should fail, since that resource is only for peers in group Vault.
So I am not 100% sure about the setup yet, but currently, if I read your setup correctly, you are expecting a client to not be able to connect if they don’t have the group or network for the app you are trying to make it to.
In this case, people go to NPM and from NPM to VaultWarden. If so, once a NetBird client reaches NPM it does not further evaluate the access, as NPM is a reverse proxy.
What you might be looking into is installing a reverse proxy (NGINX) on every machine and making the server itself proxy the request, rather than using a machine to do it directly, saving you the trouble of having another check inside of the app.
I think this sounds overly complicated. I’ll try to explain my need in more detail.
Let’s forget about the schematic I added.
Netbird is running on a VPS.
At home, I have a homelab with the following services:
NPM: Reverse proxy and handles HTTPS.
PiHole: Used as a DNS, forwards every *.domain.com to domain.com and domain.com to NPM’s IP.
Vaultwarden: A service accessible in my local network with vault.domain.com
I have a Pixel phone. I want this phone to access my homelab network entirely and use PiHole, so for instance access vault.domain.com when I’m on the go.
I have a family member who also needs to access Vaultwarden with vault.domain.com, but I don’t want him to access anything else on my home network.
A rough idea you could do is set up a network and make it a DNS based resource. Then allow/deny access based on the network rules of said resource. Otherwise, if you allow port 80/443 on NPM, any domains that are on NPM can be accessed. You don’t have access to the network, but you do to all domains.
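As an added illustration of the point made in both replies (NetBird stops evaluating once a peer reaches NPM on 80/443, so the per-hostname check has to happen on the proxy), here is a server block for the vault.domain.com proxy host with an nginx-level allow list. This is example configuration, not anything from the thread or from NetBird/NPM; the 100.64.0.x addresses are assumed placeholder NetBird peer IPs for the Vault-group devices, the NetBird default range is assumed to be 100.64.0.0/10, and the block is assumed to be placed via NPM's custom nginx configuration for that proxy host.

```nginx
# Added example (not from the thread): restrict the vault.domain.com vhost on NPM
# to the NetBird peers of the "Vault" group. A peer in "Trusted devices" can still
# reach NPM on 443, but gets 403 for this hostname instead of being proxied through.
server {
    listen 443 ssl;
    server_name vault.domain.com;

    # Placeholder NetBird peer IPs (assumption): take the real ones from the
    # NetBird dashboard. Source addresses seen here are the peers' NetBird IPs
    # when the request arrives over the NetBird interface.
    allow 100.64.0.10;   # Pixel (assumed)
    allow 100.64.0.11;   # family member's device (assumed)
    deny  all;           # every other source, including other Trusted devices

    location / {
        # Vaultwarden backend, as given in the original issue
        proxy_pass http://192.168.1.113;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The allow/deny list is evaluated on $remote_addr, so it only works if peers reach NPM directly over NetBird rather than through another hop that rewrites the source address; other proxy hosts (for example npm.domain.com) need their own list, otherwise the "all domains on NPM" problem remains for them.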