Help On hosting netbird on ECS on EC2 behind ALB

Describe the problem
netbird up --management-url https:/mynetbrid.com:443 --setup-key $SETUP_KEY
Error: daemon up failed: call service up method: rpc error: code = DeadlineExceeded desc = context deadline exceeded
Peer registers with setup key, tunnel starts (wt0), but immediately disconnects. Dashboard shows “Disconnected”. Relay: 502 WebSocket + EOF loop. Signal: “no registration header” every 60s. netbird status hangs.

To Reproduce
Deploy NetBird v0.68.3 on AWS ECS on EC2 w/ nginx reverse proxy
netbird up --management-url https://mynetbird.com:443 --setup-key XXX -F
Tunnel up → immediate disconnect
Dashboard: Disconnected
Logs: 502 relay + EOF + Signal disconnects

Expected behavior
Peer stays Connected (Relay) in dashboard, stable connections.

Are you using NetBird Cloud?
Self-hosted AWS ECS on EC2 (3 containers: nginx proxy, backend, dashboard)

NetBird version

Client: v0.68.3 (Linux/macOS)
Backend: netbirdio/netbird:v2.34.0
Dashboard: netbirdio/dashboard:v2.34.0

Is any other VPN software installed?
No

Debug output

netbird status -dA : **hangs forever**
netbird debug for 1m -AS -U : **context deadline exceeded**

Key logs:

netbird up --management-url https:/mynetbrid.com:443 --setup-key $SETUP_KEY 
Error: daemon up failed: call service up method: rpc error: code = DeadlineExceeded desc = context deadline exceeded
ERRO relay WS: expected 101 got **502**  
ERRO relay: **failed to read frame header: EOF** (loop)
WARN signal: **"didn't receive registration header"**
ERRO daemon up: **DeadlineExceeded**
ERRO tunnel: **device busy** / **unix socket in use**

Backend logs:

peer connected ✓ (server-side)
management: **"no peer auth method provided"**

Screenshots

The Peer is registered but is directly disconnected
The netbird up command runs for about 3 minutes, then returns
Error: daemon up failed: call service up method: rpc error: code = DeadlineExceeded desc = context deadline exceeded

Additional context
Architecture:

ALB (gRPC 443 + HTTP/1.1) → nginx proxy → NetBird backend (80) + Dashboard (8080 localhost)
ECS Task: nginx(9443→dynamic), backend(80→dynamic,3478 UDP), dashboard(internal)

nginx config (curl gRPC tests pass grpc-status:12):

location ~ ^/(signalexchange|management)/ { grpc_pass grpc://netbird_server; grpc_set_header Authorization $http_authorization; ... }
location ~ ^/(relay|ws-proxy)/ { proxy_pass http://netbird_server; proxy_set_header Upgrade $http_upgrade; proxy_set_header Authorization $http_authorization; ... }

Issues:
Relay 502 → WebSocket handshake fails
Signal “no registration header” despite gRPC proxy working
Daemon hangs (status -dA, debug) → context timeout

Additional logs

I’m running inside an EC2 instance, using ECS. I have Nginx, Dashboard, and Server (combined), each running in a Docker container. The EC2 instance is behind an ALB, and I have created a gRPC listener for the ALB and another one for HTTP/1.1.

2026-04-17T01:07:12.476Z ERRO shared/relay/client/dialer/ws/ws.go:48: failed to dial to Relay server ‘wss://mynetbird.com:443’: failed to WebSocket dial: expected handshake response status code 101 but got 502
2026-04-17T01:07:12.476Z ERRO [relay: rels://mynetbird.com:443] shared/relay/client/dialer/race_dialer.go:79: failed to dial via WS: failed to WebSocket dial: expected handshake response status code101 but got 502
2026-04-17T01:07:16.459Z ERRO shared/relay/client/dialer/quic/quic.go:66: failed to dial to Relay server via QUIC : timeout: no recent network activity
2026-04-17T01:07:16.459Z ERRO [relay: rels://mynetbird.com:443] shared/relay/client/dialer/race_dialer.go:79: failed to dial via quic: timeout: no recent network activity
2026-04-17T01:07:16.459Z ERRO client/internal/connect.go:353: failed to connect to any relay server: all attempts failed
2026-04-17T01:07:16.473Z ERRO client/internal/engine.go:517: failed creating tunnel interface wt0: [error creating tun device: device or resource busy]
2026-04-17T01:07:18.092Z ERRO [relay: rels://mynetbird.com:443] shared/relay/client/client.go:410: failed to read message from relay server: failed to get reader: failed to read frame header: EOF
2026-04-17T01:07:21.218Z ERRO [relay: rels://mynetbird.com:443] shared/relay/client/client.go:410: failed to read message from relay server: failed to get reader: failed to read frame header: EOF
2026-04-17T01:07:21.493Z WARN client/iface/iface.go:237: failed to remove WireGuard interface wt0: timeout when waiting for interface wt0 to be removed
2026-04-17T01:07:21.508Z ERRO client/internal/connect.go:375: error while starting Netbird Connection Engine: create wg interface: error creating tun device: device or resource busy
2026-04-17T01:07:23.319Z ERRO shared/relay/client/dialer/ws/ws.go:48: failed to dial to Relay server ‘wss://mynetbird.com:443’: failed to WebSocket dial: expected handshake response status code 101 but got 502
2026-04-17T01:07:23.319Z ERRO [relay: rels://mynetbird.com:443] shared/relay/client/dialer/race_dialer.go:79: failed to dial via WS: failed to WebSocket dial: expected handshake response status code101 but got 502
2026-04-17T01:07:27.302Z ERRO shared/relay/client/dialer/quic/quic.go:66: failed to dial to Relay server via QUIC  timeout: no recent network activity
2026-04-17T01:07:27.302Z ERRO [relay: rels://mynetbird.com:443] shared/relay/client/dialer/race_dialer.go:79: failed to dial via quic: timeout: no recent network activity
2026-04-17T01:07:27.302Z ERRO client/internal/connect.go:353: failed to connect to any relay server: all attempts failed
2026-04-17T01:07:27.330Z ERRO client/iface/configurer/usp.go:316: failed to open uapi listener: unix socket in use
2026-04-17T01:07:27.346Z ERRO client/firewall/iptables/router_linux.go:119: failed to clean up rules from FORWARD chain: clear and delete chain NETBIRD-RT-FWD-IN in table filter: running [/sbin/iptables -t filter -X NETBIRD-RT-FWD-IN --wait]: exit status 1: iptables: Too many links.
2026-04-17T01:07:27.347Z WARN client/firewall/create_linux.go:55: failed to create native firewall: init firewall: router init: create containers: create chain NETBIRD-RT-FWD-IN in table filter: running [/sbin/iptables -t filter -N NETBIRD-RT-FWD-IN --wait]: exit status 1: iptables: Chain already exists.
2026-04-17T01:07:28.925Z ERRO [relay: rels://mynetbird.com:443] shared/relay/client/client.go:410: failed to read message from relay server: failed to get reader: failed to read frame header: EOF
2026-04-17T01:07:32.054Z ERRO [relay: rels://mynetbird.com:443] shared/relay/client/client.go:410: failed to read message from relay server: failed to get reader: failed to read frame header: EOF
2026-04-17T01:07:35.180Z ERRO [relay: rels://mynetbird.com:443] shared/relay/client/client.go:410: failed to read message from relay server: failed to get reader: failed to read frame header: EOF
2026-04-17T01:07:38.305Z ERRO [relay: rels://mynetbird.com:443] shared/relay/client/client.go:410: failed to read message from relay server: failed to get reader: failed to read frame header: EOF
2026-04-17T01:07:41.427Z ERRO [relay: rels://mynetbird.com:443] shared/relay/client/client.go:410: failed to read message from relay server: failed to get reader: failed to read frame header: EOF
2026-04-17T01:08:27.355Z WARN shared/signal/client/grpc.go:153: disconnected from the Signal Exchange due to an error: didn’t receive a registration header from the Signal server whille connecting to the streams

Have you tried these troubleshooting steps?

  • Reviewed client troubleshooting (if applicable)
  • Checked for newer NetBird versions
  • Searched for similar issues on GitHub (including closed ones)
  • Restarted the NetBird client
  • Disabled other VPN software
  • Checked firewall settings

Are there any other services that are running on the same EC2 instance? Or are you only using NetBird itself? If it’s the latter, install NetBird with Traefik.

If you need NGINX, check your config. See if it’s properly redirecting the connections. See

For more information

There are other servers, but they’re not using the same reverse proxy instance. I had basically the same nginx configuration described in the documentation; I can post it if needed.

If you could do that, that’d be appreciated

First of all, thank you very much for your replies, I truly appreciate it

This is my current nginx conf

upstream netbird_server {
    server backend:80;
    keepalive 10;
}

upstream netbird_dashboard {
    server dashboard:80;
    keepalive 10;
}

server {
    listen 80;
    server_name mydomain.com/;
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen      9443 ssl http2 default_server;
    listen [::]:9443 ssl http2 default_server;
    server_name mydomain.com/;

    port_in_redirect off;
    absolute_redirect off;

    include security.conf; 
    ssl_certificate     /etc/nginx/certs/cert.crt; #These are specific to our image
    ssl_certificate_key /etc/nginx/certs/cert.key; #These are specific to our image
    error_page 497 https://$host$request_uri;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Host $host;
    grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    client_header_timeout 1d;
    client_body_timeout 1d;
    proxy_read_timeout 1d;
    proxy_send_timeout 1d;

    location = /management/health {
        return 200;
    }

    location /grpc.health.v1.Health/Check {
        grpc_pass grpc://netbird_server;
        grpc_read_timeout 5s;
        grpc_send_timeout 5s;
    }

    location ~ ^/(relay|ws-proxy/) {
            proxy_pass http://netbird_server;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_set_header Host $host;
            proxy_set_header Authorization $http_authorization;
            proxy_read_timeout 1d;
    }

    # Native gRPC (signal + management)
    location ~ ^/(signalexchange\.SignalExchange|management\.ManagementService)/ {
        grpc_pass grpc://netbird_server;
        grpc_read_timeout 1d;
        grpc_send_timeout 1d;
        grpc_socket_keepalive on;
    }

    # --- BACKEND HTTP REST APIs ---
    location /api {
        proxy_pass http://netbird_server;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Port 443;
    }

    # --- AUTHENTICATION ---
    location /oauth2 {
        proxy_pass http://netbird_server;
        proxy_set_header Host $host;
    }

    # --- FRONTEND DASHBOARD (Must be last) ---
    location / {
        proxy_pass http://netbird_dashboard;
    }
}
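
One way to check the relay WebSocket upgrade that the client log reports as "expected handshake response status code 101 but got 502", as an added example that is not part of any post in this thread and not NetBird's own code. It assumes the relay is reached at `/relay` (taken from the location block above); the function names and the sample response are constructed for illustration.

```python
import base64, hashlib, os, socket, ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant from RFC 6455

def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept value a real WebSocket server must return for key."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()

def build_upgrade_request(host: str, path: str, key: str) -> bytes:
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUpgrade: websocket\r\n"
            f"Connection: Upgrade\r\nSec-WebSocket-Key: {key}\r\n"
            "Sec-WebSocket-Version: 13\r\n\r\n").encode()

def classify_response(raw: bytes, key: str) -> dict:
    """Turn the raw response head into status, Server header and a verdict."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return {"status": None, "server": None,
                "verdict": "connection closed before an HTTP response (EOF)"}
    hdr = {k.strip().lower(): v.strip()
           for k, _, v in (l.partition(":") for l in lines[1:])}
    status, server = int(parts[1]), hdr.get("server", "(not sent)")
    if status == 101:
        good = hdr.get("sec-websocket-accept") == expected_accept(key)
        verdict = "upgrade completed" if good else "101 with wrong Sec-WebSocket-Accept"
    elif status in (502, 503, 504):
        verdict = f"gateway error {status}, response carries Server '{server}'"
    else:
        verdict = f"upgrade refused with {status}"
    return {"status": status, "server": server, "verdict": verdict}

def probe(host: str, port: int = 443, path: str = "/relay", timeout: float = 10) -> dict:
    """Send one upgrade request over TLS, forcing HTTP/1.1 via ALPN."""
    key = base64.b64encode(os.urandom(16)).decode()
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["http/1.1"])
    raw = b""
    with socket.create_connection((host, port), timeout=timeout) as tcp, \
            ctx.wrap_socket(tcp, server_hostname=host) as tls:
        tls.sendall(build_upgrade_request(host, path, key))
        while b"\r\n\r\n" not in raw:
            chunk = tls.recv(4096)
            if not chunk:
                break
            raw += chunk
    return classify_response(raw, key)

# Constructed sample (not captured from the poster's system): a proxy-generated 502.
SAMPLE_502 = b"HTTP/1.1 502 Bad Gateway\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n"
if __name__ == "__main__":
    print(classify_response(SAMPLE_502, "dGhlIHNhbXBsZSBub25jZQ=="))
```

Calling `probe("mynetbird.com")` against the public hostname returns the status and the `Server` header of whichever hop answered, which helps separate a load-balancer error from an nginx one.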