Netbird v0.69.0 + npm can't reach peers other than local resources

Is NPM capable as reverse proxy with source from other peers?

What does not work:

Can't reach services like nextcloud, nginx, adguard, ... with NPM (instead of internal reverse proxy) on other subnets on peers.

What does work:

Local subnets that are in the same physical network are reachable through NPM and all hosted services work (nextcloud, nginx, adguard, ...).

To Reproduce

  1. install NPM in docker with network:
services:
  npm:
    image: "jc21/nginx-proxy-manager"
    container_name: npm
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "81:81"

    networks:
      - npm-network

    volumes:
      - ./data:/data
      - ./certs:/etc/letsencrypt

networks:
  npm-network:
    external: true
  2. Install netbird with official command
choose Option 3 for npm
use network "npm-network"
  3. create proxy host in npm with:

tick http2, exploit and in advanced tab use:

# Advanced Configuration for Nginx Proxy Manager
# Paste this into the "Advanced" tab of your Proxy Host configuration
#
# IMPORTANT: Enable "HTTP/2 Support" in the SSL tab for gRPC to work!

# Required for long-lived connections (gRPC and WebSocket)
client_header_timeout 1d;
client_body_timeout 1d;

# WebSocket connections (relay, signal, management)
location ~ ^/(relay|ws-proxy/) {
    proxy_pass http://netbird-server:80;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 1d;
}

# Native gRPC (signal + management)
location ~ ^/(signalexchange\.SignalExchange|management\.ManagementService)/ {
    grpc_pass grpc://netbird-server:80;
    grpc_read_timeout 1d;
    grpc_send_timeout 1d;
    grpc_socket_keepalive on;
}

# HTTP routes (API + OAuth2)
location ~ ^/(api|oauth2)/ {
    proxy_pass http://netbird-server:80;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

Expected behavior

I need clean advice on how to expose services with npm where the source comes from peers on other subnets.

I need Netbird as a replacement for my existing solution with site2site wireguard and zoraxy reverse proxy between “homelab proxmox” ←→ “Hetzner vps”

Are you using NetBird Cloud?

self-host NetBird’s control plane.

NetBird version

v0.69.0

Is any other VPN software installed?

wireguard on my “opnsense firewall vm” on my “proxmox host” (Port 51825)

site2site wireguard on “local proxmox vm” between Hetzner (51820 not exposed in local Firewall)

“Both shouldn't interfere because I use this setup locally in my homenet for testing before I switch to Hetzner”

Debug output

Peers detail:
firefox-149-browser-client-20-3.netbird.selfhosted:
NetBird IP: 100.65.20.3
Public key: ZGTFCo1fpMiVVSP3SLQCpQOwb/QvasSLdTqu6H/jpSs=
Status: Connecting
– detail –
Connection type: -
ICE candidate (Local/Remote): -/-
ICE candidate endpoints (Local/Remote): -/-
Relay server address:
Last connection update: 1 hour, 37 minutes ago
Last WireGuard handshake: -
Transfer status (received/sent) 0 B/0 B
Quantum resistance: false
Networks: -
Latency: 0s

netbird-peer-pe.netbird.selfhosted:
NetBird IP: 100.65.64.247
Public key: F8qVXZb1v6IsAyHgZdawtkvO5Iq68BaEIRJS86kO0UA=
Status: Connecting
– detail –
Connection type: -
ICE candidate (Local/Remote): -/-
ICE candidate endpoints (Local/Remote): -/-
Relay server address:
Last connection update: 1 hour, 37 minutes ago
Last WireGuard handshake: -
Transfer status (received/sent) 0 B/0 B
Quantum resistance: false
Networks: -
Latency: 0s

pbs-zero2.netbird.selfhosted:
NetBird IP: 100.65.168.71
Public key: K17POQC4VQwBpG77McywUmRLu+6EjaMRBnwmKLpTLEo=
Status: Connected
– detail –
Connection type: Relayed
ICE candidate (Local/Remote): -/-
ICE candidate endpoints (Local/Remote): -/-
Relay server address: rels://netbird.anon-mIbst.domain:443
Last connection update: 1 hour, 37 minutes ago
Last WireGuard handshake: 2 minutes, 20 seconds ago
Transfer status (received/sent) 33.3 KiB/46.7 KiB
Quantum resistance: false
Networks: -
Latency: 0s

Events:
[INFO] SYSTEM (fb4772db-f245-4595-9028-86cf441d254e)
Message: Network map updated
Time: 1 hour, 31 minutes ago
[INFO] SYSTEM (6822a2b1-160d-4e74-9b1f-ef497910cd05)
Message: Network map updated
Time: 1 hour, 31 minutes ago
[INFO] SYSTEM (e271fc89-1b77-4e22-a466-e01608e8bacf)
Message: Network map updated
Time: 1 hour, 28 minutes ago
[INFO] SYSTEM (75a1c675-1825-47c6-9ee2-c15929010ba7)
Message: Network map updated
Time: 1 hour, 27 minutes ago
[INFO] SYSTEM (f869c672-3457-442c-8f8d-d26b09ac08af)
Message: Network map updated
Time: 1 hour, 27 minutes ago
[INFO] SYSTEM (d19d8da4-d4d5-4364-9180-40290f0871e4)
Message: Network map updated
Time: 1 hour, 25 minutes ago
[INFO] SYSTEM (007d37fe-f6c5-4413-ab98-240270dbbf3c)
Message: Network map updated
Time: 1 hour, 24 minutes ago
[INFO] SYSTEM (5ec56e6d-3359-4274-991d-b474878e8902)
Message: Network map updated
Time: 1 hour, 24 minutes ago
[INFO] SYSTEM (cf6dea08-0f18-4ff5-8748-f3ea245c7389)
Message: Network map updated
Time: 1 hour, 24 minutes ago
[INFO] SYSTEM (367b6b43-ed10-4791-ae74-1ecb4afc0c06)
Message: Network map updated
Time: 1 hour, 20 minutes ago
OS: windows/amd64
Daemon version: 0.69.0
CLI version: 0.69.0
Profile: default
Management: Connected to https ://netbird.anon-mIbst.domain:443
Signal: Connected to https ://netbird.anon-mIbst.domain:443
Relays:
[stun:netbird.anon-mIbst.domain:3478] is Available
[rels://netbird.anon-mIbst.domain:443] is Available
Nameservers:
FQDN: kemi-zenbook.netbird.selfhosted
NetBird IP: 100.65.226.231/16
Interface type: Userspace
Quantum resistance: false
Lazy connection: false
SSH Server: Disabled
Networks: 0.0.0.0/0, 10.0.0.0/24
Peers count: 1/3 Connected

Have you tried these troubleshooting steps?

  • Reviewed client troubleshooting (if applicable)
  • Checked for newer NetBird versions
  • Searched for similar issues on GitHub (including closed ones)
  • Restarted the NetBird client
  • Disabled other VPN software
  • Checked firewall settings
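
A triage helper for the peer status dump pasted under "Debug output" above, as an added example that is not part of the original post or of NetBird. The field names are taken from that dump; the sample text is constructed, and reading a per-peer `Networks: -` as "no routed network via this peer" is an assumption.

```python
# Constructed sample in the layout of the "Debug output" above (made-up names/IPs).
SAMPLE = """\
Peers detail:
app-a.netbird.selfhosted:
NetBird IP: 100.65.0.10
Status: Connecting
Last WireGuard handshake: -
Networks: -

router-b.netbird.selfhosted:
NetBird IP: 100.65.0.20
Status: Connected
Connection type: Relayed
Last WireGuard handshake: 2 minutes, 20 seconds ago
Networks: -

FQDN: laptop.netbird.selfhosted
NetBird IP: 100.65.0.1/16
"""

def parse_peers(text):
    """Return {peer_name: {field: value}} for each block under 'Peers detail:'."""
    peers, current, prev = {}, None, ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:                      # a blank line ends a peer block
            current = None
        elif line.startswith("NetBird IP:") and prev.endswith(":"):
            # previous line was "<fqdn>:"; the client's own IP follows "FQDN: ..." instead
            current = peers.setdefault(prev[:-1], {"NetBird IP": line.split(":", 1)[1].strip()})
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
        prev = line
    return peers

def diagnose(peer):
    if peer.get("Status") != "Connected":
        never = peer.get("Last WireGuard handshake", "-") == "-"
        return "no tunnel, no handshake yet" if never else "tunnel down"
    notes = []
    if peer.get("Connection type") == "Relayed":
        notes.append("relayed, no direct path")
    # Assumption: a per-peer "Networks: -" means no routed network is reachable via it.
    if peer.get("Networks", "-") == "-":
        notes.append("no routed networks")
    return "; ".join(notes) or "ok"

def report(text):
    return {name: diagnose(peer) for name, peer in parse_peers(text).items()}

print(report(SAMPLE))
```
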

What exactly are you trying to do? Reach services in the same place as NetBird under NPM while routing back to NPM to get to those services?


I have installed netbird on Hetzner Server and want services on my “local homelab” available on far away Hetzner

Services on the same network where netbird is installed are working

I just want to know if there are limitations if using NPM in Combination with Netbird
Thanks for reply

VPN works, just NPM doesn't reach the “Hello World Nginx Container”

Ah, I see. You are using Networks; make sure you’ve created an Access Policy, otherwise the connection between NPM and the service is blocked. Alternatively, check if NPM itself has access to the routing peer/service behind the routing peer.

Okay, now it works. What I needed was a “route” with peer “OPNsense”

and

A peer on the Hetzner Server (host, no docker)

Perfect now :slight_smile:
Thank you

Now that it works I can dive into policies to enhance permissions :slight_smile:

