Hey everybody, welcome back to Jim's Garage. In this video we're going to be setting up our own mesh VPN network using NetBird. Now, in a previous video I showed you how to use Headscale, and that was a prelude to me setting up my own private virtual cloud. I thought, hmm, this is the opportune moment to go and test NetBird, because I know a load of you guys have been asking for this. I'm really pleased to say that I'm probably going to be switching from Headscale to NetBird, and hopefully by the end of this video you'll see why. From everything I've seen so far and the limited use I've had over the past week: much better UI, easier to use, a little bit more complicated perhaps to set up, but I'm going to solve that for you today. Everything just seems to be a lot more polished. Now obviously there's Tailscale and you can go and use that, and there's no problem with that; I'm just comparing this to something like Headscale, which does work but again doesn't have that same level of polish. Anyway, if you want to hear more about the theory of what a mesh VPN is, go and check out my previous videos. I won't cover that in this one, because we've got enough configuration to get through, so let's now hop into the configuration.

I'll take you through a review of the documentation on the NetBird website, because there are a few ways that you can set this up. I'm going to show you how to set this up using an existing Traefik proxy, which if you follow my videos you already have, and you likely already have anyway, be it Traefik, nginx or whatever. It's also going to use Authentik as an identity provider, or be it you can use something like Zitadel or Keycloak (again, I have videos on those), but the key thing there is that it's going to be using an existing identity provider. You can also use external identity providers, but I'm not going to do that in this video; we want to keep this all self-hosted. On top of that, it's obviously going to be running in Docker, and there are a few configuration files we need to tweak before we get this up and running, so let's hop straight into it.

So if we head over onto their website, you'll see that it's configured very similarly to Tailscale. There are enterprise offerings for this where you can sign up to their website and use the existing service that they provide for you. What we're interested in, though, is doing the self-hosted approach. So if we go on to the install (sorry, the zoom function doesn't work on this page for some reason), here you can see how you can basically download the clients and get this up and running. By default this is going to be using the enterprise version, or the NetBird-hosted version, similar to how most people will be consuming Tailscale, even the free version. But we don't want to do that; we actually want to set this up ourselves. Do bear in mind, though, that this is how we'll be setting up and downloading clients later once we have our own server set up.

So what we need to do is click onto the installation guide. Once we're in the installation guide there are quite a few things that we can do. As I alluded to at the beginning of the video, there are actually a number of ways to set this up. There is the quick start guide; if we click on here there's a handy video, and actually the quick start guide is as quick as using the enterprise version, where you just need to go through their website and download the clients. Then if we look down the left-hand side you'll see the self-hosted section, and again there's a quick start guide. This quick start guide will basically download everything you need: you can run this script here, say you have a virtual machine or a bare-metal box, and within a few minutes it will basically pull down Docker, it will then deploy an identity provider (I think by default it's Zitadel, which I've covered before), and then it will set up the Docker containers necessary to run NetBird on your machine, and it will sort out all of the certificates for you, the reverse proxy and all of that. Which is great if you just want to get this up and running quickly, but obviously not great if you have an existing setup like I assume you have.

For that instance we're going to need to go to the advanced guide. Now this is where it got a little bit tricky, and it took me a little bit of time to figure all of this out. That's because, again, in the advanced guide there are basically two options: there's the one that sets this up just on your own infrastructure, and then, if you actually look at the bottom right here, you see this "Advanced: running NetBird behind an existing reverse proxy", and there are additional configurations for not using Zitadel. So in this instance I'm going to be using Authentik. The only reason I do that is because typically, for a home lab environment, I find Authentik ticks all of the boxes. Don't get me wrong, Keycloak and Zitadel are both great products, but for a lot of home applications that still don't support OAuth2 etc. you need to fall back to that proxy, and neither of those offerings has the proxy, whereas Authentik does.

So let's have a quick look now through the advanced guide for setting this up. I'm going to whistle through this so that I can get onto the actual technical configuration. For the advanced guide, you basically need to ensure that you've got a virtual machine with Docker already installed, you need to have a public IP address, and you need to make sure that these ports are going to be forwarded. You can also forward these ports here for the STUN and TURN protocols. Then we're basically onto the deployment. You can run this script if you wanted to, but like I say, we want to use an existing setup, so the first thing that we need to do is basically grab a copy of the setup.env file. Much like in other videos I've got, we need to set up and configure an environment variable file first, with all the settings and configs. We then need to create the docker-compose file from that file, and then we need to set up Authentik and get into that.

So if you look here you'll see that basically we need to clone this repository; if you run this here, you'll download the latest repo. Now if I go into my VS Code I'll show you what that looks like. Over here on VS Code, this is on my Docker virtual machine (don't worry, I'll be going back to the documentation in a minute); this is basically what it looks like. You want to navigate to wherever you're storing this; I put it in my docker/netbird folder, and that's where it's downloaded all of those GitHub files. When it does that, it basically downloads this setup.env.example file here. This is an example copy, and what you need to do is create a copy of that, call it setup.env, and you're going to put all of your actual variables in this one. Once you've done that, there's a handy configure.sh shell script, and what that does is take the environment variables in this file and spit out a docker-compose file. In this instance I used the Traefik example file because I'm obviously using Traefik. That actually didn't work by default, just because of the way I've got some of my labels set up, so I did have to amend that before it worked, but I'm not going to go into too much detail on that because I've actually got the configuration files for you.

If we head back to the documentation, you'll see that once we've set up the setup.env environment variables as discussed here (and remember, because we're using a different identity provider, there are additional instructions for that; so I followed the Authentik instructions, and we'll have a look at Authentik in a moment to get that set up), once you've done that you can put all of these variables in here and then you can run the configuration script.

Let's have a quick look at the Authentik side, just so we know what that looks like. For Authentik, if you've watched my previous videos, you've seen me do this for a few applications, things like Portainer etc. You basically need to create an application and provider. So you set that up exactly as it says in here; I'm not going to walk you through that process, because it is literally just a case of clicking buttons and following exactly what's on here. The key thing really is to change this domain to whatever your domain is, so for example here jimsgarage.co.uk, again the same here, and then just leave this localhost for those local connections. You need to make sure that that self-signed certificate is there and follow through all of those extra parameters. Then you need to get on to creating the external application, which is all done here, and then you need to create a service account, and that's what it's going to use to connect when it does the authentication. Hopefully, once you've got that ready, it will look something like this. If I now log into my Authentik, I'll show you what that looks like. Here's the provider that you need to set up, this NetBird one, and if you click edit you'll see all of those variables I put in: there are those redirects etc., you'll see the client ID, all of that good stuff, and that's set up exactly as it says on that website. Then if you go to the applications you'll see the corresponding app for that; here's NetBird, and if I click edit you'll see those parameters, again exactly as the documentation specified. And I think in System... no, it's not in System; I think in Directory, Users, you'll see that I've created the netbird user for that service account as well, which is what's required. So I'm not going to go into clicking buttons for you on that one; just follow the guide exactly as specified. I didn't have any issues with this part of the video.

So now, back over onto the instructions, you'll see that you can now specify these parts, and you'll get these exactly from the Authentik website: when you log in you'll get all of these endpoints, and you need to copy this over now into your setup.env. Now that we've done that, we're ready to go on to the rest of the instructions for the deployment. Step four is optional; I didn't bother doing that and left it as is. As I mentioned, in step five I ran that configure.sh, and that created the docker-compose file for me using those environment variables. Once you've done that you should be able to just run the docker compose up. Like I say, that didn't work for me, so I'm going to have a look now at the actual variables and we'll go into detail on what this is actually doing, so hopefully you should just need to copy and amend what I have for you, but understand that this is how I created those files.

So over on my Docker machine now, the only two files you need... you can ignore all of these; these are just the assets that are used for creating and running that configure.sh, just follow those instructions. But effectively all you need is the setup.env environment variables, so let's have a look at this, and the docker-compose file, which is this one here. The key things really that you need to specify here are the domain, because this is where it's going to be hosting and listening. I've set the external IP to be the external IP of my Docker VM. This also does work in Kubernetes and there's a Helm chart for that; I'll possibly cover that in a future video. Next we get things like the OIDC configuration endpoint; this is just taken from when you do the Authentik setup, so you'll get this from your identity provider. So don't worry about "what the heck is this"; that will do it for you, you just copy and paste it in here. This again is just the client IDs, and you'll get that from Authentik, and it tells you exactly where to put these variables, as I showed on the previous page; that's all this stuff here. So you'll see that NetBird configuration endpoint, that one is this one here, so you just need to copy and paste those values in. Once that's done there isn't really much else you need to do in here; all I did was literally follow those instructions, and then I got onto generating the docker-compose file. The key thing here really is NETBIRD_DISABLE_LETSENCRYPT=true; that's because we don't want NetBird to be pulling down certificates for our server. We're letting Traefik do that for us, and we've already got that set up.

So now if we head over to the actual docker-compose file: like I said, it created a docker-compose file, but it wasn't quite right for the labels I needed for my setup. This is a multi-container setup, so we have the dashboard, we then have signal, we then have management, and we also have the coturn server. The coturn server doesn't run behind the proxy. Just looking through the dashboard, we've obviously commented out the ports because we're going to be using the reverse proxy to expose this. We've set the management API endpoint to be this here, and this is generated automatically because we put it in the setup.env environment variable: we put this at the top as our NetBird domain and that's where it copied over for me, and all of the endpoints are going to be the same. The auth audience is that client ID. We don't need the secret in this instance because we're using the service account, which we'll reference later. The authority is obviously my Authentik, so that's what I'm using as my identity provider. The scopes: it can use any of these, as advertised when it goes and does the query. Actually, when you do this configuration script it queries Authentik, and if I go to the API on Authentik it would show you all of the supported scopes. The rest we can leave blank for the redirect and silent redirect, because that's taken care of within Authentik itself, and the token source is actually an access token, as defined in the documentation. nginx is running on 443 inside the containers, and we don't need Let's Encrypt. I could probably just delete that, but I've left it as is because that's what's in the documentation; but like I say, Let's Encrypt is already taken care of with Traefik. We've created a volume to store Let's Encrypt, but like I say that probably isn't needed; I might tidy that up in the future. And crucially, I've put it on the proxy network; this is the network my existing Traefik instance is on. Then I've added some Traefik labels; nothing really new here. It's sitting on port 80, which is quite standard when we've got this behind a reverse proxy, and that's all we need to get the dashboard up and running.

Next up is the signal container. That's required to have a volume, and that's where it's going to mount it to. Because we're running this behind the proxy, we can get rid of all of the ports commands, because, as we can see here in the Traefik label, we mount it on port 80 and we use the scheme of h2c. We've used that before for different containers; that's basically the HTTP/2 protocol. One thing that's important on this is actually the path prefixes. Now, I didn't create these; these were generated by the script, but those need to be in there to make sure that this functions correctly, so it gets all of those redirects correct.

Next we're on to the management interface. There are a few volumes here; again, that Let's Encrypt one probably isn't required, and the ports are commented out because it's going to run, again, behind the reverse proxy. So here we can see that it's running a command to set itself up and configure itself on 443, and it's also running behind my domain. In the proxy labels it's actually setting up two entry points: it's got the NetBird API and then the NetBird management. Both of those are going to be running on HTTPS, and they both run on port 443, again with that server scheme of h2c, which is required for the management interface. Again, there are a couple of path prefixes on both of those, so you don't have to put the trailing slashes in, and both sit on the proxy network. So nothing too exotic there.

Lastly we have coturn, and that's on our domain name of netbird.jimsgarage, and we've got a volume there for the configuration file in read-only mode, and that's set on the host, and it runs the command to basically use that configuration file. That's pretty much it. At the bottom we've obviously got the volumes that we're using and we've got the network, and it's external: true because we created this proxy network earlier in my Traefik videos.

Okay, so with that run-through now complete (and like I say, to generate this do just follow the instructions on the website; make sure you've got your identity provider set up, you don't have to use Authentik, you can use Zitadel or Keycloak, and there are different instructions for that, but broadly speaking it's an identical process), we're now ready to hop into the terminal. In the terminal I'm going to navigate now to where I have these files residing, so that's in my docker-compose/netbird infrastructure artifacts folder. A bit of an unusual file structure, because this is just what it created when I ran the script; you could obviously tidy this up once the files are generated to whatever you want. You probably do need the configuration JSON file, which is this one here for OpenID. All of this is created when you run the script as well; it actually goes off and queries your Authentik, or whatever identity provider you are using, and pulls down all of the supported formats, protocols etc., all of the supported parameters and claims. Similarly for the management JSON as well, it puts in here and generates some certificates and passwords etc. for connecting to internal services. So you will need to have these in your folder, but I'm not going to go through all this, just because this is auto-generated and you don't need to do this yourself.

We're ready to get into the deployment. So now, navigating to this folder, you can see all of these files are in there. It should just be a case of running your sudo docker compose up -d, and when we do that it should go away now and pull down all of the containers. Once that's done we'll have a quick look and see if that's up and running, but it should pull pretty quickly; these aren't big files. Remember, once you've pulled this down you need to make sure that you go away and create your domains in your internal domain service, so netbird.jimsgarage; add it to your hosts, your firewall, your Pi-hole, your AdGuard, whatever it is you use, and then you should be able to navigate to this in your web browser. You can see here that this container is running, and if we hop over into Portainer we can see here that we've got the coturn server, the dashboard, the management and the signal, and here's my Authentik that's already running in the background, as demonstrated.

So now if we head to netbird.jimsgarage.co.uk, fingers crossed everything is up and running. If I hit return, you can see, yep, it's logged straight in, and it also did the Authentik piece as well, and now we're ready to get started. Let me just show you what happens the first time you do this, because I've got some saved credentials and I'm already logged into Authentik. In an incognito browser, if I go to NetBird, this time, because I'm incognito, I'm not actually logged into Authentik, so it's going to say "hey, welcome to Authentik". I'm going to put my email address in here, I'm going to click log in, now it's going to ask me for my password, hit continue, and now it should successfully, as you saw in the top, redirect me. So again, now I'm back; I've authenticated with Authentik, and because it's the trusted identity provider it's taken the identity of my admin user in Authentik, it's then created that user, and it uses that now for NetBird. So you can obviously go and create as many users as you want in Authentik, and you can then pass those credentials out to different people so they can log in via Authentik into your NetBird application, which is super cool.

So now we're ready to get on to the actual configuration. Unfortunately, again, I can't zoom because this is kind of a pop-up, but like I showed earlier in the video it's really simple to get this up and running. You can see that there's Linux, Windows, macOS, iOS, Android and even Docker containers for this. This is for the client, and it's really straightforward and very similar to how you set up the official one using the official NetBird infrastructure. So effectively, similar to Headscale, you download the binary or whatever it is and you simply choose to connect to an alternate server; in this case you'll connect to netbird.your-fqdn, and then you'll go through that authentication process with Authentik.

So let me now demonstrate that using Linux, which people will probably be using, and I'll also demonstrate that on a Windows VM and an Android phone. Here I've created a virtual machine conveniently named netbird-demo, and we're simply going to follow the instructions behind us. To install with the command line we can just run this script here; this is just a convenient script, you can obviously install it using a package manager if you want, following these instructions here. So over in the VM, let's get this installed. That's all up and running now; all we need to run is netbird up and provide it with a --management-url and then put in the URL for our server. Now that's not quite true, because when you run this, what you'll find is it will spin up and then it will say "head to this URL here". Now that URL doesn't work for me; when I go there it just sort of times out. So what I actually found I needed to do was go back into your NetBird (close this down, I can make that a little bit larger now), and what we need to do is go to Setup Keys. A bit like in Headscale, where we can create those pre-authorization keys, it's exactly the same thing. So let's create a setup key, and I'm just going to call this one "ubuntu". You can choose obviously any of the options you want here; I'm just going to keep them as the defaults. You could choose to reduce the validity of the expiration date on those if you wanted, etc. Create that setup key, and now I'm going to copy that to the clipboard. Now what I can do with that is go back into here; we Ctrl-C so as to not set that up, I'll press up again just to get that command, and then I can do --setup-key and then I can paste that key in. Now, in the background (I'm not going to press return yet), let's close that and let's go to Peers. Peers is empty, we haven't actually set one up, but hopefully it will dynamically update when I hit return here. So now that says it's connected, and then hopefully in the background, yeah, bingo, there we go, we've got the netbird-demo machine that's just been added. Perfect, you've just added your first node, or peer, to your NetBird network.

So now that we've got one in there, that's great; let's get another one in. I'm going to show you now on my phone how to download and install NetBird onto your Android device. Once you've installed the NetBird application from your marketplace, you can see that when you open it, it says by default it's going to connect to NetBird's cloud servers. That's what we discussed earlier; that's the similar sort of behaviour you get for Tailscale. But what we actually need to do is click the orange there for "change server". When we change server we obviously want to put in our own server, that netbird.your-fqdn. So now, with the right server in place, hopefully we can click change; it's now verified, "server was changed", we got the green tick instantly. Okay, great, but we can't actually connect it yet, because we need to go through the Authentik authorization piece. So if we now click on the grey icon in the middle, it's going to ask the default Android permissions: do you want to allow this as a VPN connection? We're going to say okay. It's now connecting, and you'll see it's going to push me through Authentik, so again I'm going to put in my username and password for Authentik. Once I've done that it's then going to go through exactly the same process as we saw before. So now you can see that I'm connected, and that's basically all you need to do. You can also scroll up from the bottom and you can see that I've got that netbird-demo.jimsgarage; that's actually my Linux box. So already, by default, they're on the same network and can connect to one another. We can obviously change that later on, and we can put some granular access in place to revoke or restrict whatever we want to have access, and you still get the exact same control over which one you want to function as an exit node. So that's basically it to set it up on Android, as simple as that, and I expect it's very similar on iOS.

Let's hop now back over and let's just double-check what's going on in the NetBird UI. So now, back over in NetBird, let's just click off that and then let's click back on the Peers. You can see that my mobile's there; I've actually disconnected, let me just click connect. My phone now says connected; hopefully that'll go green any second, let me just refresh. Yeah, there we go; oh, there's a refresh button there as well. So basically now you can see that I've got both of those machines connected to my NetBird network. And now what you can actually do, if you wanted to, for example, you could go into your Access Control and you could go to your Policies, and you could actually do things like, oh, there's a default rule there, a bit like a firewall rule. If you click that now, on my Android I can't actually see that Linux box; it basically breaks all connections. You could then put in specific rules and change the order of them etc., or you can just put it on and everything can see everything.

Thankfully, the instructions for Windows are simple. If we add a peer again and we want Windows, we simply need to download NetBird and then go to this URL here. So if I hop into my Windows VM, in here let's go to netbird.jimsgarage. Again it's going to ask us to authenticate, so I'm going to put my username and password in. Obviously you could do this with a pre-auth key as well if you didn't want to go down this route, but it's entirely up to you. This is obviously logging me now into NetBird, and now that we're logged in we can click "add peer", we can download NetBird, which will take us to the official website to start downloading the binary. Once that's done, we can click the installer in the top right and go through the standard process for installing this. Once that's done we should be able to go to the settings on the NetBird icon and just copy this. So let's start the NetBird UI, let's copy that down; we can see if we click in the system tray now, we can right-click that, we can go to the settings, we can go to the advanced settings, and we want to change the management and the admin URL. As it says, we need to change this management URL, so let's change that to what I've got here; copy that and then we'll just paste it in. So hopefully now we can just click save and we should be able to click connect. Let's right-click and then click connect. Now it's going to ask us to log in again, but because we've already logged in previously that should just forward us on. So that login has been successful; if we go back in here now to the Peers, you'll see that that's now updated, and hopefully in a moment, yeah, you can see that I've got Windows 11 here, which is that machine I just set up. All three of those are now available, all three of those are now connected to our NetBird network.

Now that we've got that set up, we can start to look at some of the more advanced features. We can start putting these into different groups, so you might have different groups of people, different offices and different territories. Those groupings will make things like the rules and the routes simpler to administrate. If we have a look at the Policies now, you can see that we've got the default one that's on, but we could obviously create a new one by hitting the plus in the top right-hand corner. This would be, say, you could use a group or you could just use a peer, and then you could say where you want to go to, and then you can obviously do things like enable one direction, so unidirectional or bidirectional. You can even select the type of protocol it's going to use, so choose whatever you want, and then you can choose to enable that or not, and you can also restrict some of those ports. So really awesome; this is basically a bit like a firewall. Also on this you can set the DNS server. It looks like we don't have any set up by default; that's fine, I don't think you can actually specify any in the configuration, but you can add a DNS name server here. We'd use a custom one, and for this I would use something like either my firewall or whatever my DNS resolver is. You'd want to make sure, obviously, that the server has got access to this, and then you could apply it to whichever groups you want. You could even apply it to specific clients on the network; you might even want to do different name servers for different clients, totally up to you.

You've also then got your Users for NetBird. Obviously for a home user it's probably just yourself as the administrator, but you'd obviously imagine at scale you're probably going to want to have multiple people that can access and manage this. You'd probably want to create, as an identity provider, different user roles within Authentik and then pick those up automatically, because it's using that federation model; that would pull those profiles into NetBird and you could manage them here. The Service Users is around API access, so if you want to have API access to this rather than going through the web UI, you could also set that up. You could probably do that so that you could automate deployment of NetBird via the API. After that you've got some handy Activity events, so you can see when things occurred and who it was, which client etc. And in the Settings you've also got things like how long you want the authentication to time out; I've got this set for 24 hours. You'll actually notice that it's logging me in and out quite a few times; not entirely sure what's going on there, I've probably got a setting set too restrictive, but either way you've got the option to go and fix that, plus it was pretty seamless anyway, that refreshes pretty quick. You've got the user groups that you can assign the different permissions for different users, and you've also got a danger zone where you can delete your account if you wanted to.

So one of the coolest features of NetBird, much like Headscale, Tailscale etc., is the routing, whereby any of these peers that we have on here we can actually use as a network exit point, and we can also use those, if they were in the field for example, as basically a gateway to a different network. What that means is I could use my mobile phone when I'm out and about, I could put that onto the network, and my local devices could actually use that as an exit point. Similarly, if I had a device in a different country I could use that as an exit node and basically create my own VPN, so if you've got geo-restrictions you could route your traffic out through there. Also you could use this to connect to whatever LAN that's on, so you wouldn't need to go and install NetBird on all of the appliances in that LAN; you could use one specific device that has NetBird installed and then use that to access the local LAN. So if it's on a different subnet or wherever it is, you could access those through that client running out in the field as though it's on your LAN.

So we can either add a route or add an exit node; let's do both. I'm going to add an exit node first. At the moment I've only got my Ubuntu virtual machine, and that's unfortunate because of this. The good news is it's coming in the next few weeks; however, that was May and it's now July, but fingers crossed that should come very soon. Anyway, let's demonstrate the process, not necessarily the exact result we want. So let me select the netbird peer; I'm not going to select any groups, it's just the "all" one, so we could use an exit node only for specific nodes if you wanted to, and then let's click continue. It's going to ask for a name, so I'll do "ubuntu exit node" and then click continue. Do I want to enable it? Yes, I do. Let's add that exit node. So now that's an exit node, so hopefully if I go on to my virtual machine again, if I go down to the bottom here, hopefully I can right-click that, click on Network Routes, and then you can see here now (sorry, it's small again) I've got the Ubuntu exit node selected. So now it's going to be using that for my exit node route. That's pretty cool, and obviously the more you add into your exit nodes, the more options you would have available to you.

So now, back over on NetBird, let's click Add Route. Now we can create different network ranges, so this will allow us to access the LANs and different VPCs by adding network routes. For example, in here we could add a private IPv4 range (it's going to be a bit difficult because most of this stuff is already set up on my LAN), and then we can enter the network range we want to be able to access here. We can then select the routing peer. There's a handy diagram for this if we click again; I must commend NetBird, every time you've got an option you can basically click that and go and see the documentation for it. If you look at this diagram here, that's kind of what I was saying earlier: imagine this is your private LAN and then you've got your mesh here, and this here is the routing peer. Say I put this machine, I don't know, let's say I put this over in America and I've got a different network up there, a different office, whatever it is. You can set this one up as the routing peer and then allow it to access the LAN of that local office. Therefore over here, if I'm say in the UK, I could connect to this and then connect to all of my devices over in that different territory. Really awesome. So in here, again, I've only got the few examples; I've got my Ubuntu machine, but say this Ubuntu machine was elsewhere in the world, I could then use that to access it. I'll need to give this an IP address range, so let me just use the example that's there for this one and then click continue. Give it a network identifier; I'm just going to call this one "ubuntu" again, it could be, I don't know, "ubuntu-us" for example. Click continue, I'm going to enable it, and then you can actually masquerade it without configuring local routes, so I'm going to leave that on, because typically you'd want to masquerade. Then I can click Add Route. So now, if this was a real address (I haven't set it to a real one for this demo), I should be able to access anything that's on that network that would be elsewhere in the world as though it was a local machine. That's because the device I'm on has access to this mesh network, and this mesh network is allowing access to its local network, which is really awesome.

And that's basically it. I think this is an amazing user experience compared to the Headscale implementation. Don't get me wrong, Headscale works, but the UI is flaky and it's not as robust as this. This, once you've got that configuration file working, just deploys and works. Now obviously, to get this working externally you're going to need some port forwards, so the ports that I showed you at the beginning of the video, do make sure you've got some port forwards set up for those, and that they're pointing towards where your reverse proxy is. That will mean that once you're out in the field all of your devices will be able to connect remotely. I think technically if you connected internally and then left your network that might still work, because it's going to use a reverse tunnel, but I'm not sure about that. Anyway, do let me know how you found that and if this is something that you're going to consider. I'm going to be switching over from Headscale to NetBird and I'm going to give that a tour; I'm going to be using that in the next video, or maybe the next video, where we set up that VPC, our own private virtual cloud, using something like a NAS box that we're going to install NetBird onto. That will allow me to have remote connection and automatic fallback connection to this machine without the need for port forwards on the other end, i.e. if I put this at my mother-in-law's house I don't need to fanny about with a router; this will automatically connect back into my setup. So I don't
have to worry about all of that stuff anyway thank you for watching guys there's a ton of documentation around this so please do go and check it out and there's a myriad of ways that you can set up net bird I've just shown you the way that fits my setup with that reverse proxy and authentic but you can choose basically whatever you want and follow the detailed instructions on that website if you like this give it a thumbs up hit that subscribe let me know how you're going to use this see you in the next one everybody take care [Music]
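A practitioner check for the network routes and exit node set up in the video, as an added example that is not from the video or from NetBird itself: it sanity-checks a constructed set of routes against the client's own LAN (the overlap problem the video mentions) and shows which route a destination would take, assuming NetBird follows the usual longest-prefix behaviour of the OS routing table. Route names, peer names and ranges are hypothetical.

```python
# Added example (not NetBird's code): sanity-check planned NetBird network routes
# against the client's local LAN before typing them into the dashboard.
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    name: str              # the "network identifier" entered in the NetBird UI
    network: str           # CIDR advertised by the routing peer; 0.0.0.0/0 = exit node
    routing_peer: str      # peer that forwards the traffic (hypothetical names)
    masquerade: bool = True


# Constructed sample configuration resembling what the video sets up.
ROUTES = [
    Route("ubuntu-exit-node", "0.0.0.0/0", "ubuntu"),
    Route("ubuntu-us", "192.168.50.0/24", "ubuntu-us"),
    Route("office-lan", "192.168.1.0/24", "office-pi", masquerade=False),
]
# Subnets this client sits on locally (constructed); a route must not collide with them.
LOCAL_SUBNETS = ["192.168.1.0/24"]


def check_routes(routes, local_subnets):
    """Return (route name, problem) pairs for routes that would misbehave on this client."""
    problems = []
    local = [ipaddress.ip_network(s) for s in local_subnets]
    for r in routes:
        net = ipaddress.ip_network(r.network)
        if net.prefixlen == 0:
            continue  # exit node: covering everything is the intent, not an overlap
        if any(net.overlaps(l) for l in local):
            problems.append((r.name, "overlaps a local subnet; local traffic stays off the tunnel"))
        if not net.is_private:
            problems.append((r.name, "public range; a route normally covers a private LAN"))
        if not r.masquerade:
            problems.append((r.name, "masquerade off: LAN hosts need a return route to the mesh"))
    return problems


def resolve(ip, routes):
    """Pick the route a destination would use: the most specific prefix wins, so a LAN
    route takes precedence over the 0.0.0.0/0 exit node (OS longest-prefix semantics)."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r.network)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: ipaddress.ip_network(r.network).prefixlen)
```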