NetBird installation and usage

For me, NetBird's advantage over headscale is that peer routes can be defined per group, so the server fully controls which routes are pushed, and pushing or withdrawing a route takes about a second (after a route is disabled in headscale, the stale route stays in place for a long time).

Installation

Using Auth0

Official docs: https://docs.netbird.io/selfhosted/selfhosted-guide#advanced-guid

  1. Open the required ports on the server as listed in the docs

  2. Prepare a domain name, netbird.example.com

  3. Clone the release code

    ```bash
    git clone https://github.com/netbirdio/netbird.git
    cd netbird/infrastructure_files/
    ```
  4. Use Auth0 as the identity provider

    1. Register an account at https://auth0.com

    2. Create the NetBird Login application

    3. Set Application Login URI to https://netbird.example.com

    4. Set Allowed Callback URIs, Allowed Logout URLs and Allowed Web Origins all to https://netbird.example.com,http://netbird.example.com

    5. Enable the Device Code grant type

    6. Create and configure a Machine to Machine application.

      This application is used to authorize access to the Auth0 Management API.

      Tick the required permissions.

      Configuration:

      • Copy Client ID to NETBIRD_IDP_MGMT_CLIENT_ID in the setup.env file
      • Copy Client SECRET to NETBIRD_IDP_MGMT_CLIENT_SECRET in the setup.env file
      • Copy DOMAIN to NETBIRD_IDP_MGMT_EXTRA_AUDIENCE in the setup.env file
    7. Create and configure an Auth0 API

      This Auth0 API is used to access the NetBird management service API.

      https://auth0.com/docs/quickstart/backend/golang#create-an-api

    Then fill in setup.env (copy setup.env.example in the same directory to setup.env first):

    ```bash
    ## example file, you can copy this file to setup.env and update its values
    ##
    # Dashboard domain. e.g. app.mydomain.com
    NETBIRD_DOMAIN="sit-wg.suosihulian.cn"

    # -------------------------------------------
    # OIDC
    # e.g., https://example.eu.auth0.com/.well-known/openid-configuration
    # -------------------------------------------
    # <DOMAIN> is the Domain shown on the Auth0 application page
    NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://<DOMAIN>/.well-known/openid-configuration"
    NETBIRD_AUTH_AUDIENCE="https://quickstarts/api" # the Identifier of the Auth0 API created above
    # e.g. netbird-client
    NETBIRD_AUTH_CLIENT_ID="xxxx" # NetBird Login CLIENT ID
    # indicates the scopes that will be requested to the IDP
    NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api email_verified"
    # NETBIRD_AUTH_CLIENT_SECRET is required only by Google workspace.
    # NETBIRD_AUTH_CLIENT_SECRET=""
    # if you want to use a custom claim for the user ID instead of 'sub', set it here
    # NETBIRD_AUTH_USER_ID_CLAIM=""
    # indicates whether to use Auth0 or not: true or false
    NETBIRD_USE_AUTH0="true" # changed
    # if your IDP provider doesn't support fragmented URIs, configure custom
    # redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain.
    # NETBIRD_AUTH_REDIRECT_URI="/peers"
    # NETBIRD_AUTH_SILENT_REDIRECT_URI="/add-peers"
    # Updates the preference to use id tokens instead of access token on dashboard
    # Okta and Gitlab IDPs can benefit from this
    # NETBIRD_TOKEN_SOURCE="idToken"
    # -------------------------------------------
    # OIDC Device Authorization Flow
    # -------------------------------------------
    NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
    NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="xxxx" # NetBird Login CLIENT ID
    # Some IDPs requires different audience, scopes and to use id token for device authorization flow
    # you can customize here:
    NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
    NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
    NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
    # -------------------------------------------
    # OIDC PKCE Authorization Flow
    # -------------------------------------------
    # Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative
    # eg. 53000,54000
    NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"
    # -------------------------------------------
    # IDP Management
    # -------------------------------------------
    # eg. zitadel, auth0, azure, keycloak
    NETBIRD_MGMT_IDP="auth0" # set to auth0
    # Some IDPs requires different client id and client secret for management api
    NETBIRD_IDP_MGMT_CLIENT_ID="xxxx" # Netbird API
    NETBIRD_IDP_MGMT_CLIENT_SECRET="xxxx" # Netbird API
    NETBIRD_IDP_MGMT_EXTRA_AUDIENCE="https://xxxx.jp.auth0.com/api/v2/" # from the Auth0 Applications/APIs page
    # NETBIRD_IDP_MGMT_EXTRA_ variables. See https://docs.netbird.io/selfhosted/identity-providers for more information about your IDP of choice.
    # -------------------------------------------
    # Letsencrypt
    # -------------------------------------------
    # Disable letsencrypt
    # if disabled, cannot use HTTPS anymore and requires setting up a reverse-proxy to do it instead
    NETBIRD_DISABLE_LETSENCRYPT=false
    # e.g. hello@mydomain.com
    NETBIRD_LETSENCRYPT_EMAIL="" # remember to set this
    # -------------------------------------------
    # Extra settings
    # -------------------------------------------
    # Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
    NETBIRD_DISABLE_ANONYMOUS_METRICS=true # changed
    # DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
    NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted
    ```
  5. Run the initialization

    ```bash
    # docker and docker-compose must be installed first
    ./configure.sh
    docker-compose up -d
    # check the logs; as long as nothing errors out it is fine
    docker-compose logs signal
    docker-compose logs management
    docker-compose logs coturn
    docker-compose logs dashboard
    ```
  6. Open the domain in a browser and register a user

Using a self-hosted OIDC provider (Keycloak)

Deploy Keycloak

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
  namespace: devops
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-pre
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - keycloak.xxxx.cn
      secretName: keycloak.xxxx.cn
  rules:
    - host: keycloak.xxxx.cn
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: keycloak
                port:
                  number: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: keycloak
  namespace: devops
spec:
  ports:
    - name: http
      protocol: TCP
      port: 8080
      targetPort: 8080
  selector:
    app: keycloak-new
  type: ClusterIP
  sessionAffinity: None

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: devops
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak-new
  template:
    metadata:
      labels:
        app: keycloak-new
    spec:
      containers:
        - name: keycloak
          image: keycloak/keycloak:22.0
          args:
            - start
            - --hostname-url=https://keycloak.xxxx.cn
            - --proxy=edge
            # each list item is one argv element, so option and value must be joined with "="
            # (the DB password can also come from a Secret via the KC_DB_PASSWORD env var instead of the pod spec)
            - --db=mysql
            - --db-password=xxxx
            - --db-username=keycloak
            - --db-url-port=3306
            - --db-url-host=xxxx
          ports:
            - name: web
              containerPort: 8080
              protocol: TCP
          env:
            - name: KEYCLOAK_ADMIN
              value: xxxx
            - name: KEYCLOAK_ADMIN_PASSWORD
              value: xxxx
      restartPolicy: Always
      terminationGracePeriodSeconds: 10
      dnsPolicy: ClusterFirst
      securityContext: {}
      schedulerName: default-scheduler
  strategy:
    type: Recreate
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600
```


  1. Follow the official docs: https://docs.netbird.io/selfhosted/identity-providers#keycloak

  2. When done, open https://< YOUR_KEYCLOAK_HOST_AND_PORT >/realms/netbird/.well-known/openid-configuration; if it returns the discovery document, the realm is ready

  3. When redeploying, remember to wipe all Docker volumes and data

    ```bash
    docker ps -q | xargs docker rm -f
    # keep the infrastructure_files_netbird-letsencrypt volume (certificates); remove every other volume
    docker volume ls -q | grep -v '^infrastructure_files_netbird-letsencrypt$' | xargs -r docker volume rm
    ```
  4. Building on leftover NetBird data causes permission problems. If you hit one (the page loads but there is no management UI), change the user's Role to admin.
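Added example, not from the post or from NetBird: a check of the discovery document against the setup.env values above (NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT, NETBIRD_AUTH_SUPPORTED_SCOPES, NETBIRD_AUTH_DEVICE_AUTH_PROVIDER), run here over a constructed Keycloak-style document; it turns "if it returns data it is ok" into a check of the fields the login and the device flow actually depend on. The sample document, its host names and the "hosted" provider value used in the demo are assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed discovery document in the shape Keycloak publishes under
# /realms/<realm>/.well-known/openid-configuration (sample values, not a real realm).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.xxxx.cn/realms/netbird",
    "authorization_endpoint": "https://keycloak.xxxx.cn/realms/netbird/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.xxxx.cn/realms/netbird/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak.xxxx.cn/realms/netbird/protocol/openid-connect/certs",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
})

# Fields the dashboard login and the management service's token validation rely on
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def check_discovery(doc_text, config_endpoint, supported_scopes, device_provider):
    """Compare a discovery document with the setup.env values:
    config_endpoint   = NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT
    supported_scopes  = NETBIRD_AUTH_SUPPORTED_SCOPES (space separated)
    device_provider   = NETBIRD_AUTH_DEVICE_AUTH_PROVIDER ("none" disables the device flow)
    Returns a list of problems; an empty list means the provider matches the config."""
    doc = json.loads(doc_text)
    problems = [f"missing {key}" for key in REQUIRED if key not in doc]
    if "issuer" in doc and urlparse(doc["issuer"]).netloc != urlparse(config_endpoint).netloc:
        problems.append("issuer host differs from NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT")
    offered = set(doc.get("scopes_supported", []))
    for scope in supported_scopes.split():
        if scope not in offered:
            problems.append(f"scope not advertised: {scope}")
    if device_provider != "none":
        if "device_authorization_endpoint" not in doc:
            problems.append("device flow enabled but no device_authorization_endpoint")
        if DEVICE_GRANT not in doc.get("grant_types_supported", []):
            problems.append("device flow enabled but device_code grant not supported")
    return problems


if __name__ == "__main__":
    cfg = "https://keycloak.xxxx.cn/realms/netbird/.well-known/openid-configuration"
    for problem in check_discovery(SAMPLE_DISCOVERY, cfg, "openid profile email offline_access api email_verified", "hosted"):
        print("problem:", problem)
```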

Usage

Change the default IP address pool (the default pool conflicts with Alibaba Cloud's internal services and makes them unreachable, for example when downloading logs with aliyunlog)

```jsonc
// vim /var/lib/docker/volumes/infrastructure_files_netbird-mgmt/_data/store.json
// stop the management container before editing, so the running service does not overwrite the change
"Network": {
  "Id": "ck00sufq8vcs73e71ajg",
  "Net": {
    "IP": "10.255.250.0",   // change this
    "Mask": "///8AA=="      // base64-encoded netmask, generate it with the Python script below
  },
  "Dns": "",
  "Serial": 128
},
```

```python
import base64

mask = "255.255.252.0"

# convert each octet to an 8-bit binary string and concatenate them
binary_mask = ''.join(format(int(x), '08b') for x in mask.split('.'))

# turn the bit string back into a 4-byte object
byte_mask = bytes(int(binary_mask[i:i + 8], 2) for i in range(0, len(binary_mask), 8))

# base64-encode it, which is how store.json stores Net.Mask
encoded_mask = base64.b64encode(byte_mask).decode()

print(encoded_mask)
```
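Added example, not from the post: a helper around the same encoding that decodes an existing Net block back to CIDR, builds a new block from a CIDR, and refuses a pool that overlaps a list of reserved ranges; it also shows that the 10.255.250.0 address above is not on the /22 boundary, which strict=False normalises to 10.255.248.0/22. The store excerpt and the reserved ranges are constructed sample values (the post does not list the cloud-internal ranges it collides with).

```python
import base64
import ipaddress
import json

# Constructed store.json excerpt in the shape shown above (sample values, not a real deployment);
# "/8AAAA==" is 255.192.0.0, i.e. a /10 pool.
SAMPLE_STORE = json.dumps({"Network": {"Id": "ck00sufq8vcs73e71ajg",
                                       "Net": {"IP": "100.64.0.0", "Mask": "/8AAAA=="},
                                       "Dns": "", "Serial": 128}})
# Ranges the new pool must not collide with: sample values standing in for the
# cloud-internal addresses the text says the default pool conflicts with.
RESERVED = ["100.100.0.0/16", "172.17.0.0/16"]

def mask_to_b64(mask):
    """Dotted-decimal netmask -> base64 of its four bytes, the encoding store.json uses."""
    return base64.b64encode(ipaddress.IPv4Address(mask).packed).decode()

def b64_to_mask(encoded):
    return str(ipaddress.IPv4Address(base64.b64decode(encoded)))

def store_net_to_cidr(net):
    """Decode a Net block; strict=False normalises an IP that sits off the mask boundary."""
    return str(ipaddress.ip_network(f"{net['IP']}/{b64_to_mask(net['Mask'])}", strict=False))

def cidr_to_store_net(cidr):
    network = ipaddress.ip_network(cidr)  # strict: rejects an address with host bits set
    return {"IP": str(network.network_address), "Mask": mask_to_b64(str(network.netmask))}

def overlapping(cidr, reserved):
    target = ipaddress.ip_network(cidr)
    return [r for r in reserved if target.overlaps(ipaddress.ip_network(r))]

def current_pool(store_text):
    return store_net_to_cidr(json.loads(store_text)["Network"]["Net"])

def update_store(store_text, cidr, reserved):
    """Return the store text with Network.Net replaced, refusing a pool that hits a reserved range."""
    clashes = overlapping(cidr, reserved)
    if clashes:
        raise ValueError(f"{cidr} overlaps reserved ranges: {clashes}")
    store = json.loads(store_text)
    store["Network"]["Net"] = cidr_to_store_net(cidr)
    return json.dumps(store, indent=2)

if __name__ == "__main__":
    print("current pool:", current_pool(SAMPLE_STORE))  # 100.64.0.0/10
    print(update_store(SAMPLE_STORE, "10.255.248.0/22", RESERVED))
```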

Create a key on the Setup Keys page and copy it

```bash
netbird up --hostname xxx --management-url https://netbird.xxxx.cn:33073 --setup-key 8D1D79A2-462E-421C-B311-xxxxxxx
# --hostname has no effect in 0.23.1
# linux
netbird service start
```