u/allxm4

▲ 18 r/netbird

Upgrading netbird-server 0.73.2 → 0.74.0 breaks WireGuard handshakes (reverse-proxy 502s, fixed by downgrading server only)

Upgraded my self-hosted server (management + signal + relay + STUN) from 0.73.2 to 0.74.0 and all my reverse-proxy services started returning 502 errors.

What was happening:

  • The proxy authenticates with management fine
  • The proxy connects to the relay fine
  • ICE never finishes starting up ("ICE Agent is not initialized yet", repeating forever)
  • WireGuard handshake times out and never completes
  • This still happened even with NB_FORCE_RELAY=true, which is supposed to skip ICE completely

What I checked and ruled out:

  • Config files, Traefik, CrowdSec: all fine, nothing changed
  • Container permissions: added NET_ADMIN, NET_RAW, and /dev/net/tun to the proxy container, no difference
  • Just the proxy image: downgraded only the reverse-proxy container to 0.73.2 while keeping the server on 0.74.0, still broken
  • STUN port (3478/udp) was reachable the whole time

Downgraded netbird-server itself to 0.73.2 (matching the proxy version). Everything came back up right away.

Anyone else run into this?

reddit.com
u/allxm4 — 4 days ago

Hi all,

First to explain my previous setup: Previously I had all my services exposed with port forwarding to the whitelisted IPs of Cloudflare, and in order to limit the access to my Vaultwarden instance, I limited the access with two rules:

  1. Access only from my Country. ( This works now in Netbird too, already implemented)
  2. Limit access only to myself to the path /admin of the app. ( via PIN login, allowed only to my email )

I had both done through the CF zero trust and it worked great, but now exposing the Vaultwarden through Netbird, I can't find a way to block access to that path, and my /admin path is available.

Any ideas are welcome. Thank you.

reddit.com
u/allxm4 — 2 months ago