Back to Networking Knowledge Hub

Self-Hosting NetBird with Authentik

Set up a self-hosted NetBird instance on a VPS and integrate Authentik as your identity provider for SSO and MFA. Covers DNS setup, the NetBird install script, Docker Compose, the NetBird sidecar, and configuring Authentik as an OAuth2/OIDC IdP.

 

Self-Hosting NetBird with Authentik

NetBird is an open-source zero trust networking platform that lets you build secure private networks using the WireGuard protocol. The self-hosting experience has improved significantly — a single script handles the full setup, including Traefik as a reverse proxy with automatic TLS and a built-in local user system right out of the box.

For production deployments, pairing NetBird with an external identity provider gives you SSO, multi-factor authentication, and centralized user management. In this guide we'll use Authentik a powerful open-source identity provider, as our IdP. We'll also run a NetBird client alongside Authentik in the same Docker network and use NetBird's built-in reverse proxy to expose it securely — no separate proxy stack required.

Prerequisites

A Linux VPS with at least 2 CPU cores and 4 GB of RAM works well here (Authentik needs a minimum of 2 cores and 2 GB on its own). The server needs to be publicly accessible on TCP ports 80 and 443 and UDP port 3478.

You'll need a public domain with two DNS records pointing to your VPS. If you're using Cloudflare, make sure both records are set to DNS only — not proxied.

TypeNameContentProxy Status
ADNS only
CNAMEDNS only

The A record is for the NetBird management dashboard. The wildcard CNAME ensures all service subdomains (e.g., ) resolve to your server, which is what the built-in reverse proxy uses to expose Authentik.

Make sure Docker is installed on your VPS along with and . The Docker convenience script is the easiest way to get everything set up:

NetBird Setup

Create a directory and run the install script:

The script will walk you through a few prompts. Enter your domain (e.g., ) and select the reverse proxy option:

Press Enter to go with Traefik. It handles TLS via Let's Encrypt automatically. When prompted to enable the NetBird Proxy service, type :

This is the built-in reverse proxy feature we'll use later to expose Authentik without needing Nginx, Caddy, or a separate proxy stack.

Initial Login

Navigate to your NetBird dashboard at . You'll land on a setup page — create your local admin account here. This account uses NetBird's embedded IdP and is temporary. We'll replace it with Authentik later.

Authentik

Authentik is a full-featured identity management platform. Beyond just being an IdP for NetBird, it supports a wide range of integrations — anything that speaks OAuth2, OIDC, or SAML will work with it. We're going to run it in the same Docker stack as a NetBird client container. That client acts as a routing peer, which means NetBird can reach anything on that Docker network. The reverse proxy then uses that routing peer to expose Authentik under your domain with automatic TLS.

Install Authentik

Create a directory for the Authentik stack:

Download the official Docker Compose file:

Generate Credentials

Authentik requires a PostgreSQL password and a secret key. Generate both and write them to a file:

Add the NetBird Sidecar

We'll add a shared Docker network with static IPs to the downloaded compose file, then append a NetBird client container to the stack. The static IPs are important — the reverse proxy needs to know exactly where to find the Authentik server container.

First, generate a setup key in the NetBird dashboard. Go to Setup Keys > Add Setup Key, give it a name like "VPS Services", and copy the key.

Open and add a stanza to each of the three existing services:

postgresql — add inside the service block:

server — add inside the service block:

worker — add inside the service block:

Then append the NetBird service to the block and add the top-level definition at the end of the file:

Replace with the key you just copied, and update to match your NetBird domain. The Authentik server sits at on port 9000 — that's what we'll point the reverse proxy at.

Start the stack:

Give it a minute to pull images and initialize. Once it's up, you should see the vps-services peer appear in your NetBird dashboard under Peers.

Initial Authentik Setup

Navigate to to create your Authentik admin account. This is a one-time setup and the page won't be accessible after the admin password is set.

Note: Once Authentik is exposed through the NetBird reverse proxy, you can close port 9000 on your firewall. Until then, keep it open so you can complete the initial setup.

Set Up the Network and Routing Peer

Now tell NetBird that the peer can route traffic to the Authentik Docker subnet:

  1. In the NetBird dashboard, go to Networks > Add Network
  2. Name it something like "VPS Services"
  3. Add a network resource with the subnet
  4. Assign vps-services as the routing peer
  5. Create a policy to control which peers can access this network (e.g., restrict to an admin group)

With that saved, any container on is reachable through the NetBird network via the routing peer. If you add more services to this stack later, assign them an IP in this range and the same NetBird client routes traffic to all of them.

Expose Authentik with the NetBird Reverse Proxy

Instead of opening Authentik to the public internet directly, we'll use NetBird's built-in reverse proxy to expose it under your domain with automatic TLS.

  1. In the NetBird dashboard, go to Reverse Proxy > Services > Add Service
  2. Enter a subdomain like and select your domain — the full URL will be
  3. Click Add Target, select the VPS Services network resource, enter the Authentik server IP , set protocol to HTTP and port to 9000
  4. Under the Authentication tab, leave all methods disabled — Authentik handles its own auth
  5. Enable Pass Host Header and click Add Service

NetBird provisions a TLS certificate and establishes the tunnel. Once the service shows as active, navigate to — Authentik should load over HTTPS through your NetBird network. At this point you can close port 9000 on your server's firewall.

Configure Authentik as the NetBird IDP

With Authentik accessible, we can configure it as the identity provider for NetBird. This involves creating an OAuth2 provider and application in Authentik, then wiring it up in NetBird settings.

Create an OAuth2/OIDC Provider in Authentik

  1. Log into Authentik at and go to the Admin Interface
  2. Navigate to Applications > Providers > Create
  3. Select OAuth2/OpenID Provider and click Next
  4. Set the Name to
  5. For Authorization flow, select
  6. Set Client type to Confidential
  7. Leave the Signing Key as the Authentik self-signed certificate
  8. Click Finish

Once created, open the provider and note the Client ID and Client Secret — you'll need these shortly.

Create an Application in Authentik

  1. Go to Applications > Applications > Create
  2. Set the Name to and the Slug to
  3. Select the provider you just created
  4. Click Create

Add Authentik as an Identity Provider in NetBird

  1. In the NetBird dashboard, go to Settings > Identity Providers > Add Identity Provider
  2. Select Authentik
  3. Fill in the fields:
    • Issuer URL:
    • Client ID: paste from Authentik
    • Client Secret: paste from Authentik
  4. Click Add Provider
  5. Copy the Redirect URL that NetBird displays

Add the Redirect URI in Authentik

  1. Back in Authentik, go to Applications > Providers and edit the NetBird provider
  2. Under Redirect URIs, click Add, set the mode to Strict, and paste in the redirect URL from NetBird
  3. Click Update

Authentik is now configured as the NetBird identity provider.

User Management

Test the Login Flow

Open a new browser window or incognito tab and navigate to your NetBird dashboard. You should see an Authentik option on the login page. Click it — you'll be redirected to Authentik to authenticate.

After logging in, NetBird will show a User approval pending message for the new Authentik-managed user. Head back to the NetBird dashboard, go to Team > Users, and approve the pending user.

Transfer Ownership and Remove the Local Account

Once the Authentik user is approved and working:

  1. In Team > Users, find the Authentik-managed user and change their role to Owner
  2. Log out of the local account and log back in using Authentik to confirm everything works
  3. Delete the original local user account — you no longer need it

Warning: Confirm you can successfully log in via Authentik before removing the local account. Losing access to both accounts at once would lock you out of the dashboard.

Managing Users

To add users in Authentik, go to Directory > Users > Create. You can also create groups under Directory > Groups and use them for access control. If you want NetBird to automatically sync Authentik group memberships, see the JWT group sync documentation — Authentik includes a claim in the ID token by default through the scope.

Conclusion

You now have a fully self-hosted NetBird instance with Authentik handling authentication. Authentik gives you SSO, MFA, and a full user directory — and because it's running as a sidecar in the same Docker network, it's exposed securely through an encrypted WireGuard tunnel via the NetBird reverse proxy. No extra proxy stack, no open ports beyond what NetBird needs. Any additional services you add to the Docker network are immediately routable through the same NetBird client.

You may also like:

Jellyfin Media Server - Self-Host Your Movies, TV, and Music

Set up Jellyfin media server with Docker and Portainer on Ubuntu Server. Covers storage planning, Intel Quick Sync hardware transcoding, and secure remote access with NetBird.

Read more

Cloudflare Tunnels vs. NetBird Reverse Proxy

A detailed comparison of NetBird Reverse Proxy and Cloudflare Tunnels for exposing internal services to the internet without opening ports, covering architecture, TLS termination, authentication, depl...

View Comparison

NetBird's March Newsletter

Built-in reverse proxy, expose command, Home Assistant access, Pangolin comparison, KubeCon Europe, and 23k GitHub stars.

Read more

We are using cookies

We use our own cookies as well as third-party cookies on our websites to enhance your experience, analyze our traffic, and for security and marketing. View our Privacy Policy for more information.