Overview

NetBird Selfservice uses environment variables for configuration. All settings are stored in the .env file at the root of your application. This page provides a comprehensive reference for all configuration options.
Never commit your .env file to version control. It contains sensitive credentials and API tokens.

Environment Variables Reference

Application Settings

Core Laravel application configuration:
Variable | Required | Default | Description
APP_NAME | Yes | "VPN Selfservice" | Application name displayed in UI and emails
APP_ENV | Yes | local | Environment: local, staging, or production
APP_KEY | Yes | Auto-generated | Encryption key (generated by php artisan key:generate)
APP_DEBUG | Yes | true | Enable debug mode. Set to false in production
APP_URL | Yes | http://localhost | Full URL where application is accessible
APP_LOCALE | No | en | Default language
APP_FALLBACK_LOCALE | No | en | Fallback language if translation missing
APP_FAKER_LOCALE | No | en_US | Locale for fake data generation

APP_NAME="VPN Selfservice"
APP_ENV=local
APP_DEBUG=true
APP_URL=http://localhost:8000
Always set APP_DEBUG=false in production to prevent sensitive information leakage through error messages.

Database Configuration

Database connection settings:
Variable | Required | Default | Description
DB_CONNECTION | Yes | sqlite | Database driver: mysql, mariadb, sqlite, or pgsql
DB_HOST | No* | 127.0.0.1 | Database server hostname (not needed for SQLite)
DB_PORT | No* | 3306 | Database server port (not needed for SQLite)
DB_DATABASE | Yes | laravel | Database name or path to SQLite file
DB_USERNAME | No* | root | Database username (not needed for SQLite)
DB_PASSWORD | No* | - | Database password (not needed for SQLite)

Variables marked with * are only required when using MySQL, MariaDB, or PostgreSQL.
DB_CONNECTION=sqlite
# No additional configuration needed
# Database file: database/database.sqlite

Google OAuth Configuration

While the default is Google OAuth, NetBird Selfservice supports any OAuth provider compatible with Laravel Socialite.
Required for user authentication:
Variable | Required | Description
GOOGLE_CLIENT_ID | Yes | OAuth 2.0 Client ID from Google Cloud Console
GOOGLE_CLIENT_SECRET | Yes | OAuth 2.0 Client Secret from Google Cloud Console
GOOGLE_REDIRECT_URI | Yes | OAuth callback URL (must match Google Cloud Console configuration)

GOOGLE_CLIENT_ID=123456789-abcdefghijklmnop.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-your_client_secret_here
GOOGLE_REDIRECT_URI=https://your-domain.test/auth/google/callback

Google OAuth Setup

1. Access Google Cloud Console

Navigate to Google Cloud Console and sign in with your Google account.

2. Create or Select Project

Create a new project or select an existing one for your NetBird Selfservice deployment.

3. Enable OAuth Consent Screen

  1. Navigate to APIs & Services > OAuth consent screen
  2. Choose Internal (for Google Workspace) or External
  3. Fill in application name, user support email, and developer contact
  4. Add scopes: email, profile, openid

4. Create OAuth Credentials

  1. Navigate to APIs & Services > Credentials
  2. Click Create Credentials > OAuth client ID
  3. Select Web application as application type
  4. Add authorized redirect URI: https://your-domain.test/auth/google/callback
  5. Click Create

5. Copy Credentials

Copy the generated Client ID and Client Secret to your .env file:
GOOGLE_CLIENT_ID=your-client-id
GOOGLE_CLIENT_SECRET=your-client-secret
GOOGLE_REDIRECT_URI=https://your-domain.test/auth/google/callback
The GOOGLE_REDIRECT_URI must exactly match the authorized redirect URI in Google Cloud Console, including the protocol (http/https) and port number.

NetBird API Configuration

Settings for NetBird API integration:
Variable | Required | Description
NETBIRD_API_URL | Yes | NetBird API endpoint URL
NETBIRD_API_TOKEN | Yes | API access token with network management permissions
NETBIRD_NETWORK_ID | Yes | ID of the NetBird network to manage resources in
NETBIRD_NETWORK_NAME | No | Display name of your NetBird network
NETBIRD_ADMIN_EMAIL | Yes | Email address of the admin user (receives admin privileges)
NETBIRD_EGRESS_IP | Yes | Egress IP address displayed to users for reference
NETBIRD_RESOURCE_GROUP_NAME | Yes | Name of the NetBird group where resources are assigned
NETBIRD_USER_GROUP_NAME | Yes | Name of the NetBird group containing users who can access resources

# NetBird API Connection
NETBIRD_API_URL=https://api.netbird.io
NETBIRD_API_TOKEN=nb_1234567890abcdefghijklmnopqrstuvwxyz
NETBIRD_NETWORK_ID=abc123def456
NETBIRD_NETWORK_NAME="Production VPN Network"

# NetBird Settings
NETBIRD_ADMIN_EMAIL=[email protected]
NETBIRD_EGRESS_IP=99.99.99.99
NETBIRD_RESOURCE_GROUP_NAME="Resources for Employees"
NETBIRD_USER_GROUP_NAME="Employees"

NetBird API Setup

1. Log in to NetBird Dashboard

Navigate to NetBird Dashboard and sign in to your account.

2. Create API Token

  1. Go to Settings > Access Tokens
  2. Click Create Access Token
  3. Give it a descriptive name (e.g., “Selfservice API”)
  4. Select appropriate permissions (network management required)
  5. Copy the generated token immediately (it won’t be shown again)

3. Find Network ID

  1. Navigate to your network in the NetBird dashboard
  2. The Network ID is visible in the URL or network settings
  3. Copy it to NETBIRD_NETWORK_ID in your .env file

4. Create Required Groups

Create two groups in NetBird:

User Group (e.g., “Employees”):
  • Contains users who will access VPN resources
  • Add your team members to this group
Resource Group (e.g., “Resources for Employees”):
  • Resources created through Selfservice are assigned here
  • Should have access policies allowing the User Group to connect

5. Configure Access Policies

Set up NetBird access policies to allow the User Group to access the Resource Group.
Keep your NETBIRD_API_TOKEN secure. It has full access to manage your NetBird network. Never commit it to version control or expose it in logs.

Security Configuration

Security and access control settings:
Variable | Required | Description
NETBIRD_ALLOWED_DOMAIN | Strongly Recommended | Email domain allowed to sign in (e.g., example.com)
BCRYPT_ROUNDS | No | Number of bcrypt hashing rounds (default: 12)

# Security Settings
NETBIRD_ALLOWED_DOMAIN=example.com
BCRYPT_ROUNDS=12
Always set NETBIRD_ALLOWED_DOMAIN to restrict access to your organization’s email domain. Without this, anyone with a valid Google account could potentially sign in.

Session & Cache Configuration

Session and caching behavior:
Variable | Default | Description
SESSION_DRIVER | database | Session storage driver
SESSION_LIFETIME | 120 | Session lifetime in minutes
CACHE_STORE | database | Cache storage driver
QUEUE_CONNECTION | database | Queue driver for background jobs

SESSION_DRIVER=database
SESSION_LIFETIME=120
SESSION_ENCRYPT=false
CACHE_STORE=database
QUEUE_CONNECTION=database

Logging Configuration

Application logging settings:
Variable | Default | Description
LOG_CHANNEL | stack | Logging channel
LOG_STACK | single | Stack configuration
LOG_LEVEL | debug | Minimum log level

LOG_CHANNEL=stack
LOG_STACK=single
LOG_DEPRECATIONS_CHANNEL=null
LOG_LEVEL=debug
In production, set LOG_LEVEL=error to reduce log verbosity and improve performance.

Mail Configuration

Email delivery settings (optional, for notifications):
MAIL_MAILER=log
MAIL_HOST=127.0.0.1
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_FROM_ADDRESS="[email protected]"
MAIL_FROM_NAME="${APP_NAME}"
By default, emails are logged rather than sent. Configure a real mail driver (SMTP, Mailgun, etc.) if you need email notifications.

Configuration Best Practices

Before deploying to production:
  • Set APP_ENV=production
  • Set APP_DEBUG=false
  • Configure APP_URL with your production domain
  • Use MySQL/MariaDB instead of SQLite
  • Set NETBIRD_ALLOWED_DOMAIN to restrict access
  • Generate a strong APP_KEY
  • Use HTTPS for APP_URL and GOOGLE_REDIRECT_URI
  • Set appropriate LOG_LEVEL (warning or error)
  • Secure your .env file permissions (chmod 600)
  • Never commit .env to version control
Enhance security with these measures:
  1. Domain Restriction: Always set NETBIRD_ALLOWED_DOMAIN
  2. API Token Security: Rotate NETBIRD_API_TOKEN regularly
  3. Admin Access: Limit NETBIRD_ADMIN_EMAIL to trusted users only
  4. File Permissions: Ensure .env is readable only by the application user
  5. HTTPS: Always use HTTPS in production
  6. Database Security: Use strong database passwords and restrict network access
  7. Session Security: Set SESSION_ENCRYPT=true if handling sensitive data
For better performance:
  • Use Redis for CACHE_STORE and SESSION_DRIVER in production
  • Configure QUEUE_CONNECTION=redis with a dedicated queue worker
  • Enable OPcache in PHP configuration
  • Use composer install --optimize-autoloader --no-dev in production
  • Run php artisan config:cache and php artisan route:cache
Key differences between environments:
Setting | Development | Production
APP_ENV | local | production
APP_DEBUG | true | false
DB_CONNECTION | sqlite | mysql
LOG_LEVEL | debug | error
CACHE_STORE | database | redis
SESSION_DRIVER | database | redis

Verifying Configuration

After configuring your environment variables, verify the setup:
# Check configuration is loaded correctly
php artisan config:show

# Test database connection
php artisan migrate:status

# Clear configuration cache (if you made changes)
php artisan config:clear
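
Added example, not part of NetBird Selfservice: a POSIX shell check of a .env file against the production checklist above (APP_ENV, APP_DEBUG, APP_KEY, HTTPS URLs, LOG_LEVEL, NETBIRD_ALLOWED_DOMAIN without stray whitespace, file mode 600). The function names env_get, flag and audit_env and the sample file are constructed for illustration.

```shell
# Added example (not project code): audit a .env file before a production deploy.

# Print KEY's value from FILE (last assignment wins), minus one pair of
# surrounding double quotes. Trailing spaces are kept so they can be detected.
env_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

flag() { echo "FAIL: $*"; FINDINGS=$((FINDINGS + 1)); }

# Print one line per finding, leave the count in FINDINGS, fail if it is > 0.
audit_env() {
    f=$1; FINDINGS=0
    [ "$(env_get "$f" APP_ENV)" = production ] || flag "APP_ENV is not production"
    [ "$(env_get "$f" APP_DEBUG)" = false ] || flag "APP_DEBUG is not false"
    [ -n "$(env_get "$f" APP_KEY)" ] || flag "APP_KEY is empty"
    for key in APP_URL GOOGLE_REDIRECT_URI; do
        case "$(env_get "$f" "$key")" in
            https://*) ;;
            *) flag "$key does not use https" ;;
        esac
    done
    case "$(env_get "$f" LOG_LEVEL)" in
        warning|error) ;;
        *) flag "LOG_LEVEL is not warning or error" ;;
    esac
    case "$(env_get "$f" NETBIRD_ALLOWED_DOMAIN)" in
        "") flag "NETBIRD_ALLOWED_DOMAIN is not set" ;;
        *[[:space:]]*) flag "NETBIRD_ALLOWED_DOMAIN contains whitespace" ;;
    esac
    # GNU stat first, BSD/macOS stat as the fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = 600 ] || flag "file mode is $mode, expected 600"
    [ "$FINDINGS" -eq 0 ]
}

# Constructed sample: development-style values like the ones on this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
APP_ENV=local
APP_DEBUG=true
APP_KEY=
APP_URL=http://localhost:8000
GOOGLE_REDIRECT_URI=https://your-domain.test/auth/google/callback
LOG_LEVEL=debug
NETBIRD_ALLOWED_DOMAIN="example.com "
EOF
chmod 644 "$sample"
audit_env "$sample" || echo "$FINDINGS finding(s) in $sample"
rm -f "$sample"
```

Pointing audit_env at the real .env in a deploy pipeline lets the non-zero exit status stop the rollout; the script only reports which checks failed and never prints the values it read.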

Troubleshooting

If you see “redirect_uri_mismatch” error:
  1. Verify GOOGLE_REDIRECT_URI exactly matches Google Cloud Console
  2. Check protocol (http vs https)
  3. Ensure port numbers match if using non-standard ports
  4. Clear browser cache and cookies
If NetBird API calls fail:
  1. Verify NETBIRD_API_TOKEN is valid and not expired
  2. Check token has appropriate permissions
  3. Confirm NETBIRD_NETWORK_ID is correct
  4. Test API connectivity: curl -H "Authorization: Bearer $NETBIRD_API_TOKEN" $NETBIRD_API_URL/api/networks
If users from other domains can sign in:
  1. Verify NETBIRD_ALLOWED_DOMAIN is set in .env
  2. Clear configuration cache: php artisan config:clear
  3. Check for typos in the domain name
  4. Ensure no trailing spaces in the value

Next Steps

With configuration complete, you’re ready to:

  • First Login: Sign in with your Google account and start using NetBird Selfservice
  • User Guide: Learn how to create and manage VPN resources