netbird/client/ui-wails/frontend/settings.md

Settings — Tabs & Controls

Each row has a title and short description. Booleans default to toggle switch; pick another control only when noted.

Tab order: General · Network · SSH · Troubleshooting · About.

---

1. General

App behavior + how the client connects.

Startup

• Connect on startup — disableAutoConnect (inverted) · toggle switch
  • Automatically connect to NetBird when the app launches.
• Show notifications — disableNotifications (inverted) · toggle switch
  • Show desktop notifications for connection events and updates.

Connection

• Management URL — managementUrl · text input
  • The NetBird management server this client connects to.
• Admin URL — adminUrl · text input
  • Web dashboard URL used by "Open Admin Panel".
• Pre-shared key — preSharedKey · password input with reveal toggle
  • Optional WireGuard pre-shared key for an extra layer of symmetric encryption.

Interface

• Interface name — interfaceName · text input
  • Name of the WireGuard network interface created on this host.
• WireGuard port — wireguardPort · number input
  • Local UDP port the WireGuard interface listens on.
• MTU — mtu · number input
  • Maximum transmission unit for the WireGuard interface.

---

2. Network

Routing, DNS, firewall, and encryption — everything the daemon does on the wire and to the host network.

Routing & DNS

• Lazy connections — lazyConnectionEnabled · toggle switch
  • Only establish peer tunnels on first traffic instead of eagerly at startup.
• Network monitor — networkMonitor · toggle switch
  • Reconnect automatically when the host network changes (Wi-Fi switch, VPN, sleep/wake).
• Enable DNS — disableDns (inverted) · toggle switch
  • Apply NetBird-managed DNS settings to the host resolver.
• Enable client routes — disableClientRoutes (inverted) · toggle switch
  • Accept routes advertised by other peers so this client can reach their networks.
• Enable server routes — disableServerRoutes (inverted) · toggle switch
  • Advertise this host's local routes to other peers.

Firewall

• Block inbound traffic — blockInbound · toggle switch
  • Drop all unsolicited inbound traffic on the NetBird interface.
• Block LAN access — blockLanAccess · toggle switch
  • Prevent peers from reaching this host's local network.

Encryption

• Quantum-resistant encryption — rosenpassEnabled · toggle switch
  • Add a post-quantum key exchange (Rosenpass) on top of WireGuard.
  • Permissive mode — rosenpassPermissive · toggle switch (nested, only when above is on)
    • Allow connections to peers without quantum-resistance support.

---

3. SSH

NetBird SSH server config. Master switch at the top; sub-toggles greyed out with an inline notice ("Enable Allow SSH to configure") when the master is off.

Server

• Allow SSH — serverSshAllowed · toggle switch (master)
  • Run the NetBird SSH server on this host so other peers can connect to it.
• Allow root login — enableSshRoot · toggle switch
  • Permit incoming SSH sessions to authenticate as root.
• Enable SFTP — enableSshSftp · toggle switch
  • Allow file transfers over the NetBird SSH server.
• Local port forwarding — enableSshLocalPortForwarding · toggle switch
  • Allow clients to forward local ports through this host.
• Remote port forwarding — enableSshRemotePortForwarding · toggle switch
  • Allow clients to expose remote ports back through this host.

Authentication

• Disable SSH auth — disableSshAuth · toggle switch
  • Skip JWT authentication for incoming SSH sessions. Insecure — diagnostics only.
• JWT cache TTL — sshJwtCacheTtl · number input (seconds)
  • How long verified JWTs are cached before re-validation.

---

4. Troubleshooting

Everything you reach for when something is wrong. Config + actions deliberately mixed — they're used together.

Logging

• Log level — dropdown: Debug / Info / Warn / Error
  • Verbosity of the daemon log. Raise to Debug when reproducing an issue.
• Log file path — read-only text + Copy + Reveal in Finder/Explorer
• Config file path — read-only text + Copy + Reveal in Finder/Explorer

Debug bundle

• Anonymize — toggle switch
  • Strip IPs, hostnames, and peer names from the bundle before saving.
• Include system info — toggle switch
  • Add OS, kernel, and network interface details to the bundle.
• Upload on create — toggle switch
  • When on, reveals an upload URL field and uploads the bundle after creation.
• Create Bundle — button → progress indicator → resulting path or upload URL.

---

5. About

Version, update flow, and identity reference.

• App version, daemon version
• Check for Updates — button (drives auto-update flow; 15-min timeout, success/error states)
• Local peer info quick-reference (FQDN, IP) — same data shown in the connection-state view
• Links: docs, GitHub repo, license