Hands-On Guide to Netmaker v0.13.1
This hands-on guide shows you how to set-up Office-Home Wireguard mesh network using Netmaker v0.13.1.
<Hands-on guide to Netmaker v0.14.2 is out! Please see here.>
Scenario
Office network has dynamic global IP that binds to office router and office workstation is behind a NAT. Home network has dynamic global IP that binds to home router and home PC is behind a NAT. Netmaker (server) will place on cloud and static global IP is attached.
Installation of Netmaker
Before install Netmaker, let’s create a VM on your preferred cloud. This guide will use Lightsail on AWS.
VM preparation
- Create a VM with 4GB of memory and 2 vCPU running Ubuntu 22.04
- Attach static global IP to your VM
- Add wildcard A record to your DNS that points to the public IP of your VM
- Allow 80/tcp, 443/tcp, 8883/tcp, 51821–51830/udp from 0.0.0.0/0
- Install dependencies to your VM (
sudo apt update && sudo apt install -y docker.io docker-compose wireguard)
Once you booted up Ubuntu box, download docker-compose.yml file from Netmaker repository.
$ sudo su -
$ wget -O docker-compose.yml \
https://raw.githubusercontent.com/gravitl/netmaker/v0.13.1/compose/docker-compose.ymlSet your base domain, this domain should be matched to wildcard A record that you added to your DNS. Here is the example command that assumes your wildcard A record looks like *.netmaker.example.jp A 54.XXX.YYY.ZZZ
$ sed -i 's/NETMAKER_BASE_DOMAIN/netmaker.example.jp/g' docker-compose.ymlSet your server IP (global IP).
$ curl ifconfig.me
54.XXX.YYY.ZZZ
$ sed -i 's/SERVER_PUBLIC_IP/54.XXX.YYY.ZZZ/g' docker-compose.ymlSet your CoreDNS IP. If you run VM on AWS, global IP is not directly bind to network interface of VM. In such a case, we need to set the IP of the default interface.
$ (ip route get 1 | sed -n 's/^.*src \([0-9.]*\) .*$/\1/p')
172.XXX.YYY.ZZZ
$ sed -i 's/COREDNS_IP/172.XXX.YYY.ZZZ/g' docker-compose.ymlGenerate a master key and populate it.
$ tr -dc A-Za-z0-9 </dev/urandom | head -c 30 ; echo ''
8I9Ifom5xfiEVrcatsfsXXXXXXXXXX
sed -i 's/REPLACE_MASTER_KEY/8I9Ifom5xfiEVrcatsfsXXXXXXXXXX/g' docker-compose.ymlPrepare Caddy. Set your base domain and E-mail address for acquiring wildcard SSL certificate from Let’s encrypt.
wget -O /root/Caddyfile \
https://raw.githubusercontent.com/gravitl/netmaker/v0.13.1/docker/Caddyfile
sed -i 's/NETMAKER_BASE_DOMAIN/netmaker.example.jp/g' /root/Caddyfile
sed -i 's/YOUR_EMAIL/netmaker@example.jp/g' /root/CaddyfilePrepare MQ
wget -O /root/mosquitto.conf \
https://raw.githubusercontent.com/gravitl/netmaker/v0.13.1/docker/mosquitto.confLet’s spin up Netmaker
docker-compose up -dWeb UI
Open https://dashboard.netmaker.example.jp on your browser and create an admin user to get started.
Log-in to web UI
Create Network
Create network called awesome
Click network name to configure this network
Create Access Key
Set number to Usesthat satisfies expected user volume
Copy Client Install Commands . Use this command later to add client to this network.
Installation of Netclient (Office Workstation & Home PC)
Install dependencies
sudo apt update && sudo apt install -y wireguardInstall Netclient and Join to Netmaker network
Paste Client Install Commands to your client terminal
sudo su -
curl -sfL https://raw.githubusercontent.com/gravitl/netmaker/master/scripts/netclient-install.sh | VERSION=v0.13.1 KEY=XXXXXXXX sh -You can check your netclient status with:
systemctl status netclientOn v0.13.1, I got following error (error message below has been partially omitted to simplify message). This is just a status check error and if your client can ping through Netmaker network, you can ignore it. This will fix in v0.14 according to Netmaker team.
could not ping server for awesome broker.netmaker.example.jp
ping error 100.000000Let’s check IP of nm-awesome device on Office workstation.
$ ip a
nm-awesome: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 192.168.110.1/32 scope global nm-awesome
valid_lft forever preferred_lft forever
bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether de:AA:BB:CC:DD:EE brd ff:ff:ff:ff:ff:ff
inet 10.0.0.254/20 brd 10.0.0.1 scope global bond0
valid_lft forever preferred_lft foreverCheck IP of nm-awesome device on Home PC
$ ip a
nm-awesome: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 192.168.110.2/32 scope global nm-awesome
valid_lft forever preferred_lft forever
Ping office workstation from home PC.
$ ping 192.168.110.1If ping doesn’t reach, check wireguard connection with wg show on home PC.
$ wg show
interface: nm-awesome
public key: i3c2HJr+LpXBKv9d166OwPE7ZkMHOwsG/XXXXXXX=
private key: (hidden)
listening port: 43449peer: pvQRAMxKGh8Lzj4Mt3lHqYJesJZ2uXXXXXXX=
endpoint: 54.XXX.YYY.ZZZ:51821
allowed ips: 192.168.110.254/32, 192.168.110.0/24
latest handshake: 50 seconds ago
transfer: 0 B received, 48.56 KiB sent
persistent keepalive: every 20 seconds
If you see 0B received that means wireguard connection is not established. Sometimes MTU is a cause, but since Netmaker’s default MTU is low enough, I’ll explain another possibility such as ”UDP hole punching doesn’t work” case.
UDP hole punching
When we create awesome network, we enabled UDP hole punching . This is convenient if your consumer grade router is UPnP enabled that automatically open UDP port to the public for you and map that port to your netclient installed PC.
If your router does not support or disabled UPnP, you need to configure your router manually. You need to open udp port to the public, for example 51821/udp, for wireguard connection and map that port to your PC that is netclient installed. If there is a firewall you also need to change that settings to allow wireguard connections.
But not always you can administer a router/firewall on both end. If you can’t change settings of office router/firewall, it’s time to make use of Relay functionality of Netmaker.
Relay
You can setup Netmaker server as a Relay. Open Nodes tab of Netmaker web UI. Click “Make Relay” of netmaker-1.
Select office workstation , and click CREATE button.
Now your graph looks like below. If you connect to office workstation from home PC, all the traffic go through Netmaker server. If you place your Netmaker server on cloud, you need to watch transfer costs in some use cases.
Ping may work now.
$ ping 192.168.110.1Egress Gateway
To access office network (ex. 10.0.10.0/24) from home PC. Configure office PC as Egress Gateway. Before hands, check route of office PC.
$ route
10.0.0.0 0.0.0.0 255.255.240.0 U 0 0 0 bond0
192.168.110.0 0.0.0.0 255.255.255.0 U 0 0 0 nm-awesome
home-pc.aweso 0.0.0.0 255.255.255.255 UH 0 0 0 nm-awesome
netmaker-1.awes 0.0.0.0 255.255.255.255 UH 0 0 0 nm-awesomeClick Nodes > Create Egress Gateway
Set Egress Gateway Range, 10.0.10.0/24 , this could be a subnet in your office.
Access Office Network from Home PC
Check route of home PC.
$ route
10.0.10.0 0.0.0.0 255.255.255.0 U 0 0 0 nm-awesome
192.168.110.0 0.0.0.0 255.255.255.0 U 0 0 0 nm-awesomeIf route doesn’t appear, manually pull configuration from Netmaker. Then check route again.
sudo netclient pullSSHing to PC (10.0.10.5) in office network from home PC through office workstation.
$ ssh 10.0.10.5 -l user -i .ssh/id_rsaWelcome to Ubuntu 20.04.2 LTS
user@ws5:~#