Create a WireGuard® VPN with Netmaker

Posted by
Alex Feiszli
published
March 17, 2023

WireGuard® has grown in popularity amongst VPN providers, and for good reason. It’s way faster than older VPN protocols, not to mention smaller and more efficient.

But what if you don’t want to pay for NordVPN or PrivateInternetAccess? Well, the good news is, you can host your own WireGuard® VPN on a cheap VPS.

There are dozens of articles out there describing how to create a VPN with WireGuard®, but we’re going to cover how to do it with Netmaker, which comes with a few advantages.

  1. You won’t have to write config files by hand
  2. It scales automatically
  3. It has a nifty management UI
  4. It can do A LOT more than a standard internet VPN, from remote access to mesh networks.

What you need

  1. A VM with a public IP (VPS). This machine should have at least 1 CPU and 1 GB RAM. We recommend DigitalOcean, because they have some of the best pricing for outbound networking (which you’ll need a lot of for your VPN).
  2. Linux. We recommend Ubuntu 22.04, but any Debian-based distro should work.
  3. Firewall and security groups configured correctly. Expose ports 22/TCP, 443/TCP and 51821/UDP*. Port 22 is only for your own administration, so restrict it to your own IP if your provider’s firewall lets you.
  4. (Optional) If you have a domain you would like to use, point a wildcard record at this machine (ex: *.netmaker.mydomain.com). If you don’t provide a domain, Netmaker will generate a nip.io name from the server’s IP for you (see Issue #1 below for the catch).

*Netmaker needs one public UDP port per network, starting at 51821. If you plan on deploying additional networks, open up a range, typically 51821–51830/UDP.

Deploy Netmaker

Once the VM is set up, all you need to do is run the following script. It runs as root, so if you would rather not pipe it straight into sudo bash, download it to a file with wget first, read it, and then run it with the same arguments. The URL is pinned to a single gist revision, so what you review is what you run.

Option #1 - If you have your own domain configured:
wget -qO - https://gist.githubusercontent.com/afeiszli/381cb6bbeb69f7e1aa6966d2ccecd2a0/raw/b359112e5021c7f47cae7f2acaf0097e14571851/netmaker-vpn.sh | sudo bash -s -- -v true -m false -c 3 -d netmaker.mydomain.com -e example@email.com

Option #2 - If you do not:
wget -qO - https://gist.githubusercontent.com/afeiszli/381cb6bbeb69f7e1aa6966d2ccecd2a0/raw/b359112e5021c7f47cae7f2acaf0097e14571851/netmaker-vpn.sh | sudo bash -s -- -v true -m false -c 3

Netmaker should be up and running in a few minutes. The logs will give you the address to reach your server.

Set Up WireGuard® Locally

To use the Netmaker VPN, you next have to install WireGuard® on your device(s). Installation instructions for every platform are on the WireGuard® website.

Access Netmaker

Go to the domain in the logs, and create your admin user.

Once logged in, you can download the WireGuard® configuration for each of your client devices.

Click on “Ext Clients.”

Download the config file for vpnclient-1, or scan the QR code if using a phone. If you are joining multiple devices to the VPN, you can click “add external client” on the left side to create more.

Running the client

On Linux or Mac, once WireGuard® is installed, simply run “wg-quick up /path/to/conf/file” as root. wg-quick names the interface after the file, so keep the filename short (15 characters or fewer, letters, digits, dots, dashes and underscores only).

On Windows, open the WireGuard® app and import the conf file.

On iPhone or Android, open the WireGuard app and scan the QR code in the UI.

To confirm it’s working, go to whatsmyip.com and see that the IPv4 address is now equal to the Netmaker server IP.
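Before bringing the tunnel up, it is worth checking that the downloaded config actually describes a full-tunnel VPN, and afterwards that a handshake has completed, since both of the troubleshooting issues below (no DNS set, client “connected” but unable to reach the internet) show up as a bad config or a missing handshake. The script below is an added example, not code from the original post or the Netmaker project. It only assumes the standard wg-quick INI keys; the 10.201.x addresses, the 203.0.113.10 endpoint and the placeholder keys in the sample configs are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the Netmaker project or the original post.
# Sanity-checks an "Ext Clients" WireGuard config before `wg-quick up` and
# checks for a live handshake afterwards. Only standard wg-quick INI keys are
# assumed; addresses and keys in the samples below are constructed placeholders.
set -u

# Print the value of KEY in FILE (first match, case-insensitive), or nothing.
# Splits on the first '=' only, so base64 keys ending in '=' survive intact.
wg_conf_get() {
    _k=$1; _f=$2
    awk -v k="$_k" '
        /^[ \t]*#/ || /^[ \t]*\[/ { next }      # skip comments and [Section] headers
        {
            i = index($0, "="); if (i == 0) next
            name = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(name) == tolower(k)) { print val; exit }
        }' "$_f"
}

# Return 0 if FILE is usable as a full-tunnel (internet) client config, else 1,
# naming each failed check on stderr.
check_full_tunnel_conf() {
    file=$1; rc=0
    for key in PrivateKey Address PublicKey Endpoint; do
        [ -n "$(wg_conf_get "$key" "$file")" ] || { echo "$file: missing $key" >&2; rc=1; }
    done
    # An internet VPN needs the default route. A mesh-only AllowedIPs (10.x only)
    # brings the tunnel up but leaves internet traffic on your normal uplink.
    case ",$(wg_conf_get AllowedIPs "$file" | tr -d ' ')," in
        *,0.0.0.0/0,*) ;;
        *) echo "$file: AllowedIPs lacks 0.0.0.0/0 (split tunnel, not a full VPN)" >&2; rc=1 ;;
    esac
    # With no DNS line, name resolution stays on the local resolver (see Issue #2).
    [ -n "$(wg_conf_get DNS "$file")" ] || { echo "$file: DNS not set" >&2; rc=1; }
    return $rc
}

# Given the output of `wg show <iface> latest-handshakes` (peer key and epoch
# seconds per line) and the current epoch time, return 0 if any peer completed
# a handshake in the last 180 s. WireGuard re-handshakes roughly every 2 min
# while traffic flows, so a zero or stale timestamp means packets are not
# reaching the Endpoint (check 51821/udp on the VPS firewall first).
handshake_recent() {
    printf '%s\n' "$1" | awk -v now="$2" '
        $2 > 0 && now - $2 <= 180 { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Write two constructed sample configs into DIR: one shaped like what the
# Ext Clients page hands out for an internet VPN, one mesh-only split tunnel.
write_samples() {
    cat > "$1/vpnclient-1.conf" <<'EOF'
[Interface]
PrivateKey = <client private key from the Ext Clients page>
Address = 10.201.0.2/32
DNS = 10.201.255.254

[Peer]
PublicKey = <server public key from the Ext Clients page>
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51821
PersistentKeepalive = 20
EOF
    cat > "$1/split.conf" <<'EOF'
[Interface]
PrivateKey = <client private key>
Address = 10.201.0.3/32

[Peer]
PublicKey = <server public key>
AllowedIPs = 10.201.0.0/16
Endpoint = 203.0.113.10:51821
EOF
}

# Demo on the constructed samples. For a real file, point check_full_tunnel_conf
# at the config you downloaded, then `sudo wg-quick up <file>` and feed
# `wg show <iface> latest-handshakes` plus `date +%s` to handshake_recent.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir"/vpnclient-1.conf "$demo_dir"/split.conf; do
    if check_full_tunnel_conf "$f"; then echo "$f: OK"; else echo "$f: fix before use"; fi
done
rm -rf "$demo_dir"
```

If the config passes but whatsmyip.com still shows your home address, the handshake check is the next thing to run: a zero timestamp almost always means the UDP port is blocked between you and the VPS, while a recent handshake with no internet access points at the egress gateway (Issue #2).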

That’s it! You’re now running on a Netmaker VPN.

Next Steps

If you’re using Netmaker as an internet VPN, you may want to consider the other use cases for Netmaker, primarily remote access to your devices, servers and networks. Netmaker allows you to deploy “nodes” to access devices directly in any environment, including your home or office network.

Deploy a “node” onto a server in that network, and your client devices gain immediate access to that server. Additionally, create an “egress gateway” on that node, and now client devices can reach anything in the full remote network. Check out this guide for setting up remote access to an AWS environment.

Additional Considerations

The Netmaker server will not route IPv6 by default. Your VPS may not come with IPv6 enabled, and even if it does, setting up IPv6 in Docker is very challenging. If you would like to create an internet gateway which routes IPv6 traffic (in addition to IPv4), we recommend the following:

  1. Create a Netmaker network with “dual stack” enabled.
  2. Add a second virtual machine to the network as a “node” which will act as your ingress/egress gateway. This machine must have IPv6 enabled.
  3. Set the machine as an ingress/egress gateway as described below (Issue #2), and remember to set “::/0” in addition to “0.0.0.0/0” as your egress ranges.

Optional Configuration: Reduce Dashboard Access

Netmaker has a great admin UI for controlling your networks. You may not want this exposed to the public. To restrict the dashboard to just your own IP address (for example, 1.2.3.4), you can follow these steps.

Troubleshooting

Issue #1: Traefik Connection not working

Got this in your logs?

testing Traefik setup (please be patient, this may take 1-2 minutes)
    issue establishing connection...retrying in 15 seconds...
    issue establishing connection...retrying in 20 seconds...
    issue establishing connection...retrying in 25 seconds...
    issue establishing connection...retrying in 30 seconds...

Traefik might be having problems with your DNS or with certificate issuing. Press ctrl+c, then look at the Traefik container’s logs:

docker logs traefik

This should tell you the issue with your certificates. A common issue, if not using your own domain, is that “nip.io” is rate-limited, which means you either need to try again later, or get your own domain.

Issue #2: Ingress/Egress did not get set up automatically

Sometimes the setup script is not so smart. If you run into issues, try following these steps for the egress gateway.

Next, make sure the “Default Ext Client DNS” field is set. Edit the network and check the field. The address should be 10.201.255.254 (or whatever address the node netmaker-1 has been given).

Finally, set the Netmaker server as an Ingress Gateway to generate the ext clients.

Issue #3: Client not Connecting

If the client is not connecting to the VPN (can’t reach the internet), it may be due to a race condition in the bash script (client configs get created too quickly). In this case, go to the Ext Clients section and “create” another VPN client. This should resolve the race condition, and your existing client config should work.

Disclaimer: WireGuard is a registered trademark of Jason A. Donenfeld.
