WireGuard® has grown in popularity amongst VPN providers, and for good reason. It’s way faster than older VPN protocols, not to mention smaller and more efficient.
But what if you don’t want to pay for NordVPN or PrivateInternetAccess? Well, the good news is, you can host your own VPN with WireGuard®.
There are dozens of articles out there describing how to create a VPN with WireGuard®, but we’re going to cover how to do it with Netmaker, which comes with a few advantages.
Note: Netmaker needs one public port per network, starting at 51821. If you plan on deploying additional networks, you will want to open up a range, typically 51821–51830/udp.
Once the VM is set up, all you need to do is run the following script:
Option #1 - If you have your own domain configured:
wget -qO - https://gist.githubusercontent.com/afeiszli/381cb6bbeb69f7e1aa6966d2ccecd2a0/raw/b359112e5021c7f47cae7f2acaf0097e14571851/netmaker-vpn.sh | sudo bash -s -- -v true -m false -c 3 -d netmaker.mydomain.com -e email@example.com
Option #2 - If you do not:
wget -qO - https://gist.githubusercontent.com/afeiszli/381cb6bbeb69f7e1aa6966d2ccecd2a0/raw/b359112e5021c7f47cae7f2acaf0097e14571851/netmaker-vpn.sh | sudo bash -s -- -v true -m false -c 3
Netmaker should be up and running in a few minutes. The logs will give you the address to reach your server.
To use the Netmaker VPN, you next have to install WireGuard® on your device(s). Installation instructions can be found here.
Go to the domain in the logs, and create your admin user.
Once logged in, you can download and use your Netmaker client.
Click on “Ext Clients.”
Download the config file for vpnclient-1, or scan the QR code if using a phone. If you are joining multiple devices to the VPN, you can click “add external client” on the left side to create more.
On Linux or Mac, once WireGuard® is installed, simply run “wg-quick up /path/to/conf/file”.
On Windows, open the WireGuard® app and import the conf file.
On iPhone or Android, open the WireGuard app and scan the QR code in the UI.
To confirm it’s working, go to whatsmyip.com and see that the IPv4 address is now equal to the Netmaker server IP.
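As an added example (not part of the original guide and not Netmaker's own tooling), this script audits a downloaded ext client config before “wg-quick up”: it checks the file permissions, whether AllowedIPs sends all IPv4 and IPv6 traffic through the tunnel, and whether a DNS line is set. The sample config, its addresses and keys, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Netmaker code): audit an ext client config before `wg-quick up`.

# conf_values FILE KEY: print each comma-separated value of KEY on its own line.
conf_values() {
  awk -v key="$2" '
    /^[ \t]*#/ { next }                          # skip comment lines
    index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
      if (tolower(k) != tolower(key)) next
      n = split(substr($0, index($0, "=") + 1), parts, ",")
      for (i = 1; i <= n; i++) { gsub(/[ \t\r]/, "", parts[i]); if (parts[i] != "") print parts[i] }
    }' "$1"
}

# audit_wg_conf FILE: print one finding per line; exit status is 0 only if there are none.
audit_wg_conf() (
  conf=$1; findings=0
  note() { echo "$1"; findings=$((findings + 1)); }
  allowed=$(conf_values "$conf" AllowedIPs)
  has() { printf '%s\n' "$allowed" | grep -qxF "$1"; }
  # The file contains the PrivateKey: only its owner should be able to read it.
  mode=$(stat -c %a "$conf" 2>/dev/null || stat -f %Lp "$conf")
  case $mode in *00) ;; *) note "PERMS: mode $mode, run chmod 600" ;; esac
  if ! has 0.0.0.0/0; then
    note "ROUTE: 0.0.0.0/0 not in AllowedIPs, internet traffic will not use the VPN"
  elif ! has ::/0; then
    # wg-quick only routes AllowedIPs, so IPv6 keeps using the normal uplink.
    note "IPV6: ::/0 not in AllowedIPs, IPv6 traffic bypasses the tunnel"
  fi
  [ -n "$(conf_values "$conf" DNS)" ] || note "DNS: no DNS line, lookups use the local resolver"
  [ "$findings" -eq 0 ]
)

# Constructed sample config (keys are placeholders, not real key material).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Interface]
Address = 10.201.0.2/32
PrivateKey = <client-private-key>
DNS = 10.201.255.254
[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51821
EOF
audit_wg_conf "$sample" || echo "review the findings above before running wg-quick up"
rm -f "$sample"
```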
That’s it! You’re now running on a Netmaker VPN.
If you’re using Netmaker as an internet VPN, you may want to consider the other use cases for Netmaker. Primarily: remote access to your devices/servers/networks. Netmaker allows you to deploy “nodes” to access devices directly in any environment, including your home or office network.
Deploy a “node” onto a server in that network, and your client devices gain immediate access. Additionally, create an “egress gateway” on that node, and now client devices can reach anything in the full remote network! Check out this guide for setting up remote access to an AWS environment.
The Netmaker server will not route IPv6 by default. Your VPS may not come with IPv6 enabled, and even if it does, setting up IPv6 in Docker is very challenging. If you would like to create an internet gateway which routes IPv6 traffic (in addition to IPv4), we recommend the following:
Netmaker has a great admin UI for controlling your networks. You may not want this exposed to the public. To restrict the dashboard to just your local IP address (for example, 188.8.131.52), you can follow these steps.
Got this in your logs?
testing Traefik setup (please be patient, this may take 1-2 minutes)
issue establishing connection...retrying in 15 seconds...
issue establishing connection...retrying in 20 seconds...
issue establishing connection...retrying in 25 seconds...
issue establishing connection...retrying in 30 seconds...
Traefik might be having problems with your DNS or certificate issuing. Press Ctrl+C and then look at your Docker logs:
docker logs traefik
This should tell you the issue with your certificates. A common issue, if not using your own domain, is that “nip.io” is rate-limited, which means you either need to try again later, or get your own domain.
Sometimes the setup script is not so smart. If you run into issues, try following these steps for the egress gateway.
Next, make sure the “Default Ext Client DNS” field is set. Edit the network and make sure the field is set (#12 in this picture). The address should be 10.201.255.254 (or whatever the node netmaker-1 is set to).
Finally, set the netmaker server as an Ingress Gateway to generate the ext clients.
If the client is not connecting to the VPN (can’t reach the internet), it may be due to a race condition in the bash script (client configs get created too quickly). In this case, go to the Ext Client section and “create” another VPN client. This should resolve the race condition and your existing client config should work.
Disclaimer: WireGuard is a registered trademark of Jason A. Donenfeld.