How to enable secure access to your hosted services using Netmaker and WireGuard

Introduction

This tutorial uses Nextcloud as an example, but it is very trivial to use this same process for many other use cases such as Kubernetes, remote desktops, game servers, databases, or really any service you can host from a linux server. Nextcloud is not the primary focus, just a tangible example. The focus is on setting up remote access to a service over a WireGuard VPN.

This video outlines what we will cover: https://youtu.be/dKa1D91aRj4

Prerequisite: Get Netmaker Installed

wget -O docker-compose.yml https://raw.githubusercontent.com/gravitl/netmaker/master/scripts/docker-compose.slim.yml

sed -i 's/HOST_IP/< Insert your-host IP Address Here >/g' docker-compose.yml

docker-compose up -d

If all goes well (and if it doesn't, check out the Troubleshooting docs), you can follow along from there.
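The sed step above is the one place where a typo goes unnoticed: if the placeholder is mistyped, sed replaces nothing and the server comes up advertising "HOST_IP" as its endpoint. The following shell script is an added example, not code from the original post or from the Netmaker project. It wraps the same substitution with two checks: the value you pass must be an IPv4 literal, and no HOST_IP placeholder may survive in the output. The compose snippet inside it is a constructed stand-in for docker-compose.slim.yml, and its keys are illustrative only; on a real install you would point render_compose at the downloaded file.

```shell
#!/bin/sh
# Added example, not part of the original post or the Netmaker project:
# fill in HOST_IP in the compose template with sanity checks, instead of
# a bare sed that silently does nothing when the placeholder is mistyped.

# is_ipv4 ADDR -> returns 0 if ADDR is a dotted-quad IPv4 literal (octets 0-255)
is_ipv4() {
    addr=$1
    printf '%s\n' "$addr" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# render_compose TEMPLATE OUT ADDR -> writes OUT with every HOST_IP replaced by ADDR
render_compose() {
    template=$1; out=$2; addr=$3
    if ! is_ipv4 "$addr"; then
        echo "refusing: '$addr' is not an IPv4 address" >&2; return 1
    fi
    if ! grep -q 'HOST_IP' "$template"; then
        echo "refusing: no HOST_IP placeholder found in $template" >&2; return 1
    fi
    sed "s/HOST_IP/$addr/g" "$template" > "$out"
    # nothing may be left unreplaced, or the server would advertise a bogus endpoint
    if grep -q 'HOST_IP' "$out"; then
        echo "placeholder still present in $out after substitution" >&2; return 1
    fi
    echo "wrote $out with host address $addr"
}

# Constructed stand-in for docker-compose.slim.yml (keys are illustrative only).
demo_dir=$(mktemp -d)
cat > "$demo_dir/compose.tmpl" <<'EOF'
services:
  netmaker:
    environment:
      SERVER_HOST: "HOST_IP"
      SERVER_API_CONN_STRING: "HOST_IP:8081"
EOF
render_compose "$demo_dir/compose.tmpl" "$demo_dir/docker-compose.yml" "203.0.113.10"
```

Passing the untouched placeholder text, a hostname, or an address with an out-of-range octet makes render_compose refuse and leave no output file behind, which is the failure mode you want before docker-compose up -d.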

Problem Statement

Part 1: Create the Netmaker network

After creating the network, let's add the Netmaker server as the first node in our "home" network. Even though it's in the cloud, it can act as a gateway to our home network, as you will see. A public IP comes in handy sometimes, and your home network is probably NAT'ted behind a router.

All you have to do is click the little “plus” button in the Network Details pane on the home network row, and then the server will add itself to the network, configuring WireGuard in the background.

If everything goes okay, you should now see the “netmaker” node in your home network under the “Nodes” pane. If not, you’ll need to check the server logs to see what’s going on.

Now things begin to get a little more involved.

Part 2: Adding a Node

But first, you need an access key. Click on the Access Keys tab and create a key. But be careful! Don’t click away from the resulting screen right away, because you’ll only get to see it once.

Remember to save your keys!

This screen displays how you can connect to the server. It provides three methods: custom, with token, and installer script. For a fresh machine, we can just use the installer script. For any additional networks, we'll use the Access Token with 'netclient join -t <token>'.

SSH to your Nextcloud server locally and run the script:

curl -sfL https://raw.githubusercontent.com/gravitl/netmaker/v0.5/scripts/netclient-install.sh | KEY=<your key> sh -

If all goes well you’ll see the following:

Run wg show to confirm:

The main indicator that things are working is the transfer lines. Make sure they don't say "0 B received", or something is probably wrong. However, it also takes about a minute for nodes to retrieve updates, so don't freak out immediately: give it a minute to breathe.
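Eyeballing wg show works for one node, but once you have several it helps to script the check described above. The following shell function is an added example, not code from the original post or from the Netmaker or WireGuard projects. It reads wg show output on standard input and flags any peer that has never completed a handshake or still reports "0 B received". The interface name, peer keys and addresses in the sample are constructed placeholders; on a real node you would pipe the live output in with "wg show | check_wg_peers".

```shell
#!/bin/sh
# Added example, not from the original post or the Netmaker/WireGuard projects:
# parse `wg show` output and flag peers whose tunnel has not come up.

# check_wg_peers < wg-show-output
# Prints one line per peer (OK or WARN ...) and returns 1 if any peer has no
# "latest handshake" line yet or reports 0 B received.
check_wg_peers() {
    awk '
        function flush() {
            if (peer != "") {
                status = "OK"
                if (!handshake)             status = "WARN no handshake yet"
                else if (received == "0 B") status = "WARN 0 B received"
                if (status != "OK") bad++
                printf "%s %s (%s)\n", status, peer, ips
            }
            peer = ""; handshake = 0; received = ""; ips = ""
        }
        /^interface: /      { flush() }
        /^peer: /           { flush(); peer = $2 }
        /latest handshake:/ { handshake = 1 }
        /allowed ips:/      { ips = $0; sub(/^[ \t]*allowed ips: /, "", ips) }
        /transfer:/         { received = $2 " " $3 }
        END { flush(); exit (bad > 0) }
    '
}

# Constructed sample of `wg show` output (placeholder keys, not real ones):
# one healthy peer and one that has never completed a handshake.
SAMPLE_WG_SHOW='interface: nm-home
  public key: SERVER_PUBKEY_PLACEHOLDER=
  private key: (hidden)
  listening port: 51821

peer: PEER_A_PUBKEY_PLACEHOLDER=
  endpoint: 203.0.113.10:51821
  allowed ips: 10.10.10.1/32
  latest handshake: 42 seconds ago
  transfer: 1.23 KiB received, 2.45 KiB sent
  persistent keepalive: every 20 seconds

peer: PEER_B_PUBKEY_PLACEHOLDER=
  endpoint: 198.51.100.5:51821
  allowed ips: 10.10.10.3/32
  transfer: 0 B received, 592 B sent'

printf '%s\n' "$SAMPLE_WG_SHOW" | check_wg_peers \
    || echo "some peers need attention (give new nodes a minute, then re-check)"
```

A peer with no "latest handshake" line has not yet exchanged keys with this node, which is the state a freshly joined node sits in for up to a minute; if it stays that way, the usual causes are a blocked UDP port or a wrong endpoint, and the server logs are the next place to look.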

You can ssh to other Linux machines and repeat the exact same install command and it should work, so long as WireGuard is installed. They will all form a single mesh network, meaning every node can talk to every other node directly.

However, for our purposes, you just need the one node where Nextcloud is running. If it's up, you can move on to the next step, external clients, which are very different from the nodes managed by netclient.

Part 3: External Clients

To set up access, we’ll create an Ingress Gateway, and then create some clients. The Ingress Gateway is a single point of entry for remote clients. All traffic gets funneled through the Ingress Gateway to the rest of the network. This way, these clients don’t need to be meshed, and we don’t need to run any complex, platform-dependent logic. This lets us increase the scope of compatibility to any machine that can run WireGuard, which at this point includes iPhone, Android, Windows, and Mac. That should cover it, don’t you think?

To start, go back to your UI and go to the Nodes section of your home network. Click on the “netmaker” node and click the strange looking button to create an ingress gateway (tooltip text may help):

After confirming, head over to the External Clients tab to add some clients. By just clicking the Plus button on the "netmaker" gateway, you can generate a new valid WireGuard config, which can be added to any device:

You can expand any client to get a QR code and downloadable config file which can be used on any machine:

Finally, use your phone or some other device to scan the config (using the WireGuard app):

After connecting to the VPN, you can access Nextcloud using the private endpoint!

This same process can be used for many other types of services. WireGuard is very fast and secure, so don’t be afraid to use it.
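The whole point of reaching Nextcloud through the private endpoint is that the VPN is the only way in. That only holds if the service is not also listening on a public address, so one check worth running on the Nextcloud server is whether its port is bound to anything other than the WireGuard address or loopback. The shell function below is an added example, not code from the original post or from the Netmaker project. It reads "ss -ltn" output on standard input; the port number, the WireGuard address 10.10.10.2 and the sample listener table are all constructed assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post or the Netmaker project: confirm
# that a service port is only bound to the WireGuard address (or loopback),
# so the VPN really is the only route to it.

# check_listen_scope PORT WG_ADDR  (reads `ss -ltn` output on stdin)
# Returns 0 if every listener on PORT is bound to WG_ADDR or loopback,
# 1 if any listener on PORT is bound to a wildcard or any other address.
check_listen_scope() {
    port=$1; wgaddr=$2
    awk -v port="$port" -v ok="$wgaddr" '
        $1 != "LISTEN" { next }            # skip the header and non-listening rows
        {
            n = split($4, a, ":"); p = a[n] # port is the last colon-separated field
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p != port) next
            if (addr == ok || addr == "127.0.0.1" || addr == "[::1]") {
                printf "OK      %s\n", $4; next
            }
            printf "EXPOSED %s (not limited to %s)\n", $4, ok; bad++
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample of `ss -ltn` on the Nextcloud host (assumed WireGuard
# address 10.10.10.2): HTTPS is bound to the WireGuard address but also to
# the IPv6 wildcard, which the check must catch.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    10.10.10.2:443       0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       4096    [::]:443             [::]:*'

printf '%s\n' "$SAMPLE_SS" | check_listen_scope 443 10.10.10.2 \
    || echo "port 443 is reachable outside the VPN: bind it to the WireGuard address or restrict it in the host firewall"
```

On a live host run "ss -ltn | check_listen_scope 443 <wg address>" after netclient has joined. A wildcard bind is not wrong by itself if the host firewall limits the port to the WireGuard interface; this check only reports the bind scope, so treat an EXPOSED line as a prompt to verify one of the two.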

Part 4: Conclusion

In the meantime, happy networking!

Alex is CEO of Netmaker (https://netmaker.io), a cloud networking company building the next-gen virtual networking platform.

Alex Feiszli