How to enable secure access to your hosted services using Netmaker and WireGuard
--
Introduction
In this tutorial, we will make a Nextcloud instance securely accessible over a WireGuard VPN. Netmaker will set up the WireGuard VPN and configure client access.
This tutorial uses Nextcloud as an example, but it is very trivial to use this same process for many other use cases such as Kubernetes, remote desktops, game servers, databases, or really any service you can host from a linux server. Nextcloud is not the primary focus, just a tangible example. The focus is on setting up remote access to a service over a WireGuard VPN.
This video outlines what we will cover: https://youtu.be/dKa1D91aRj4
Prerequisite: Get Netmaker Installed
We assume you have already deployed Netmaker. If not, check out the Quick Start Documentation. For an even quicker start, if you have a linux-based cloud VM with a public IP, you can ssh to it as root and run the following commands:
wget -O docker-compose.yml https://raw.githubusercontent.com/gravitl/netmaker/master/scripts/docker-compose.slim.yml
sed -i ‘s/HOST_IP/< Insert your-host IP Address Here >/g’ docker-compose.yml
docker-compose up -d
If all goes well (and if it doesn’t check out the Troubleshooting docs), you can follow along from there.
Problem Statement
Let’s assume you are hosting from home. You have an HP Proliant someone at work was going to throw away, and now you’re going to host a Nextcloud instance from it for friends and family. Maybe in the future you’d like to put a lot of other stuff on it too like Kubernetes and monitoring software or a family website. So now the questions are: How do you make this thing accessible, and how do you make this thing accessible securely? One option would be to add certs to everything and use multi-factor auth. That’s all good stuff, and should definitely be done, but our approach is just to run everything over an encrypted VPN.
Part 1: Create the Netmaker network
Netmaker makes creating networks fairly simple. There’s a default network in there our case we’re going to create a new one called “home.”
After creating, let’s add the Netmaker server as the first node in our “home” network. Even though it’s in the cloud, it can act as a gateway to our home network, as you will see. A public IP comes in handy sometimes and your home network is probably NAT’ted behind a router.
All you have to do is click the little “plus” button in the Network Details pane on the home network row, and then the server will add itself to the network, configuring WireGuard in the background.
If everything goes okay, you should now see the “netmaker” node in your home network under the “Nodes” pane. If not, you’ll need to check the server logs to see what’s going on.
Now things begin to get a little more involved.
Part 2: Adding a Node
Besides the server, nodes have to be added using the netclient. The netclient manages WireGuard tunnels on a given device and configures the full mesh topology. Assuming your Nextcloud (or whatever other service) is running on Linux, you can likely run the netclient on that VM.
But first, you need an access key. Click on the Access Keys tab and create a key. But be careful! Don’t click away from the resulting screen right away, because you’ll only get to see it once.
Remember to save your keys!
This screen displays how you can connect to the server. It provides three methods: custom, with token, and installer script. For a fresh machine, we can just use the installer script. For any additional networks, we’ll use the Access Token with ‘netclient join -t <token>’
SSH to your Nextcloud server locally and run the script:
curl -sfL https://raw.githubusercontent.com/gravitl/netmaker/v0.5/scripts/netclient-install.sh | KEY=<your key> sh -
If all goes well you’ll see the following:
Run wg show to confirm:
The main indicator things are working are those transfer lines. Make sure they don’t say 0 B received or something is probably wrong. However, it also takes about a minute for nodes to retrieve update, so don’t freak out immediately: give it a minute to breath.
You can ssh to other Linux machines and repeat the exact same install command and it should work, so long as WireGuard is installed. They will all form a single mesh network, meaning every node can talk to every other node directly.
However, for our purposes, you just need the one node where Nextcloud is running. If it’s up, you can move on to the next step, external clients, which are very different than the nodes managed by netclient.
Part 4: External Clients
Now comes the fun part. You currently have a private endpoint to reach your Nextcloud instance, (for instance, 10.7.11.2). However, how do you actually get to this thing? Even if you’re running linux on the desktop (in which case, kudos, and I’m sorry about the printer drivers), I’m guessing your grandparents don’t run Linux, and they want access too.
To set up access, we’ll create an Ingress Gateway, and then create some clients. The Ingress Gateway is a single point of entry for remote clients. All traffic gets funneled through the Ingress Gateway to the rest of the network. This way, these clients don’t need to be meshed, and we don’t need to run any complex, platform-dependent logic. This lets us increase the scope of compatibility to any machine that can run WireGuard, which at this point includes iPhone, Android, Windows, and Mac. That should cover it, don’t you think?
To start, go back to your UI and go to the Nodes section of your home network. Click on the “netmaker” node and click the strange looking button to create an ingress gateway (tooltip text may help):
After confirming, head over to the External Clients tab to add some clients. By just clicking the Plus button on the “netmaker” gateway, you can generate a new valid WireGuard configs, which can be added to any device:
You can expand any client to get a QR code and downloadable config file which can be used on any machine:
Finally, use your phone or some other devices to scan the config (using the WireGuard app):
After connecting to the VPN, you can access Nextcloud using the private endpoint!
This same process can be used for many other types of services. WireGuard is very fast and secure, so don’t be afraid to use it.
Part 4: Conclusion
This was a very fast overview and we skipped over many optional configurations. We didn’t cover Netmaker or Nextcloud installation, PrivateDNS, Egress Gateways, or unmanaged Netclients. If you found that this overview doesn’t fit your needs exactly, it is important to note that Netmaker is a highly customizable platform, and the documentation covers many of the options for configuration; it may very well be able to help you accomplish your goals. You can check it out here.
In the meantime, happy networking!
