Deploying Static WireGuard

Overview

Your network is now configured with Nodes acting as Endpoints, Gateways, and Egress. Before we move on to adding Users to your network, let’s take care of the devices that are not user-managed and cannot run the Netclient, using static WireGuard configuration files.

These static WireGuard configuration files will allow you to add devices to your network such as Routers and other non-standard devices. They can also be used to run a privileged, always-on VPN on user devices, which is managed by administrators.

There are three primary reasons you may want to use Static Clients with your network:

Admin-Managed, Always On VPN for User Devices

The User Apps are typically used to give users access to the VPN. However, those clients require the user to authenticate before the tunnel comes up. You may instead want the VPN to start every time the device boots and to remain outside the user's control, for example when provisioning fresh workstations whose VPN access should be “always-on.” This is a good use case for configuration files.

Site-to-Site Connectivity via Routers

There are other ways to configure site-to-site connectivity with Netmaker, but one easy way is to use the WireGuard support (often a plugin) found in a large number of routers today. Generate a configuration file, add routes for the local network behind the router, and apply the configuration through the router's WireGuard plugin to give full access between the site and the VPN.

Integrate Non-Native Devices

The Netclient runs on Windows, Linux, and Mac. The User Apps run on all of these plus Android and iOS. For everything else there is the static WireGuard config, which can be used on anything that supports WireGuard, from routers to IoT devices.

Limitations of Static WireGuard Files

The Netclient dynamically updates and receives information about peers in the network. When using a static configuration file, it cannot receive any updates, and thus has some limitations.

Static Configuration

The primary limitation of the static config file is that it is static. It contains the peers and routes that exist at the time it is generated, including the whole VPN address range, so nodes added to the VPN later are still reachable through the Gateway. However, if you later add an Egress range or an Internet Gateway, the file knows nothing about it and must be regenerated. Likewise, if your Gateway changes its public key or its endpoint, existing files stop working, which is why a Gateway used by static clients needs a stable public endpoint (a static IP, or a DNS name that follows it) and a stable key.

Using the API and some automation tools can help alleviate this problem, which we will discuss later on.

Hub-And-Spoke Architecture

A further limitation is that all traffic to and from these static clients goes through a Gateway rather than directly to the peer. The extra hop adds latency and can make the Gateway a bottleneck for traffic. The trade-off is higher connectivity and consistency: the static client only needs to reach one stable endpoint.

Generating Config Files

Config files can be generated through the Netmaker UI, or over API (see How to Guide). After generating these client configurations, they can be imported and used on any operating system that supports WireGuard, including Windows, MacOS, Linux, Android, BSD, iOS and many router operating systems.

1. Add a new node

2. Choose the config files option, specify the node name, and select your gateway

If the node you select is not yet configured as a Gateway, it is made one automatically during this process.

3. Select the Config files filter and download the WireGuard config file

Click on your WG config file to download the WireGuard configuration you created for the target device.

4. Run the WireGuard configuration on the target device

Follow the platform-specific instructions below to apply the configuration.

Client Settings

When creating a client, the dialog box presents some optional fields you may wish to set:

  • Client ID - an identifier for the config.

  • Public Key - You may generate a public/private keypair locally (for example with wg genkey and wg pubkey from wireguard-tools) and enter only the public key here. The server then never holds the private key, which is a real security gain: a compromised server cannot impersonate the device. In exchange, the downloaded file will not contain a usable private key, so you must paste the locally stored private key into the configuration file after download and before applying it.

  • DNS - This overrides whatever is set as the default Gateway DNS server, and will be applied as the DNS settings for the VPN tunnel.

  • Egress - This field makes the static client an egress for the listed address ranges. Other peers in the network are told that this client routes traffic for those addresses; in the example, two routes were added, “192.168.5.0/24” and “10.10.0.0/16.” The ranges are advertised to all peers in the network, which will then send traffic for those addresses via the static client.

    Note: Advertising the ranges is all the UI does. You will have to configure the device itself to forward the traffic (enable IP forwarding, permit it in the firewall and, depending on your LAN, NAT it). A convenient place to do this is the PostUp and PostDown commands.

  • Post Up and Post Down - The “Post Up” and “Post Down” fields are commands that wg-quick runs locally, as root, when the interface is brought up (Post Up) and torn down (Post Down). They are useful for setting routing or firewall rules whenever the interface is created and destroyed; wg-quick replaces %i in these commands with the interface name. In our example, we added an iptables rule that accepts SSH connections arriving over the netmaker interface while the WireGuard tunnel is alive; a matching Post Down rule should remove it again. Treat these fields as privileged scripts: anyone who can edit the config can run arbitrary commands as root on the device.
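The Client Settings above end up in one file that the device has to finish and sanity-check locally: the private key that was kept off the server must be pasted in, an Egress range needs real forwarding rules, and every Post Up firewall rule wants a matching Post Down. The script below is an added example, not code from this page or from the Netmaker project. It assumes the downloaded file is a plain wg-quick config and that, when a public key was supplied in the UI, its PrivateKey line carries a placeholder to be replaced; the sample file, key material, interface name eth0 and addresses are constructed, and the iptables/sysctl commands are derived from the ranges you pass in.

```python
"""Post-process a static WireGuard config downloaded from Netmaker before applying it.
Added example, not code from the page or the Netmaker project. Assumed: the file is a
plain wg-quick(8) config ([Interface]/[Peer] sections, "Key = value" lines; PostUp,
PostDown and AllowedIPs may repeat) and, when a public key was supplied in the UI, it
carries a PrivateKey line to be replaced locally. Sample file and keys are constructed."""
from __future__ import annotations
import re

Section = tuple[str, list[tuple[str, str]]]

SAMPLE_CONF = """\
[Interface]
Address = 10.101.0.7/32
PrivateKey = <PLACEHOLDER-PRIVATE-KEY>
DNS = 10.101.0.1
PostUp = iptables -I INPUT -i %i -p tcp --dport 22 -j ACCEPT
PostDown = iptables -D INPUT -i %i -p tcp --dport 22 -j ACCEPT

[Peer]
PublicKey = GATEWAYPUBLICKEYxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Endpoint = gw.example.net:51821
AllowedIPs = 10.101.0.0/16, 192.168.44.0/24
PersistentKeepalive = 20
"""
# 32 random bytes in base64: 43 chars (the last from a restricted set) then "=".
WG_KEY_RE = re.compile(r"[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=")

def parse(text: str) -> list[Section]:
    """Parse into [(section, [(key, value), ...])], keeping order and repeated keys."""
    sections: list[Section] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # '#' starts a comment
        if not line:
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            sections.append((m.group(1), []))
        elif not sections:
            raise ValueError(f"key outside any section: {raw!r}")
        else:
            key, _, value = line.partition("=")        # base64 keys end in '=': split once
            sections[-1][1].append((key.strip(), value.strip()))
    return sections

def render(sections: list[Section]) -> str:
    return "\n".join(f"[{n}]\n" + "".join(f"{k} = {v}\n" for k, v in items) for n, items in sections)

def set_private_key(sections: list[Section], private_key: str) -> list[Section]:
    """Insert the locally generated private key (from `wg genkey`) that the server never saw."""
    out: list[Section] = []
    for name, items in sections:
        if name == "Interface":
            items = [(k, private_key if k == "PrivateKey" else v) for k, v in items]
            if "PrivateKey" not in dict(items):
                items.append(("PrivateKey", private_key))
        out.append((name, items))
    return out

def add_egress_forwarding(sections: list[Section], cidrs: list[str], lan: str) -> list[Section]:
    """Netmaker only tells *other* peers to route these ranges here; forwarding is the
    device's job. Each iptables PostUp gets a matching PostDown; traffic into the LAN
    is masqueraded so LAN hosts can answer without a route back to the VPN range."""
    ups = ["sysctl -w net.ipv4.ip_forward=1"]
    for cidr in cidrs:
        ups += [f"iptables -A FORWARD -i %i -o {lan} -d {cidr} -j ACCEPT",
                f"iptables -A FORWARD -i {lan} -o %i -s {cidr} -j ACCEPT",
                f"iptables -t nat -A POSTROUTING -o {lan} -d {cidr} -j MASQUERADE"]
    downs = [u.replace(" -A ", " -D ") for u in ups if u.startswith("iptables")]
    extra = [("PostUp", u) for u in ups] + [("PostDown", d) for d in downs]
    return [(n, items + extra if n == "Interface" else items) for n, items in sections]

def check(sections: list[Section]) -> list[str]:
    """Pre-flight checks before wg-quick up; returns human-readable problems (empty = OK)."""
    problems: list[str] = []
    ifaces = [items for n, items in sections if n == "Interface"]
    peers = [items for n, items in sections if n == "Peer"]
    if len(ifaces) != 1:
        problems.append(f"expected exactly one [Interface], found {len(ifaces)}")
    iface = ifaces[0] if ifaces else []
    if not WG_KEY_RE.fullmatch(dict(iface).get("PrivateKey", "")):
        problems.append("PrivateKey missing or not a valid key (placeholder still present?)")
    if not peers:
        problems.append("no [Peer] section: nothing to connect to")
    for i, peer in enumerate(peers, 1):
        for key, why in (("Endpoint", "a static client must know the Gateway address"),
                         ("AllowedIPs", "nothing would be routed through the tunnel")):
            if key not in dict(peer):
                problems.append(f"peer {i}: no {key}; {why}")
    # Every iptables rule added on PostUp must be removed again on PostDown.
    ups = {re.sub(r" -[AI] ", " -D ", v) for k, v in iface if k == "PostUp" and v.startswith("iptables")}
    downs = {v for k, v in iface if k == "PostDown"}
    problems += [f"PostUp iptables rule without matching PostDown: {r}" for r in sorted(ups - downs)]
    return problems

def prepare(text: str, private_key: str, cidrs: list[str] | tuple[str, ...] = (),
            lan: str = "eth0") -> tuple[str, list[str]]:
    """Inject the key, optionally add egress forwarding, and return (config_text, problems)."""
    sections = set_private_key(parse(text), private_key)
    if cidrs:
        sections = add_egress_forwarding(sections, list(cidrs), lan)
    return render(sections), check(sections)
```

Call prepare(downloaded_text, private_key, ["192.168.5.0/24"], "eth0") with the output of wg genkey and write the returned text to /etc/wireguard/netmaker.conf only when the problems list is empty; running check on the file as downloaded flags the placeholder key immediately. The MASQUERADE rule hides VPN addresses behind the device's own LAN address so LAN hosts reply without a route back to the VPN range; drop it if your LAN already routes the VPN range to this device.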

Viewing and Downloading the Config File

After generation, the configuration file can be viewed or downloaded by clicking the client id in the UI and then the “View/Download config” button. This will show the client’s full WireGuard configuration and it will also provide a handy QR code to scan and import the configuration file on mobile devices.

Applying to Devices

The generated static client configuration files can be used on many platforms and operating systems; they can be applied to any device that supports WireGuard. Depending on the system, however, you may not be able to import or run the file directly. Instead, you may need to create a tunnel by hand using the settings in the config file.

The steps are exactly the same as for any other WireGuard tunnel. The files are ordinary, valid WireGuard tunnel parameters; applying them joins the device to the network. Below we give generic instructions, but any guide to setting up WireGuard on your device will do. Just use the settings from the configuration file.

Install WireGuard

First, WireGuard must be installed on the target platform.

To install WireGuard, follow the official WireGuard installation link, and find instructions for your target device: https://www.wireguard.com/install

Apply Configuration via WireGuard GUI (Windows)

On Windows, the WireGuard installer provides a GUI application that imports WireGuard config files.

Click the Import Tunnels button and select the config file (if you have not done so already, the config file must first be downloaded or transferred to the target device).

After importing the static client configuration file, click the Activate button to bring the tunnel up.

If successful, the tunnel will show an “Active” status alongside additional information such as the latest handshake and the total data transferred, which confirms the connection is working. A tunnel that is Active but never shows a handshake is not actually connected; check the Gateway endpoint, its public key and UDP reachability.

Now this device can reach any other node in the network through the Gateway node.

Windows Terminal can be used to inspect all the WireGuard interfaces and tunnels and to configure custom interfaces. Open the Windows Terminal app and run wg (wg.exe is installed alongside the GUI) to show the configuration and peers of every WireGuard interface.

Apply Configuration via wg-quick — Linux, macOS, and Others

wg-quick is the easiest tool to get a tunnel active on Linux and macOS (as well as some other operating systems), and is included in the wireguard-tools package.

1. Place the config file on the device

Download, transfer, or copy/paste the config file to the device. It contains the private key, so restrict it to root (for example mode 0600 under /etc/wireguard).

2. Bring the tunnel up

Run:

This will configure and bring up the WireGuard interface. Use the wg command (wg show) to verify the interface.

It will show the latest handshake and transfer statistics for the peer once the connection is established; a peer that never shows a handshake is not connected. Similarly, you can bring the connection down with:
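Step 2 above boils down to two observable facts: wg-quick brings the interface up, and wg show then reports a recent handshake with the Gateway. The script below is an added example, not code from this page or from the Netmaker project; it automates that check by running wg-quick up on the file and parsing wg show <iface> dump until the Gateway handshake is fresh, tearing the tunnel down again if it never is. It assumes wg-quick and wg are installed, root privileges, and that the config file's base name is the interface name (netmaker.conf gives netmaker), as wg-quick requires. SAMPLE_DUMP is a constructed dump in the documented tab-separated format, used only to exercise the parser offline.

```python
"""Bring a static WireGuard config up with wg-quick and confirm the Gateway handshake.
Added example, not code from the page or the Netmaker project. Assumes wg-quick(8) and
wg(8) are installed, root privileges, and that the config file's base name is the
interface name. SAMPLE_DUMP is a constructed `wg show <iface> dump` output."""
from __future__ import annotations
import os
import subprocess
import sys
import time
from dataclasses import dataclass

# WireGuard rekeys a busy session after 120 s and rejects it after 180 s; with
# PersistentKeepalive set, a handshake older than that means the Gateway is unreachable
# or its key/endpoint changed (the static-file failure mode described above).
HANDSHAKE_MAX_AGE = 180

# Constructed: interface line (private-key, public-key, listen-port, fwmark), then one
# tab-separated peer line (public-key, preshared-key, endpoint, allowed-ips,
# latest-handshake, transfer-rx, transfer-tx, persistent-keepalive).
SAMPLE_DUMP = (
    "PRIVATEKEYxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=\tPUBLICKEYxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=\t51820\toff\n"
    "GATEWAYKEYxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=\t(none)\t203.0.113.10:51821\t"
    "10.101.0.0/16,192.168.44.0/24\t1700000100\t124560\t98812\t20\n"
)

@dataclass
class PeerStatus:
    public_key: str
    endpoint: str
    allowed_ips: str
    latest_handshake: int   # unix seconds; 0 means no handshake has ever completed
    rx_bytes: int
    tx_bytes: int

    def is_alive(self, now: int, max_age: int = HANDSHAKE_MAX_AGE) -> bool:
        return self.latest_handshake != 0 and 0 <= now - self.latest_handshake <= max_age

def parse_dump(dump: str) -> list[PeerStatus]:
    """Parse `wg show <iface> dump`: first line is the interface, the rest are peers."""
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    peers: list[PeerStatus] = []
    for line in lines[1:]:
        f = line.split("\t")
        if len(f) != 8:
            raise ValueError(f"unexpected dump line: {line!r}")
        peers.append(PeerStatus(f[0], f[2], f[3], int(f[4]), int(f[5]), int(f[6])))
    return peers

def describe(peers: list[PeerStatus], now: int) -> list[str]:
    """One status line per peer: the same facts a practitioner reads off `wg show`."""
    out: list[str] = []
    for p in peers:
        age = "never" if p.latest_handshake == 0 else f"{now - p.latest_handshake}s ago"
        state = "OK" if p.is_alive(now) else "NO HANDSHAKE"
        out.append(f"{state}: {p.endpoint} handshake {age}, rx {p.rx_bytes} B, tx {p.tx_bytes} B")
    return out

def _run(*cmd: str) -> str:
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def bring_up(config_path: str, timeout: int = 30) -> list[PeerStatus]:
    """wg-quick up, then poll until every peer (the Gateway) has a fresh handshake."""
    iface = os.path.splitext(os.path.basename(config_path))[0]
    _run("wg-quick", "up", config_path)
    deadline = time.monotonic() + timeout
    while True:
        peers = parse_dump(_run("wg", "show", iface, "dump"))
        now = int(time.time())
        if peers and all(p.is_alive(now) for p in peers):
            return peers
        if time.monotonic() >= deadline:
            _run("wg-quick", "down", config_path)   # do not leave a half-working tunnel up
            raise RuntimeError("no handshake with the Gateway: check Endpoint, key and UDP reachability")
        time.sleep(2)

if __name__ == "__main__":
    for line in describe(bring_up(sys.argv[1]), int(time.time())):
        print(line)
```

Run it as root with the path to the downloaded file; on success it prints one OK line per peer with the handshake age and byte counters, on failure it removes the interface and exits non-zero, which makes it usable from a provisioning script or a systemd unit. The same parser can be pointed at a periodic wg show dump to alert when a Gateway's key or endpoint has changed and the static file needs regenerating.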

Always On-VPN for Windows Devices

Using PowerShell, an always-on VPN tunnel can be created for user devices. Open Windows Terminal as an administrator and run:

This registers a Windows service that owns the tunnel, so the adapter survives reboots and reconnects automatically without any user interaction. Because the configuration file holds the device's private key, store it where only administrators can read it.

Next Steps

Now that we have all of our devices deployed, let's discuss setting up DNS and Access Controls, which will complete the formation of our topology.
