Making OpenWRT Successfully Integrate with the Netmaker Network
Integrating routers into the Netmaker network opens up valuable possibilities for creating secure, scalable, resilient, and automated network infrastructures. One significant benefit is the ability to seamlessly interconnect different sites with a secure mesh virtual private network without needing to install a software client on every machine at each location.
This document focuses on OpenWRT. To integrate OpenWRT with Netmaker, you need to configure your OpenWRT device to run the Netclient for Netmaker. The steps assume you already have shell and Web UI access to your OpenWRT device.
Install WireGuard
Netmaker uses WireGuard for VPN communication. Ensure that your OpenWRT device has WireGuard installed. It’s recommended to install WireGuard via the web UI:
Go to System -> Software
Click the “Update lists…” button, then search for WireGuard
Install wireguard-tools and luci-proto-wireguard (for the web GUI)
Reboot
Install and Configure Netclient
Netclient can be run as a Docker container or installed directly on the host machine for more reliable connectivity. Note: Docker Netclients on version 0.24.3 and earlier have a known bug; it was fixed in 0.25.0.
To install the Linux version, copy and paste the command provided by Netmaker (remove sudo if needed), then execute it.
You can then join a Netmaker network using the enrollment key or by using the netclient join command.
Alternatively, to run Netclient as a Docker container on OpenWRT, refer to the OpenWRT Docker guide:
https://openwrt.org/docs/guide-user/virtualization/docker_host
Generally, you may need to run containers as specific users, requiring creation of new users, groups, and setting appropriate folder permissions. For simplicity in this demo, we'll use the root user.
Install Docker and Docker Client:
opkg update
opkg install dockerd docker
Once installed, you can run and join Netclient with docker run. Consider adding --restart=always so the container restarts after the router boots.
At this point, your OpenWRT device should be able to access resources within the Netmaker network. However:
Other devices in the Netmaker network will not be able to reach (ping) the OpenWRT machine by default.
OpenWRT will not function as a Remote Access Gateway, Relay, Egress Gateway, or Internet Gateway until firewall rules are configured.
To resolve this, you need to configure OpenWRT firewall rules based on your intended use within the Netmaker network. First, register the tunnel interface (next step).
Register the Tunnel Interface
On OpenWRT, the tunnel interface that Netclient creates is recognized as a device named by default "netmaker." Create a new unmanaged interface via LuCI:
Network → Interfaces → Add new interface
Name: netmakerif (can be any name)
Protocol: Unmanaged
Device: netmaker
Click "Create interface". If you are running CoreDNS on your Netmaker server, in the modal's "Advanced Settings" tab specify the public IP of the server in the "Use custom DNS servers" field. Click Save.
To persist all changes, click "Save & Apply". Then reboot the router.
Create Firewall Zone
The OpenWRT firewall groups network interfaces into zones and controls traffic flow between them. Create a new firewall zone via LuCI:
Network → Firewall → Zones → Add
Name: netmakerzn (or any other name)
Input: ACCEPT (default)
Output: ACCEPT (default)
Forward: ACCEPT
Masquerading: on
MSS Clamping: on
Covered networks: netmakerif (or the custom name you specified previously)
Allow forward to destination zones:
Select LAN and/or any other internal zones to allow Netmaker resources to reach devices in these zones (applicable if you set OpenWRT as an Egress Gateway).
Select WAN if you intend to use OpenWRT as an Internet Gateway or an exit node.
Allow forward from source zones:
Select your LAN and/or other internal zones to allow machines on these zones to reach resources in the Netmaker network. Leave blank otherwise. It’s essential to specify LAN and/or other internal zones if you plan to use this device as a gateway in a site-to-site mesh.
Click Save, then Save & Apply to persist changes.
These steps should suffice if you plan to use OpenWRT as a Relay, Egress Gateway, and/or Internet Gateway.
Add Port Forwarding Rules (for Remote Access Gateway)
Only necessary if you want OpenWRT to function as a Remote Access Gateway.
Network → Firewall → Port Forwards → Add
Create port forwarding rules from WAN to "netmakerzn":
Name: netmaker (or any name)
Protocol: TCP/UDP
Source Zone: WAN
External port: 51821 (or any port; default is 51821). To find the port, in NMUI go to the Netmaker network that OpenWRT is part of → Remote Access tab → find OpenWRT and view the VPN config file. Under [Peer], check the number after the IP in the Endpoint value.
Destination zone: netmakerzn (or the zone name you specified previously)
Internal IP address: Netmaker IP address of OpenWRT
Internal Port: 51821
Click Save, then Save & Apply.
Note: Review the routes and firewall rules configured by Netclient on your OpenWRT device.
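The same three steps (tunnel interface, firewall zone, port forward) expressed as UCI commands, for routers you configure over SSH or from a provisioning script rather than through LuCI. This is an added example and not part of the original guide or of Netmaker's own tooling; the interface name netmakerif, zone name netmakerzn and port 51821 follow the guide, while the function names, the Netmaker-side address and the DNS server address used below are constructed placeholders you replace for your own deployment.

```shell
#!/bin/sh
# Added example (not from the guide): UCI equivalent of the LuCI steps above.
# Interface name (netmakerif), zone name (netmakerzn) and port 51821 follow the guide;
# every value passed as an argument is a placeholder for your own deployment.

# Emit a `uci batch` script on stdout.
#   $1  OpenWRT's address inside the Netmaker network (constructed, e.g. 10.101.0.5)
#   $2  public IP of the Netmaker server running CoreDNS ("" to skip custom DNS)
#   $3  port the Remote Access Gateway listens on (default 51821, as in the guide)
#   $4  "yes" to also allow forwarding to WAN (Internet Gateway / exit node)
netmaker_uci_batch() {
    nm_ip="$1"
    dns_ip="$2"
    ra_port="${3:-51821}"
    internet_gw="${4:-no}"

    # "Register the Tunnel Interface": unmanaged interface over the netmaker device
    cat <<EOF
set network.netmakerif=interface
set network.netmakerif.proto='none'
set network.netmakerif.device='netmaker'
EOF
    if [ -n "$dns_ip" ]; then
        echo "add_list network.netmakerif.dns='$dns_ip'"
    fi

    # "Create Firewall Zone": ACCEPT in all directions, masquerading, MSS clamping,
    # and forwarding between the zone and LAN in both directions
    cat <<EOF
add firewall zone
set firewall.@zone[-1].name='netmakerzn'
set firewall.@zone[-1].input='ACCEPT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='ACCEPT'
set firewall.@zone[-1].masq='1'
set firewall.@zone[-1].mtu_fix='1'
add_list firewall.@zone[-1].network='netmakerif'
add firewall forwarding
set firewall.@forwarding[-1].src='netmakerzn'
set firewall.@forwarding[-1].dest='lan'
add firewall forwarding
set firewall.@forwarding[-1].src='lan'
set firewall.@forwarding[-1].dest='netmakerzn'
EOF
    if [ "$internet_gw" = "yes" ]; then
        cat <<EOF
add firewall forwarding
set firewall.@forwarding[-1].src='netmakerzn'
set firewall.@forwarding[-1].dest='wan'
EOF
    fi

    # "Add Port Forwarding Rules": WAN:port -> OpenWRT's Netmaker address, TCP and UDP
    cat <<EOF
add firewall redirect
set firewall.@redirect[-1].name='netmaker'
set firewall.@redirect[-1].target='DNAT'
set firewall.@redirect[-1].src='wan'
set firewall.@redirect[-1].src_dport='$ra_port'
set firewall.@redirect[-1].dest='netmakerzn'
set firewall.@redirect[-1].dest_ip='$nm_ip'
set firewall.@redirect[-1].dest_port='$ra_port'
set firewall.@redirect[-1].proto='tcp udp'
commit network
commit firewall
EOF
}

# Feed the batch to uci and reload network and firewall. Run on the router as root.
apply_netmaker_uci() {
    netmaker_uci_batch "$@" | uci batch || return 1
    /etc/init.d/network reload && /etc/init.d/firewall reload
}

# The guide's closing note: inspect what Netclient itself set up on the router.
check_netmaker_tunnel() {
    wg show netmaker                      # peers, last handshakes, allowed IPs
    ip route show dev netmaker            # routes Netclient installed for the mesh
    nft list ruleset | grep -i netmaker   # fw4 (nftables) rules; use iptables-save on older releases
}

case "${1:-}" in
    show)  shift; netmaker_uci_batch "$@" ;;   # print the batch without applying it
    apply) shift; apply_netmaker_uci "$@" ;;
    check) check_netmaker_tunnel ;;
esac
```

Run `sh netmaker-uci.sh show 10.101.0.5 203.0.113.10` first to review the generated commands, then `apply` with the same arguments; `uci batch` only commits at the end, so a typo leaves the running configuration untouched. Leave the fourth argument off unless the device really is meant to be an Internet Gateway, because that forwarding rule lets every mesh peer reach the internet through this router.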
Disclaimer
The information provided in this how-to guide is for general informational purposes only. All content on this page is provided in good faith; however, no representation or warranty is made regarding accuracy, adequacy, validity, reliability, availability, or completeness.
Under no circumstances shall the authors be liable for any loss or damage of any kind incurred as a result of use of this guide or reliance on any information provided here. Use of this guide and reliance on any information contained within is solely at your own risk.