# Making OpenWRT Successfully Integrate with the Netmaker Network

Integrating routers into the Netmaker network opens up valuable possibilities for creating secure, scalable, resilient, and automated network infrastructures. One significant benefit is the ability to seamlessly interconnect different sites with a secure mesh virtual private network without needing to install a software client on every machine at each location.

This document focuses on OpenWRT. To integrate OpenWRT with Netmaker, you need to configure your OpenWRT device to run the Netclient for Netmaker. The steps assume you already have shell and Web UI access to your OpenWRT device.

{% stepper %}
{% step %}

### Setup Storage

Installing large packages on OpenWRT can be challenging due to the limited storage space typically available on many routers. To expand your firmware's space to install more packages, refer to this article:

<https://openwrt.org/docs/guide-user/additional-software/extroot_configuration>
{% endstep %}

{% step %}

### Install WireGuard

Netmaker uses WireGuard for VPN communication. Ensure that your OpenWRT device has WireGuard installed. It’s recommended to install WireGuard via the web UI:

* Go to System -> Software
* Click the “Update lists…” button, then search for WireGuard
* Install wireguard-tools and luci-proto-wireguard (for the web GUI)
* Reboot

{% endstep %}

{% step %}

### Install and Configure Netclient

Netclient can be run as a Docker container or installed directly on the host machine for more reliable connectivity. Note: Docker Netclients on version 0.24.3 and earlier have a known bug; it was fixed in 0.25.0.

To install the Linux version, copy and paste the command provided by Netmaker (remove sudo if needed), then execute it.

[![](https://downloads.intercomcdn.com/i/o/1155054275/d3040642d2cab2329a29698b/image.png?expires=1769018400\&signature=f0c85727ad9baf7c7b59ecf993c549517704552e539ff6fbcd216038c8910c08\&req=dSEiE8l7mYNYXPMW1HO4zTkGtaboXv9A7OVbR1YLePl5ygqAl5gSufUj3juq%0ANoboqcDo%2F6xvZ8X0r5Y%3D%0A)](https://downloads.intercomcdn.com/i/o/1155054275/d3040642d2cab2329a29698b/image.png?expires=1769018400\&signature=f0c85727ad9baf7c7b59ecf993c549517704552e539ff6fbcd216038c8910c08\&req=dSEiE8l7mYNYXPMW1HO4zTkGtaboXv9A7OVbR1YLePl5ygqAl5gSufUj3juq%0ANoboqcDo%2F6xvZ8X0r5Y%3D%0A)

You can then join a Netmaker network using the enrollment key or by using the `netclient join` command.

Alternatively, to run Netclient as a Docker container on OpenWRT, refer to the OpenWRT Docker guide:

<https://openwrt.org/docs/guide-user/virtualization/docker_host>

Generally, you may need to run containers as specific users, requiring creation of new users, groups, and setting appropriate folder permissions. For simplicity in this demo, we'll use the root user.

Install Docker and Docker Client:

```sh
opkg update
opkg install dockerd docker
```

Once installed, you can run and join Netclient with `docker run`. Consider adding `--restart=always` so the container restarts after router boot.

[![](https://downloads.intercomcdn.com/i/o/1166060735/67ae2fabab7f63f8d53d4d35/docker-run.jpg?expires=1769018400\&signature=6c1b80ee5bed5b719681a03f2685efe61c58b1a8b5225b8e992967e68a1d76a1\&req=dSEhEMl4nYZcXPMW1HO4zc5AhbFzj61OnRa%2BkVu1PTURSHOgPU4vTVtIqJ8f%0AcsnDJKsgGuQNUEteprs%3D%0A)](https://downloads.intercomcdn.com/i/o/1166060735/67ae2fabab7f63f8d53d4d35/docker-run.jpg?expires=1769018400\&signature=6c1b80ee5bed5b719681a03f2685efe61c58b1a8b5225b8e992967e68a1d76a1\&req=dSEhEMl4nYZcXPMW1HO4zc5AhbFzj61OnRa%2BkVu1PTURSHOgPU4vTVtIqJ8f%0AcsnDJKsgGuQNUEteprs%3D%0A)

At this point, your OpenWRT device should be able to access resources within the Netmaker network. However:

* Devices in the Netmaker network will not be able to ping the OpenWRT machine by default.
* OpenWRT will not function as a Remote Access Gateway, Relay, Egress Gateway, or Internet Gateway until firewall rules are configured.

To resolve this, you need to configure OpenWRT firewall rules based on your intended use within the Netmaker network. First, register the tunnel interface (next step).
{% endstep %}

{% step %}

### Register the Tunnel Interface

On OpenWRT, the tunnel interface that Netclient creates appears as a device named "netmaker" by default. Create a new unmanaged interface for it via LuCI:

Network → Interfaces → Add new interface

* Name: netmakerif (can be any name)
* Protocol: Unmanaged
* Device: netmaker

[![](https://downloads.intercomcdn.com/i/o/1155054883/3469e825f03b272921f2598b/image.png?expires=1769018400\&signature=58fc0b584c428510596b9d01781e2fa8dc54ecdb09b018056b567f35a46bcc18\&req=dSEiE8l7mYlXWvMW1HO4zYJpZ%2F2EHgooPYo%2BiBLcUg0UbIfVcnunGfoZJGAR%0AGAHHB9hngFLg27OTxEU%3D%0A)](https://downloads.intercomcdn.com/i/o/1155054883/3469e825f03b272921f2598b/image.png?expires=1769018400\&signature=58fc0b584c428510596b9d01781e2fa8dc54ecdb09b018056b567f35a46bcc18\&req=dSEiE8l7mYlXWvMW1HO4zYJpZ%2F2EHgooPYo%2BiBLcUg0UbIfVcnunGfoZJGAR%0AGAHHB9hngFLg27OTxEU%3D%0A)

Click "Create interface". If you are running CoreDNS on your Netmaker server, in the modal's "Advanced Settings" tab specify the public IP of the server in the "Use custom DNS servers" field. Click Save.

[![](https://downloads.intercomcdn.com/i/o/1155055519/25e287abb0db9af2a60aa5ec/image.png?expires=1769018400\&signature=f815f5ca76606a28daf2406e9728e30bfc3ab944626e920ffb16c6cca8669089\&req=dSEiE8l7mIReUPMW1HO4zRvN9RCi1LUaNAqx7P14C36FOqlb%2FRKnOrOITAOH%0A4zspu4TjbsIsb%2FBdNIs%3D%0A)](https://downloads.intercomcdn.com/i/o/1155055519/25e287abb0db9af2a60aa5ec/image.png?expires=1769018400\&signature=f815f5ca76606a28daf2406e9728e30bfc3ab944626e920ffb16c6cca8669089\&req=dSEiE8l7mIReUPMW1HO4zRvN9RCi1LUaNAqx7P14C36FOqlb%2FRKnOrOITAOH%0A4zspu4TjbsIsb%2FBdNIs%3D%0A)

To persist all changes, click "Save & Apply". Then reboot the router.

[![](https://downloads.intercomcdn.com/i/o/1155055731/ab128013e6aab856398ef176/image.png?expires=1769018400\&signature=8c7c3df7d50883e965662fe5ac633af183c6b52b3053fb2c8bbc69536a6db2bb\&req=dSEiE8l7mIZcWPMW1HO4zZDMvIn9aWQDabQhTKmqNVBEaq3KSx6vc6lPM3T9%0AXAtiv5iD4lYrS6qXm%2BY%3D%0A)](https://downloads.intercomcdn.com/i/o/1155055731/ab128013e6aab856398ef176/image.png?expires=1769018400\&signature=8c7c3df7d50883e965662fe5ac633af183c6b52b3053fb2c8bbc69536a6db2bb\&req=dSEiE8l7mIZcWPMW1HO4zZDMvIn9aWQDabQhTKmqNVBEaq3KSx6vc6lPM3T9%0AXAtiv5iD4lYrS6qXm%2BY%3D%0A)
{% endstep %}

{% step %}

### Create Firewall Zone

The firewall uses zones over your network interfaces to control traffic flow. Create a new firewall zone via LuCI:

Network → Firewall → Zones → Add

* Name: netmakerzn (or any other name)
* Input: ACCEPT (default)
* Output: ACCEPT (default)
* Forward: ACCEPT
* Masquerading: on
* MSS Clamping: on
* Covered networks: netmakerif (or the custom name you specified previously)

Allow forward to destination zones:

* Select LAN and/or any other internal zones to allow Netmaker resources to reach devices in these zones (applicable if you set OpenWRT as an Egress Gateway).
* Select WAN if you intend to use OpenWRT as an Internet Gateway or an exit node.

Allow forward from source zones:

* Select your LAN and/or other internal zones to allow machines on these zones to reach resources in the Netmaker network. Leave blank otherwise. It’s essential to specify LAN and/or other internal zones if you plan to use this device as a gateway in a site-to-site mesh.

Click Save, then Save & Apply to persist changes.

[![](https://downloads.intercomcdn.com/i/o/1155805397/3754cf098b33763bd81026cb/openwrt+-+fw+zone.jpg?expires=1769018400\&signature=001b142a4b029c9daf68d68c86dde3a5887584d9673680e68e989bed3fd1b0f2\&req=dSEiE8F%2BmIJWXvMW1HO4zSYi1k0Tu3ptZcWG57jRoNn1d7pLqlRkScklBZMa%0AIMbYSjV1vj%2By2uVhx%2FM%3D%0A)](https://downloads.intercomcdn.com/i/o/1155805397/3754cf098b33763bd81026cb/openwrt+-+fw+zone.jpg?expires=1769018400\&signature=001b142a4b029c9daf68d68c86dde3a5887584d9673680e68e989bed3fd1b0f2\&req=dSEiE8F%2BmIJWXvMW1HO4zSYi1k0Tu3ptZcWG57jRoNn1d7pLqlRkScklBZMa%0AIMbYSjV1vj%2By2uVhx%2FM%3D%0A)

These steps should suffice if you plan to use OpenWRT as a Relay, Egress Gateway, and/or Internet Gateway.
{% endstep %}

{% step %}

### Add Port Forwarding Rules (for Remote Access Gateway)

Only necessary if you want OpenWRT to function as a Remote Access Gateway.

Network → Firewall → Port Forwards → Add

Create port forwarding rules from WAN to "netmakerzn":

* Name: netmaker (or any name)
* Protocol: TCP/UDP
* Source Zone: WAN
* External port: 51821 (or any port; default is 51821). To find the port, in NMUI go to the Netmaker network that OpenWRT is part of → Remote Access tab → find OpenWRT and view the VPN config file. Under \[Peer], check the number after the IP in the Endpoint value.
* Destination zone: netmakerzn (or your Step 5 name)
* Internal IP address: Netmaker IP address of OpenWRT
* Internal Port: 51821

Click Save, then Save & Apply.

[![](https://downloads.intercomcdn.com/i/o/1155060820/546086c0f6fb556bc1839668/image.png?expires=1769018400\&signature=6c57f02a60caacce371fcd500f73ca979f3d38aaa0e62a40e63c6f8afffbdada\&req=dSEiE8l4nYldWfMW1HO4zduzPfjgWRUiNFHJZX2QTFasXHBchbcrgJsfgCq4%0A7MQm5KVxx3kHv9701VM%3D%0A)](https://downloads.intercomcdn.com/i/o/1155060820/546086c0f6fb556bc1839668/image.png?expires=1769018400\&signature=6c57f02a60caacce371fcd500f73ca979f3d38aaa0e62a40e63c6f8afffbdada\&req=dSEiE8l4nYldWfMW1HO4zduzPfjgWRUiNFHJZX2QTFasXHBchbcrgJsfgCq4%0A7MQm5KVxx3kHv9701VM%3D%0A)

Note: Review the routes and firewall rules configured by Netclient on your OpenWRT device.
{% endstep %}
{% endstepper %}
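
The interface, zone, forwarding, and port-forward steps above can also be expressed as UCI commands, which makes it easy to grant only the forwardings a given role needs. The script below is an added example, not part of the original guide or of Netmaker; the function name and role keywords are hypothetical, zones named `lan` and `wan` are assumed, and the `device` option assumes OpenWrt 21.02 or later.

```shell
#!/bin/sh
# Added example: print `uci batch` commands mirroring the LuCI steps above.
# netmakerif / netmakerzn / netmaker / 51821 come from the guide; the function
# name and role keywords are hypothetical, and zones lan/wan are assumed.
# Roles: egress | internet | site | rag:<Netmaker IPv4 address of this router>

_fwd() {  # one "config forwarding" section: src zone -> dest zone
    printf '%s\n' "add firewall forwarding" \
        "set firewall.@forwarding[-1].src='$1'" \
        "set firewall.@forwarding[-1].dest='$2'"
}

netmaker_fw_batch() {
    zone=netmakerzn iface=netmakerif dev=netmaker port=51821
    for role in "$@"; do  # validate first so no partial script is emitted
        case "$role" in
            rag:|rag:*[!0-9.]*) echo "bad rag address: $role" >&2; return 1 ;;
            egress|internet|site|rag:*) ;;
            *) echo "unknown role: $role" >&2; return 1 ;;
        esac
    done
    # Unmanaged interface on the Netclient tunnel device, then its zone
    printf '%s\n' "set network.$iface=interface" \
        "set network.$iface.proto='none'" \
        "set network.$iface.device='$dev'" \
        "add firewall zone" \
        "set firewall.@zone[-1].name='$zone'" \
        "set firewall.@zone[-1].input='ACCEPT'" \
        "set firewall.@zone[-1].output='ACCEPT'" \
        "set firewall.@zone[-1].forward='ACCEPT'" \
        "set firewall.@zone[-1].masq='1'" \
        "set firewall.@zone[-1].mtu_fix='1'" \
        "add_list firewall.@zone[-1].network='$iface'"
    for role in "$@"; do  # only the forwardings each chosen role needs
        case "$role" in
            egress)   _fwd "$zone" lan ;;   # mesh -> LAN devices
            internet) _fwd "$zone" wan ;;   # mesh -> internet (exit node)
            site)     _fwd lan "$zone" ;;   # LAN -> mesh (site-to-site)
            rag:*)    r='firewall.@redirect[-1]'  # WAN port forward
                printf '%s\n' "add firewall redirect" \
                    "set $r.name='netmaker'" "set $r.target='DNAT'" \
                    "set $r.src='wan'" "set $r.src_dport='$port'" \
                    "set $r.dest='$zone'" "set $r.dest_ip='${role#rag:}'" \
                    "set $r.dest_port='$port'" \
                    "add_list $r.proto='tcp'" "add_list $r.proto='udp'" ;;
        esac
    done
}
```

Run it as, for example, `netmaker_fw_batch egress site | uci batch`, check the pending changes with `uci changes`, then `uci commit` and reboot.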

{% hint style="danger" %}
Disclaimer

The information provided in this how-to guide is for general informational purposes only. All content on this page is provided in good faith; however, no representation or warranty is made regarding accuracy, adequacy, validity, reliability, availability, or completeness.

Under no circumstances shall the authors be liable for any loss or damage of any kind incurred as a result of use of this guide or reliance on any information provided here. Use of this guide and reliance on any information contained within is solely at your own risk.
{% endhint %}
