How to Set Up a Self-Hosted VPN using WireGuard and Netmaker - deprecated

If you're a tech enthusiast who wants to manage their own network, a VPN user tired of subscription fees, or just someone looking to learn more about networking, a self-hosted WireGuard VPN has a lot to offer over traditional 3rd party services. In this tutorial, we’ll explain some of the advantages of self-hosting a VPN, especially with WireGuard, and how to implement a self-hosted WireGuard VPN using Netmaker.

Shortcomings of Public VPN Providers

While public VPN providers are often the default choice for many, they are not without their drawbacks. One significant concern is that your VPN service provider could potentially track your online behavior and even exploit your data. This practice is especially prevalent among free VPN services, which often provide access to their private servers in return for user data.

Performance degradation is another common issue, often attributable to bandwidth contention among multiple VPN users. The quality and robustness of the VPN infrastructure, as well as the efficiency of the VPN software, can significantly influence this issue.

Furthermore, the risk associated with shared IP addresses is non-trivial. Malicious users might exploit these shared IPs to send spam emails, leading to potential blacklisting of the IP across various internet service providers. Consequently, certain websites and applications may restrict your access based on the activities of others sharing your IP address, impacting your online experience.

And of course, there’s always the cost consideration, with subscription-based services often adding up fast.

Self Hosted VPNs

Operating a dedicated server for your VPN provides distinct advantages. It grants you unshared access to the server's resources, inclusive of its entire bandwidth. The network functions devoid of disruptions, and you retain full control over the IP address. This level of autonomy enables you to administer the environment, and provide access as needed to family, colleagues, or friends. However, managing a self-hosted VPN requires an understanding of computer networks, servers, operating systems (like Linux), and hosting mechanisms.

A VPN becomes a critical tool when you need to access local resources like your home lab server or Network Attached Storage (NAS) remotely, and a self-hosted VPN is perfect for such use cases.

Benefits of WireGuard

Traditional networking has often relied on tried-and-true but somewhat slow VPN solutions like OpenVPN, SSTP, and others. While these VPN protocols are dependable, they often compromise on performance. This is where WireGuard, a game-changing VPN protocol, steps in.

WireGuard is an open source VPN protocol known for its impressive speed and modern encryption, making it the first choice for those implementing a VPN from scratch.

Benefits of WireGuard include:

  • Responsiveness: WireGuard's rapid connection establishment, even during network roaming, ensures reliable connectivity and a seamless user experience.

  • Security: WireGuard uses advanced cryptographic techniques and robust default settings. Its compact and simple codebase facilitates effective security audits.

  • Speed: WireGuard's core components are directly integrated within the Linux kernel for Linux servers and desktops, resulting in superior performance compared to VPNs that operate in userspace.

Difficulties of WireGuard

WireGuard is a low-level protocol, so setting it up can be a challenge. The more complex the networking scenario, the more difficult it will be to set up. At a minimum, you need some command line knowledge and must be able to generate keys and configurations for every device on the network.

Depending on the scenario, you may also need to set up forwarding rules on your target devices, and work around NAT, which will depend heavily on your network environment and operating systems.

This is where Netmaker comes in — it makes setting up a WireGuard network simple, no matter how complex.

Setting up WireGuard using Netmaker

Netmaker automates connections and forwarding between devices using WireGuard, with a dashboard for managing your networks and devices, and different types of VPN clients depending on what you need. You can use the netclient, the Remote Access Client, or just use pure WireGuard, and manage it all from one place.

Netmaker also adds advanced functionalities like user management and access controls.

Netmaker has a SaaS, but you can also deploy the self-hosted, open source server on your own — which is what we’ll do here.

Advantages:

  • You can run Netmaker for free.

  • It provides a management dashboard for your networks and endpoints.

  • It takes the pain out of configuring WireGuard; follow the deployment steps.

  • You can create different networks for different use cases, like internet access and home network access, and manage them from one place.

  • It will automatically send updates to your endpoints to do things like NAT traversal, or add new peers to the network.

Setting up Your Own Netmaker Instance: A Quick Guide

Setting up your own instance of Netmaker is easier than you might think. Let's walk through the process to get you up and running.

What You'll Need

  • A server running Ubuntu 24.04 (recommended)

  • A public static IP address for the server

  • A wildcard subdomain (e.g., *.netmaker.yourdomain.com) — optional

    • If you do not set up DNS, the script will use a free domain service (nip.io) and set up a wildcard domain based on your IP, like *.netmaker.192-168-1-250.nip.io

  • Modest hardware: 1 GB RAM, 1 CPU, and 2 GB storage

  • For production: 2 GB RAM, 2 CPUs, and 10 GB storage recommended

Server Considerations

You can deploy your server in a private environment (home) or a public cloud. Cloud deployment is typically easier and simplifies setup.

If deploying at home, ensure you add port forwarding for the necessary ports so your server is reachable from the internet.

Preparing Your Firewall

Open the following ports on your server:

  • TCP 80 & 443: Netmaker Dashboard, API requests, and MQTT traffic

  • UDP 51821: WireGuard traffic

  • TCP 51821: Endpoint detection

  • TCP & UDP 53: CoreDNS (optional)
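The port list above expressed as host firewall rules, as an added example that is not part of the Netmaker installer. It assumes `ufw` is the host firewall and that SSH on 22/tcp is your admin path; the function name `netmaker_fw_rules` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the Netmaker project): emit ufw rules for the
# ports listed above. Dry run by default; pass --apply to execute as root.
# Assumptions: ufw is the host firewall, SSH listens on 22/tcp.

netmaker_fw_rules() {
    # $1 = "dns" also opens port 53 for CoreDNS (optional in the list above).
    echo "ufw default deny incoming"    # anything not listed stays closed
    echo "ufw default allow outgoing"
    echo "ufw limit 22/tcp"             # assumed admin access, rate-limited
    echo "ufw allow 80/tcp"             # dashboard, API requests, MQTT
    echo "ufw allow 443/tcp"            # dashboard, API requests, MQTT
    echo "ufw allow 51821/udp"          # WireGuard traffic
    echo "ufw allow 51821/tcp"          # endpoint detection
    if [ "${1:-}" = "dns" ]; then
        echo "ufw allow 53/tcp"         # CoreDNS
        echo "ufw allow 53/udp"         # CoreDNS
    fi
    echo "ufw --force enable"
}

case "${1:-}" in
    --apply) netmaker_fw_rules "${2:-}" | sh -e ;;   # run the rules as root
    *)       netmaker_fw_rules "${1:-}" ;;           # dry run: print only
esac
```

Review the printed rules first, then rerun with `--apply` (add `dns` if you use CoreDNS). Cloud deployments also need the same ports allowed in the provider's security group.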

Point your chosen subdomain (e.g., *.netmaker.yourdomain.com) to your server's IP. If none is provided, the installer will attempt to create one using available services.

Ready to install? Run the provided installer script (one-liner) in your terminal. The script sets up Netmaker Pro with a 14-day trial by default. To use the open source community version instead, remove “-ee” from the netmaker server image (gravitl/netmaker) in your docker compose file.

Using Your Netmaker: After successful installation, your command line will show the domain where you can log in and set up your admin account.

You’ll see on the left sidebar two pre-generated networks: “netmaker” and “internet-access.” Below we cover common use cases: internet access and remote access to resources.

Internet Access

On the left sidebar, click the “internet-access-vpn” network.

On the dashboard you’ll see a “Host” set up on your server as an “InternetGateway,” which can route traffic to the internet from other connected devices.

To use it, download the Remote Access Client from here.

After installing and opening the Remote Access Client, enter your server URL (e.g., api.yourdomain.com) and the Super-Admin username/password you created. Netmaker supports role-based access control; read more here.

You’ll see two options for connecting. Use the “internet-access-vpn” (configured as an Internet Gateway) and click Connect.

Once connected, your internet traffic is routed through your self-hosted server.

Accessing Your VPN with WireGuard Config Files

If you prefer not to use the Remote Access Client, you can use WireGuard directly. The steps below show how to generate and download a WireGuard config from the Netmaker dashboard.

1. Generate a config: On the dashboard, navigate to the Remote Access tab and click the "Create Config" button on the right-hand side.

2. Configure options: A modal will open where you can optionally give a Client ID and modify Advanced Settings. In this example, default values are used.

3. View generated config: The config is generated and ready to be used.

4. Download the config: Click on the ID (random if defaults were used), then download the config.

5. Manage the config: You can enable/disable or delete the config. Advanced Settings remain editable after creation.

Cleanup

If you no longer need an internet access VPN, deleting the network is straightforward.

1. Remove Hosts: First, remove all Hosts from the "internet-access-vpn" network.

2. Delete the network: Go to the Hosts tab to remove hosts quickly. After removing all hosts, delete the network from the Network Settings button.

Remote Access

Use Netmaker to access your home network, office, or servers from anywhere. Install the netclient on target devices to make them accessible remotely. If you install netclient in a local environment and set it as a gateway, the whole local network can be accessible over the VPN.

Steps to add a host (example: homelab):

  • Go to the Hosts tab → Add Hosts → Add New Host.

  • Select an Enrollment Key for your network. This key tells your netclient which network to join with proper access privileges. You can create additional Enrollment Keys from the dashboard.

  • Follow the installation guide for your OS. For this example, use a Linux or Docker client.

  • After netclient is installed, add it to your network using the enrollment key (single command shown on the dashboard).

The new Host will appear on your network.

Now set the new host as an Egress Gateway to the home network.

You can now use the Remote Access Client (connect to the “netmaker” network) to access devices in your home network securely, or use WireGuard config files.

DNS

If you have a DNS server in the local network, edit the gateway in the Remote Access tab and enter the IP of the local DNS server. Your client will apply the settings, allowing access via DNS names rather than IPs.

WireGuard Config Gateway

Instead of using netclient as a gateway, generate a WireGuard config and add the local network in Advanced Settings. You may need to add forwarding rules on the device (use PostUp/PostDown commands). You can also add this config to a Router and access the network using the Remote Access Client or another config file.
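Forwarding rules of the kind mentioned above, as an added example that is not taken from the Netmaker documentation. It assumes the gateway device uses iptables; `eth0` and `192.168.1.0/24` are sample values and `wg_gateway_hooks` is a hypothetical helper. Because wg-quick runs PostUp/PostDown lines as root, the helper validates its inputs and scopes forwarding to the one local subnet.

```shell
#!/bin/sh
# Added example (not Netmaker code): build PostUp/PostDown lines for a
# WireGuard config that acts as a gateway into a local network.
# Assumptions: iptables on the device; eth0 and 192.168.1.0/24 are samples.

wg_gateway_hooks() {
    lan_if=$1
    lan_cidr=$2
    # wg-quick executes these lines as root: accept only a plain
    # interface name and an IPv4 CIDR, nothing a shell could interpret.
    case "$lan_if" in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface: $lan_if" >&2; return 1 ;;
    esac
    printf '%s\n' "$lan_cidr" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' ||
        { echo "bad CIDR: $lan_cidr" >&2; return 1; }

    # %i is replaced by wg-quick with the WireGuard interface name.
    # Forward only VPN -> LAN subnet, plus replies to those connections.
    fwd_out="FORWARD -i %i -o $lan_if -d $lan_cidr -j ACCEPT"
    fwd_back="FORWARD -i $lan_if -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # Masquerade so LAN devices reply to the gateway without extra routes.
    nat="POSTROUTING -o $lan_if -d $lan_cidr -j MASQUERADE"

    printf 'PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A %s; iptables -A %s; iptables -t nat -A %s\n' \
        "$fwd_out" "$fwd_back" "$nat"
    printf 'PostDown = iptables -D %s; iptables -D %s; iptables -t nat -D %s\n' \
        "$fwd_out" "$fwd_back" "$nat"
}

# Sample run with constructed values: prints the two lines to paste into
# the [Interface] section of the generated config.
wg_gateway_hooks eth0 192.168.1.0/24
```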

After Your Trial

You can keep the PRO license or switch to the community edition after the trial. There’s more you can do with Netmaker — from building Mesh VPNs to integrating edge environments. For more information and advanced guides, see the docs at docs.netmaker.io.

Welcome to the future of networking — you're going to love it here!

Conclusion

Netmaker automates many of the complex tasks involved in setting up a WireGuard VPN, making it easier for individuals and businesses to create their own self-hosted VPNs. Opting for a self-hosted VPN can be a wise choice, but network structure and desired performance are crucial factors in determining the most suitable options.
