How to Use Netmaker with a Reverse Proxy

Overview

If you would like to publicly expose a service in your local network, you likely need a reverse proxy. You want the local service to be reachable over the public internet, but you want to do it securely. This article shows you how to use Netmaker to help reverse proxy traffic with WireGuard tunnels, and expose your local services to the world.

In this example, we assume you already have:

a Netmaker server
a local service (in this example, a web server)

With these in mind, you simply need to:

a. Join the Netmaker network from the local resource or

b. set up a forwarding node in the local network (Egress)

After that, you will

deploy a reverse proxy server in the cloud
deploy a Netmaker node on that server.

After this is completed, your service will now be accessible to the internet, using a secure tunnel over the web.

1. Make the Service Accessible from Netmaker

To make the service accessible from Netmaker, you need to either deploy the Netclient on the local server, or set up forwarding to the local server using the Netclient and Egress from a co-located server.

See the documentation on deploying the Netclient here.

If you've done this on the same server as your service, you can move on to the next step.

Join the Network from a co-located device and forward traffic

Using a forwarding node (Egress) allows you to easily forward traffic to the target service. This is also a great approach if you have multiple services in the local environment you would like to expose. To deploy egress, check out the documentation here.

2. Deploy a Reverse Proxy and Netclient Node in the Cloud

Next, we need a public service running in the cloud to forward our traffic. You will need to deploy a server to use for this purpose, which should have a public IP.

Once that is deployed, you will need a reverse proxy. For this example, we'll use Caddy.

On your node that will run the proxy:

Install docker if it’s not installed.
Install the Netclient and join the network, as in Step 1.
Create a file /root/Caddyfile as follows:

 http://yyy.yyy.yyy.yyy {
    reverse_proxy http://xxx.xxx.xxx.xxx:8090
}

xxx.xxx.xxx.xxx is replaced by:

a. The private IP address of the Netclient in the local (if Netclient is deployed on the same server as the webserver) or

b. The local address of the webserver (if Netclient has been set up as Egress)

yyy.yyy.yyy.yyy is replaces by:

the public IP address of the server hosting the proxy.

Create a file /root/docker-compose.yml as follows:

version: "3.4"services:
  caddy:
    image: caddy:latest
    container_name: caddy
    restart: unless-stopped
    network_mode: host # Wants ports 80 and 443!
    volumes:
      - /root/Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_conf:/config
volumes:
  caddy_data: {}
  caddy_conf: {}

Run docker-compose up -d and confirm that the container starts as shown by a message like this

Creating caddy ... done

Run docker ps and confirm that caddyis in the list

3. Test Reaching Your Service from Another PC

From your browser, try reaching the public IP by visiting this URL from a browser

http://yyy.yyy.yyy.yyy:8090

Conclusion

You’ve been able to reach your local service from a machine on another physical network via the secure Netmaker network indirectly (via the reverse proxy). Congratulations!

You’ll want to clean up by urning off the service: close the main.go process on your web server which you can do by killing the process after getting the PID via

ps -eaf | grep main.go

PreviousExternal Guides NextSet up a Static IP User VPN for Whitelisting, with WireGuard and Netmaker

Last updated 6 days ago

Was this helpful?

Good evening

hashtagOverview

hashtag1. Make the Service Accessible from Netmaker

hashtagJoin the Network from a co-located device and forward traffic

hashtag2. Deploy a Reverse Proxy and Netclient Node in the Cloud

hashtag3. Test Reaching Your Service from Another PC

hashtagConclusion