Integrating Non-native Devices
Introduction
Netmaker manages WireGuard configurations through the Netclient and the Netmaker Desktop (formerly Remote Access Client, RAC) installed on the hosts and on the external clients respectively. Basically Netmaker makes WireGuard configurations, which are inherently static, dynamic. As you setup and change your network, Netmaker propagates these changes in the configuration to the affected machines installed with either Netclient or Netmaker Desktop (or RAC mobile).
However in some cases, it might not be ideal or even possible to install Netclient or Netmaker Desktop on some of your machines/devices. In these cases, Netmaker will rely upon your intervention to install WireGuard on these machines/devices and then to manually set up or change their WireGuard configurations whenever necessary. Basically, you just need to get the current WireGuard configuration (or VPN config files) from your Netmaker Gateway on the Netmaker web UI and then stick it to your device in order for it to connect to your Netmaker network.
Generating a WireGuard Configuration File on Remote Access Gateway
Netmaker allows you to generate and manage your VPN configuration files. For instructions on how to make a node a Gateway and on how to create/generate VPN configuration files, please refer here.
You can also get the WireGuard VPN configuration by following these steps:
View, Download or Scan QR
Once you’ve located the configuration file, hover over or click on its ‘kebab’ icon to the right-hand side of the row. A context menu should show up similar to the screenshot below.
You can view and copy the configuration file by clicking on the ‘View Config’ option, or click on the ‘Download’ option to get a copy of the configuration file. You could also scan the QR code.
Once you have the configuration information or the configuration file, you can now apply it to your router, IoT, or other edge devices.
Routers and Firewall Appliances (Virtual or Bare metal)
While Netclient can be installed on some routers and firewall appliances after which you can then configure as egress gateways, it is generally ideal to use these devices’ built-in VPN feature for seamless integration. Since most modern VPN routers and firewall appliances today support WireGuard, they can connect to a Netmaker network as an external client, after which you can then responsibly expose the resources behind these routers by inputting specific IP address ranges in the ‘Additional Addresses’ field. For more information on the Egressing External Clients, please refer to this link here.
The general guidelines for integrating routers and firewall appliances (FWA) to Netmaker are the following:
Before doing any further configuration, take note of your current firmware version and back up the current configuration settings
Upgrade your firmware if necessary
Install WireGuard via your router’s or FWA’s Package Manager. Usually this can be done from its web interface (GUI) instead of from its shell (CLI)
Input the VPN configuration information from Netmaker; or upload the configuration file if your device supports it
If necessary, create a routing entry for the WireGuard tunnel interface
Create tight and specific firewall rules for traffic going in and out between the VPN interface and your LAN [or depending on your use case, your specific device, interface/port, VLAN, DMZ, WAN, etc.]
pfSense
This guide will help you set up WireGuard on pfSense 2.7.2. We will connect to a Netmaker network via a Remote Access Gateway.
Create WireGuard tunnel
Go to VPN -> WireGuard -> Tunnels, and then create a new WireGuard tunnel using the configuration information provided by Netmaker. Click on the Generate button under the Interface Keys fields before pasting the Private Key (from the configuration file generated by Netmaker). Save or submit the form and then take note of the tunnel interface name.
Configure interface settings
Go to Interfaces -> [OPT1], tick the ‘Enable interface’ checkbox, input the MTU, static IP address, and the Netmaker network prefix.
If you’re trying to connect to a Netmaker Internet Gateway, click on the ‘Add a new gateway’ button. Depending on your use case, you may tick the Default Gateway checkbox so that all internet traffic will route through the Netmaker Internet Gateway. Then go to System -> General Setup and, depending on your use case, select the Netmaker Internet Gateway in the DNS Server Settings so that domain name resolution traffic will pass through it instead of the other gateways.
Create firewall rule (if needed)
If you just need to connect to an Internet Gateway, you don’t need to do this step. Otherwise, create a Firewall rule allowing traffic from the Netmaker network to the target resource. In this guide we allow ICMP traffic to the LAN so that we can do pings. Go to Firewall -> Rules -> [OPT1] and add a rule similar to the screenshots below.
After saving the firewall rule, nodes from your Netmaker network should now be able to ping the egress ranges you’ve specified, and vice versa. Edit the firewall rule or create another one specific to your needs.
OPNsense
This guide will help you set up WireGuard on OPNsense 24.1_1. We will connect to a Netmaker network via a Remote Access Gateway.
Create tunnel instance
Go to VPN -> WireGuard -> Settings -> Instances, and then create a new WireGuard tunnel instance using the configuration information provided by Netmaker. Click on the Generate [gear] icon in the Public Key field before pasting the Private Key (from the configuration file generated by Netmaker). Save and then take note of the tunnel interface name.
Create gateway and route
Create a route to the Netmaker network by first creating a gateway. Go to System -> Gateways -> Configuration, then click on the add icon and specify the tunnel interface [OPT1] and its IP.
Add the necessary routing entry. Go to System -> Routes -> Configuration, then click on the ‘add’ icon and specify a route to the Netmaker network via the gateway created in the previous step.
Create firewall rule
Create a Firewall rule for WireGuard allowing traffic between it and the target resource. In this guide we allow ICMP traffic between WireGuard tunnel interface and the LAN so that we can do pings. Go to Firewall -> Rules -> [OPT1] and add a rule similar to the screenshot below.
After saving the firewall rule, devices in your LAN should now be able to ping machines in your Netmaker network, and vice versa. Edit the firewall rule or create one that suits your needs.
MikroTik
This guide will help you set up WireGuard on MikroTik 7.15.3. We will connect to a Netmaker network via a Remote Access Gateway.
Apply WireGuard configuration via CLI
Given a sample WireGuard configuration below, access MikroTik’s CLI and issue the corresponding commands.
WireGuard interface configuration:
Peer configuration:
IP and routing configuration:
And that’s it. Devices from your LAN should now be able to reach machines in your Netmaker network, and vice versa.
For more information, please refer to this guide from MikroTik’s documentation page: https://help.mikrotik.com/docs/display/ROS/WireGuard
Routing internet traffic to a Netmaker Internet Gateway is also possible by adding the necessary firewall NAT rules. Please refer to the MikroTik documentation for more information.
OpenWrt
This guide will help you set up WireGuard on OpenWrt 23.05.2. We will connect to a Netmaker network via a Remote Access Gateway.
Configure firewall zone
Go to Network -> Firewall, and then add a zone allowing traffic between the WireGuard tunnel and the LAN. Please add your own version of Firewall rules that are tight and specific to your needs. Save and apply the changes.
Routing internet traffic to a Netmaker Internet Gateway is also possible by adding the necessary firewall NAT rules. Please refer to the OpenWrt documentation for more information.
Other routers
Please refer to these links for instructions on how to configure WireGuard:
TP-Link - https://www.tp-link.com/fr/support/faq/3772/
Asus - https://www.asus.com/support/faq/1048281/
GL.iNet - https://docs.gl-inet.com/router/en/3/tutorials/WireGuard_client/#setup-WireGuard-client
Teltonika - https://wiki.teltonika-networks.com/view/WireGuard_Configuration_Example
pcWRT - https://www.pcwrt.com/2019/12/how-to-set-up-a-WireGuard-vpn-client-connection-on-the-pcwrt-router/
DD-WRT - https://windscribe.com/knowledge-base/articles/WireGuard-router-setup-guide-dd-wrt
Note on the Router Guides
The router guides assume that machines behind your router or firewall appliance point to it as the gateway. If in your case they don't you have two options:
Internet of Things (IoT Devices)
Please refer to these links for instructions on how to configure WireGuard:
IOTstack - https://sensorsiot.github.io/IOTstack/Containers/WireGuard/
Embedded Linux - https://www.toradex.com/blog/embedded-linux-vpn-application
lwIP IP stack - https://github.com/smartalock/WireGuard-lwip
Other Devices
For other devices not covered above, please refer to your device’s documentation for instructions on how to install and configure WireGuard.
Disclaimer
The information provided by us on this how-to guide is for general informational purposes only. All information on this page is provided in good faith, however we make no representation or warranty of any kind, express or implied, regarding the accuracy, adequacy, validity, reliability, availability or completeness of any information on the page.
Under no circumstance shall we have any liability to you for any loss or damage of any kind incurred as a result of the use of this how-to guide or reliance on any information provided on the page. Your use of the how-to guide and your reliance on any information on the page is solely at your own risk.
Was this helpful?