In the third part of this series on Netmaker/Wireguard for the home LAN (part 1, part 2), let’s set up another wireguard network, featuring our external vps server, which we’re going to use to browse the web from a different IP address to dodge ISP filtering, much as one might via a commercial VPN provider.
- In the netmaker web UI, click Create Network on the left, name it vpn and assign a new private subnet, e.g.
- Go to Access Keys and add an access key for the vpn network.
- Now, we need to install netclient on our vps.
- First, make sure wireguard is installed.
Next, install netclient. We can run it using docker, as detailed in the docker-compose file above. If you wish to install it directly on the host system, note that the curl oneliner shown when you generate the access key currently has a bug whereby the node name, autogenerated from the machine's hostname, cannot contain a dot. As such we must amend it like so:
curl -sfL https://raw.githubusercontent.com/gravitl/netmaker/develop/scripts/netclient-install.sh | VERSION=0.8.5 NAME=mynode KEY=<ACCESS_KEY>= sudo -E sh -
Additionally, note that we have inserted sudo -E before the sh call. The script must be run as root, but if you naively put sudo at the front of the line before curl, only the curl call will be elevated, not the sh that actually executes the script. The -E ensures that the preceding variables are not stripped by
Upon success, we should see something like this:
- Alternatively, if you don’t like the idea of using a script like this, you can download the binary directly and feed it the access key. It will set itself up as a systemd service automatically.
- Back in the GUI, you should see the vps added as a
Now we need to set it up as an egress gateway to the rest of the internet, as well as an ingress gateway for external clients. We are doing exactly the same thing as we did before for the home server node, except in a sense in reverse: traffic is going to be routed out from the node to the internet at large, as opposed to the LAN.
Click on the egress icon as before:
In address ranges, one might think one would specify 0.0.0.0/0 for all IPs. On desktop clients, the routes are prioritised such that LAN subnets will still be routable. This means, for example, that you will still be able to connect to your NAS box when connected to your VPN. However, this doesn’t work on the android wireguard client for whatever reason. The workaround is to instead specify an explicit list of all non private subnets, like so:
22.214.171.124/8, 126.96.36.199/8, 188.8.131.52/8, 184.108.40.206/6, 220.127.116.11/7, 18.104.22.168/8, 22.214.171.124/6, 126.96.36.199/4, 188.8.131.52/3, 184.108.40.206/2, 220.127.116.11/3, 18.104.22.168/5, 22.214.171.124/6, 126.96.36.199/12, 188.8.131.52/11, 184.108.40.206/10, 220.127.116.11/9, 18.104.22.168/8, 22.214.171.124/7, 126.96.36.199/4, 192.0.0.0/9, 188.8.131.52/11, 184.108.40.206/13, 220.127.116.11/16, 18.104.22.168/15, 22.214.171.124/14, 126.96.36.199/12, 188.8.131.52/10, 184.108.40.206/8, 220.127.116.11/7, 18.104.22.168/6, 22.214.171.124/5, 126.96.36.199/4
For the network interface, specify the relevant device as usual, probably
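The Android workaround above amounts to enumerating the complement of the private address space. As an added example (not code from the original post or from Netmaker), the following Python script computes such a list with the standard ipaddress module, so you can regenerate it or extend it with further ranges you want kept off the egress route; the default set of excluded ranges is my assumption, and the sanity check confirms the result neither overlaps the excluded ranges nor leaves any other address out.

```python
import ipaddress

# Ranges to keep off the egress route (assumption for this example): the
# RFC 1918 private space, plus 0.0.0.0/8 ("this network") and 224.0.0.0/3
# (multicast and reserved). Adjust to taste.
LOCAL_RANGES = ("0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
                "192.168.0.0/16", "224.0.0.0/3")


def non_local_subnets(exclude=LOCAL_RANGES):
    """Return sorted IPv4 prefixes that together cover 0.0.0.0/0 minus `exclude`.

    CIDR blocks either nest or are disjoint, so for each excluded range every
    remaining block is either split around it (address_exclude), dropped
    because it lies inside it, or kept untouched.
    """
    excluded = [ipaddress.ip_network(e) for e in exclude]
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in excluded:
        nxt = []
        for net in remaining:
            if ex.subnet_of(net):
                nxt.extend(net.address_exclude(ex))  # yields nothing if ex == net
            elif not net.subnet_of(ex):
                nxt.append(net)
        remaining = nxt
    return sorted(remaining)


def egress_ranges_string(exclude=LOCAL_RANGES):
    """Format the result as the comma-separated list the egress dialog takes."""
    return ", ".join(str(n) for n in non_local_subnets(exclude))


def sanity_check(subnets, exclude=LOCAL_RANGES):
    """True if no produced block overlaps an excluded one and the total
    address count equals the whole IPv4 space minus the excluded ranges."""
    excluded = [ipaddress.ip_network(e) for e in exclude]
    if any(n.overlaps(ex) for n in subnets for ex in excluded):
        return False
    expected = 2 ** 32 - sum(ex.num_addresses for ex in excluded)
    return sum(n.num_addresses for n in subnets) == expected


if __name__ == "__main__":
    nets = non_local_subnets()
    print(len(nets), "ranges, consistent:", sanity_check(nets))
    print(egress_ranges_string())
```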
- Now this node also needs to be an ingress node, so click the button and confirm the dialog.
- Finally, add your external clients as before. You can verify that it works by browsing to a blocked site, or using traceroute to verify that your traffic is being routed correctly.
If you want to be able to add new clients to the LAN tunnel via SSH from offsite, you will need to add the vps to the home network as well as the vpn one. Remember that netclient is already installed there, so you can add another network like so:
sudo netclient join -t <ACCESS_TOKEN> --name <NODE_NAME>
Then you’ll need to use ssh to set up a SOCKS proxy on the VPS, like so:
ssh -D 1337 your.vps.com
Then configure your browser to connect to a SOCKS proxy on localhost port 1337. You are then effectively joined to your home LAN, but only through the browser. You can then browse to http://$INTERNAL_IP:8002 and add yourself as a new client, and enjoy full high-speed, system-wide routing rather than just through the browser.
This concludes my series on netmaker. Hope you found it helpful! 😊