Netmaker clients

This is the final part of a series about setting up Netmaker-based mesh networks, starting here.

Opinionated

This part is totally opinionated. There are plenty of possible network setups, so I do not even try to explain them all. I will show You what I have done and try to explain why I did so.

Check out the Netmaker documentation for further information.

Create Netmaker network

Go to Dashboard->Networks->Create Network. The network ID is keszi. It is IPv4 only, with UDP hole punching enabled. I use the default Access Control rules; we do not care about those here.

Please remember that in the firewall part we enabled all traffic on nm+, because Netmaker uses nm-<network ID> as the interface name. We also enabled UDP packets on port 51821, because this is the first port Netmaker tries to use (You can change both of course, just do not forget to adjust Your firewall rules too!).

The Netmaker IP range is 10.20.30.0/24. This is quite easy to remember. This is called CIDR notation; You can check out here what the /24 at the end means.

My home network range is 192.168.0.0/24. I have a router running OpenWRT to serve IP addresses from this range. It is pretty basic:

  • It makes sure that a given machine, identified by its MAC address, always gets 192.168.0.200 (a static DHCP lease)
  • The DHCP server sets the DNS servers to 192.168.0.200 and 10.20.30.53

Here are my Netmaker clients:

  • Client running on the VPS (or Netmaker admin server) as 10.20.30.53. This client is also an ingress node.
  • My (Android) phone connects to the network through 10.20.30.53 with address 10.20.30.2
  • Client running on puruttya as 10.20.30.1. This is also an egress node to 192.168.0.0/24.

That’s it. Nothing fancy.

Client setup

Access Keys

The easiest way to connect a client is using access keys. You can create access keys with Dashboard->Access Keys->Create Access Key. Leave name and uses on their default values.

This will show You an Access Token (and some other stuff too). Copy the token, as You will not see it again.

If You mess up something just delete the access key and create a new one.

WARNING: I do not recommend creating keys with a use counter unless You mass deploy clients, and always make sure to remove the unused keys. If You leak the token, anybody can connect to Your network.

Setting up puruttya

Copy the newly created token to the docker-compose.yml’s netclient service as the TOKEN environment variable.

Start the netclient container:

docker-compose up netclient

You should see something similar in the logs:

[daemon.go-42] Daemon(): netclient daemon started -- version: v0.16.1
[clientconfig.go-23] UpdateClientConfig(): checking for netclient updates...
[clientconfig.go-36] UpdateClientConfig(): upgrading node puruttya on network keszi from v0.16.1 to v0.16.1
[clientconfig.go-45] UpdateClientConfig(): error publishing node update during schema change unable to publish ... no mqclient
[clientconfig.go-52] UpdateClientConfig(): finished updates
[daemon.go-92] startGoRoutines(): initializing network keszi
[daemon.go-109] startGoRoutines(): started daemon for server  broker.netmaker.voroskoi.duckdns.org
[mqpublish.go-30] Checkin(): starting checkin goroutine
[daemon.go-194] messageQueue(): network: keszi netclient message queue started for server: broker.netmaker.voroskoi.duckdns.org

Check Dashboard->Nodes: there should be a new node named after Your client’s hostname. Try to ping those machines using 10.20.30.1 and 10.20.30.254!

Now You can mark this node as an Egress node. The egress gateway range is 192.168.0.0/24 (which is the home network IP range). If You run ip addr on the egress node, it will show You the interface name which is sitting on this range. Probably eth0, but make sure You set it properly, otherwise it will not work! You want the Enable NAT for egress traffic option set.

Now on the VPS server You should be able to ping the local address of the home network machine. In my case that is 192.168.0.200. Pretty cool, huh?
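The egress step above hinges on picking the right interface, and guessing eth0 is exactly where this breaks. As an added example (not code from the post and not part of Netmaker), here is a small Python script that parses the output of ip -o -4 addr and returns the one interface whose address falls inside the egress range; it refuses to guess when no interface or more than one interface sits on that range. The sample output is constructed to look like puruttya; the real command output has the same shape.

```python
"""Find the interface that sits on the egress range (added example, not the post's code)."""
import ipaddress
import subprocess

# Constructed sample of `ip -o -4 addr` on an egress node; values are illustrative.
# Each line is "<index>: <ifname>    inet <addr>/<prefix> ... <ifname>\<lifetimes>".
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.0.200/24 brd 192.168.0.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: docker0    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0\\       valid_lft forever preferred_lft forever
4: nm-keszi    inet 10.20.30.1/24 scope global nm-keszi\\       valid_lft forever preferred_lft forever
"""


def parse_ip_addr(output: str) -> list[tuple[str, ipaddress.IPv4Interface]]:
    """Return (interface name, address/prefix) pairs from `ip -o -4 addr` output."""
    pairs = []
    for line in output.splitlines():
        fields = line.split()
        # Expected layout: index, ifname, "inet", addr/prefix, ...
        if len(fields) < 4 or fields[2] != "inet":
            continue
        pairs.append((fields[1], ipaddress.ip_interface(fields[3])))
    return pairs


def egress_interface(output: str, egress_range: str) -> str:
    """Name of the single interface holding an address inside egress_range.

    Raises LookupError instead of guessing when there is no such interface
    or when several interfaces qualify (e.g. a bridge and its member).
    """
    net = ipaddress.ip_network(egress_range, strict=True)
    matches = sorted({name for name, addr in parse_ip_addr(output) if addr.ip in net})
    if not matches:
        raise LookupError(f"no interface holds an address in {net}")
    if len(matches) > 1:
        raise LookupError(f"ambiguous: {matches} all sit on {net}; pick one explicitly")
    return matches[0]


def live_egress_interface(egress_range: str) -> str:
    """Same check against the running system (needs iproute2 on Linux)."""
    proc = subprocess.run(["ip", "-o", "-4", "addr"], check=True,
                          capture_output=True, text=True)
    return egress_interface(proc.stdout, egress_range)


if __name__ == "__main__":
    # On the sample data this prints "eth0"; run live_egress_interface() on the real node.
    print(egress_interface(SAMPLE_IP_ADDR, "192.168.0.0/24"))
```

Run live_egress_interface("192.168.0.0/24") on the egress node itself and paste the result into the Dashboard; if it raises, fix the addressing before enabling egress, because a wrong interface silently forwards nothing.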

Setting up VPS client

The first part is identical to the puruttya setup. You need an access key, update the docker-compose.yml and start the client. It should show up as a new node.

I use 10.20.30.53 as the IP address of the client. If You click on a node name and then Edit, You can change the IP address. Also note that the client uses port 51822, because 51821 is already taken by the server admin node. This is the reason we had to open this UDP port too on the firewall.

The client creates a nm-keszi network interface, so services can listen on that too. For example the adguard service will be reachable on address 10.20.30.53 (that’s why it is set on my router at home as a DNS address). However, we did not open ports 8888 and 53 in the DOCKER-USER chain of the firewall, so the admin panel and the DNS resolver are unreachable via eth0. (I do not want to run a public DNS service.)
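Whether a container port is reachable from eth0 or only from the mesh is decided by the order of the rules in DOCKER-USER, which is easy to get wrong. As an added example (not the post's firewall and not Netmaker code), here is a small Python evaluator that parses the output of iptables -S DOCKER-USER and walks the rules in order for a new inbound connection, the way the kernel would, so You can ask "is TCP 8888 on eth0 exposed?" without opening a browser on the VPS. The chain below is constructed for this example (the previous part of the series defines the real one); the evaluator understands only -i, -p, --dport, -m, --ctstate and -j, and raises on anything else rather than silently mis-evaluating.

```python
"""Evaluate DOCKER-USER exposure per interface (added example, not the post's code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed `iptables -S DOCKER-USER` dump: mesh traffic is trusted, one
# published TCP service is allowed from the internet, everything else on eth0
# is dropped, and the chain hands back to Docker's own rules with RETURN.
SAMPLE_DOCKER_USER = """\
-N DOCKER-USER
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -i nm+ -j ACCEPT
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER-USER -i eth0 -j DROP
-A DOCKER-USER -j RETURN
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN"}


@dataclass
class Rule:
    in_iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    ctstates: Optional[set] = None
    target: str = "RETURN"


def parse_rules(text: str) -> list:
    """Parse the -A lines of an `iptables -S <chain>` dump into Rule objects."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "-A":
            continue  # -N (chain declaration) and blank lines carry no rule
        rule, i = Rule(), 2  # tokens[1] is the chain name
        while i < len(tokens):
            opt, arg = tokens[i], tokens[i + 1] if i + 1 < len(tokens) else None
            if opt == "-i":
                rule.in_iface = arg
            elif opt == "-p":
                rule.proto = arg
            elif opt == "--dport":
                rule.dport = int(arg)
            elif opt == "--ctstate":
                rule.ctstates = set(arg.split(","))
            elif opt == "-j":
                rule.target = arg
            elif opt == "-m":
                pass  # match extension name (tcp, udp, conntrack); options follow
            else:
                raise ValueError(f"unsupported option {opt!r} in rule: {line}")
            i += 2
        rules.append(rule)
    return rules


def iface_matches(pattern: Optional[str], iface: str) -> bool:
    """iptables interface match, including the trailing '+' wildcard (nm+)."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return iface == pattern


def verdict(rules: list, in_iface: str, proto: str, dport: int, ctstate: str = "NEW") -> str:
    """First terminal target that matches the packet, walking rules in order."""
    for r in rules:
        if not iface_matches(r.in_iface, in_iface):
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.ctstates is not None and ctstate not in r.ctstates:
            continue
        if r.target in TERMINAL:
            return r.target
    return "RETURN"  # fell off the end: Docker's published-port rules decide


def is_exposed(rules: list, in_iface: str, proto: str, dport: int) -> bool:
    """RETURN means Docker's own rules take over, which allow published ports,
    so only an explicit DROP/REJECT counts as not exposed."""
    return verdict(rules, in_iface, proto, dport) not in {"DROP", "REJECT"}


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_DOCKER_USER)
    for iface, proto, port in [("eth0", "tcp", 8888), ("eth0", "udp", 53),
                               ("eth0", "tcp", 443), ("nm-keszi", "tcp", 8888)]:
        print(f"{iface} {proto}/{port}: exposed={is_exposed(rules, iface, proto, port)}")
```

Feed it the real dump with parse_rules(subprocess.check_output(["iptables", "-S", "DOCKER-USER"], text=True)) and check the ports You intend to keep mesh-only; the model covers new connections and the listed matches only, so a rule using source addresses or other extensions makes it raise rather than guess.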

Click on Ingress icon to make it an ingress node. You are done.

Connecting the phone (Android)

You need the WireGuard application from Google Play installed on the phone.

Go to Dashboard->Ext. Clients. You should see Your freshly created ingress node there. Click on Add external client; it will create a client. Scan the QR code with the phone, enable the tunnel and You are set.

Now You can reach the home network hosts from the phone. Install Kodi or Jellyfin; Your personal Netflix is ready to roll.

WARNING: External clients cannot keep up with network changes. If You change IP addresses or ports, You have to re-scan the updated QR code. This is because there is no netclient for these platforms yet.

Moving further (update: 2022-10-24)

Based on this tutorial You can set up a basic Netmaker-based mesh network. I do not try to be comprehensive here; it is more like a starting point for Your own experimenting.

I highly recommend checking out the Netmaker documentation, especially the Advanced Server Installation and Advanced Client Installation parts, for a reference of configuration options and such.

There are a couple of cool aspects of Netmaker, which I have not covered here at all:

Happy hacking!