Use Netmaker to proxy traffic from your VPS to your home network


This is a somewhat short part 2 of “Use HAProxy and WireGuard to proxy traffic from your VPS to your home network”.

As I’ve recently switched to TrueNAS SCALE (TrueNas SCALE Website) with the excellent community TrueCharts (TrueCharts Website) project, my original solution didn’t work anymore. In part 1 I bound nginx not just to the local private IP, but also to the IP of the WireGuard network. As there was no easy or known way for me to achieve this with Traefik and the TrueCharts chart, I started to look for another solution.

One solution is to just run a WireGuard server inside k3s (which is used by TrueNAS SCALE) and then use the Kubernetes IP of Traefik. On the other hand, I was also looking for an easier way to manage my VPNs, one that features a nice UI, SSO and multiple networks. wg-easy (Wg-Easy Website) is a nice project which works very well if you just want one network. However, it does not feature SSO or any other advanced features. After some searching, I found Netmaker (Netmaker Website), which does everything I was looking for.

NOTE: Using Netmaker only for the use case of proxying back to your home network works, but is almost certainly overkill. A bare-bones WireGuard or a wg-easy installation should be more suitable.

Installation

Installing Netmaker is fairly straightforward. Just follow their tutorial (Netmaker Quick Start). If you are using ufw or similar, make sure to open your firewall and allow forwarding of traffic. After the install is completed, you should be able to access the UI and set an admin password.

Setup

After setting an admin password, you need to create a new network under “Networks” and then “Create networks”. Click “Autofill” and make sure to enable “Is Point to Site”.

Create Netmaker network

Next, create an “Access Key” for the created network. It’s best to set the token “Uses” to more than one, in case your node rejoins the network after its config has been wiped. Afterwards, note down the “Access Token”.

In the TrueNAS UI, launch a new docker image, specifying the netclient version that matches your Netmaker server deployment. In the environment variable setting, paste the token you just created and name the variable TOKEN. Make sure to also run the container in privileged mode and run the deployment on the host network via the checkbox in the TrueNAS UI.

Create Netclient deployment in TrueNAS

Next, create another access key and deploy netclient via docker or the binary on your VPS. This can be the same VPS your Netmaker server is running on, which is fine. Currently, it is not recommended to set the network to host for the Netmaker server, thus we need another Netclient deployment.

Your network (in the “Graphs” section) should now look like this:

First step of created reverse network

As the last steps, click on your TrueNAS node and make it the hub of the network.

Make the TrueNAS node the hub

Finally, click on your TrueNAS node again and create an egress. The Target IP is the private IP of your TrueNAS deployment. In the end, your network should look like this (except for the private IP, which might be different).

The final Netmaker reverse network

Test

To test your setup, simply check if you can ping your node as well as access your sites from your VPS over your specified private IP.

vps@vps:~$ ping 192.168.178.2
PING 192.168.178.2 (192.168.178.2) 56(84) bytes of data.
64 bytes from 192.168.178.2: icmp_seq=1 ttl=64 time=18.3 ms
64 bytes from 192.168.178.2: icmp_seq=2 ttl=64 time=16.9 ms
vps@vps:~$ curl --header "Host: cloud.clemenskeppler.de" -s -L --insecure https://192.168.178.2 | head
<!DOCTYPE html>
<html class="ng-csp" data-placeholder-focus="false" lang="en" data-locale="en" >
	<head
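
A successful ping alone does not show which interface the packets left through. The following check is an added example, not part of the original post: it confirms that the route to the egress target uses a WireGuard interface. The interface name nm-home and the addresses in the sample lines are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example: verify that traffic to the egress target leaves the VPS
# through a WireGuard interface and not through the public default route.

# Constructed samples of `ip -o route get 192.168.178.2` output.
# "nm-home" is an assumed interface name; all addresses are made up.
SAMPLE_TUNNEL='192.168.178.2 dev nm-home src 10.20.30.2 uid 1000'
SAMPLE_LEAK='192.168.178.2 via 203.0.113.1 dev eth0 src 203.0.113.10 uid 1000'

# route_dev LINE: print the token that follows "dev" in the route line.
route_dev() {
    local prev="" tok
    for tok in $1; do
        if [ "$prev" = "dev" ]; then
            printf '%s\n' "$tok"
            return 0
        fi
        prev=$tok
    done
    return 1
}

# check_egress ROUTE_LINE WG_IFACES
# Returns 0 if the route's device is one of the space-separated WireGuard
# interfaces, 1 if it uses any other device, 2 if no device was found.
check_egress() {
    local dev iface
    dev=$(route_dev "$1") || { echo "no device in route output"; return 2; }
    for iface in $2; do
        if [ "$dev" = "$iface" ]; then
            echo "ok: routed via $dev"
            return 0
        fi
    done
    echo "not tunnelled: routed via $dev"
    return 1
}

# Demo on the constructed samples.
check_egress "$SAMPLE_TUNNEL" "nm-home" || true
check_egress "$SAMPLE_LEAK" "nm-home" || true

# Live use on the VPS (needs iproute2 and wireguard-tools, run as root):
#   check_egress "$(ip -o route get 192.168.178.2)" "$(wg show interfaces)"
```
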

Summary

Now you have your own Cloudflare-ish tunnel to protect your home network. No ports need to be opened in your home router anymore and your private home IP won’t be leaked. Further, in this network the nodes cannot communicate with each other, but can only reach the hub due to the “Point to Site” setup.

References

  1. TrueNas SCALE Website. https://www.truenas.com/truenas-scale/. Accessed 20.10.2022.
  2. TrueCharts Website. https://truecharts.org/. Accessed 20.10.2020.
  3. Wg-Easy Website. https://github.com/WeeJeWel/wg-easy/. Accessed 20.10.2020.
  4. Netmaker Website. https://www.netmaker.org/. Accessed 20.10.2020.
  5. Netmaker Quick Start. https://docs.netmaker.org/quick-start.html. Accessed 20.10.2020.