Firewall Rules for Netclient

Ports that need to be open on the device running Netclient for it to function properly

Written by Dennis Tadlip

Background:

Netclient manages WireGuard on client devices (nodes). As its name suggests, Netclient is a client in a mesh topology, so it must communicate both with the Netmaker server and with the other clients (its peers). Netclient detects local changes and reports them to the server when necessary; a change to the node's IP address or WireGuard port triggers a network update so that every peer stays in sync.

In almost all cases a firewall should be running on any device connected to a network, and certainly on one reachable from the internet. Firewalls are restrictive by design, and a default configuration will not pass the traffic Netclient needs in order to function. Which rules, then, have to be added?

Resolution:

On Windows, the firewall can allow traffic per program rather than per port, so allow Netclient and, depending on your setup, WireGuard through the Windows firewall.

On Linux, the following ports need to be open:

  • UDP and TCP ports 51821-51830 (the WireGuard listen-port range), or your own custom static ports
  • TCP port 443
  • UDP ports 19302 and 3478 for STUN
  • UDP and TCP port 53 for DNS (optional)

For advanced use cases you may need to inspect the device's own firewall logs or, for Netclients behind a NAT, the logs of the firewall appliance or router in front of them. Look for blocked traffic, inbound and outbound, whose source or destination IP belongs to one of your nodes or to the Netmaker server.

For example, in UFW you may do:

# set the firewall to log only blocked traffic
sudo ufw logging low

# clear out the current log
sudo truncate -s 0 /var/log/ufw.log

# reload ufw
sudo ufw reload

# filter the log for lines that mention your nodes
# (-F treats the addresses as fixed strings; -w keeps 203.0.113.10 from also matching 203.0.113.100)
sudo grep -Fw -e <netmaker server IP> -e <other nodes' IPs> /var/log/ufw.log
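The following POSIX shell script is an added example, not code from the Netmaker documentation or the netclient project. It ties the port list above to the log-filtering steps: netclient_ufw_rules emits the ufw commands for the listed ports with the WireGuard range as a parameter, and blocked_for_hosts summarises [UFW BLOCK] entries for a set of node and server addresses by direction, peer, protocol and destination port, matching the SRC=/DST= fields exactly so that 203.0.113.10 does not also match 203.0.113.100 the way a plain grep would. The log lines, the addresses (RFC 5737 documentation ranges) and the function names are constructed for this example. Two assumptions are built in: ufw's stock policy allows outgoing traffic, so only the WireGuard range needs an inbound rule and the 443/STUN rules are emitted as explicit "out" rules for hosts that changed that default; and port 53 is given the outbound direction, which the page does not specify.

```shell
#!/bin/sh
# Added example: ufw rule generation and UFW BLOCK log summary for a Netclient node.
# Not part of netclient; all names, addresses and log lines below are constructed.

# netclient_ufw_rules FIRST LAST
# Print (do not apply) the ufw commands for the ports listed on this page.
# Only the WireGuard range needs an inbound rule under ufw's default
# "allow outgoing" policy; the rest matter only if that default was changed.
# Assumption: port 53 is treated as outbound, since the page gives no direction.
netclient_ufw_rules() {
    first=$1
    last=$2
    printf 'ufw allow in %s:%s/udp comment "netclient wireguard"\n' "$first" "$last"
    printf 'ufw allow in %s:%s/tcp comment "netclient wireguard"\n' "$first" "$last"
    printf 'ufw allow out 443/tcp comment "netmaker server"\n'
    for p in 19302 3478; do
        printf 'ufw allow out %s/udp comment "stun"\n' "$p"
    done
    printf 'ufw allow out 53 comment "dns (optional)"\n'
}

# blocked_for_hosts LOGFILE IP [IP...]
# Print one line per [UFW BLOCK] entry whose SRC or DST is exactly one of the
# given addresses: "<in|out> <peer> <PROTO> dpt=<port>". The port and protocol
# are what a missing rule would have to cover.
blocked_for_hosts() {
    log=$1
    shift
    awk -v want="$*" '
        BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) hosts[a[i]] = 1 }
        /\[UFW BLOCK\]/ {
            in_if = ""; src = ""; dst = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "IN") in_if = kv[2]
                else if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            # Exact match on the whole address field, not a substring search.
            if (src in hosts) peer = src
            else if (dst in hosts) peer = dst
            else next
            # A non-empty IN= interface means the packet was arriving at this node.
            dir = (in_if != "") ? "in" : "out"
            printf "%s %s %s dpt=%s\n", dir, peer, proto, dpt
        }' "$log"
}

# Constructed sample of /var/log/ufw.log for a node at 198.51.100.5 with a peer
# at 203.0.113.10 and the Netmaker server at 192.0.2.1. Line 3 is an unrelated
# scanner at 203.0.113.100 that a substring match on 203.0.113.10 would catch.
SAMPLE_LOG='Jan 10 12:00:01 node1 kernel: [ 100.000001] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51821 DPT=51821 LEN=40
Jan 10 12:00:02 node1 kernel: [ 100.000002] [UFW BLOCK] IN= OUT=eth0 SRC=198.51.100.5 DST=192.0.2.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:03 node1 kernel: [ 100.000003] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb SRC=203.0.113.100 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33333 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:04 node1 kernel: [ 100.000004] [UFW BLOCK] IN= OUT=eth0 SRC=198.51.100.5 DST=192.0.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=50000 DPT=3478 LEN=28
Jan 10 12:00:05 node1 kernel: [ 100.000005] [UFW ALLOW] IN=eth0 OUT= MAC=aa:bb SRC=203.0.113.10 DST=198.51.100.5 LEN=60 PROTO=UDP SPT=51822 DPT=51822 LEN=40'

# Demo on the constructed sample; on a real node point blocked_for_hosts at /var/log/ufw.log.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
echo "# blocked traffic involving the server or peers:"
blocked_for_hosts "$demo_log" 192.0.2.1 203.0.113.10
echo "# rules for the default port range:"
netclient_ufw_rules 51821 51830
rm -f "$demo_log"
```

The summary lines map directly onto the port list: an "in ... UDP dpt=51821" entry means the WireGuard range is not open inbound, while "out ... TCP dpt=443" or "out ... UDP dpt=3478" means outbound traffic to the server or STUN is being dropped. Review the generated rules before running them (for example by piping them into `sudo sh` only after reading them), and never auto-generate allow rules from blocked entries themselves, since the scanner hit on port 22 in the sample shows why.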
