Making OpenWRT Successfully Integrate with the Netmaker Network
Written by Dennis Tadlip
Updated over a week ago

Integrating routers into the Netmaker network opens up valuable possibilities for creating secure, scalable, resilient, and automated network infrastructures. One significant benefit is the ability to seamlessly interconnect different sites with a secure mesh virtual private network without needing to install a software client on every machine at each location.

This document focuses on OpenWRT. To integrate OpenWRT with Netmaker, you need to configure your OpenWRT device to run the Netclient for Netmaker. Below is a step-by-step guide on how to achieve this. The steps assume you already have shell and Web UI access to your OpenWRT device.

Step 1: Setup Storage

Installing large packages on OpenWRT can be challenging due to the limited storage space typically available on many routers. To expand your firmware's space to install more packages, refer to this article from the documentation page: https://openwrt.org/docs/guide-user/additional-software/extroot_configuration.

Step 2: Install WireGuard

Netmaker uses WireGuard for VPN communication. Ensure that your OpenWRT device has WireGuard installed. It’s recommended to install WireGuard via the web UI:

  • Go to System -> Software

  • Click the “Update lists…” button, then search for WireGuard

  • Install wireguard-tools and luci-proto-wireguard (for the web GUI)

  • Reboot

Step 3: Install and Configure Netclient

Netclient can be run as a Docker container or installed directly on the host machine for more reliable connectivity. However, it's important to note that Docker Netclients on version 0.24.3 and earlier have a known bug, which has been fixed in version 0.25.0.

To install the Linux version, copy and paste the command below (removing sudo), then execute it.

You can then join a Netmaker network using the enrollment key or by using the netclient join command.

Alternatively, to run Netclient as a Docker container on OpenWRT, refer to the OpenWRT Docker guide: https://openwrt.org/docs/guide-user/virtualization/docker_host for more details. Generally, you may need to run containers as specific users, requiring the creation of new users, groups, and setting up the appropriate folder permissions. However, for simplicity in this demo, we’ll use the root user.

Install Docker and Docker Client with the following commands:

opkg update 
opkg install dockerd docker

Once installed, you can run Netclient and join the network with the docker run command. You may add the --restart=always parameter so that the container starts again after every router boot.

At this point, your OpenWRT device should be able to access resources within the Netmaker network. However, these devices will not be able to ping the OpenWRT machine. Additionally, OpenWRT will not function as a Remote Access Gateway, Relay, Egress Gateway, or Internet Gateway. This behavior is expected because OpenWRT’s firewall blocks this traffic by default. To resolve this, you need to configure firewall rules on OpenWRT based on your intended use within the Netmaker network. First, you need to register the tunnel interface.

Step 4: Register the Tunnel Interface

On OpenWRT, the tunnel interface that Netclient creates is recognized as a "device" named "netmaker" by default. Create a new unmanaged interface via LuCI. Go to Network -> Interfaces -> Add new interface:

  • Name: netmakerif (can be any name)

  • Protocol: Unmanaged

  • Device: netmaker

Click the "Create interface" button. A modal form will appear. If you are running CoreDNS on your Netmaker server, go to the "Advanced Settings" tab and specify the public IP of the server in the "Use custom DNS servers" field. Click Save.

To persist all the changes, click "Save & Apply". Then reboot the router.

Step 5: Create Firewall Zone

The firewall uses zones over your network interfaces to control traffic flow. Create a new firewall zone via LuCI. Go to Network -> Firewall -> Zones -> Add:

  • Name: netmakerzn (or any other name)

  • Input: ACCEPT (default)

  • Output: ACCEPT (default)

  • Forward: ACCEPT

  • Masquerading: on

  • MSS Clamping: on

  • Covered networks: netmakerif (or the custom name you specified in the previous step)

  • For Allow forward to destination zones:

    • Select LAN and/or any other internal zones to allow Netmaker resources to reach devices in these zones. This applies if you set OpenWRT as an Egress Gateway.

    • Select WAN if you intend to use OpenWRT as an Internet Gateway or an exit node.

  • For Allow forward from source zones:

    • Select your LAN and/or other internal zones to allow machines in these zones to reach resources in the Netmaker network; otherwise, leave it blank. It’s essential to specify LAN and/or other internal zones here if you plan to use this device as a gateway in a site-to-site virtual mesh interconnectivity.

  • Click Save, then click Save & Apply to persist all changes.

These steps should suffice if you plan to use OpenWRT as a Relay, Egress Gateway, and/or Internet Gateway.

Step 6: Add Port Forwarding Rules (for Remote Access Gateway)

This extra step is only necessary if you want OpenWRT to function as a Remote Access Gateway. Create a new port forwarding rule via LuCI. Go to Network -> Firewall -> Port Forwards -> Add. Create port forwarding rules from WAN to "netmakerzn".

  • Name: netmaker (or any other name)

  • Protocol: TCP/UDP

  • Source Zone: WAN

  • External port: 51821 (or any port; the default is 51821). To find the port, visit NMUI, navigate to the Netmaker network that OpenWRT is part of, click on the Remote Access tab, find OpenWRT, and view the VPN config file. Under the [Peer] section, look for the number after the IP address in the Endpoint value.

  • Destination zone: Select "netmakerzn" (or the name you specified in Step 5)

  • Internal IP address: Enter the Netmaker IP address of OpenWRT

  • Internal Port: 51821

  • Click Save, then Save & Apply
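
The LuCI settings from Steps 4 to 6 can also be expressed as UCI commands from the router's shell. The following is an added example, not part of the original guide or of Netmaker's own tooling. It assumes OpenWrt 21.02 or later option names and the default zone names lan and wan; the function names and section names are this example's own.

```shell
# Added example: `uci batch` input equivalent to the LuCI forms in Steps 4-6.
# netmakerif, netmakerzn, netmaker and 51821 come from the guide; function and
# section names, and the default zone names lan/wan, are assumptions.
# One forwarding section: zone $1 may forward traffic to zone $2.
nm_forwarding() {
    cat <<EOF
set firewall.fwd_${1}_${2}=forwarding
set firewall.fwd_${1}_${2}.src='$1'
set firewall.fwd_${1}_${2}.dest='$2'
EOF
}

# Steps 4 and 5. $1 = destination zones, $2 = source zones (space separated).
nm_zone_batch() {
    cat <<EOF
set network.netmakerif=interface
set network.netmakerif.proto='none'
set network.netmakerif.device='netmaker'
set firewall.netmakerzn=zone
set firewall.netmakerzn.name='netmakerzn'
set firewall.netmakerzn.input='ACCEPT'
set firewall.netmakerzn.output='ACCEPT'
set firewall.netmakerzn.forward='ACCEPT'
set firewall.netmakerzn.masq='1'
set firewall.netmakerzn.mtu_fix='1'
add_list firewall.netmakerzn.network='netmakerif'
EOF
    for z in $1; do nm_forwarding netmakerzn "$z"; done
    for z in $2; do nm_forwarding "$z" netmakerzn; done
}

# Step 6. $1 = the router's Netmaker IPv4 address, $2 = port (default 51821).
nm_redirect_batch() {
    port=${2:-51821}
    case "$1" in ""|*[!0-9.]*) return 1 ;; esac     # digits and dots only
    case "$port" in ""|*[!0-9]*) return 1 ;; esac   # numeric port only
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    cat <<EOF
set firewall.netmaker_dnat=redirect
set firewall.netmaker_dnat.name='netmaker'
set firewall.netmaker_dnat.target='DNAT'
set firewall.netmaker_dnat.proto='tcp udp'
set firewall.netmaker_dnat.src='wan'
set firewall.netmaker_dnat.src_dport='$port'
set firewall.netmaker_dnat.dest='netmakerzn'
set firewall.netmaker_dnat.dest_ip='$1'
set firewall.netmaker_dnat.dest_port='$port'
EOF
}
```

On the router, pipe the output of both functions into `uci batch`, then run `uci commit` and reboot as in Step 4. Because the zone's input policy is ACCEPT, peers on the Netmaker network can reach services listening on the router itself.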

Note: It is crucial to review the routes and firewall rules configured by Netclient on your OpenWRT device.

Disclaimer

The information provided in this how-to guide is for general informational purposes only. All content on this page is provided in good faith; however, we make no representation or warranty of any kind, express or implied, regarding the accuracy, adequacy, validity, reliability, availability, or completeness of the information on this page.

Under no circumstances shall we be liable for any loss or damage of any kind incurred as a result of the use of this how-to guide or reliance on any information provided on this page. Your use of this guide and reliance on any information contained within is solely at your own risk.
