Securing Ingress and Egress Requests using Wireguard VPN and Netmaker

Ingress and egress requests are elementary to the operation of your network communication. Ingress requests are incoming traffic, while egress requests are outgoing traffic. If both types of requests are not secured properly, they can pose lots of security risks to your network.

In the case of Ingress requests, if proper security measures are not put in place, unauthorized access can lead to data breaches, malware infections, and other cyber attacks. On the other hand, unsecured egress requests can result in data leakage, unauthorized data transfer, and other security vulnerabilities. 

By leveraging WireGuard VPN's state-of-the-art cryptographic primitives, including Curve25519 for key exchange and ChaCha20 for encryption, your organization can establish secure tunnel transmission, mitigating the risks associated with unencrypted or vulnerable network communications.

Securing Ingress Requests

Ingress requests refer to incoming network traffic attempting to access resources within your network. This influx of data presents a gilt-edged opportunity for malicious entities to infiltrate your systems and compromise sensitive information. Therefore, implementing robust measures like a Wireguard VPN to safeguard against unauthorized access is vitally important.

Wireguard VPN for Enhanced Security

A Wireguard VPN secures ingress requests by establishing encrypted tunnels between clients and servers. It operates by creating secure point-to-point connections, effectively encrypting all traffic passing through these connections. By deploying a Wireguard VPN, your organization can create a secure pathway for ingress requests, thereby ensuring data transmission between clients and servers remains confidential and secure.

Configuration Steps for Implementing Wireguard VPN for Ingress Traffic

Follow these steps to implement Wireguard VPN for securing ingress traffic: 

1. Installation and Setup: Install the Wireguard VPN software on the designated server or gateway that handles incoming traffic. Follow the installation instructions provided by the official Wireguard documentation tailored to your operating system (Linux, Windows, MacOS, BSD, IOS, Android, etc.).  
2. Key Generation: Generate cryptographic key pairs for both the server and client devices to authenticate and establish a secure connection. You can use tools like ‘wg genkey’ and ‘wg pubkey’ to generate private and public keys.
3. Configuration File Creation: Create a configuration file for Wireguard detailing the network interface settings, allowed IPs, private and public keys, and peer configurations. This creates a secure tunnel for incoming traffic. Implement rules that are in line with your organization’s security policies and requirements. 
4. Firewall Rules Configuration: Wireguard does not prevent all incoming traffic on its own. You need to configure a firewall to block access to services unless they are connected to a Wireguard client. This makes sure that only authorized users can access your services through the Wireguard VPN tunnel.
5. Peer Configuration: Configure the Wireguard peers on both the server and client sides, specify the public keys, allowed IPs and endpoint addresses to establish secure connections between them.
6. Testing and Monitoring: After completing the configurations, conduct a series of thorough tests to ensure the seamless operation of the Wireguard VPN. Monitor network performance and make necessary tweaks where needed.

Setting Up Ingress (Remote Access) Gateway with Netmaker

Netmaker enables any WireGuard-enabled device to connect to a network through a Remote Access Gateway (ingress). That includes devices like phones, laptops, and desktops that support WireGuard. Netmaker’s Remote Access Client adds additional capabilities like user authentication and session expiration.

In either case, devices use a WireGuard config file to access the Remote Access Gateway, which then forwards traffic to the intended destination. This setup allows any device capable of running WireGuard to join a Netmaker network. While it's recommended to use the Remote Access Client for end users, other machines can be configured for more static access using standard WireGuard config files. 

Additionally, Remote Access Gateways can function as internet gateways, routing all client traffic through them to conceal the client's public IP address securely. Configuration for internet gateways can be done via the Internet Gateway tab in Netmaker.

Configuring a Remote Access Gateway

To set up a Remote Access Gateway, clients need to connect to it. By default, your network doesn't have one, so you'll need to configure it by accessing the network settings and navigating to the "Remote Access" tab. 

Clicking the "Create Client Config" button brings up a window where you select a host to use as the gateway. Any host with a public IP address will work, but avoid ones behind a NAT. The Netmaker server itself can serve as a gateway and is a suitable default choice if you're unsure. You can also choose whether the gateway should route all public traffic to the internet, acting as an internet gateway. Additionally, there's an option to specify a default DNS server for all connected clients.

Securing Egress Requests

Egress requests represent the flow of data from your network to external destinations. These requests encompass various protocols and applications, including web browsing, email communication, file transfers, and more. Without strong security measures put in place, your egress traffic can be interpreted, intercepted, manipulated, or exploited by malicious actors, thereby compromising the confidentiality, integrity, and availability of sensitive data.

Wireguard VPN for Securing Outgoing Network Traffic

Wireguard VPN safeguards egress traffic by offering encryption, authentication, and tunneling features to establish secure communication channels between your internal network resources and external destinations. By encapsulating egress traffic within encrypted tunnels, Wireguard VPN can help ensure that the confidentiality and integrity of your company’s data remains intact, mitigating the risks associated with unsecured data transmission over the internet.

Configuration Steps for Implementing Wireguard VPN for Egress Traffic

The following steps will guide you to effectively implement Wireguard VPN for securing ingress traffic:

1. Installation and Setup: Begin by installing the Wireguard VPN software on your selected server or gateway responsible for handling outgoing traffic. Follow the installation instructions provided by the official Wireguard documentation tailored to your operating system (Linux, Windows, MacOS, BSD, IOS, Android, etc.).
2. Key Generation: Generate cryptographic key pairs for both the server and client sides to authenticate and establish secure connections.
3. Configuration File Creation: Create a configuration file for Wireguard specifying the network interface settings, private and public keys, allowed IPs, and peer configurations. Ensure to define the egress traffic parameters, such as the destination IP addresses and port ranges.
4. Firewall Configuration: Adjust firewall rules to permit outbound traffic through the Wireguard interface while blocking unauthorized access to other network interfaces. Implement rules tailored to your organization's security policies and requirements.
5. Peer Configuration: Configure the Wireguard peers on both the server and client sides, specifying the public keys, allowed IPs and endpoint addresses to establish secure connections between them.
6. Routing Configuration: Configure routing tables to direct egress traffic through the Wireguard VPN tunnel, ensuring that all outgoing communication is encrypted and transmitted securely to the intended destinations.
7. Testing and Optimization: After completing the configuration, conduct thorough testing to verify the effectiveness and reliability of the Wireguard VPN for securing egress traffic. Monitor network performance and make necessary optimizations to enhance security and efficiency.

Setting Up Egress Gateway with Netmaker 

‍

Netmaker enables your clients to connect to external networks through an Egress Gateway. This gateway is a network client installed on a server or router that can access a specific subnet. 

Within the Netmaker user interface, this node is designated as an "egress gateway," with defined ranges it can reach. Once established, all clients within the network, including new external clients, can access these specified ranges through the gateway.

Configuring an Egress Gateway

Configuring an Egress Gateway involves simple steps. Firstly, you must identify the remote access requirements, such as VPCs, Kubernetes networks, or home and office networks. Next, deploy a netclient in a stable location with access to the network, typically a Linux server. Stability is crucial to avoid frequent IP changes or unexpected shutdowns. Once the subnet is identified and the netclient deployed, access the Netmaker UI. In the sidebar, select the network and navigate to the egress section.

At this stage, you'll select your preferred host for egress usage. You have the option to decide whether to employ NAT with the switch or not. Enter your chosen CIDR for the egress range(s) in the provided field. You can add additional egress ranges for the host by clicking the "add range" button. The interface is automatically selected and won't be displayed in this window. Once all fields are completed, click on the "create" button.

Netmaker will set either iptables or nftables regulations on the node, depending on which one is installed on your client. This action will enable the node to direct traffic from the network to the designated range(s) according to the specified rules.

The Egress Gateway is only supported on Linux. For non-Linux devices, follow this guide to use the Remote Access Gateway and customized WireGuard config files to achieve the same results with any WireGuard-compatible device, like Routers.

‍

‍