Setting up a Self-Hosted VPN using WireGuard and Netmaker

Published October 19, 2024
Set Up Your Self-Hosted VPN with Netmaker
Try Netmaker PRO free for 14 days and create your own high-performance, fully-controlled VPN network.

If you're a tech enthusiast who wants to manage your own network, a VPN user tired of subscription fees, or just someone looking to learn more about networking, a self-hosted WireGuard VPN has a lot to offer over traditional third-party services. In this tutorial, we’ll explain some of the advantages of self-hosting a VPN, especially with WireGuard, and how to implement a self-hosted WireGuard VPN using Netmaker.

Shortcomings of Public VPN Providers

While public VPN providers are often the default choice for many, they are not without their drawbacks. One significant concern is that your VPN service provider could potentially track your online behavior and even exploit your data. This practice is especially prevalent among free VPN services, which often provide access to their private servers in return for user data.

Performance degradation is another common issue, often attributable to bandwidth contention among multiple VPN users. The quality and robustness of the VPN infrastructure, as well as the efficiency of the VPN software, can significantly influence this issue.

Furthermore, the risk associated with shared IP addresses is non-trivial. Malicious users might exploit these shared IPs to send spam emails, leading to potential blacklisting of the IP across various internet service providers. Consequently, certain websites and applications may restrict your access based on the activities of others sharing your IP address, impacting your online experience.

And of course, there’s always the cost consideration, with subscription-based services often adding up fast.

Self-Hosted VPNs

Operating a dedicated server for your VPN provides distinct advantages. It grants you unshared access to the server's resources, including its entire bandwidth. The network runs without disruptions from other users, and you retain full control over the IP address. This level of autonomy lets you administer the environment and provide access as needed to family, colleagues, or friends. However, managing a self-hosted VPN requires an understanding of computer networks, servers, operating systems (like Linux), and hosting mechanisms.

A VPN becomes a critical tool when you need to access local resources like your home lab server or Network Attached Storage (NAS) remotely, and a self-hosted VPN is perfect for such use cases.

Benefits and Features of WireGuard VPNs

Traditional networking has often relied on tried-and-true but somewhat slow VPN solutions like OpenVPN, SSTP, and others. While these VPN protocols are dependable, they often compromise on performance. This is where WireGuard, a game-changing VPN protocol, steps in.

WireGuard is an open source VPN protocol known for its impressive speed and modern encryption, making it the first choice for those implementing a VPN from scratch.

Benefits of WireGuard Include:

  • Responsiveness: WireGuard's rapid connection establishment, even during network roaming, ensures reliable connectivity and a seamless user experience.
  • Security: WireGuard uses advanced cryptographic techniques and robust default settings. Its compact and simple codebase facilitates effective security audits.
  • Speed: WireGuard's core components are directly integrated within the Linux kernel for Linux servers and desktops, resulting in superior performance compared to VPNs that operate in userspace.

Difficulties of WireGuard 

WireGuard is a low-level protocol, so setting it up can be a challenge. The more complex the networking scenario, the more difficult it is to set up. At a minimum, you need some command-line knowledge and must be able to generate keys and configurations for every device on the network.

Depending on the scenario, you will likely also need to know how to set up forwarding rules on your target devices and how to traverse NAT, both of which depend heavily on your network environment and operating systems.

This is where Netmaker comes in, which makes setting up a WireGuard network simple, no matter how complex. 

Setting up WireGuard using Netmaker

Netmaker automates connections and forwarding between devices using WireGuard, with a dashboard for managing your networks and devices, and different types of VPN clients depending on what you need. You can use our netclient, our Remote Access Client, or just plain WireGuard, and manage it all from one place.

Netmaker also adds on some advanced functionalities like user management and access controls.

Netmaker has a SaaS, but you can also deploy our self-hosted, open source server on your own, which is what we’ll do here.

Advantages:

  • You can run Netmaker for free.
  • It provides a management dashboard for your networks and endpoints.
  • It takes the pain out of configuring WireGuard: just follow our deployment steps.
  • You can create different networks for different use cases, like internet access and home network access, and manage them from one place.
  • It automatically sends updates to your endpoints for things like NAT traversal or adding new peers to the network.

Setting up Your Own Netmaker Instance: A Quick Guide

Setting up your own instance of Netmaker is easier than you might think. Let's walk through the process step-by-step, ensuring you're up and running in no time.

What You'll Need:

  • A server running Ubuntu 24.04 (our top recommendation for smooth sailing)
  • A public static IP address for the server 
  • A wildcard subdomain (e.g., *.netmaker.yourdomain.com)
    • This is not mandatory, but if you do not set up DNS, our script will use a free domain service (nip.io) and set up a wildcard domain based on your IP, like *.netmaker.192-168-1-250.nip.io
  • Modest hardware: 1 GB RAM, 1 CPU, and 2 GB storage will do the trick
  • For production environments, we suggest beefing it up to 2 GB RAM, 2 CPUs, and 10 GB storage

Server Considerations:

You can either deploy your server in a private environment, like your home, or in a public environment, like the cloud. Deploying in the cloud is definitely easier, and will simplify setup.

If you’re deploying the server in your home environment, make sure you add port forwarding for all the necessary ports (below), so that your server is reachable from the internet.

Preparing Your Firewall:

Before we dive in, let's ensure your server is reachable, so that remote configurations can be set up properly: 

  • TCP 80 & 443: For the Netmaker Dashboard, API requests, and MQTT traffic
  • UDP 51821: For WireGuard traffic
  • TCP 51821: For endpoint detection
  • TCP & UDP 53: For CoreDNS (optional)
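
A check for the port list above, as an added example that is not part of the original tutorial or of Netmaker: it reads `ufw status` output and reports which required ports are not open to the internet. It assumes the host firewall is ufw; the function names and the sample status text are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit `ufw status` output against the port list above.
# Assumption: ufw is the host firewall. Cloud security groups and home-router
# port forwards sit in front of it and must be checked separately.

REQUIRED="80/tcp 443/tcp 51821/udp 51821/tcp"   # from the list above
OPTIONAL="53/tcp 53/udp"                        # CoreDNS, optional

# allowed_rules: read `ufw status` text on stdin and print one port/proto per
# rule that is ALLOWed from Anywhere. A rule restricted to a source range does
# not make the port reachable from the internet, so it is not counted.
# A rule with no protocol (e.g. "53") covers both tcp and udp.
allowed_rules() {
  awk '$2 == "ALLOW" && $3 == "Anywhere" {
         n = split($1, p, "/")
         if (p[1] !~ /^[0-9]+$/) next
         if (n == 2) print p[1] "/" p[2]
         else { print p[1] "/tcp"; print p[1] "/udp" }
       }'
}

# missing_rules LIST: print the entries of LIST that stdin's ufw output lacks.
missing_rules() {
  local want="$1" have rule
  have="$(allowed_rules)"
  for rule in $want; do
    printf '%s\n' "$have" | grep -qx "$rule" || printf '%s\n' "$rule"
  done
}

# Constructed sample: TCP 51821 was forgotten, and DNS is limited to a
# private range. On a real server use: sudo ufw status | missing_rules "$REQUIRED"
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
51821/udp                  ALLOW       Anywhere
53                         ALLOW       10.0.0.0/8'

printf '%s\n' "$SAMPLE_STATUS" | missing_rules "$REQUIRED"
```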

Don't forget to point your chosen subdomain (e.g., *.netmaker.yourdomain.com) to your server's IP. Again, if none is provided, we’ll attempt to make one for you, but this is subject to domain availability. 

Ready for the easiest part? Fire up your terminal and let this one-liner do the heavy lifting:

This script will set up Netmaker Pro by default, with an included 14-day trial. If you’d prefer to keep to the pure open source version, just remove “-ee” from the netmaker server image (gravitl/netmaker) in your docker compose file, and it will use the community version instead.

Using Your Netmaker: A Quick Guide

After successful installation, your command line will show the domain, where you’ll log in and set up your admin account.

On the left sidebar, you’ll see that two networks have been pre-generated: “netmaker” and “internet-access.” Let’s take a look at each of these and how to use them for the most common use cases: internet access, and remote access to resources.

Internet Access

On the left-hand sidebar, click the “internet-access-vpn” network.

On the dashboard, you will see a “Host” which has been set up on your server. This has been set as an “InternetGateway”, which means it can route traffic to the internet from other connected devices.

To use it, all you have to do is download the Remote Access Client from here.

After installing the Remote Access Client, open it up, it should look something like this:

As this is a self-hosted instance you have to enter the server URL which looks something like api.yourdomain.com. 

Enter the username and password that you used initially for creating the Super-Admin. Netmaker offers fine-grained access control; you can read more about it here.

After you log in, you can see there are two options for connecting to our self-hosted Netmaker instance:

We are going to use “internet-access-vpn”, as it is configured as an Internet Gateway. Click on Connect:

Amazing!!! You are connected to your own self-hosted VPN. All your internet traffic is now routed through the server.

Accessing Your VPN with WireGuard Config Files

Don’t want to use our Remote Access Client? No problem. You can easily use the WireGuard client to connect to your Self Hosted Netmaker VPN. 

  1. Generate a config: On the dashboard, navigate to the Remote Access tab and click the "Create Config" button on the right-hand side.
  2. A modal will open where you can optionally give a Client ID and modify some Advanced Settings. Here we’ll go with the default values. The config is then generated and ready to be used.
  3. Click on the ID. If you go with the default options, the ID is assigned randomly.
  4. From here you can download the config.
  5. You can enable or disable the config, or just delete it. The Advanced Settings are still available, and you can update the Client Config even after it is created.

Cleanup 

If you don’t need an internet access VPN, you may want to delete the network, which is straightforward:

  1. First, remove all Hosts from the "internet-access-vpn" network.
  2. Go to the Hosts tab, where you can quickly remove Hosts:

After removing all the hosts, you can delete the network from the Network Settings Button.

Remote Access

You can use Netmaker to access your home network, office, or servers from anywhere in the world. Just install the netclient on target devices to make them accessible remotely. If you install the netclient in a local environment, you can set it as a gateway and make the whole local network accessible over the VPN. Let’s walk through this scenario, with the example of accessing a homelab.

Go to the Hosts tab and navigate to Add Hosts and then click on “Add New Host”:

Select an Enrollment Key for your network. This key tells your netclient which network to join with proper access privileges. You can create additional Enrollment Keys from the dashboard.

Follow the installation guide for your operating system. For this example, we will need either a Linux or Docker client.

After netclient is successfully installed, you just have to add it to your network using the enrollment key. It’s as simple as running a single command shown on the dashboard.

The new Host will appear on your network.

Now, we’ll set the new host as an Egress Gateway to the home network.

To do this, navigate over to the Egress tab and click on “Create Egress” and add the host as an egress gateway.

You can now use the Remote Access Client and connect to the “netmaker” network to access all the devices in your home network, completely securely. Or, use the WireGuard config files, as shown in the previous section.

DNS

Optionally, if you have a DNS server set up in the local network, go to your Remote Access tab, and edit the gateway. You can enter the IP of the local DNS server here, and your client will apply the settings, so you can access resources using DNS names rather than IP addresses.

WireGuard Config Gateway

Rather than use the netclient as your gateway to a local network, you can generate a WireGuard config file, as shown in previous steps, and add the local network in the Advanced Settings. You will need to add forwarding rules on the device; the Post Up and Post Down commands can help with this. You can even add this config to a router! You can then access the network using the Remote Access Client, or another config file, as shown previously.
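
What such a gateway config can look like when written by hand, covering both the forwarding rules mentioned here and the manual key and config work described under "Difficulties of WireGuard". This is an added example, not output from Netmaker or code from the original tutorial; the interface name eth0, the subnet 10.20.0.0/24, the endpoint hostname and the key placeholders are all assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Netmaker-generated: a wg-quick config for a LAN gateway.
# Assumptions (hypothetical): LAN interface eth0, VPN subnet 10.20.0.0/24,
# iptables present. Keys are placeholders; real ones come from `wg genkey`.

# render_gateway_conf PRIVKEY ADDRESS LAN_IF PEER_PUBKEY ENDPOINT VPN_CIDR
render_gateway_conf() {
  local priv="$1" addr="$2" lan="$3" peer="$4" endpoint="$5" vpn="$6"
  # Each rule is emitted twice: -A in PostUp, -D in PostDown, so bringing the
  # tunnel down leaves no stale forwarding or NAT rules behind.
  local fwd_out="FORWARD -i %i -o ${lan} -s ${vpn} -j ACCEPT"
  local fwd_in="FORWARD -i ${lan} -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
  local nat="POSTROUTING -s ${vpn} -o ${lan} -j MASQUERADE"
  cat <<EOF
[Interface]
PrivateKey = ${priv}
Address = ${addr}
# Allow the kernel to route between the tunnel (%i) and the LAN.
PostUp = sysctl -w net.ipv4.ip_forward=1
# VPN clients may open connections to the LAN; the LAN may only reply.
PostUp = iptables -A ${fwd_out}
PostUp = iptables -A ${fwd_in}
# Masquerade so LAN hosts need no route back to the VPN subnet.
PostUp = iptables -t nat -A ${nat}
PostDown = iptables -D ${fwd_out}
PostDown = iptables -D ${fwd_in}
PostDown = iptables -t nat -D ${nat}

[Peer]
PublicKey = ${peer}
Endpoint = ${endpoint}
AllowedIPs = ${vpn}
PersistentKeepalive = 25
EOF
}

# unbalanced_rules: read a config on stdin; print how many PostUp iptables
# rules lack a matching PostDown (0 means a clean teardown).
unbalanced_rules() {
  awk '/^PostUp = iptables/ {up++} /^PostDown = iptables/ {down++}
       END {print up - down}'
}

# Constructed sample values; UDP 51821 is the WireGuard port listed earlier.
SAMPLE_CONF="$(render_gateway_conf '<gateway-private-key>' 10.20.0.2/24 eth0 \
  '<server-public-key>' vpn.example.com:51821 10.20.0.0/24)"
printf '%s\n' "$SAMPLE_CONF"
```

Because the file holds a private key, write it with `umask 077` so only root can read it.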

After Your Trial:

Loving what you see? Great! You can either keep the PRO license or switch to our community edition. The choice is yours.

There’s a lot more you can do with Netmaker, from building mesh VPNs to integrating edge environments. If you’d like to start learning more, check out our docs at docs.netmaker.io

Welcome to the future of networking – you're going to love it here!

Conclusion

Netmaker automates many of the complex tasks involved in setting up a WireGuard VPN, making it easier for individuals and businesses to create their own self-hosted VPNs. Opting for a self-hosted VPN can be a wise choice, and if you decide to go this route, we hope this article sheds light on some of the available options and their potential benefits. However, it's important to note that the structure of the network and the desired performance are crucial factors in determining the most suitable options.
