Create a Reverse Proxy for self hosted services using Netmaker and Wireguard!

  • Published: 18 Oct 2024

Comments • 145

  • @dragoscaulea3461
    @dragoscaulea3461 1 year ago +9

    I love your videos I learned very much from you.
    I have my own way to access my home lab not so elegant 😅 . The new Beta firmware from Fritzbox has wireguard you need 2 minutes to setup and works great for me.
    Greetings from Germany

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago +1

      That is awesome!

    • @SaquPvP
      @SaquPvP 1 year ago +1

      Also using wireguard in my fritzbox, it's pretty simple. Locally I use npm as a reverse proxy, with DNS Challenge for TLS Certificates. DNS points to local IPs in my network.

    • @LakedaimonII
      @LakedaimonII 1 year ago +1

      It's cool, but it works with 1 device only. Do they change it?

  • @netmaker5681
    @netmaker5681 1 year ago +15

    Another great video! Thanks for sharing.

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      My pleasure, and thanks for making such a great product for us!

    • @TheLMFAOZ
      @TheLMFAOZ 1 year ago

      Would be cool if it could integrate with Crowdsec to give a little bit more of protection... I have on my end Suricata and Crowdsec (along with other stuff) to keep prying eyes from touching my portals and I feel that with Netmaker I'll lose that visibility / control / "security" layer.
      But I dig the concept. Interesting stuff!

  • @i-am-you-tube
    @i-am-you-tube 1 year ago +3

    BIG THANKS Brian, for all your hard work and clear explanations you do in your videos. Very much appreciated!! Keep up the good work and stay safe my friend. Greetings from The Netherlands

  • @kson2659
    @kson2659 1 year ago +3

    This is Great, thanks a lot! Please bring more Netmaker Videos.

  • @kaposinetwork
    @kaposinetwork 1 year ago +2

    When I started watching your videos I learned a lot of things. Thank you 😊 God bless you

  • @salapolivalenta77
    @salapolivalenta77 1 year ago +7

    Very interesting solution! Following kinda the same idea, I have a free oracle VPS where I have nginx and using that nginx to proxypass using stream upstream through wireguard tunnel with my centos box from home. wireguard is just a simple tunnel for communication used in split tunneling mode between vps and my box from home. Pls note that no 80 or 443 tcp ports are used but other high ports. On my centos box also I have similar nginx setup which points to my IP cameras from my LAN. RDP is available from internet following the same method. Pretty simple, no port forward opened on my home router, not to mention that my ISP doesn't provide fixed IP but dynamic :)
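An added example, not from the video and not the commenter's own configuration: the VPS-side and home-side pieces of the relay described in the comment above, i.e. a split-tunnel WireGuard link that the home box dials out (nothing is port-forwarded at home), and an nginx `stream` block on the VPS relaying a high TCP port over that tunnel. The addresses, ports and key placeholders are assumptions for illustration.

```shell
# Added example (not from the video or the commenter). Renders the two
# WireGuard configs and the VPS nginx stream context for a "relay a high TCP
# port over the tunnel" setup. Every address, port and key here is an assumed
# placeholder; generate real keys with:  wg genkey | tee x.key | wg pubkey > x.pub

VPS_PUBLIC_IP="203.0.113.10"      # assumed (documentation range)
VPS_WG_ADDR="10.66.0.1"           # assumed tunnel address of the VPS
HOME_WG_ADDR="10.66.0.2"          # assumed tunnel address of the home box
WG_PORT="51820"                   # UDP port the VPS listens on
RELAY_PORT="48443"                # assumed high TCP port exposed on the VPS
HOME_SERVICE_PORT="8443"          # assumed port the nginx at home listens on

# /etc/wireguard/wg0.conf on the VPS. No Endpoint for the home peer: it has a
# dynamic IP and initiates the connection, WireGuard learns the address then.
render_vps_wg_conf() {
  cat <<EOF
[Interface]
Address = ${VPS_WG_ADDR}/24
ListenPort = ${WG_PORT}
PrivateKey = <VPS_PRIVATE_KEY>

[Peer]
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = ${HOME_WG_ADDR}/32
EOF
}

# wg0.conf on the home box. AllowedIPs is the VPS tunnel address only, so this
# is a split tunnel: ordinary home traffic never enters wg0. PersistentKeepalive
# keeps the NAT mapping on the home router open for the VPS's packets.
render_home_wg_conf() {
  cat <<EOF
[Interface]
Address = ${HOME_WG_ADDR}/24
PrivateKey = <HOME_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = ${VPS_PUBLIC_IP}:${WG_PORT}
AllowedIPs = ${VPS_WG_ADDR}/32
PersistentKeepalive = 25
EOF
}

# The nginx `stream` context for the VPS. Note: `stream {}` is a top-level
# context in nginx.conf, it cannot live under conf.d (which is inside http {}).
# TCP is relayed byte-for-byte, so TLS terminates at home and the VPS never
# holds the certificate's private key.
render_vps_nginx_stream() {
  cat <<EOF
stream {
    upstream home_box {
        server ${HOME_WG_ADDR}:${HOME_SERVICE_PORT};
    }
    server {
        listen ${RELAY_PORT};
        proxy_connect_timeout 5s;
        proxy_pass home_box;
    }
}
EOF
}

# Checks to run before `wg-quick up wg0`: the home side must not route
# everything into the tunnel, and the relay must stay off 80/443.
check_split_tunnel() {
  render_home_wg_conf | grep -q "AllowedIPs = ${VPS_WG_ADDR}/32" || return 1
  if render_home_wg_conf | grep -q "0.0.0.0/0"; then return 1; fi
  if render_vps_nginx_stream | grep -Eq 'listen (80|443);'; then return 1; fi
  return 0
}
```

Usage: `render_vps_wg_conf > /etc/wireguard/wg0.conf` on the VPS, `render_home_wg_conf > /etc/wireguard/wg0.conf` at home, paste the stream context into the VPS nginx.conf, and open only `${WG_PORT}/udp` and `${RELAY_PORT}/tcp` on the VPS firewall.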

  • @idriskautsar4895
    @idriskautsar4895 1 year ago +2

    Already made this topology, but I am using key-network with zerotier, I'll try with netmaker, thank you, great tutorial,

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      I tried zero-tier a few years ago, and it was ok, but I never liked the inconsistent speeds I got from it, and I could never find all of the information to self host it. Haven't looked in a while though.

  • @Glatze603
    @Glatze603 1 year ago +2

    Hi Brian, now you've finally piqued my interest - now I have to test it :-) Thanks for your video and this cool open source tool.

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago +1

      My pleasure!

    • @Glatze603
      @Glatze603 1 year ago

      @@AwesomeOpenSource, in my opinion NPM isn't secure enough for running on a cloud server - no MFA, no fido2 support, no oauth support. Netmaker is a really great solution for tunneling servers or services from different networks securely with wireguard and it is right, that you do not have to open ports in your internal firewall, but with this solution you bypass your personal firewall completely. It would be better to use an endpoint in the dmz of your lan, so that you have to create separate firewall rules in order to allow access to services in your lan! The problem I see is not the transport from npm to your lan (it is wireguard-protected!), but the endpoint npm itself. If someone gets access to this server, he has access to all services you have configured in it. So you have to harden this server and the software itself does not offer this.

    • @Glatze603
      @Glatze603 1 year ago

      In addition to my first post, I would strongly recommend to either only release applications that natively support MFA, or alternatively to integrate a layer / application such as Authelia in order to be able to establish MFA for every application you want to host. That's the best method to avoid phishing. It's still the ease of logging into the NPM admin panel that worries me.

    • @Glatze603
      @Glatze603 1 year ago

      Concerning the communication, you are absolutely right, that netmaker makes a fantastic job with really great performance (it takes 20 times less time than with tailscale, to backup my 4 GB great archives from a cloud-server to my internal backup-server). I would love to see more videos about different use cases of netmaker 🙂

  • @michaelmoloney4080
    @michaelmoloney4080 1 year ago +3

    if you put your wireguard server/netmaker server with NPM on your cloud vps you can achieve the same thing.... it also means you don't need to open any ports or worry about isp nat, just install client on each server in your homelab.

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago +4

      Indeed, you can do this on a single server. Just wanted to separate them for clarity.

    • @michaelmoloney4080
      @michaelmoloney4080 1 year ago

      @@AwesomeOpenSource just wanted to point it out as it lets you use cloud hosted homelab projects on linode etc without their traffic going in and then out your home network. I.e. put nextcloud on a linode, restrict the docker port to vpnaddress:exposedport:service port. Excellent video and thanks for spreading the use of some of my favorite services :)
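An added example, not from the video or from the commenter: the point of publishing a container port as `vpnaddress:exposedport:serviceport` is that the socket binds to the WireGuard address instead of `0.0.0.0`, so the service is reachable over the tunnel but not from the public internet. The script below audits a cloud host for that property by reading `ss -Hltn` output and flagging every listener bound to a wildcard address. The tunnel address is an assumed placeholder and the sample `ss` output is constructed for offline use.

```shell
# Added example (not from the video or the commenter). Audits listening TCP
# sockets on a cloud host: anything bound to 0.0.0.0 / [::] / * is reachable
# from the whole internet unless the host firewall says otherwise. Sockets on
# loopback or on the WireGuard address are the ones we expect to see.

VPN_ADDR="10.66.0.1"      # assumed WireGuard address of the VPS

# Reads `ss -Hltn` lines (listening TCP sockets, no header) from stdin.
# $1 is a space-separated allowlist of ports that are intentionally public,
# e.g. "22 443". Prints one line per offending socket and returns 1 if any
# were found, so it can gate a deploy script.
audit_listeners() {
  allow=" $1 "
  status=0
  while read -r state recvq sendq laddr peer rest; do
    [ -n "$laddr" ] || continue
    port="${laddr##*:}"          # text after the last colon
    host="${laddr%:*}"           # text before the last colon (handles [::]:22)
    case "$host" in
      0.0.0.0|\*|\[::\]|::)
        case "$allow" in
          *" $port "*) ;;                      # intentionally public
          *) echo "PUBLIC  $laddr"; status=1 ;;
        esac ;;
      127.0.0.1|\[::1\]|"$VPN_ADDR") ;;        # loopback or tunnel-only: fine
      *) echo "OTHER   $laddr"; status=1 ;;    # some other interface address
    esac
  done
  return $status
}

# Constructed sample in `ss -Hltn` layout. sshd is meant to be public, the
# Nextcloud port is bound to the tunnel address, MariaDB is loopback-only,
# but the admin UI on 9000 was published with a plain "9000:9000" mapping.
sample_ss_output() {
  cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=701,fd=3))
LISTEN 0 4096 10.66.0.1:8080 0.0.0.0:* users:(("docker-proxy",pid=1440,fd=4))
LISTEN 0 4096 0.0.0.0:9000 0.0.0.0:* users:(("docker-proxy",pid=1502,fd=4))
LISTEN 0 511 127.0.0.1:3306 0.0.0.0:* users:(("mariadbd",pid=900,fd=20))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=701,fd=4))
EOF
}

# On a live host:   ss -Hltn | audit_listeners "22 443"
# Offline demo:     sample_ss_output | audit_listeners "22 443"
```

The fix for a flagged docker-proxy line is the mapping the commenter describes: in the compose file, `ports: - "10.66.0.1:9000:9000"` instead of `"9000:9000"`. Docker publishes to all interfaces by default and, on a plain `iptables`/`nftables` host, also inserts its own accept rules ahead of yours, so binding to the tunnel address is more reliable than relying on the host firewall alone.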

  • @ElTelBaby
    @ElTelBaby 1 year ago +2

    I enjoyed it;... ROFL...
    But it still went over my head...

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      If you want some help / more info, jump over to discuss.opensourceisawesome.com and ask questions in the help-me-please channel.

  • @nilreis5825
    @nilreis5825 2 months ago +1

    Thanks for sharing

  • @Mikesco3
    @Mikesco3 1 year ago +3

    I do the same over zerotier.
    Basically create a virtual network in zerotier
    Add the droplet and my home machine to zerotier
    And set Nginx on the droplet

    • @Mikesco3
      @Mikesco3 1 year ago +1

      This avoids the need for a static IP and also avoids punching holes in my firewall

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      I used zerotier a bit, but never could get all the instructions to fully self host it, so kind of gave up on it. Need to take another look.

  • @gabrielporto.mikrotik
    @gabrielporto.mikrotik 1 year ago +1

    Great video Brian. As always. 😊
    I have a doubt. I have a datacenter at my home. I'm planning to build another at my office (30km away). With this setup, can I not use the cloud server? I mean, for my house, my office is gonna be my cloud and vice versa.

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago +1

      You can, certainly. You'll need to ensure all the ports are open for communication through the firewall at the office. You'll want to make sure your machine running the Netmaker server has all the necessary ports open and forwarded through the firewall. Also, best to make sure it's a static LAN IP on that machine.

    • @gabrielporto.mikrotik
      @gabrielporto.mikrotik 1 year ago

      @@AwesomeOpenSource Great to know Brian. Thank you for your answer.

  • @kennguyen3578
    @kennguyen3578 1 year ago +1

    Hi Brian, Thank you for your awesome tutorial. I wonder how the upload/download speed of this method compares to open NAT/Nginx proxy vs VPN. If you could, please share the result in another video. Thank you and appreciated.

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      Since this uses Wireguard, you get around 95% of the normal open NAT speed you'd usually get. Wireguard is much faster (in general) than OpenVPN, and older VPN systems. It all depends on how you setup OpenVPN, but as a home user, Wireguard out of the box is ridiculously fast.

  • @MrSupersidewinder
    @MrSupersidewinder 1 year ago +2

    Cool, great coverage...👍

  • @janstasik9094
    @janstasik9094 1 year ago +2

    Brian, may I ask what is that dashboard you show at 9:38? Isn't it Heimdall? Can you please tell more about it? Thank you.

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago +1

      It's called Dashy, and I have a couple of videos on it. ruclips.net/video/QsQUzutGarA/видео.html and ruclips.net/video/dyur-NDngBc/видео.html

  • @neoandlifestyle2514
    @neoandlifestyle2514 3 months ago +1

    Hi, for this implementation is the enterprise license necessary, or is the community edition good?
    Excellent content by the way, thanks

    • @AwesomeOpenSource
      @AwesomeOpenSource 2 months ago

      At the time, all functions were done with the community edition. Can't say whether that has changed over time or not.

  • @FluesternKlee91
    @FluesternKlee91 1 year ago +1

    Thank you for the video!
    Is a wildcard domain needed? Or is it possible to use A records of the root domain?
    Thank you ☺️

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago +1

      The method has been updated a bit on the netmaker side since this video, but you can just set individual A records / CNAMEs on the root domain if you want to.

  • @michaell7511
    @michaell7511 1 year ago +2

    Another question about security for the netmaker interface: considering that this is widely served in the open internet, would you somehow be doing a video on how to protect it with an OAuth provider (like Google) since it's supported?
    I already followed your tutorial and have it running. THANK YOU!
    I have also put a few security measures in place including login to netmaker host machine via ssh with keys only as well as running Crowdsec. But I was just thinking that an extra security like integrating an OAuth provider would make it stronger. Thoughts?

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      I'll look into it in the future.

    • @Glatze603
      @Glatze603 1 year ago

      Take a look at the netmaker documentation - it's not too complicated.

  • @jrohland2689
    @jrohland2689 1 year ago +1

    Interesting video, with your VPS running (24/7) what do your costs shake out to be with this type of setup?

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago +1

      If I run the two I show, it's about $12 US per month. You can, however, run the proxy on the same server as the Netmaker server, and it would be half that.

    • @i-am-you-tube
      @i-am-you-tube 1 year ago

      @@AwesomeOpenSource Brian question... if NPM and Netmaker runs on the same server, is it still safe to use? Or is it safer if Netmaker is on a separate VPS and NPM is on a separate VPS.... in terms of security...

    • @s.uboxone
      @s.uboxone 1 year ago

      @@AwesomeOpenSource Trying to run both on the same server. I can't get nginx running because netmaker is running on port 443 already. Any suggestions??

  • @janstasik9094
    @janstasik9094 1 year ago +2

    Just very last question, if I understand correctly, Netmaker server (VPS) is orchestrating the configurations, key exchanges for nodes, clients etc...so it's more like a control plane. Is it creating full mesh topology for data connection or do they need to pass the server anyway? So data from reverse proxy will go via wireguard tunnel directly to your home computer and then to the app? Or does data pass the path from client to reverse proxy then to netmaker server and then to home gateway? Something like Tailscale does? Also I see a limitation that egress gateway can set up just one subnet and one interface...what if I have netclient installed on a computer with multiple NICs and subnets? Tailscale has a subnet router feature, how to do this over netmaker? Thank you.

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago +1

      Yes, Netmaker is there as a control plane, but once the client or wireguard config is on a client machine, they make a peer to peer connection if they can, and they should be able to. As for the ingress and egress gateways, that's more of a middle man. The external clients get access through the gateway to a peer (as I understand it) since their configs are not auto-updated like the netmaker client machines (running the netclient) are.

  • @janstasik9094
    @janstasik9094 1 year ago +2

    Hello, thanks for a great video. Just a question. What is the benefit of this solution over self-hosted NGINX, behind FW with static public IP. So only 443 is forwarded from FW to NGINX and with proper security setup you should be fine as well. Then the backend connection from nginx to all apps is via LAN only. If the connection from external client to VPS nginx (your cloud machine) is "standard" HTTPS then the setup with self-hosted nginx is pretty much the same...with fewer machines in between...or?

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      If you don't have a static IP at home, this is a great way to deal with that. If your ISP gives you a static IP, this may not be as useful for you. This was really part two of the videos, showing additional capabilities of Wireguard VPN with Netmaker helping you get various networks setup and talking much more easily than setting up all the configuration files by hand (IMO anyway).

    • @janstasik9094
      @janstasik9094 1 year ago

      @@AwesomeOpenSource Got your point...anyway I am just thinking to try it even if I have a static IP. The idea that I would not need to open any port inbound is not bad. What risk is there that the VPS will be compromised if you do proper security measures...and still, your home net should be protected and your home IP not revealed even when the VPS goes down...just thinking about security advantages of this setup...

  • @catlmarc9618
    @catlmarc9618 1 year ago +1

    Great video

  • @PremiumGerman
    @PremiumGerman 9 months ago +1

    If I understand this correctly, the domain you expose isn't actually public? You still need to be connected via vpn to the network right?

    • @AwesomeOpenSource
      @AwesomeOpenSource 9 months ago

      No, I'm exposing a public domain in this case, but you can create a local domain and use it through the VPN if you prefer.

    • @PremiumGerman
      @PremiumGerman 9 months ago

      @@AwesomeOpenSource But how? Ingress does require clients don't they?

    • @PremiumGerman
      @PremiumGerman 9 months ago

      @@AwesomeOpenSource I actually want to expose this to the public but the steps you're taking are a bit unclear to me from the video. Seems like you're skipping over some important steps to take in netmaker

  • @Just5KY
    @Just5KY 1 year ago +2

    So it's similar to ZeroTier, gives static private IP to both machines, then you can use a proxy manager or something to forward stuff.

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago +1

      It is, but it is fully self hostable, and for me much more consistent with speeds.

    • @Just5KY
      @Just5KY 1 year ago

      @@AwesomeOpenSource cool, I will give it a try then

  • @tomharmon2000
    @tomharmon2000 9 months ago +1

    Could you please make a video where you run both NPM and Netmaker on the same server?

    • @AwesomeOpenSource
      @AwesomeOpenSource 9 months ago +2

      Let me see what I can do. I think the issue we hit there is that both of those applications expect to have port 80 and 443 access. So you hit a conflict. Let me think about how it could be done.

    • @papazig911
      @papazig911 5 months ago

      @@AwesomeOpenSource Yes this is my issue. I'm confused with the video between what's VPS and what's home server. It appeared that you installed netmaker on the same server NPM was installed on but now I'm thinking that must not be the case... I thought when you mention "netmaker server" that you were referring to it by name, not that it's a separate server or maybe I'm still not understanding. Do you have a server dedicated to netmaker in this example? Another VPS running NPM and then your homelab all meshed together? The Netmaker UI has been updated since this video as well, maybe it's worth making another? My specific case is that I have one VPS and all my other services like nextcloud, GitLab etc are hosted on my home server which is running from a VM in virtualbox. Netmaker is awesome because I'm behind a CGNAT and that's why I found it but not a lot of resources out there yet and it's quite difficult to get setup how one would like. Anyway thanks for all you do!

  • @konstantinostsourdinis
    @konstantinostsourdinis 1 year ago +1

    Thanks

  • @bitechevalier5958
    @bitechevalier5958 1 year ago +1

    legend

  • @cryptot3ch
    @cryptot3ch 1 year ago +1

    Thanks Brian!! Really great video. Was wondering if you could expound a little on a comparison of a couple of the technologies that are similar in concept to this? I'm trying to wrap my head around the different technologies that help to secure a homelab or cloud based small business network and having a hard time seeing what my exact options are so I can make an informed decision. Future video idea maybe? Thanks for all you do man!!

  • @michaell7511
    @michaell7511 1 year ago +1

    Question: You speak of NPM and Netmaker, yet Netmaker depends on Traefik which also uses port 443 like NPM. Can you explain the work around so that NPM receives the inbound request and forwards to Netmaker?

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      You would indeed need to do some port forwarding in those proxies in order to make it all work. Alternatively, Netmaker has a different install that will not use Traefik (I believe). You could ask over at their Discord though to be sure.

  • @manigandan976
    @manigandan976 1 year ago +2

    Useful

  • @Josifbg
    @Josifbg 1 year ago +1

    Awesome

  • @MarkConstable
    @MarkConstable 1 year ago +1

    How to set up a situation where access from inside a LAN goes directly to a server (like tnas.*) but still allows external access according to your layout in this video? If I want to up or download a multi-gigabyte file to a NAS, I do not want that traffic going out my internet connection and then back in to ie; tnas.*. Also, possibly related, how to enable some kind of split-DNS so SSL certs also work internally as well as direct internal LAN access?

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      So, if you setup the two machines with either the netclient, or the config file as an external client (just a name), it will connect directly as a peer. That's the beauty of wireguard. If you have the machines both on the same wireguard network they will try first to connect directly as peers.

  • @rzvendramini
    @rzvendramini 1 year ago +1

    I didn't understand from the site how the licensing works. Which are the conditions for free (as in free beer) use?

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      Run it on your own server. It's open source. If you want them to host it for you, and / or you want any of their extra features, then you can look at some of the paid tiers of service to help support the continued development.

  • @SB-qm5wg
    @SB-qm5wg 1 year ago +1

    Great video. Gitlab name?

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      gitlab.com/bmcgoang is my Gitlab URL where you can find my projects.

  • @MarkConstable
    @MarkConstable 1 year ago +3

    How about a situation where one has Proxmox and plenty of local resources. Would it be possible to expose one VM via typical port forwarding and use that VM(s) to host Netmaker + Netclient + Nginx Proxy Manager instead of paying for an otherwise redundant VPS?

  • @thestreamreader
    @thestreamreader 1 year ago +1

    Does this work for pure TCP, non-web traffic? I have an NVR that needs app access on a high media port that is just TCP based which I would like to secure this way?

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      Yes, you should be able to run through this network, just like you would any LAN.

  • @accountdua9375
    @accountdua9375 1 year ago +1

    Trying to run both on the same server. I can't get nginx running because netmaker is running on port 443 already. Any suggestions?

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      You will want to setup a port mapping on the service in netmaker using 443, so you can map some other port to it (e.g. 9443:443). Then run NPM on 443, and make sure you're forwarding any requests for netmaker on to that port 9443 through NPM.

  • @emmanuelmeikle5318
    @emmanuelmeikle5318 1 year ago +1

    I am attempting to follow this procedure but it is not complete or I don't have the same thing like the access key with all the cool script. All I have is the (raw) Enrollment Key without the already built script

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      The UI has been recently updated. I'm planning an update video, but you'll definitely want to look into their docs to get a feel for the changes.

    • @emmanuelmeikle5318
      @emmanuelmeikle5318 1 year ago

      @@AwesomeOpenSource Thanks for your reply. In fact I think the CE is simply different from the EE edition and doesn't provide the same level of friendliness. This is ok, a bit frustrating. ;)

  • @nahakuu
    @nahakuu 1 year ago +1

    Hello. Would you be able to create a guide for connecting Sophos Site To Site vpn to Strongswan (ipsec) or OpenVPN (ssl)?
    I know you recommended Sophos in the past, I like it a bit more than pfsense for ease of use.
    But now I cannot make the Site to site vpn work to my Debian Docker server, it seems to fail on Phase 1 even when I am using the same protocols on both sides.
    Thank you for your good work!

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      I've never recommended Sophos. I think you have my channel confused with @TheDigitalLife. I only advocate for open source software. I'm sure @ChristianLampa would love to hear from you though. He's got a great channel with tons of excellent information.

    • @nahakuu
      @nahakuu 1 year ago

      @@AwesomeOpenSource ach sorry :D you sound so similar :P

  • @beauthompson5338
    @beauthompson5338 1 year ago +1

    Hi Brian, one question about a DNS provider: if I am not running mail in a box for DNS, from what I read Cloudflare is not good for netmaker. What are my options for DNS?

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      Cloudflare should be fine for setting your DNS records, you just want to turn off the proxied option when you set those records.

    • @beauthompson5338
      @beauthompson5338 1 year ago +1

      @@AwesomeOpenSource here is the info from the docs
      Note on Cloudflare: Many of our users use Cloudflare for DNS. Cloudflare has limitations on subdomains you must be aware of, which can cause issues once Netmaker is deployed. Cloudflare will also proxy connections, which MQ does not like. This can be disabled in the Cloudflare dashboard. If setting up your Netmaker server using Cloudflare for DNS, be aware that the configuration of Cloudflare may cause problems with Netmaker which must be resolved, and at this point, Netmaker is not providing guidance on this setup.

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      Yeah, it's not that it won't work, it's just that they (Netmaker) know people run into problems, but they give you the mitigation steps there. I think ... I just think... if you don't use proxied DNS entries, and if you haven't run out of DNS entries, as netmaker needs like 4 or 5, then you should be fine.

  • @pritamghosh5247
    @pritamghosh5247 1 year ago +3

    Hi, what OS do you use?

    • @cont8155
      @cont8155 1 year ago +1

      Windows Longhorn

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      Currently for my desktop I use Kubuntu 22.04. I used Ubuntu 22.04 for the servers in the video as well.

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      hahahahaha...noooooooooooo...although, when longhorn was a thing v1 was reallllllly good, and super lean on RAM...then v2 came out and...well, you know the rest.

  • @gatolibero8329
    @gatolibero8329 1 year ago +1

    What is that "Home Lab" site? What did you create that with?

  • @Amwfilms
    @Amwfilms 1 year ago +1

    Any way to do this on docker? I have been using Cloudflare tunnels and want to be able to use the tunnel to connect to iOS apps, for example Nextcloud or seafile; the tunnel only works on the web browser not any apps.

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      The issue with tunneling to an app directly is it doesn't usually have its own network, but instead uses the host network connection. I think that's where the issue really lies.

    • @michaelmoloney4080
      @michaelmoloney4080 1 year ago

      Npm does have a docker, and does work for the nextcloud app, whether you use docker snap or host it on nginx I think there's even a docker for the cloudflare tunnels too. I can tell you wireguard and Npm work well with nextcloud.

  • @latenyt7dusk231
    @latenyt7dusk231 1 year ago

    In this solution, is it limited by the bandwidth limit of the digital ocean droplet per month?

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      I don't think so, as once the wireguard connection is established, you'll go Peer-to-peer in a lot of cases, but it's something to keep an eye on.

  • @SaaSReviewsInterviews
    @SaaSReviewsInterviews 1 year ago +1

    Will this work under CGNAT?

  • @ddrci88
    @ddrci88 1 year ago +1

    Hello, could you please do for cdp open source software I’m really struggling for finding open source software ?

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago +2

      What is cdp?

    • @ddrci88
      @ddrci88 1 year ago

      @@AwesomeOpenSource customer data platform , like this ruclips.net/video/13Fjbzd-MlA/видео.html

  • @panl8370
    @panl8370 8 months ago +2

    Cost?

    • @AwesomeOpenSource
      @AwesomeOpenSource 8 months ago

      If you stay with community version, no monetary cost. If you want some additional features, you can opt for the enterprise version. They have a pricing page you can look at if interested.

  • @cazador517
    @cazador517 1 year ago +1

    I fail to view how is this more secure than just opening the ports at home. I mean, if someone hijacks the server with NPM then they can access the home network just fine, and that means attacking it just fine. (well maybe L2 attacks doesn't work, but still a major risk).

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      Keeping the ports closed on your home firewall keeps people from having as much of a direct attack vector on your home network. Creating tunnels is just another layer in adding security, not a complete security profile. You should run a firewall in front of cloud servers as well, and you should use other mitigations like accessing from specific IPs if you can using ACLs, and so on.

    • @cazador517
      @cazador517 1 year ago

      @@AwesomeOpenSource Thanks for replying. But I'm not entirely bought in on the "Keeping the ports closed on your home firewall keeps people from having as much of a direct attack vector on your home network" thing. I mean, if you have a plain home network, yeah it's an improvement as long as you configure proper ACL for the VPN in the home server and don't allow the remote server to access all of your home network. On the other hand, if you have a DMZ with proper firewalling, then opening a port is not that much of a risk. Sure exposing your IP may make you a target for DDOS and having your IP obscured like this may be the difference between only your site being down or all your home internet being down, but homelabers do not tend to be the target of DDOS.

    • @kson2659
      @kson2659 1 year ago

      Big pro here is that you can do this if you don't have a public IP at all at home. Also you get around unsafe vendor appliances by using up to date software instead. But, if someone gets access to your VPS, they will get instant access to your whole home network as well.
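The thread above turns on one point: a VPS that can reach "the whole home network" through the tunnel is a liability if the VPS is compromised. The host firewall below, an added example that is neither the video's nor any commenter's configuration, is the "proper ACL for the VPN in the home server" that the reply asks for: on the home node terminating the tunnel it limits new connections from the VPS peer to an explicit list of LAN service endpoints and drops, with logging, everything else arriving from the tunnel. The interface name, tunnel address and service list are assumed placeholders (netclient names its interface differently from plain `wg-quick`; check `wg show` on the node).

```shell
# Added example (not from the video or the commenters). Renders an nftables
# ruleset for the home node that terminates the WireGuard tunnel, so that a
# compromised VPS can only reach the services that were deliberately published.
# Interface, addresses and services are assumed placeholders.

WG_IF="wg0"                  # assumed tunnel interface on the home node
VPS_TUN_ADDR="10.66.0.1"     # assumed tunnel address of the VPS peer

# One "host:port" per line: the only TCP destinations the VPS may open.
# This is exactly the list of upstreams configured in the proxy on the VPS.
ALLOWED_SERVICES="192.168.1.20:8443
192.168.1.21:3000"

render_nftables_ruleset() {
  # Turn "host:port" lines into nft set elements: "host . port, host . port"
  elems=$(printf '%s\n' "$ALLOWED_SERVICES" \
          | awk -F: 'NF==2 {printf "%s%s . %s", sep, $1, $2; sep=", "}')
  cat <<EOF
#!/usr/sbin/nft -f
# Home-node tunnel policy: the VPS peer may open connections only to the
# listed LAN service endpoints; everything else from the tunnel is dropped.
table inet tunnel_guard {
    set vps_may_reach {
        type ipv4_addr . inet_service
        elements = { ${elems} }
    }

    # Traffic routed through this node to other LAN hosts.
    chain forward {
        type filter hook forward priority 0; policy accept;
        ct state established,related accept
        iifname "${WG_IF}" ip saddr ${VPS_TUN_ADDR} ip daddr . tcp dport @vps_may_reach ct state new accept
        iifname "${WG_IF}" log prefix "tunnel-drop: " drop
    }

    # Traffic addressed to this node itself (services hosted on the node).
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        iifname "${WG_IF}" ip saddr ${VPS_TUN_ADDR} ip daddr . tcp dport @vps_may_reach ct state new accept
        iifname "${WG_IF}" ip protocol icmp accept
        iifname "${WG_IF}" log prefix "tunnel-drop: " drop
    }
}
EOF
}

# Validate first (-c parses without loading), then load atomically.
apply_ruleset() {
  render_nftables_ruleset | nft -c -f - && render_nftables_ruleset | nft -f -
}
```

Two caveats a practitioner hits immediately. The VPS tunnel address is a WireGuard cryptokey-routed source, so a forged `ip saddr` from any other peer is rejected by WireGuard itself before these rules see it; the check is still worth keeping for readability. And Docker rewrites the destination of published ports in its own nat prerouting rules before the forward hook runs, so services published by Docker on the node should be matched by port alone (or via the `DOCKER-USER` chain) rather than by the host address listed above. After loading, watch the kernel log for `tunnel-drop:` entries: anything legitimate that appears there (for example a health check the mesh sends through the tunnel) gets its own explicit accept rule rather than a wider policy.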

  • @verygoodbrother
    @verygoodbrother 1 year ago +1

    is there a way to authenticate visitors to a domain?

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      If you use NGinX Proxy Manager, you can set Basic Auth rules and IP Address filtering rules to make sure the user is allowed to visit the site.
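Nginx Proxy Manager is a management layer over nginx, and its "Access List" is the pairing of nginx's `allow`/`deny` directives with `auth_basic`. The added example below, which is not the video's or the project's own code, shows the equivalent in plain nginx for a service proxied across the tunnel, with a helper that creates the password file without installing `apache2-utils`. Hostnames, addresses, paths and the user are assumed placeholders. Basic auth only protects anything when served over TLS, and it is a single factor; for MFA the Authelia approach mentioned earlier in the thread sits in front of this, it does not replace it.

```shell
# Added example (not from the video or from Nginx Proxy Manager). Renders an
# nginx server block that gates a tunnelled upstream behind an IP allowlist and
# HTTP basic auth, and a helper that writes htpasswd entries with openssl.
# All names and addresses are assumed placeholders.

HOME_APP="http://10.66.0.2:8080"      # assumed upstream reached over the tunnel
SITE="app.example.com"                # assumed public hostname
HTPASSWD="/etc/nginx/app.htpasswd"    # assumed credential file

# $1: space-separated CIDRs allowed to reach the site, e.g. "198.51.100.0/24".
# `satisfy all` (the nginx default, written out for clarity) means a request
# must pass BOTH the IP check and the password check. `satisfy any` would let
# listed networks skip the password; choose that deliberately, not by accident.
render_access_controlled_site() {
  trusted_cidrs="$1"
  allow_lines=$(for c in $trusted_cidrs; do printf '        allow %s;\n' "$c"; done)
  cat <<EOF
server {
    listen 443 ssl;
    server_name ${SITE};
    ssl_certificate     /etc/letsencrypt/live/${SITE}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${SITE}/privkey.pem;

    location / {
        satisfy all;
${allow_lines}
        deny all;

        auth_basic           "restricted";
        auth_basic_user_file ${HTPASSWD};

        proxy_pass ${HOME_APP};
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Append a user to the password file. nginx accepts Apache-style apr1 hashes,
# which openssl can produce, so the apache2-utils package is not needed.
# Usage: add_basic_auth_user alice 'correct horse battery staple'
add_basic_auth_user() {
  user="$1"; password="$2"
  printf '%s:%s\n' "$user" "$(openssl passwd -apr1 "$password")" >> "$HTPASSWD"
  chmod 640 "$HTPASSWD"
}
```

Usage: `render_access_controlled_site "198.51.100.0/24" > /etc/nginx/conf.d/app.conf`, then `add_basic_auth_user alice '<password>'` and `nginx -t && nginx -s reload`. Because `deny all` follows the `allow` lines, a request from an unlisted address gets 403 before the password is ever checked; an empty allowlist therefore locks everyone out, which is the safe failure mode.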

  • @TravisPickle
    @TravisPickle 1 year ago +1

    can the vps and netmaker be on same box?

  • @RyanParmeter
    @RyanParmeter 1 year ago +2

    Argh, this is not correct. Opening an outbound connection is not punching through a firewall.; it's just called accessing the internet. One simple firewall rule could prevent this from working.

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      An outbound firewall rule could indeed prevent this from working. But the idea is you can gain access to your home services without opening ports inbound on your firewall.

  • @andrew8293
    @andrew8293 1 year ago +3

    This program looks great but the license is kinda sh*t. Not real FOSS. I'd rather build it myself.

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      Andrew it's always an option to build something yourself, for sure.

  • @ВасилБонев-р1ю
    @ВасилБонев-р1ю 1 year ago +1

    Would it be possible using this method to host services on mobile data? I think this is crazy enough to work.

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      As long as you don't have data limits, I suppose it would work.

    • @michaelmoloney4080
      @michaelmoloney4080 1 year ago

      If you put the netmaker/wireguard server in the cloud and have your devices connect to it it works on mobile, usually the issue is mobile providers don't allow you to open incoming ports. The data usage would be your issue :)

    • @ВасилБонев-р1ю
      @ВасилБонев-р1ю 1 year ago

      That's why I love this solution. I understand that is not practical but is a way for tech people living away from urban areas/offgrid to enjoy the freedom of hosting their own services. Also I can get a good deal for unlimited mobile data.

  • @MarkConstable
    @MarkConstable 1 year ago

    I'd love to use Nginx Proxy Manager, but I refuse to use docker, and there is no native install method... so no NPM for me.

    • @AwesomeOpenSource
      @AwesomeOpenSource 1 year ago

      Why do you dislike Docker?

    • @MarkConstable
      @MarkConstable 1 year ago

      @@AwesomeOpenSource Because it's a whole extra level and layer of complication that I cannot easily integrate into my normal LXC and KVM infrastructure. Docker offers me no advantage over native apps and makes server management more complex than it needs to be. I've got some full email/vhost LXC containers running in 250 MB ram. That is just not possible when using dockerized equivalents.

    • @kson2659
      @kson2659 1 year ago +1

      Try caddy reverse proxy. No UI, but the config is a single simple file. Runs as binary :)

    • @ig00g1e
      @ig00g1e 1 year ago

      @@kson2659 thanks man!