Site-to-Site and Routers
Overview
In this section we will give an overview of how to integrate routers into your Netmaker network in order to create site-to-site connectivity. We will discuss two methods using Netmaker:
- Using Static Clients and applying them to Routers
- Using the Netclient, Egress, and additional routes in the local network
The first approach creates a hub-and-spoke site-to-site network, where traffic passes through a “hub” before reaching other sites. The second approach gives direct site-to-site connectivity, creating a peer-to-peer network of routers.
Using Static Clients On the Router
Following the previous sections, you should have a Remote Access Gateway and be familiar with how to set DNS, as well as how to add Additional Addresses to a client config.
For our example we will assume you have two sites, Site A and Site B, which need to be connected.
Press the “Create Config” button and use the value “SiteA” on the “Client ID” field for uniquely identifying the static client configuration for SiteA. After that, add the network address with subnet for the SiteA local network on the “Additional Addresses” field so that other peers (SiteB) will be able to reach those network addresses and access relevant resources.
We will also set a DNS server address which is hosted inside the SiteA network for relevant internal hostname resolution.
Next we repeat the same steps to add SiteB with the “Client ID” of SiteB. In the “Additional Addresses” field, add the network subnet of the SiteB local network.
Now we need to apply these files to routers at each site.
Here, we’ll show the steps for MikroTik RouterOS. The steps will be different depending on your Router, but in general you will need to:
- Install the WireGuard plugin
- Create a WireGuard interface, using the config file
- Add routes so that the local site can access the other site
Note that in most router WireGuard plugins, you will need to manually enter the information from your configuration file rather than uploading it directly.
To add the interface we:
- Go to the WireGuard section
- Click Add New
- Give an interface name (any will do)
- Add the private key from the config file
- Hit Apply/OK
- Go to Peers
- Add the Peer information from the config file
- Apply it to the interface from step #3
- Click Apply/OK
Next, you need to add routes to advertise the newly available networks to the devices on the local network.
- Go to “IP -> Routes”
- Click “Add New”
- Type the name of the new WireGuard interface from the last section, including a % prefix
- Enter the allowed IP address range in the “Dst. Address” field.
- Press “Apply” and then “OK” to save the routes.
- For multiple allowed IP address ranges, multiple routes need to be created following this same procedure.
Follow these same steps on the Site B router, and the two sites should be able to begin communicating over the VPN.
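Because most router plugins make you re-type the config by hand, the following added helper (not part of the Netmaker docs or of RouterOS) reads a static-client WireGuard config of the kind created above and prints the RouterOS 7 CLI equivalent of the WinBox steps: interface, tunnel address, peer, and one route per allowed range. The sample config, keys and endpoint are constructed placeholders, and the RouterOS command syntax is what I know for RouterOS 7, so check it against your version.

```python
import configparser
import ipaddress

# Constructed sample in the shape of a Netmaker static-client config such as the
# "SiteA" file created above. Keys and endpoint are placeholders, not real values.
SAMPLE_CONF = """
[Interface]
PrivateKey = <SITEA_PRIVATE_KEY_PLACEHOLDER>
Address = 10.101.0.2/32
DNS = 192.168.1.53

[Peer]
PublicKey = <GATEWAY_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.101.0.0/24, 192.168.2.0/24
Endpoint = gateway.example.invalid:51821
PersistentKeepalive = 20
"""


def parse_wg_conf(text):
    """Read the [Interface] and the single [Peer] section (one peer assumed)."""
    cp = configparser.ConfigParser(interpolation=None)  # no '%' interpolation
    cp.read_string(text)
    iface, peer = cp["Interface"], cp["Peer"]
    host, port = peer["Endpoint"].rsplit(":", 1)
    return {
        "private_key": iface["PrivateKey"],
        "address": iface["Address"],  # single IPv4 tunnel address assumed
        "dns": iface.get("DNS", ""),  # parsed for reference; a router ignores it
        "public_key": peer["PublicKey"],
        "allowed": [a.strip() for a in peer["AllowedIPs"].split(",")],
        "endpoint_host": host,
        "endpoint_port": int(port),
        "keepalive": int(peer.get("PersistentKeepalive", "0")),
    }


def routeros_commands(conf, ifname="wg-netmaker"):
    """RouterOS 7 CLI lines mirroring the WinBox steps. On the CLI the route
    gateway is just the interface name (the '%' prefix is a WinBox detail)."""
    for cidr in conf["allowed"]:
        ipaddress.ip_network(cidr, strict=False)  # reject typos before emitting routes
    cmds = [
        f'/interface/wireguard add name={ifname} private-key="{conf["private_key"]}"',
        f'/ip/address add address={conf["address"]} interface={ifname}',
        f'/interface/wireguard/peers add interface={ifname} public-key="{conf["public_key"]}" '
        f'endpoint-address={conf["endpoint_host"]} endpoint-port={conf["endpoint_port"]} '
        f'allowed-address={",".join(conf["allowed"])} persistent-keepalive={conf["keepalive"]}s',
    ]
    cmds += [f"/ip/route add dst-address={c} gateway={ifname}" for c in conf["allowed"]]
    return cmds
```

Run `print("\n".join(routeros_commands(parse_wg_conf(open("SiteA.conf").read()))))` against the file you downloaded and paste the output into the router's terminal.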
Direct Site-to-Site with Netclient
The above procedure is relatively straightforward and works directly with the routers. However, the result is a hub-and-spoke network, which is not ideal, and static WireGuard files can be problematic if any information needs to be updated or sites are added.
There is an alternative approach using the Netclient, which we’ll discuss here.
Ensure Non-Overlapping Networks
The local networks at the sites should not have overlapping address ranges with those of other sites. For example, connecting two sites with 192.168.1.0/24 networks will not work. Similarly, connecting one site with 192.168.1.0/24 and another with 192.168.0.0/16 will cause issues. So, we need to make sure that we have different network ranges for different sites such as 192.168.1.0/24 for SiteA and 192.168.2.0/24 for SiteB etc.
Install Netclient at Sites
Install Netclient on one Linux machine at each site. It is recommended to install Netclient on a dedicated Linux server, a Linux virtual private server, or in a Docker container. These machines should typically be behind a router on the local network (LAN) or in the demilitarized zone (DMZ). In a VPC environment without gateways or routers, choose a machine that has direct internet access. Follow the Netclient installation docs for this part: https://docs.netmaker.io/docs/netclient#installation
Set Up Egress Gateways
Designate the machines installed with Netclient at each site as Egress Gateways in the Netmaker network using the Netmaker web UI as shown below.
Then, click the “Add external route” to expose the whole or part of the site’s private network by specifying the network ranges in the “external ranges” field as shown below.
Then press “Update Egress” to save the external routes.
By this point we have dedicated egress gateways in every environment that are capable of forwarding traffic to and from the network over the VPN. However, they can currently only send traffic to the other sites, because nothing yet tells the local devices how to reach the egress gateway; that is what we will set up next. Choose one of the three methods described below:
- For No Router or No Gateway Environments (Like VPCs)
- For NAT Router Environments Using the Virtual Router Method
- For NAT Router Environments Using the Static Routing Method
For No Router or No Gateway Environments (Like VPCs)
It is not uncommon to have a Virtual Private Cloud (VPC) network without a gateway or router to centralize internet traffic. You might have a setup similar to the one shown in the image below.
Setting up secure site-to-site connectivity can be straightforward or a bit tedious depending on the capabilities of your VPC as allowed by your cloud provider. For example, Amazon allows you to set route tables on your VPC independent of the virtual machines in the VPC network, while DigitalOcean, with its limited features, does not.
How to implement
- Enable "NAT for egress traffic" on the Egress Gateway to allow incoming traffic from other sites.
- If your VPC allows it, add static routes destined to (1) every remote site, (2) the Netmaker network, and (3) all other egress ranges and external client address ranges. Route all this traffic through the local network address of the Egress Gateway. Maintain these routes, as any changes to the VPN settings will require corresponding manual updates to the static routes.
- If it is not possible to add routes at the VPC level, you might have to add all these identical static routes to each machine in your VPC that needs connectivity with the other sites.
For NAT Router Environments Using the Virtual Router Method
In this method, machines in a private site network that need to access resources in other sites point to the local Egress Gateway as the default gateway. The Egress Gateway, in turn, points to the router as the default gateway, routing all internet traffic to the router while routing all VPN traffic to the Netmaker tunnel. The following image illustrates the idea:
In the image, the arrows represent the default gateway that the devices point to. They do not [fully] represent the connecting cables. The following descriptions explain the flow of traffic:
- Each site has a direct tunnel connection to all other sites, forming a mesh network.
- Traffic flows from Site1EgressRange1 to Site2EgressRange2 as follows: Site1EgressRange1 → Site1EgressGateway → Through the tunnel → Site2EgressGateway → Site2EgressRange2. “Through the tunnel” in physical terms is the flow of traffic from [Site1Router1] => [the Internet] => [Site2Router2], and vice versa.
- Traffic from EgressRange to the internet flows as follows: EgressRange → EgressGateway → Router → the Internet.
- Flow of traffic for other machines/devices (that don’t need to be in the VPN network) to the internet is through [Smartphone] => [Router] => [the Internet].
How to implement
- As mentioned, ensure that the default gateway on each client machine is set to the Egress Gateway.
- Disable "NAT for egress traffic" on the Egress Gateway.
Advantages
- Easy to implement.
- No need to add and maintain static routes.
- Fewer network traffic hops. Source IPs are preserved.
- Tunnel traffic is faster than the Static Route method.
Disadvantages and Workarounds
- DHCP server setup might be tricky as network resources need to point to two potential default gateways (router or Egress Gateway). Use VLANs to separate network resources.
- The Egress Gateway might get overloaded with internet traffic. Use Link Aggregation to increase speed and bandwidth.
- Manually set network address settings if the router or switch doesn’t support VLAN or an external DHCP server.
For NAT Router Environments Using the Static Routing Method
This method involves adding and maintaining static routes on the router, making the implementation seamless for client machines. The default gateway for network resources remains the router, which forwards outgoing VPN traffic to the Egress Gateway. The following image illustrates the idea:
In the image, the green arrows represent the flow of incoming and outgoing VPN traffic. The following descriptions are some examples to illustrate the flow of traffic:
- Each site has a direct tunnel connection to all the other sites, thus a mesh connection.
- Incoming VPN traffic goes through the [Site1-EgressGateway] => [Client]
- Outgoing VPN traffic goes through the [Client] => [Router] => [Site1-EgressGateway]
- In a physical sense, the flow of incoming and outgoing traffic is going to be [Site2Client] => [Site2Router] => [Site2-EgressGateway] => [Through the tunnel] => [Site1Router] => [Site1-EgressGateway] => [Site1Client]
“Through the tunnel” in physical terms is the flow of traffic from [Site2Router] => [the Internet] => [Site1Router], and vice versa.
How to implement
- Enable "NAT for egress traffic" on the Egress Gateway to allow incoming traffic from other sites.
- At each site's router, add static routes destined to (1) every remote site, (2) the Netmaker network, and (3) all other egress ranges and external client address ranges. Route all this traffic through the local network address of the Egress Gateway. Maintain these routes, as any changes to the VPN settings will require corresponding manual updates to the static routes.
NOTE: If you are using any sort of management software for devices on the local network, then you can simply push these routes to each machine via the Egress Gateway.
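The following added Python script (not Netmaker code) ties together the non-overlap rule from “Ensure Non-Overlapping Networks” and the route lists that the VPC and Static Routing methods ask you to install and maintain: it flags overlapping or nested site ranges, checks that each Egress Gateway address sits inside its own site, builds the (1)-(2)-(3) route list for one site's router, and diffs two such lists so a VPN change becomes a short add/remove task. The topology, gateway addresses and client ranges are constructed for the example.

```python
import ipaddress

# Constructed topology, not from the page: per-site egress ranges, each site's
# Egress Gateway LAN address, the Netmaker network and external client ranges.
NETMAKER_NET = "10.101.0.0/24"
EXTERNAL_CLIENT_RANGES = ["192.168.100.0/24"]
SITES = {
    "SiteA": {"ranges": ["192.168.1.0/24"], "gateway": "192.168.1.10"},
    "SiteB": {"ranges": ["192.168.2.0/24"], "gateway": "192.168.2.10"},
    "SiteC": {"ranges": ["10.20.0.0/16"], "gateway": "10.20.0.10"},
}


def overlapping_ranges(sites):
    """Pairs of site ranges that overlap or nest; identical /24s and a /24
    inside another site's /16 (the two failure cases above) are both reported."""
    nets = [(s, ipaddress.ip_network(r)) for s, d in sites.items() for r in d["ranges"]]
    return [
        (sa, str(na), sb, str(nb))
        for i, (sa, na) in enumerate(nets)
        for sb, nb in nets[i + 1:]
        if na.overlaps(nb)
    ]


def misplaced_gateways(sites):
    """Sites whose Egress Gateway address is not inside one of its own ranges."""
    return [
        s for s, d in sites.items()
        if not any(ipaddress.ip_address(d["gateway"]) in ipaddress.ip_network(r)
                   for r in d["ranges"])
    ]


def static_routes_for(site, sites, netmaker_net, ext_ranges):
    """Routes for `site`'s router or VPC route table: (1) every remote site's
    ranges, (2) the Netmaker network, (3) external client ranges, all via the
    local Egress Gateway. Returned as ordered (dst, gateway) pairs, no duplicates."""
    gw = sites[site]["gateway"]
    dsts = [r for s, d in sites.items() if s != site for r in d["ranges"]]
    dsts += [netmaker_net] + list(ext_ranges)
    return [(d, gw) for d in dict.fromkeys(dsts)]


def route_changes(old, new):
    """(routes to remove, routes to add) when the VPN settings change, so the
    static tables stay in step with the Netmaker side."""
    return sorted(set(old) - set(new)), sorted(set(new) - set(old))
```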
Advantages
- Seamless integration.
- All internet traffic goes directly through the router.
- No need for additional DHCP configurations.
Disadvantages and Workarounds
- Constant need to add and maintain static routes. Use management software to push these routes via the Egress Gateway.
- Additional network traffic hop, per site.
- Source IPs aren’t preserved.
- Slower than the first method.
ISP Failover
For multiple ISP links, let your router, firewall appliance (FWA), or manageable switch handle internet load balancing and failover. Refer to your device’s user manual or documentation for more information. There will be some momentary breakage in connection when internet traffic fails over to another ISP, but Netmaker should be able to handle the public IP change as it does with dynamic public IP addresses.
Next Steps
This concludes our sections on setting up your networking infrastructure using the Netclient and Static Clients. By this point, everything should be configured, and you can set up access for your users.