Create a Reverse Proxy for self hosted services using Netmaker and Wireguard!


=== Links ===
Show Notes (linking to the original notes for installing Netmaker here)
wiki.opensourceisawesome.com/...
Netmaker Home Page
www.netmaker.org/
Get the AwesomeOpenSource Merchandise
awesomeopensource.creator-spr...
Support my Channel and ongoing efforts through Patreon:
www.patreon.com/bePatron?u=23417
Buy Me a Coffee or Beer
paypal.me/BrianMcGonagill?cou...
=== Timestamps ===
00:00 Beginning
00:09 Introduction to Netmaker as a Reverse Proxy
00:53 Thank you to my Patrons at Patreon, and my subscribers at KZread
01:30 Setting up our Reverse Proxy Server (you can use the same server as Netmaker server if you want to)
02:05 Create a Custom DNS Entry
02:45 Update our VPS Server
03:05 A quick diagram for what we are creating
05:40 Inspecting our Proxy Server
06:00 Create a New Access Key for our Proxy Server
06:50 Checking our new client connection
07:30 Installing Docker, Docker-Compose, and NGinX Proxy Manager on the VPS
08:15 Secure NGinX Proxy Manager
09:30 Add a service on my LAN to access via Wireguard
13:45 Look at our Network Graph in Netmaker
=== Contact ===
Twitter: @mickintx
Telegram: @MickInTx
Mastodon: mastodon.partecipa.digital/ @MickInTX
Try out SSDNodes VPS Services! Amazing Specs for incredibly low costs. I'm running a 32 GB RAM / $ CPU Server for only $9 a month! Seriously. For long term server usage, this is the way to go!
www.ssdnodes.com/manage/aff.p...
Get a $50.00 credit for Digital Ocean by signing up with this link:
m.do.co/c/a6a61ae55242
Use Hover as your Domain Name Registrar to get some great control over your domains / sub-domains:
hover.com/SHPaiirr
What does the money go to?
To Pay for Digital Ocean droplets, donations to open source projects I feature, any hardware I may need to purchase for future episodes (which I will then give to a subscriber in a drawing or contest).
=== Attributions ===
Intro and Outro music provided by www.bensound.com

Comments: 144

  • @i-am-you-tube (1 year ago)

    BIG THANKS Brian, for all your hard work and clear explanations you do in your videos. Very much appreciated!! Keep up the good work and stay safe my friend. Greetings from The Netherlands

  • @AwesomeOpenSource (1 year ago)

    Thanks, will do!

  • @netmaker5681 (1 year ago)

    Another great video! Thanks for sharing.

  • @AwesomeOpenSource (1 year ago)

    My pleasure, and thanks for making such a great product for us!

  • @TheLMFAOZ (1 year ago)

    Would be cool if it could integrate with Crowdsec to give a little bit more of protection... I have on my end Suricata and Crowdsec (along with other stuff) to keep prying eyes from touching my portals and I feel that with Netmaker I'll lose that visibility / control / "security" layer. But I dig the concept. Interesting stuff!

  • @kaposinetwork (1 year ago)

    When I started watching your I learned a lot of things. Thank you 😊 God bless you

  • @AwesomeOpenSource (1 year ago)

    Glad to know I helped, and my pleasure.

  • @kson2659 (1 year ago)

    This is Great, thanks a lot! Please bring more Netmaker Videos.

  • @AwesomeOpenSource (1 year ago)

    I'll see what I can do.

  • @dragoscaulea3461 (1 year ago)

    I love your videos I learned very much from you. I have my own way to access my home lab not so elegant 😅 . The new Beta firmware from Fritzbox has wireguard you need 2 minutes to setup and works great for me. Greetings from Germany

  • @AwesomeOpenSource (1 year ago)

    That is awesome!

  • @SaquPvP (1 year ago)

    Also using wireguard in my fritzbox, it's pretty simple. Locally I use npm as a reverse proxy, with DNS Challenge for TLS Certificates. DNS points to local IPs in my network.

  • @LakedaimonII (1 year ago)

    It's cool, but it works with 1 device only. Do they change it?

  • @MrSupersidewinder (1 year ago)

    Cool, great coverage...👍

  • @AwesomeOpenSource (1 year ago)

    Thank you so much 😀

  • @idriskautsar4895 (1 year ago)

    Already make this topology, but I am using key-network with zerotier, I'll try with netmaker, thank you, great tutorial.

  • @AwesomeOpenSource (1 year ago)

    I tried zero-tier a few years ago, and it was ok, but I never liked the inconsistent speeds I got from it, and I could never find all of the information to self host it. Haven't looked in a while though.

  • @Glatze603 (1 year ago)

    Hi Brian, now you've finally piqued my interest - now I have to test it :-) Thanks for your video and this cool open source tool.

  • @AwesomeOpenSource (1 year ago)

    My pleasure!

  • @Glatze603 (1 year ago)

    @@AwesomeOpenSourcei, in my opinion NPM isn't secure enough for running on a cloud server - no MFA, no fido2 support, no oauth support. Netmaker is a really great solution for tunneling servers or services from different networks securely with wireguard and it is right, that you do not have to open ports in your internal firewall, but with this solution you bypass your personal firewall completely. It would be better to use an endpoint in the dmz of your lan, so that you have to create separate firewall rules in order to allow access to services in your lan! The problem I see is not the transport from npm to your lan (it is wireguard-protected!), but the endpoint npm itself. If someone gets access to this server, he has access to all services you have configured in it. So you have to harden this server and the software itself does not offer this.

  • @Glatze603 (1 year ago)

    In addition to my first post, I would strongly recommend to either only release applications that natively support MFA, or alternatively to integrate a layer / application such as Authelia in order to be able to establish MFA for every application you want to host. That's the best method to avoid phishing. It's still the ease of logging into the NPM admin panel that worries me.

  • @Glatze603 (1 year ago)

    Concerning the communication, you are absolutely right, that netmaker makes a fantastic job with really great performance (it takes 20 times less time than with tailscale, to backup my 4 GB great archives from a cloud-server to my internal backup-server). I would love to see more videos about different use cases of netmaker 🙂

  • @nilreis5825 (1 day ago)

    Thanks for sharing

  • @salapolivalenta77 (1 year ago)

    Very interesting solution! Following kinda the same idea, I have a free oracle VPS where I have nginx and using that nginx to proxypass using stream upstream through wireguard tunnel with my centos box from home. wireguard is just a simple tunnel for communication used in split tunneling mode between vps and my box from home. Pls note that no 80 or 443 tcp ports are used but other high ports. On my centos box also I have similar nginx setup which points to my IP cameras from my LAN. RDP is available from internet following the same method. Pretty simple, no port forward opened on my home router, not to mention that my ISP doesn't provide fixed IP but dynamic :)

  • @AwesomeOpenSource (1 year ago)

    Nice setup!

  • @bcm50 (1 year ago)

    Could you help me accomplish something similar?

  • @salapolivalenta77 (1 year ago)

    @@bcm50 Give me an email and I can explain.

  • @catlmarc9618 (1 year ago)

    Great video

  • @AwesomeOpenSource (1 year ago)

    Glad you enjoyed it

  • @Mikesco3 (1 year ago)

    I do the same over zerotier. Basically create a virtual network in zerotier, add the droplet and my home machine to zerotier, and set Nginx on the droplet.

  • @Mikesco3 (1 year ago)

    This avoids the need for a static IP and also avoids punching holes in my firewall

  • @AwesomeOpenSource (1 year ago)

    I used zerotier a bit, but never could get all the instructions to fully self host it, so kind of gave up on it. Need to take another look.

  • @michaelmoloney4080 (1 year ago)

    If you put your wireguard server/netmaker server with NPM on your cloud vps you can achieve the same thing.... it also means you don't need to open any ports or worry about isp nat, just install client on each server in your homelab.

  • @AwesomeOpenSource (1 year ago)

    Indeed, you can do this on a single server. Just wanted to separate them for clarity.

  • @michaelmoloney4080 (1 year ago)

    @@AwesomeOpenSource just wanted to point it out as it lets you use cloud hosted homelab projects on linode etc without their traffic going in and then out your home network. Ie put nextcloud on a linode, restrict the docker port to vpnaddress:exposedport:service port. Excellent video and thanks for spreading the use of some of my favorite services :)
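
Added example (not part of the comment above, and not Netmaker or Docker project code): a small Python check for the port binding the comment describes, where a published Docker port is tied to the host's WireGuard address instead of every interface. The network 10.101.0.0/24, the service names and the port lists are constructed for illustration; a mapping with no host address is published on all interfaces, including the VPS's public one.

```python
import ipaddress

# Assumption for this example: the WireGuard network handed out by Netmaker.
VPN_NET = ipaddress.ip_network("10.101.0.0/24")


def parse_port_mapping(spec):
    """Parse Docker's short port syntax: [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO]."""
    body, _, proto = spec.strip().partition("/")
    host_ip = None
    if body.startswith("["):                       # bracketed IPv6 host address
        end = body.index("]")
        host_ip, body = body[1:end], body[end + 1:].lstrip(":")
    parts = body.split(":")
    if host_ip is None and len(parts) == 3:
        host_ip, host_port, container_port = parts
    elif len(parts) == 2:
        host_port, container_port = parts
    elif len(parts) == 1:
        host_port, container_port = "", parts[0]   # Docker picks a random host port
    else:
        raise ValueError(f"unrecognised port mapping: {spec!r}")
    if not container_port:
        raise ValueError(f"missing container port: {spec!r}")
    return {
        "host_ip": host_ip,
        "host_port": host_port or None,
        "container_port": container_port,
        "proto": proto or "tcp",
    }


def classify(spec, vpn_net=VPN_NET):
    """Say where a published port is reachable from, judged by its bind address."""
    mapping = parse_port_mapping(spec)
    if mapping["host_ip"] is None:
        return "all-interfaces"                    # no address given: binds everywhere
    ip = ipaddress.ip_address(mapping["host_ip"])
    if ip.is_unspecified:                          # 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:
        return "loopback-only"
    if ip.version == vpn_net.version and ip in vpn_net:
        return "vpn-only"
    return "other-address"


def audit(services, vpn_net=VPN_NET):
    """Return (service, mapping, verdict) for each port reachable outside the VPN."""
    findings = []
    for name, ports in services.items():
        for spec in ports:
            verdict = classify(spec, vpn_net)
            if verdict not in ("vpn-only", "loopback-only"):
                findings.append((name, spec, verdict))
    return findings


# Constructed sample: the `ports:` lists of a compose file, keyed by service name.
SAMPLE_SERVICES = {
    "nextcloud": ["10.101.0.2:8080:80"],               # reachable over WireGuard only
    "npm": ["80:80", "443:443", "127.0.0.1:81:81"],    # proxy public, admin UI local
    "dashy": ["0.0.0.0:4000:80"],
    "other": ["[::]:9000:9000/udp", "203.0.113.7:8443:443"],
}

if __name__ == "__main__":
    for service, spec, verdict in audit(SAMPLE_SERVICES):
        print(f"{service:10} {spec:24} {verdict}")
```

Ports 80 and 443 on the proxy are listed because they are public by design; every other finding is a service that can be reached without going through the tunnel.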

  • @ElTelBaby (1 year ago)

    I enjoyed it;... ROFL... But it still went over my head...

  • @AwesomeOpenSource (1 year ago)

    If you want some help / more info, jump over to discuss.opensourceisawesome.com and ask questions in the help-me-please channel.

  • @konstantinostsourdinis (1 year ago)

    Thanks

  • @AwesomeOpenSource (1 year ago)

    Welcome

  • @manigandan976 (1 year ago)

    Useful

  • @AwesomeOpenSource (1 year ago)

    Glad you think so!

  • @kennguyen3578 (9 months ago)

    Hi Brian, Thank you for your awesome tutorial. I wonder how is the upload/download speed of this method compared to open NAT/Nginx proxy vs VPN. If you could, please share the result in another video. Thank you and appreciated.

  • @AwesomeOpenSource (9 months ago)

    Since this uses Wireguard, you get around 95% of the normal open NAT speed you'd usually get. Wireguard is much faster (in general) than OpenVPN, and older VPN systems. It all depends on how you set up OpenVPN, but as a home user, Wireguard out of the box is ridiculously fast.

  • @michaell7511 (1 year ago)

    Another question about security for the netmaker interface: considering that this is widely served in the open internet, would you somehow be doing a video on how to protect it with an OAuth provider (like Google) since it's supported? I already followed your tutorial and have it running. THANK YOU! I have also put a few security measures in place including login to netmaker host machine via ssh with keys only as well as running Crowdsec. But I was just thinking that an extra security like integrating an OAuth provider would make it stronger. Thoughts?

  • @AwesomeOpenSource (1 year ago)

    I'll look into it in the future.

  • @Glatze603 (1 year ago)

    Take a look at the netmaker documentation - it's not too complicated.

  • @janstasik9094 (1 year ago)

    Just very last question, if I understand correctly, Netmaker server (VPS) is orchestrating the configurations, key exchanges for nodes, clients etc...so it's more like control plane. Is it creating full mesh topology for data connection or they need to pass server anyway? So data from reverse proxy will go via wireguard tunnel directly to your home computer and then to app? Or data pass the path from client to reverse proxy then to netmaker server and then to home gateway? Something like Tailscale does? Also I see limitation that egress gateway can setup just one subnet and one interface...if i have netclient installed on computer with multiple NICs and subnets? Tailscale got feature router subnet, how to do this over netmaker? Thank you.

  • @AwesomeOpenSource (1 year ago)

    Yes, Netmaker is there as a control plane, but once the client or wireguard config is on a client machine, they make a peer to peer connection if they can, and they should be able to. As for the ingress and egress gateways, that's more of a middle man. The external clients get access through the gateway to a peer (as I understand it) since their configs are not auto-updated like the netmaker client machines (running the netclient) are.

  • @janstasik9094 (1 year ago)

    Brian, may I ask what is that dashboard you show on 9:38? Isn't it Heimdall is it? Can you please tell more about it? Thank you.

  • @AwesomeOpenSource (1 year ago)

    It's called Dashy, and I have a couple of videos on it. kzread.info/dash/bejne/g6eFt9yupKrHoqQ.html and kzread.info/dash/bejne/lq2p1I-HdNHNcsY.html

  • @janstasik9094 (1 year ago)

    Hello, thanks for a great video. Just a question. What is benefit of this solution over self-hosted NGINX, behind FW with static public IP. So only 443 is forwarded from FW to NGINX and with proper security setup you should be fine as well. Then backend connection from nginx to all apps is via LAN only. If connection from external client to VPS nginx (your cloud machine) is "standard" HTTPS then setup with self-hosted nginx is pretty same...with less machines in between...or?

  • @AwesomeOpenSource (1 year ago)

    If you don't have a static IP at home, this is a great way to deal with that. If your ISP gives you a static IP, this may not be as useful for you. This was really part two of the videos, showing additional capabilities of Wireguard VPN with Netmaker helping you get various networks setup and talking much more easily than setting up all the configuration files by hand (IMO anyway).

  • @janstasik9094 (1 year ago)

    @@AwesomeOpenSource Got your point...anyway I am just thinking to try it even i have static IP. The idea that i would not need to open any port inbound is not bad. What risk is that VPS will be compromised if you do proper security measures...and still, your home net should be protected and your home IP not revealed even when VPS went down...just thinking about security advantages of this setup...

  • @Josifbg (1 year ago)

    Awesome

  • @AwesomeOpenSource (1 year ago)

    Thank you.

  • @cryptot3ch (1 year ago)

    Thanks Brian!! Really great video. Was wondering if you could expound a little on a comparison of a couple of the technologies that are similar in concept to this? I'm trying to wrap my head around the different technologies that help to secure a homelab or cloud based small business network and having a hard time seeing what my exact options are so I can make an informed decision. Future video idea maybe? Thanks for all you do man!!

  • @AwesomeOpenSource (1 year ago)

    Sure, let me see what I can come up with.

  • @MarkConstable (1 year ago)

    How to set up a situation where access from inside a LAN goes directly to a server (like tnas.*) but still allows external access according to your layout in this video? If I want to up or download a multi-gigabyte file to a NAS, I do not want that traffic going out my internet connection and then back in to ie; tnas.*. Also, possibly related, how to enable some kind of split-DNS so SSL certs also work internally as well as direct internal LAN access?

  • @AwesomeOpenSource (1 year ago)

    So, if you setup the two machines with either the netclient, or the config file as an external client (just a name), it will connect directly as a peer. That's the beauty of wireguard. If you have the machines both on the same wireguard network they will try first to connect directly as peers.

  • @FluesternKlee91 (11 months ago)

    Thank you for the video! Is a wildcard domain needed? Or is it possible to use A records of the root domain? Thank you ☺️

  • @AwesomeOpenSource (10 months ago)

    The method has been updated a bit on the netmaker side since this video, but you can just set individual A records / CNAMEs on the root domain if you want to.

  • @bitechevalier5958 (1 year ago)

    legend

  • @AwesomeOpenSource (1 year ago)

    Thank you.

  • @michaell7511 (1 year ago)

    Question: You speak of NPM and Netmaker, yet Netmaker depends on Traefik which also uses port 443 like NPM. Can you explain the work around so that NPM receives the inbound request and forwards to Netmaker?

  • @AwesomeOpenSource (1 year ago)

    You would indeed need to do some port forwarding in those proxies in order to make it all work. Alternatively, Netmaker has a different install that will not use Traefik (I believe). You could ask over at their Discord though to be sure.

  • @gabrielporto.mikrotik (1 year ago)

    Great video Brian. As always. 😊 I have a doubt. I have a datacenter at my home. Am planning to build another at my office (30km away). With this setup, can I not use the cloud server? I mean, for my house, my office is gonna be my cloud and vice versa.

  • @AwesomeOpenSource (1 year ago)

    You can, certainly. You'll need to ensure all the ports are open for communication through the firewall at the office. You'll want to make sure your machine running the Netmaker server has all the necessary ports open and forwarded through the firewall. Also, best to make sure it's a static LAN IP on that machine.

  • @gabrielporto.mikrotik (1 year ago)

    @@AwesomeOpenSource Great to know Brian. Thank you for your answer.

  • @neoandlifestyle2514 (15 days ago)

    Hi for this implementation is necessary the enterprise license or the community is good? Excellent content by the way tks

  • @AwesomeOpenSource (8 days ago)

    At the time, all functions were done with the community edition. Can't say whether that has changed over time or not.

  • @MarkConstable (1 year ago)

    How about a situation where one has Proxmox and plenty of local resources. Would it be possible to expose one VM via typical port forwarding and use that VM(s) to host Netmaker + Netclient + Nginx Proxy Manager instead of paying for an otherwise redundant VPS?

  • @AwesomeOpenSource (1 year ago)

    You can absolutely do that, yes.

  • @Just5KY (1 year ago)

    So it's similar to ZeroTier, gives static private IP to both machines, then you can use a proxy manager or something to forward stuff.

  • @AwesomeOpenSource (1 year ago)

    It is, but it is fully self hostable, and for me much more consistent with speeds.

  • @Just5KY (1 year ago)

    @@AwesomeOpenSource cool, I will give it a try then

  • @thestreamreader (1 year ago)

    Does this work for pure tcp traffic non web traffic? I have an NVR that needs app access on high media port that is just tcp based I would like to secure this way?

  • @AwesomeOpenSource (1 year ago)

    Yes, you should be able to run through this network, just like you would any LAN.

  • @jrohland2689 (1 year ago)

    Interesting video, with your VPS running (24/7) what do your costs shake out to be with this type of setup?

  • @AwesomeOpenSource (1 year ago)

    If I run the two I show, it's about $12 US per month. You can, however, run the proxy on the same server as the Netmaker server, and it would be half that.

  • @i-am-you-tube (1 year ago)

    @@AwesomeOpenSource Brian question... if NPM and Netmaker runs on the same server, is it still safe to use? Or is it safer if Netmaker is on a separate VPS and NPM is on a separate VPS.... in terms of security...

  • @s.uboxone (1 year ago)

    @@AwesomeOpenSource Trying to run both on the same server. I can't get nginx running because netmaker is running on port 443 already. Any suggestions??

  • @Amwfilms (1 year ago)

    Any way to do this on docker? I have been using cloud flare tunnels and want to be able use the tunnel to connect to iOS apples for example Nextcloud or seafile the tunnel only works on the web browser not any apps.

  • @AwesomeOpenSource (1 year ago)

    The issue with tunneling to an app directly is it doesn't usually have its own network, but instead uses the host network connection. I think that's where the issue really lies.

  • @michaelmoloney4080 (1 year ago)

    Npm does have a docker, and does work for the nextcloud app, whether you use docker snap or host it on nginx I think there's even a docker for the cloudflare tunnels too. I can tell you wireguard and Npm work well with nextcloud.

  • @nahakuu (1 year ago)

    Hello. Would you be able to create guide for connect Sophos Site To Site vpn to Strongswan (ipsec) or OpenVPN (ssl) ? I know you recommended in the past Sophos, I like it a bit more than pfsense for ease of use. But now I cannot make the Site to site vpn work to my Debian Docker server, it seems to fail on Phase 1 even when I am using same protocols on both sides. Thank you for your good work!

  • @AwesomeOpenSource (1 year ago)

    I've never recommended Sophos. I think you have my channel confused with @TheDigitalLife. I only advocate for open source software. I'm sure @ChristianLampa would love to hear from you though. He's got a great channel with tons of excellent information.

  • @nahakuu (1 year ago)

    @@AwesomeOpenSource ach sorry :D you sound so similar :P

  • @latenyt7dusk231 (1 year ago)

    In this solution, is it limited by the bandwidth limit of digital ocean droplet per month?

  • @AwesomeOpenSource (1 year ago)

    I don't think so, as once the wireguard connection is established, you'll go Peer-to-peer in a lot of cases, but it's something to keep an eye on.

  • @rzvendramini (1 year ago)

    I didn't understand from the site how the licensing works. Which are the conditions for free (as in free beer) use?

  • @AwesomeOpenSource (1 year ago)

    Run it on your own server. It's open source. If you want them to host it for you, and / or you want any of their extra features, then you can look at some of the paid tiers of service to help support the continued development.

  • @accountdua9375 (11 months ago)

    Trying to run both on the same server. I can't get nginx running because netmaker is running on port 443 already. Any suggestions?

  • @AwesomeOpenSource (11 months ago)

    You will want to setup a port mapping on the service in netmaker using 443, so you can map some other port to it (e.g. 9443:443). Then run NPM on 443, and make sure you're forwarding any requests for netmaker on to that port 9443 through NPM.

  • @beauthompson5338 (1 year ago)

    Hi Brian one question about a dns provider if i am not running mail in a box for dns from what i read cloud flare is not good for netmaker what are my options for dns?

  • @AwesomeOpenSource (1 year ago)

    Cloudflare should be fine for setting your DNS records, you just want to turn off the proxied option when you set those records.

  • @beauthompson5338 (1 year ago)

    @@AwesomeOpenSource here is the info from the docs Note on Cloudflare: Many of our users use Cloudflare for DNS. Cloudflare has limitations on subdomains you must be aware of, which can cause issues once Netmaker is deployed. Cloudflare will also proxy connections, which MQ does not like. This can be disabled in the Cloudflare dashboard. If setting up your Netmaker server using Cloudflare for DNS, be aware that the configuration of Cloudflare may cause problems with Netmaker which must be resolved, and at this point, Netmaker is not providing guidance on this setup.

  • @AwesomeOpenSource (1 year ago)

    Yeah, it's not that it won't work, it's just that they (Netmaker) know people run into problems, but they give you the mitigation steps there. I think ... I just think... if you don't use proxied DNS entries, and if you haven't run out of DNS entries, as netmaker needs like 4 or 5, then you should be fine.

  • @emmanuelmeikle5318 (1 year ago)

    I am attempting to follow this procedure but it is not complete or I don't have the same thing like the access key with all the cool script. All I have is the (raw) Enrollment Key without already built script

  • @AwesomeOpenSource (1 year ago)

    The UI has been recently updated. I'm planning an update video, but you'll definitely want to look into their docs to get a feel for the changes.

  • @emmanuelmeikle5318 (1 year ago)

    @@AwesomeOpenSource Thanks for your reply In fact I think the CE is simply different from the EE edition and don't provide the same level of friendliness. This is ok a bit frustrating. ;)

  • @ddrci88 (1 year ago)

    Hello, could you please do for cdp open source software I’m really struggling for finding open source software ?

  • @AwesomeOpenSource (1 year ago)

    What is cdp?

  • @ddrci88 (1 year ago)

    @@AwesomeOpenSource customer data platform , like this kzread.info/dash/bejne/Y2d6zMSzlJCznKQ.html

  • @gatolibero8329 (1 year ago)

    What is that "Home Lab" site? What did you create that with?

  • @AwesomeOpenSource (1 year ago)

    I use Dashy for that. kzread.info/dash/bejne/g6eFt9yupKrHoqQ.html

  • @gatolibero8329 (1 year ago)

    @@AwesomeOpenSource thanks

  • @PremiumGerman (6 months ago)

    If I understand this correctly, the domain you expose isn't actually public? You still need to be connected via vpn to the network right?

  • @AwesomeOpenSource (6 months ago)

    No, I'm exposing a public domain in this case, but you can create a local domain and use it through the VPN if you prefer.

  • @PremiumGerman (6 months ago)

    @@AwesomeOpenSource But how? Ingress does require clients don't they?

  • @PremiumGerman (6 months ago)

    @@AwesomeOpenSource I actually want to expose this to the public but the steps you're taking are a bit unclear to me from the video. Seems like you're skipping over some important steps to take in netmaker

  • @tomharmon2000 (7 months ago)

    Could you please make a video where you run both NPM and net maker on the same server?

  • @AwesomeOpenSource (7 months ago)

    Let me see what I can do. I think the issue we hit there is that both of those applications expect to have port 80 and 443 access. So you hit a conflict. Let me think about how it could be done.

  • @papazig911 (3 months ago)

    @@AwesomeOpenSource Yes this is my issue. I'm confused with the video between what's VPS and what's home server. It appeared that you installed netmaker on the same server NPM was installed on but now I'm thinking that must not be the case... I thought when you mention "netmaker server" that you were referring to it by name, not that it's a separate server or maybe I'm still not understanding. Do you have a server dedicated to netmaker in this example? Another VPS running NPM and then your homelab all meshed together? Netmaker UI has been updated since this video as well, maybe it's worth making another? My specific case is that I have one VPS and all my other services like nextcloud, GitLab etc are hosted on my home server which is running from a VM in virtualbox. Netmaker is awesome because I'm behind a CGNAT and that's why I found it but not a lot of resources out there yet and it's quite difficult to get setup how one would like. Anyway thanks for all you do!

  • @verygoodbrother (1 year ago)

    is there a way to authenticate visitors to a domain?

  • @AwesomeOpenSource (1 year ago)

    If you use NGinX Proxy Manager, you can set Basic Auth rules and IP Address filtering rules to make sure the user is allowed to visit the site.

  • @TravisPickle (1 year ago)

    can the vps and netmaker be on same box?

  • @AwesomeOpenSource (1 year ago)

    Yes they can.

  • @SaaSReviewsInterviews (1 year ago)

    Will this work under CGNAT?

  • @AwesomeOpenSource (1 year ago)

    It should, yes.

  • @pritamghosh5247 (1 year ago)

    Hi what os u use

  • @cont8155 (1 year ago)

    Windows Longhorn

  • @AwesomeOpenSource (1 year ago)

    Currently for my desktop I use Kubuntu 22.04. I used Ubuntu 22.04 for the servers in the video as well.

  • @AwesomeOpenSource (1 year ago)

    hahahahaha...noooooooooooo...although, when longhorn was a thing v1 was reallllllly good, and super lean on RAM...then v2 came out and...well, you know the rest.

  • @SB-qm5wg (1 year ago)

    Great video. Gitlab name?

  • @AwesomeOpenSource (1 year ago)

    gitlab.com/bmcgoang is my Gitlab URL where you can find my projects.

  • @cazador517 (1 year ago)

    I fail to view how is this more secure than just opening the ports at home. I mean, if someone hijacks the server with NPM then they can access the home network just fine, and that means attacking it just fine. (well maybe L2 attacks don't work, but still a major risk).

  • @AwesomeOpenSource (1 year ago)

    Keeping the ports closed on your home firewall, keeps people from having as much of a direct attack vector on your home network. Creating tunnels is just another layer in adding security, not a complete security profile. You should run a firewall in front of cloud servers as well, and you should use other mitigations like accessing from specific IPs if you can using ACLs, and so on.

  • @cazador517 (1 year ago)

    @@AwesomeOpenSource Thanks for replying. But I'm not entirely bought in the "Keeping the ports closed on your home firewall, keeps people from having as much of a direct attack vector on your home network" thing. I mean, if you have a plain home network, yeah it's a improvement as long as you configure proper ACL for the VPN in the home server and don't allow the remote server to access all of your home network. In the other hand, if you have DMZ with proper firewalling, then opening a port is not that much of a risk. Sure exposing your IP may make you a target for DDOS and having your IP obscured like this may be the difference between only your site being down or all your home internet being down, but homelabers do not tend to be the target of DDOS.

  • @kson2659 (1 year ago)

    Big pro here is that you can do this if you don't have a public ip at all at home. Also you get around unsafe vendor appliances by using up to date software instead. But, if someone gets access to your VPS, they will get instant access to your whole home network as well.

  • @panl8370 (6 months ago)

    cost ?

  • @AwesomeOpenSource (6 months ago)

    If you stay with community version, no monetary cost. If you want some additional features, you can opt for the enterprise version. They have a pricing page you can look at if interested.

  • @user-qc6kg9bk2t (1 year ago)

    Would it be possible using this method to host services on mobile data? I think this is crazy enough to work.

  • @AwesomeOpenSource (1 year ago)

    As long as you don't have data limits, I suppose it would work.

  • @michaelmoloney4080 (1 year ago)

    If you put the netmaker/wireguard server in the cloud and have your devices connect to it it works on mobile, usually the issue is mobile providers don't allow you to open incoming ports. The data usage would be your issue :)

  • @user-qc6kg9bk2t (1 year ago)

    That's why I love this solution. I understand that is not practical but is a way for tech people living away from urban areas/offgrid to enjoy the freedom of hosting their own services. Also I can get a good deal for unlimited mobile data.

  • @MarkConstable (1 year ago)

    I'd love to use Nginx Proxy Manager, but I refuse to use docker, and there is no native install method... so no NPM for me.

  • @AwesomeOpenSource (1 year ago)

    Why do you dislike Docker?

  • @MarkConstable (1 year ago)

    @@AwesomeOpenSource Because it's a whole extra level and layer of complication that I cannot easily integrate into my normal LXC and KVM infrastructure. Docker offers me no advantage over native apps and makes server management more complex than it needs to be. I've got some full email/vhost LXC containers running in 250 MB ram. That is just not possible when using dockerized equivalents.

  • @kson2659 (1 year ago)

    Try caddy reverse proxy. No UI, but the config is a single simple file. Runs as binary :)

  • @ig00g1e (1 year ago)

    @@kson2659 thanks man!

  • @andrew8293 (1 year ago)

    This program looks great but the license is kinda sh*t. Not real FOSS. I'd rather build it myself.

  • @AwesomeOpenSource (1 year ago)

    Andrew it's always an option to build something yourself, for sure.

  • @RyanParmeter (1 year ago)

    Argh, this is not correct. Opening an outbound connection is not punching through a firewall; it's just called accessing the internet. One simple firewall rule could prevent this from working.

  • @AwesomeOpenSource (1 year ago)

    An outbound firewall rule could indeed prevent this from working. But the idea is you can gain access to your home services without opening ports inbound on your firewall.
