A VPN can be a lot of things. You might think you know what a VPN is…but do you really? A virtual private network just sends private traffic over a public network. But where is that traffic going, and for what purpose? After all, networks come in all shapes and sizes.
In this two-part tutorial, we will discuss four “types” of VPNs, which could just be considered use cases, and set them up with WireGuard® and Netmaker, a free networking platform, in under 10 minutes:
Personal (Private Browsing)
Remote Access
Site-to-Site
Mesh (virtual LAN/WAN)
WireGuard® is a newer VPN protocol that lives in the Linux kernel and is very fast. Most VPNs make your internet noticeably slower; with WireGuard® the overhead is usually negligible. Netmaker uses WireGuard® under the hood and simplifies setting up environments from a homelab to enterprise scale.
Let’s start by describing the four types of VPNs. Then, we’ll set up a Netmaker server with a single command. Finally, we’ll go through each type of VPN and walk through a quick example setup. As a note, these tutorials expect some basic Linux skills. If you haven’t touched a terminal before, you may want to skip these.
In part one, we’ll cover Personal and Remote Access VPNs for home use. These use cases are pretty easy to set up. In part two, we’ll discuss Site-to-Site and Mesh VPNs, which are much more complicated and geared towards business use cases.
First, a disclaimer. A VPN can have many, many topologies. Here, we break it down into four rough “categories”, but keep in mind as we move through the tutorials that in reality, a VPN could take on many arbitrary designs. These are just some helpful and common ways to break it down.
Most people are familiar with the Personal VPN. If you’ve ever paid for a VPN service for your personal computer, it was probably this. Technically it is also a “Remote Access” VPN like the next type, but it serves a different purpose.
How it works: before any of your network traffic hits the internet, it is encrypted and sent to the provider’s server, which forwards it on. The sites you visit see the provider’s IP address instead of yours, which gives you some anonymity toward them; the provider itself, of course, still sees exactly where the traffic came from.
Have you ever had to use a corporate VPN? If you’re working remotely, like many people are in 2021, the answer is probably yes. That is a Remote Access VPN.
This type of VPN is actually very similar to the “personal” VPN, with one key difference: rather than routing your traffic to the internet, the VPN “server” routes it into the corporate network. In practice it very often routes your general internet traffic as well (a “full tunnel”, as opposed to a “split tunnel” that only carries traffic destined for the corporate ranges). That way, they can stop you from playing video games and browsing Reddit all day.
By accessing the corporate network via the VPN, you can access company applications and services (HR, payroll, etc) that aren’t on the public internet.
Unless you work in network engineering, you’ve probably never encountered this one. Still, you’ve probably experienced it without even knowing. Let’s say you have two offices, A and B. A and B need to talk to each other and share services, but they’re on different networks! Rather than expose all these services to the internet, they can set up a “Site-to-Site” VPN that bridges the two networks with a private link.
This is currently one of the least common VPN setups because of its complexity, but it is growing in popularity. You will most likely encounter it in areas like multi-cloud, Kubernetes, or IoT. In a mesh VPN, every device has a direct, encrypted connection to every other device. This creates a “flat” network: traffic never has to be relayed through an intermediate node, which would add latency and put a third machine in the path of your traffic.
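The four types above map onto one field of a WireGuard® config: the AllowedIPs of each [Peer], which is both the cryptokey routing table and the list of destinations sent into the tunnel. As an added example that is not part of the original tutorial or of the Netmaker project, the Python script below parses a wg-quick client config and labels it with one of the four types. The classification rules are heuristics of this example, and the sample configs are constructed, with placeholder keys and RFC 5737 documentation addresses.

```python
"""Added example for this tutorial; not Netmaker or WireGuard project code.
Classify a wg-quick client config by what its [Peer] AllowedIPs route into
the tunnel. Rules are heuristics chosen here; samples are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Peer:
    public_key: str = ""
    endpoint: str = ""
    allowed_ips: list = field(default_factory=list)


def parse_wg_conf(text):
    """Minimal wg-quick .conf parser: returns (interface_settings, peers).
    Hand-rolled because configparser cannot keep repeated [Peer] sections."""
    interface, peers, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            if section == "peer":
                peers.append(Peer())
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if section == "interface":
            interface[key] = value
        elif section == "peer" and key == "publickey":
            peers[-1].public_key = value
        elif section == "peer" and key == "endpoint":
            peers[-1].endpoint = value
        elif section == "peer" and key == "allowedips":
            peers[-1].allowed_ips += [ipaddress.ip_network(p.strip(), strict=False)
                                      for p in value.split(",") if p.strip()]
    return interface, peers


def classify(text):
    """Return (vpn_type, warnings) for one client config."""
    interface, peers = parse_wg_conf(text)
    nets = [n for p in peers for n in p.allowed_ips]
    warnings = []
    if any(n.prefixlen == 0 for n in nets):
        # 0.0.0.0/0 or ::/0: every packet goes to the server (Personal, full tunnel)
        kind = "Personal"
        if "dns" not in interface:
            warnings.append("full tunnel without DNS=: name lookups still go to the "
                            "local resolver and reveal which sites you visit")
    elif len(peers) > 1 and nets and all(n.prefixlen == n.max_prefixlen for n in nets):
        # one host route per peer, nothing transits another node (Mesh)
        kind = "Mesh"
    elif any(n.is_private and n.prefixlen < n.max_prefixlen for n in nets):
        # a private range behind the peer: Remote Access for a laptop or phone,
        # Site-to-Site for a router; the client file alone cannot tell them apart
        kind = "Remote Access / Site-to-Site"
    else:
        kind = "Point-to-point"
    own = [ipaddress.ip_interface(a.strip())
           for a in interface.get("address", "").split(",") if a.strip()]
    for n in nets:
        # a wide range that is not the overlay this client sits in means the
        # gateway hands out more of the remote LAN than this client needs
        if 0 < n.prefixlen < 24 and n.is_private and not any(o.ip in n for o in own):
            warnings.append(f"{n} is wider than a /24 and is not this client's own network")
    return kind, warnings


# Constructed samples: placeholder keys, RFC 5737 endpoint addresses.
PERSONAL = """
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.201.0.2/32
[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0
"""
REMOTE_ACCESS = """
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.101.0.7/32
DNS = 10.101.0.1
[Peer]
PublicKey = GATEWAY_PUBLIC_KEY_PLACEHOLDER
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.101.0.0/16, 192.168.40.0/24
"""
MESH = """
[Interface]
PrivateKey = NODE_PRIVATE_KEY_PLACEHOLDER
Address = 10.101.0.3/32
[Peer]
PublicKey = NODE_A_PUBLIC_KEY_PLACEHOLDER
Endpoint = 198.51.100.20:51820
AllowedIPs = 10.101.0.1/32
[Peer]
PublicKey = NODE_B_PUBLIC_KEY_PLACEHOLDER
Endpoint = 198.51.100.21:51820
AllowedIPs = 10.101.0.2/32
"""
```

The DNS warning on the full-tunnel case is the one most often missed in practice: if the client keeps using its local resolver, whoever runs that resolver still sees which sites you look up, even though the traffic itself goes through the VPN.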
Now that we’ve described the four use cases, let’s demonstrate them with four examples, using Netmaker and WireGuard®. In each example, we will set up a different VPN using the same Netmaker server, which can create and manage many networks:
**Personal:** We will set up a VPN, and use it to access **the internet** from our phone.
**Remote Access:** We will set up a VPN, and use it to access **our home network** from our phone.
**Site-to-Site:** We will set up a VPN, and use it to make a private subnet accessible from a cloud environment and vice-versa.
**Mesh:** We will set up a VPN, and connect VMs in different clouds together so they can coordinate.
In part one, we will cover the first two examples, which are more relevant to individuals, and then in part two we’ll move on to site-to-site and mesh VPN’s, which are more relevant to organizations.
A Netmaker server will manage our various networks. Netmaker is a platform for deploying and automating WireGuard-based networks. We’re going to be running the quick install. The instructions can also be found in the README on GitHub.
To deploy Netmaker, you will need a cloud VM, or really any machine with a public IP. I’m using a $5/mo Digital Ocean Droplet (You can get $100 in free credit here using our referral code).
We recommend deploying an Ubuntu 20.04 instance. Most importantly, remember to **open the firewall** for your VM, and configure security groups if necessary. The following ports must be open and reachable on the machine (you will also need SSH on 22/TCP to run the installer; restrict that to your own address rather than the whole internet):
443 (TCP and UDP)
53 (TCP and UDP)
If you are using DigitalOcean, those ports will already be open. Once you’ve created a VM and opened the ports, deploying Netmaker is a breeze. Just run the following command:
```bash
ssh root@yourhost 'wget -qO - https://raw.githubusercontent.com/gravitl/netmaker/develop/scripts/nm-quick.sh | bash -s -- -v true -c 10'
```

The single quotes matter: they make the whole pipeline run on the server. Without them your local shell owns the pipe, so wget runs remotely but bash runs on your own machine. Also be aware of what this does: it pulls a script from the project’s develop branch and executes it as root. If you prefer to look before you leap, fetch nm-quick.sh to a file on the server, read it, and then run it with the same -v true -c 10 arguments.
This command will install WireGuard® and some other local dependencies, deploy Netmaker, and configure Netmaker with **two networks**: a default (peer-to-peer) network and a “VPN” network (the latter is what the options -v true -c 10 add).
Do not clear the output, which contains valuable information for configuring the network; you may want to save it in a text editor. Treat the KEY= token in it like a password: it is an enrollment credential, and anyone who has it can join a machine to your network. Example output:
```text
checking for root permissions...
setting flags...
checking for root permissions...
checking dependencies...
setting caddyfile...
setting docker-compose...
starting containers...
visit dashboard.nm.148-188-172-168.nip.io to log in
creating default network (10.101.0.0/16)
creating default key
configuring netmaker server as ingress gateway
finished configuring server and network. You can now add clients.

For Linux and Mac clients, install with the following command:
curl -sfL https://raw.githubusercontent.com/gravitl/netmaker/develop/scripts/netclient-install.sh | sudo KEY=eyaJjbb3JcaiaaefI6IjE0N5y4xOa6aDeIeuMTcyaaLjaE2OCIsImFwaWNviJhcGkubm0uMTQ3LTE4Maefi0xNzItMTY4Lm5pcC5pbaDMiLCJhcGloba3NaefiYXBpLm5tLjEa0Ny0xODItMTsrgaBjd2dwb3J0IjoiIiwiZ3JwY3dncHViasrgiIiwiZ3JwaY3dnZW5kxfahiOiIaifQ== sh -

For Windows clients, perform the following from powershell, as administrator:
1. Make sure WireGuardNT is installed - https://download.wireguard.com/windows-client/wireguard-installer.exe
2. Download netclient.exe - wget https://github.com/gravitl/netmaker/releases/download/latest/netclient.exe
3. Install Netclient - powershell.exe .\netclient.exe join -t eyaJjbb3JcaiaaefI6IjE0N5y4xOa6aDeIeuMTcyaaLjaE2OCIsImFwaWNviJhcGkubm0uMTQ3LTE4Maefi0xNzItMTY4Lm5pcC5pbaDMiLCJhcGloba3NaefiYXBpLm5tLjEa0Ny0xODItMTsrgaBjd2dwb3J0IjoiIiwiZ3JwY3dncHViasrgiIiwiZ3JwaY3dnZW5kxfahiOiIaifQ==
4. Whitelist C:\ProgramData\Netclient in Windows Defender

For Android and iOS clients, perform the following steps:
1. Log into UI at dashboard.nm.147-182-172-168.nip.io
2. Navigate to "EXTERNAL CLIENTS" tab
3. Select the gateway and create clients
4. Scan the QR Code from WireGuard app in iOS or Android

Netmaker setup is now complete. You are ready to begin using Netmaker.

creating vpn network (10.201.0.0/16)
configuring netmaker server as vpn inlet...
configuring netmaker server vpn gateway...
creating client configs...
finished configuring vpn server.

To configure clients, perform the following steps:
1. log into dashboard.nm.148-188-172-168.nip.io
2. Navigate to "EXTERNAL CLIENTS" tab
3. Download or scan a client config (vpnclient-x) to the appropriate device
4. Follow the steps for your system to configure WireGuard on the appropriate device
5. Create and delete clients as necessary. Changes to netmaker server settings require regenerating ext clients.

Netmaker setup is now complete. You are ready to begin using Netmaker.
```
That last block of five client steps is what we will use for our first VPN.
As we discussed earlier, a personal VPN allows you to browse the web with some anonymity. Typically, you pay a company to host the VPN for you. Here, we have just deployed our own VPN server, so we will use that instead.
By running the Netmaker install script with the optional -v true flag, Netmaker set up a Personal (Private Browsing) VPN for us. All we need to do is follow the last five steps of that output.
1. Navigate to the dashboard and create an admin user.
2. Log in with your new admin user.
3. You are taken to the home screen. Click on EXTERNAL CLIENTS in the upper right.
4. Configure Client:
Because we passed -c 10, Netmaker created ten VPN client configs (vpnclient-1, vpnclient-2, and so on), each usable with WireGuard®. At this point, you need to decide which device(s) will use the VPN. Those devices need WireGuard installed. For this tutorial, I am connecting from a Mac, which means installing the WireGuard app from the Mac App Store.
Once you have the app, open it and click “Add Tunnel”. On a phone, choose “Create from QR Code” and scan the QR code of one of the clients (e.g., vpnclient-1); on a desktop, download that client’s config file from the dashboard and import it instead.
Activate the tunnel and visit whatsmyip.org. The address shown should now be your Netmaker server’s public IP. If it is still your own address, the tunnel is not carrying your internet traffic: check that the tunnel is actually active and that the client’s AllowedIPs is 0.0.0.0/0. Congrats! You have set up your own personal VPN.
Now, are you ready to take it to the next level?
Remember what we said about “Remote Access” VPNs? Typically they are used to access a work environment. However, you probably don’t have access to configure your corporation’s network access controls. For this tutorial, let’s just assume you want to access your home network. It actually works quite similarly.
For this, we need a “gateway” into our home network. That could be a router, or it could be a device on the network. Netmaker does not offer “official” support for routers yet (though it can be run on, for instance, OpenWRT), so we’re going to use a device on the network, namely, my personal computer.
To create a gateway with Netmaker, we need the address range and the local network interface to use. First, from my computer, I’ll check what networks I have access to:

```text
afeiszli@alex-sys76:~$ ip route
default via 192.168.40.1 dev wlo1 proto dhcp metric 600
192.168.40.0/24 dev wlo1 proto kernel scope link src 192.168.40.75 metric 600
```

Okay, so based on this, my local network is 192.168.40.0/24 (the second line, a directly connected route), and I access it over the wlo1 interface. Now, time to install the netclient.
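The two values read off the routing table above, the LAN range and the interface, are exactly what the gateway needs. Here is an added example, not Netmaker’s own code, that extracts them from ip route output and refuses to guess when more than one candidate LAN exists. The first sample is the output shown above; the second is constructed, and the rule that interfaces named nm-*, docker*, br-*, veth*, wg*, tun* are virtual is an assumption of this example.

```python
"""Added example for this tutorial (not Netmaker's own code): derive the
address range and interface a Netmaker gateway needs from `ip route` output.
The filtering rules below are this example's assumptions."""
import ipaddress
import subprocess

# Routing table shown above, copied verbatim.
SAMPLE_IP_ROUTE = """\
default via 192.168.40.1 dev wlo1 proto dhcp metric 600
192.168.40.0/24 dev wlo1 proto kernel scope link src 192.168.40.75 metric 600
"""

# Constructed: the same host after joining Netmaker (netclient naming its
# interface nm-<network> is an assumption here) and with Docker installed.
SAMPLE_WITH_VIRTUAL = SAMPLE_IP_ROUTE + """\
10.101.0.0/16 dev nm-default proto kernel scope link src 10.101.0.7
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
"""

KEYWORDS = ("via", "dev", "proto", "scope", "src", "metric", "table")


def parse_routes(output):
    """Turn each `ip route` line into a dict: destination plus keyword/value
    pairs; bare words such as 'linkdown' are collected under 'flags'."""
    routes = []
    for line in output.splitlines():
        fields = line.split()
        if not fields:
            continue
        route = {"dst": fields[0], "flags": []}
        tokens = iter(fields[1:])
        for tok in tokens:
            if tok in KEYWORDS:
                route[tok] = next(tokens, None)
            else:
                route["flags"].append(tok)
        routes.append(route)
    return routes


def lan_candidates(output, skip_prefixes=("lo", "docker", "br-", "veth", "wg", "nm-", "tun")):
    """Directly attached subnets that look like a physical LAN: 'scope link'
    routes whose interface is up and is not a loopback, bridge, container or
    tunnel device (the prefix list is an assumption; extend it for your host)."""
    found = []
    for r in parse_routes(output):
        if r["dst"] == "default" or r.get("scope") != "link" or "linkdown" in r["flags"]:
            continue
        dev = r.get("dev", "")
        if dev.startswith(skip_prefixes):
            continue
        found.append((ipaddress.ip_network(r["dst"], strict=False), dev, r.get("src")))
    return found


def gateway_settings(output):
    """Return (address_range, interface) to enter when creating the gateway.
    Refuses to guess when zero or several LANs qualify: a gateway exposes the
    whole range to every node in the network, so picking the wrong one matters."""
    cands = lan_candidates(output)
    if len(cands) != 1:
        raise ValueError(f"expected exactly one LAN, found {[(str(n), d) for n, d, _ in cands]}")
    net, dev, src = cands[0]
    if src is not None and ipaddress.ip_address(src) not in net:
        raise ValueError(f"route src {src} is not inside {net}")
    return str(net), dev


if __name__ == "__main__":
    # Live use on the would-be gateway host.
    live = subprocess.run(["ip", "route"], capture_output=True, text=True, check=True).stdout
    print(gateway_settings(live))
```

Run it on the machine you intend to make the gateway; if it raises because several LANs qualify, pick the range by hand and keep it as narrow as the services you actually need to reach.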
If you recall from the install, two networks were created, default and VPN. We’re going to use the **default** network for this setup. In the output from the install, there was a section with instructions for installing on various devices; the Linux and Mac command was:

```bash
curl -sfL https://raw.githubusercontent.com/gravitl/netmaker/develop/scripts/netclient-install.sh | sudo KEY=eyaJjbb3JcaiaaefI6IjE0N5y4xOa6aDeIeuMTcyaaLjaE2OCIsImFwaWNviJhcGkubm0uMTQ3LTE4Maefi0xNzItMTY4Lm5pcC5pbaDMiLCJhcGloba3NaefiYXBpLm5tLjEa0Ny0xODItMTsrgaBjd2dwb3J0IjoiIiwiZ3JwY3dncHViasrgiIiwiZ3JwaY3dnZW5kxfahiOiIaifQ== sh -
```

Keep in mind, a gateway can only be installed on Linux devices currently. Luckily, my computer runs Linux! So we just have to run that command.
```text
curl -sfL https://raw.githubusercontent.com/gravitl/netmaker/develop/scripts/netclient-install.sh | sudo KEY=xxxxxx sh -
checking dependencies...
wireguard
wireguard is installed
no $VERSION provided, fallback to latest
OS Version = Linux
Netclient Version = latest
Binary = netclient
2021/10/31 11:42:06 [netclient] node created on remote server...updating configs
2021/10/31 11:42:06 [netclient] retrieving peers
2021/10/31 11:42:07 [netclient] starting wireguard
2021/10/31 11:42:08 [netclient] joined default
```
Great! We’re now in the network (the last line confirms the node joined default). Going to the dashboard, we can now turn this machine into a gateway, giving it the address range 192.168.40.0/24 and the interface wlo1 that we read from ip route above.
A small icon indicates that the machine is now a gateway:
Now, any machine I add that is outside of my home network will be able to reach the whole 192.168.40.0/24 through this gateway. That is convenient, but it is also why the range should be no wider than what you actually need to reach. For instance, I’ve deployed a WordPress site that lives on 192.168.40.30:
Now, how can I access this site from the road? Let’s use an External Client, just like we did for the personal VPN, this time selecting the gateway on the default network:
We click the little plus button and confirm, and presto!
Now, connect from your phone just like before (using the WireGuard® app), and…
Nice! I now have home network access from the road.
We could have easily created the “home gateway” node on our “VPN” network, and have both in one! Secure access to our home network, and secure access to the internet. That’d be pretty great, right? If interested, I’m going to challenge you to set that up on your own.
This concludes Part 1 of our tutorial on the four types of VPNs. Subscribe to stay notified of part two, where we’ll cover how to configure a Site-to-Site virtual network and a mesh VPN network. That really gets into some heavy networking stuff, and is meant for more advanced users. In the meantime, feel free to check out more examples for running Netmaker on our Resources Page.
*Disclaimer: WireGuard is a registered trademark of Jason A. Donenfeld.*