From 998419ead1666e25d30465cbde41827084f10e9c Mon Sep 17 00:00:00 2001 From: Abhishek K <32607604+abhishek9686@users.noreply.github.com> Date: Wed, 24 Jan 2024 21:08:54 +0530 Subject: [PATCH 1/6] Update install.rst --- install.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install.rst b/install.rst index c408206e..d3958f23 100644 --- a/install.rst +++ b/install.rst @@ -22,7 +22,7 @@ After trial period ends: a. if you wish to continue using PRO :- - i. check these steps to obtain pro license ``_ + i. check these steps to obtain pro license ``_ ii. Run `/root/nm-quick.sh -u` b. if you wish to downgrade to community version From e4fbd7fe2442eacc0d89c9b4843b79eec8408c88 Mon Sep 17 00:00:00 2001 From: Abhishek K <32607604+abhishek9686@users.noreply.github.com> Date: Wed, 24 Jan 2024 21:10:14 +0530 Subject: [PATCH 2/6] Update manual-install.rst --- manual-install.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manual-install.rst b/manual-install.rst index 70f9be59..a43244de 100644 --- a/manual-install.rst +++ b/manual-install.rst @@ -247,7 +247,7 @@ Extra Steps for Pro ----------------------------------------------------------------------------------------------------- 1. Visit ``_ to create your account on the Netmaker SaaS platform. -2. Create a tenant of type ``self-hosted`` to obtain a license key. more details in :doc:`Netmaker Professional setup <./pro/pro-setup>` +2. Create a tenant of type ``On-Prem`` to obtain a license key. more details in :doc:`Netmaker Professional setup <./pro/pro-setup>` 3. Retrieve Tenant ID and license key from the tenant's settings tab. 4. Place the licence key and tenant ID in the netmaker.env file. 5. In the netmaker.env file, change the METRICS_EXPORTER and PROMETHEUS from off to on. From d9e2d42c792936884a0352fbd3d78686aa12bde8 Mon Sep 17 00:00:00 2001 
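Review bot: in the install.rst hunk (@@ -22,7 +22,7 @@) the removed and the added line both read ``i. check these steps to obtain pro license ``_``, so no link target is visible and the change cannot be reviewed as shown; the RST external-link form is `Link text <URL>`_ with the URL inside the angle brackets, so please confirm the + line actually carries the new URL and that the rendered page shows a working target, since a bare ``_ renders as an empty literal rather than a link.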
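Review bot: in the manual-install.rst hunk (@@ -247,7 +247,7 @@) the tenant type is renamed from ``self-hosted`` to ``On-Prem``, but the surrounding steps keep two spellings of the same word ("license key" in step 2, "licence key" in step 4) and the link in step 1 ("Visit ``_ to create your account") has no visible target; while touching this list, use one spelling and make sure the SaaS URL is present, otherwise the reader cannot reach the tenant settings tab that step 3 refers to.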
From: Abhishek K <32607604+abhishek9686@users.noreply.github.com> Date: Wed, 24 Jan 2024 21:17:45 +0530 Subject: [PATCH 3/6] Update install.rst --- install.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install.rst b/install.rst index d3958f23..3e757bdc 100644 --- a/install.rst +++ b/install.rst @@ -22,7 +22,7 @@ After trial period ends: a. if you wish to continue using PRO :- - i. check these steps to obtain pro license ``_ + i. check these steps to obtain pro license ``_ ii. Run `/root/nm-quick.sh -u` b. if you wish to downgrade to community version From e58e84ad75684ee31aaf144aa7ca2f807c3c50e1 Mon Sep 17 00:00:00 2001 From: Abhishek K <32607604+abhishek9686@users.noreply.github.com> Date: Wed, 7 Feb 2024 01:11:18 +0530 Subject: [PATCH 4/6] Update install.rst --- install.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install.rst b/install.rst index 3e757bdc..ae3b0da1 100644 --- a/install.rst +++ b/install.rst @@ -15,7 +15,7 @@ Choose the install method that makes sense for you. **IMPORTANT:** Notes on Installation - Due to the high volume of installations, the auto-generated domain has been rate-limited by the certificate provider. For this reason, we **strongly recommend** using your own domain. Using the auto-generated domain may lead to a failed installation due to rate limiting. -**IMPORTANT:** From v0.22.0 the install script will install PRO version of netmaker with a 30-day free trial, for you to try out full capabilities of netmaker. +**IMPORTANT:** From v0.22.0 the install script will install PRO version of netmaker with a 14-day free trial, for you to try out full capabilities of netmaker. After trial period ends: ========================= From 01f1c0ceac745859c0b766eb41323ce27601eea5 Mon Sep 17 00:00:00 2001 
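Review bot: the install.rst hunk in PATCH 3/6 re-edits the same line that PATCH 1/6 already changed, and as displayed both versions are again ``_ with no visible URL; squash the two commits into one and verify the final link target, because from the diff alone a reviewer cannot tell which URL ends up in the document.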
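Review bot: in the PATCH 4/6 hunk (@@ -15,7 +15,7 @@) the trial length changes from 30 to 14 days while the qualifier "From v0.22.0" stays, so the sentence now states that the 14-day trial has applied since v0.22.0; if the shorter trial only started with a later release, say from which version it applies, and check that the "After trial period ends" steps directly below still match what the installer does after 14 days.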
From: NEETweeb Date: Thu, 18 Jul 2024 00:39:46 +0800 Subject: [PATCH 5/6] Update advanced-client-install.rst --- advanced-client-install.rst | 45 +++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/advanced-client-install.rst b/advanced-client-install.rst index f35311e6..d7d9d1ee 100644 --- a/advanced-client-install.rst +++ b/advanced-client-install.rst 
@@ -188,6 +188,51 @@ An admin creates an enrollment key in the "Enrollment Keys" section of the UI. U For first time installations, you can run the Install Command. For additional networks, simply run ``netclient join -t ``. +Firewall Settings +====================== + +On Windows machines, it is possible to allow programs or applications through the firewall. Thus you might want to allow Netclient and, depending on your setup, WireGuard. + +On Linux, these necessary ports are needed to be opened: + + - UDP and TCP ports 51821-51830 + - TCP ports 80 and 443 + - UDP and TCP port 53 for DNS + +In some cases, depending on the nature of your network setup, these ports may need to be opened as well: + + - UDP ports 19302 & 3478 for STUN + - TCP port 3479 for TURN + - TCP ports 1883 & 8883 for MQTT + - TCP ports 8083 & 8084 for EMQX Websocket + - TCP port 8081 for the NM API + +If the public port is not in the range of 51821-51830, set a static one and allow that port + +For advanced use cases, you might need to view your device's firewall logs, or in case of Netclients behind a NAT, your Firewall-Appliance/Router's firewall logs. Look for blocked traffic coming in and out having origin/destination IPs of your devices. + +For example, in UFW you may do: + +.. code-block:: + + #set firewall to log only the blocked traffic + ufw logging low + +.. code-block:: + + #clear out the current logs + cat /dev/null | sudo tee /var/log/ufw.log +​ +.. code-block:: +​ #reload ufw + ufw reload + +.. code-block:: + #filter the logs + cat /var/log/ufw.log | grep -e -e + + + Managing Netclient ===================== From 848fdcc3c7a3d29edff0093a5903f2ebaaae1b3b Mon Sep 17 00:00:00 2001 From: NEETweeb Date: Mon, 22 Jul 2024 14:34:41 +0800 Subject: [PATCH 6/6] Update manual-install.rst --- manual-install.rst | 55 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 54 insertions(+), 1 deletion(-) diff --git a/manual-install.rst b/manual-install.rst index a43244de..22ddafd9 100644 
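Review bot: the port list in the advanced-client-install.rst hunk tells Netclient users to open TCP 80/443, 53, 8081, 1883/8883, 8083/8084 and the STUN/TURN ports without saying in which direction, and a reader following it will add inbound allow rules for all of them; from a node's point of view these are outbound connections to the server (API, MQTT broker, STUN/TURN, DNS), which ufw permits by default, so the only inbound rule a node needs is its WireGuard listen port, and since WireGuard is UDP only, "UDP and TCP ports 51821-51830" should say UDP only. Please state the direction for each port and keep client-side inbound exposure to the WireGuard port (or the static port the text already suggests pinning). Three smaller points: the API port is given here as 8081 while the server section of manual-install.rst opens 8089, so one of them is wrong; the last two code blocks will not render, because the lines "+​" and "+​ #reload ufw" contain U+200B zero-width spaces and lack the blank line and indentation the ``.. code-block::`` directive requires; and the final command ``cat /var/log/ufw.log | grep -e -e`` has no patterns after ``-e`` (grep would take the second ``-e`` as its pattern), so spell out the IP placeholders. Also reconsider ``cat /dev/null | sudo tee /var/log/ufw.log`` in a troubleshooting recipe: truncating the log throws away the evidence of earlier blocks, and filtering by timestamp is enough; and ``ufw logging low`` and ``ufw reload`` need ``sudo`` just as the tee line does.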
--- a/manual-install.rst +++ b/manual-install.rst @@ -87,7 +87,10 @@ At this point you should have all the system dependencies you need. 3. Open Firewall =============================== -Make sure firewall settings are set for Netmaker both on the VM and with your cloud security groups (AWS, GCP, etc). +Netmaker Server +----------------- + +Make sure firewall settings are set for Netmaker on the VM and with your cloud security groups (AWS, GCP, etc) or with your router (or firewall appliance). Make sure the following ports are open both on the VM and in the cloud security groups: @@ -104,6 +107,9 @@ Make sure the following ports are open both on the VM and in the cloud security sudo ufw allow proto tcp from any to any port 3479 sudo ufw allow proto tcp from any to any port 8089 sudo ufw allow 51821:51830/udp + sudo ufw allow proto tcp from any to any port 53 + sudo ufw allow proto udp from any to any port 53 + It is also important to make sure the server does not block forwarding traffic (it will do this by default on some providers). To ensure traffic will be forwarded: 
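Review bot: ``sudo ufw allow proto tcp from any to any port 53`` and the matching udp rule in the @@ -104,6 +107,9 @@ hunk expose the server's DNS to the whole internet; an internet-reachable resolver is a DNS-amplification target and leaks the mesh's internal hostnames, while the DNS only has to answer mesh nodes. Scope the rules to the WireGuard interface or the mesh address range, for example ``sudo ufw allow in on <wg-interface> to any port 53`` (interface name is a placeholder), and carry the same restriction into the cloud security-group bullets in the next hunk. In the @@ -87,7 +90,10 @@ hunk the new "Netmaker Server" subsection says the rules apply "with your cloud security groups ... or with your router (or firewall appliance)" but the unchanged sentence right after it still says "both on the VM and in the cloud security groups"; align the two so a home-router deployment is covered consistently.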
@@ -119,6 +125,53 @@ It is also important to make sure the server does not block forwarding traffic ( - allow 3479/tcp from all - allow 8089/tcp from all - allow 51821-51830/udp from all + - allow 53/tcp from all + - allow 53/UDP form all + + +Machines Running Netclient +------------------------------ + +As we already know, Netclient manages WireGuard on client devices (nodes). As its name suggests, Netclient is a client in a mesh topology, thus it needs to communicate with the server and with the other clients as well. Netclient will detect local changes and send them to the server when necessary. A change in IP address or port will lead to a network update to keep everything in sync. +It goes without saying that in almost all cases it is imperative that firewall must be up and running on any device that is connected to a network, especially the internet. Firewalls are inherently restrictive for good reasons. And by default, it doesn't allow any traffic that Netclient would use to function properly. + +On Windows machines, it is possible to allow programs or applications through the firewall. Thus you might want to allow Netclient and, depending on your setup, WireGuard. + +On Linux, these necessary ports are needed to be opened: + +- UDP and TCP ports 51821-51830 +- TCP ports 80 and 443 +- UDP and TCP port 53 for DNS + +In some cases, depending on the nature of your network setup, these ports may need to be opened as well: + +- UDP ports 19302 & 3478 for STUN +- TCP port 3479 for TURN +- TCP ports 1883 & 8883 for MQTT +- TCP ports 8083 & 8084 for EMQX Websocket +- TCP port 8081 for the NM API + +If the public port is not in the range of 51821-51830, set a static one and allow that port + +For advanced use cases, you might need to view your device's firewall logs, or in case of Netclients behind a NAT, your Firewall-Appliance/Router's firewall logs. Look for blocked traffic coming in and out having origin/destination IPs of your devices. 
+ +For example, in UFW you may do: + +.. code-block:: + + #set firewall to log only the blocked traffic + ufw logging low + + #clear out the current logs + cat /dev/null | sudo tee /var/log/ufw.log + + #reload ufw + ufw reload + + #filter the logs + cat /var/log/ufw.log | grep -e -e + + 4. Prepare MQ ========================
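Review bot: "- allow 53/UDP form all" has a typo (form → from) and mixes case with "51821-51830/udp" two lines above it. Beyond that, the new "Machines Running Netclient" subsection repeats the Firewall Settings text added to advanced-client-install.rst in PATCH 5/6 almost verbatim, including the same port list without inbound/outbound direction, the 8081-vs-8089 API port mismatch with the server rules just above it, and the ``cat /var/log/ufw.log | grep -e -e`` command with no patterns; keep the client firewall guidance in one file and point to it with the ``:doc:`` role this page already uses for the Pro setup, so the two copies cannot drift apart. The prose also needs a pass: "these necessary ports are needed to be opened" → "the following ports need to be open", "it is imperative that firewall must be up and running" → "a firewall should be running", and the claim that by default the firewall "doesn't allow any traffic that Netclient would use" does not hold for ufw, whose default policy allows outbound traffic, which is exactly why the list should distinguish the one inbound port (WireGuard, UDP) from the outbound connections to the server.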