Securing remote access to your DigitalOcean droplet with Netmaker can significantly enhance the security and management of your network. Netmaker is an open-source network management solution that allows you to create secure, scalable, and high-performance virtual private networks (VPNs) using WireGuard. Below is a step-by-step guide to setting up Netmaker to secure remote access to your DigitalOcean droplets:
Step 1: Set Up a DigitalOcean Droplet for Netmaker

Create a Droplet:
- Log in to your DigitalOcean account.
- Create a new droplet using Ubuntu 22.04 LTS.
- Choose a droplet size appropriate for your needs (2GB RAM is a good starting point).
- Add your SSH key for secure access.
- Choose a data center region.
- Click "Create Droplet".
Access Your Droplet:
- Open a terminal on your local machine.
- Connect to your droplet using its IP address:
    ssh root@your_droplet_ip

Update Your System:
    sudo apt update
    sudo apt upgrade -y

Install Docker:
    sudo apt install -y docker.io
    sudo systemctl start docker
    sudo systemctl enable docker

Install Docker Compose:
    sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
    sudo chmod +x /usr/local/bin/docker-compose

Clone the Netmaker Repository:
    git clone https://github.com/gravitl/netmaker.git
    cd netmaker
Configure Environment Variables:
- Create an .env file in the root of the netmaker directory and populate it with the necessary environment variables:
    nano .env
- Example .env configuration (replace the placeholder values, including the changeme password, with your own):
    SERVER_NAME=netmaker
    SERVER_IP=your_droplet_ip
    SERVER_PORT=443
    API_PORT=8081
    DASHBOARD_PORT=8082
    MQ_USERNAME=netmaker
    MQ_PASSWORD=changeme

Start Netmaker with Docker Compose:
    sudo docker-compose up -d
Install WireGuard:
- On Ubuntu:
    sudo apt install wireguard
- On macOS:
    brew install wireguard-tools
- On Windows: download and install WireGuard from the official website.

Generate WireGuard Keys:
    wg genkey | tee privatekey | wg pubkey > publickey
Configure WireGuard Client:
- Create a configuration file (e.g., wg0.conf).
- Example wg0.conf:
    [Interface]
    PrivateKey = your_private_key
    Address = 10.0.0.2/24
    DNS = 1.1.1.1

    [Peer]
    PublicKey = server_public_key
    Endpoint = your_droplet_ip:51820
    AllowedIPs = 0.0.0.0/0
    PersistentKeepalive = 21
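Before bringing the tunnel up, it is worth checking the client config for the two mistakes this template invites: a placeholder left where a 32-byte key belongs, and an AllowedIPs of 0.0.0.0/0 that routes every packet from the client through the droplet. The checker below is an added example, not code from the guide or from Netmaker; the helper names (parse_wg_conf, is_wg_key, check_wg_conf) and the embedded sample config are constructed here.

```python
import base64
import ipaddress
# Constructed sample: the guide's wg0.conf template with its placeholders still in place.
SAMPLE_WG0 = """[Interface]
PrivateKey = your_private_key
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = server_public_key
Endpoint = your_droplet_ip:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21
"""

def parse_wg_conf(text):
    """Parse a wg-quick style INI file into {section: {key: value}} (hypothetical helper)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # blank and comment lines fall through
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def is_wg_key(value):
    # A WireGuard key is exactly 32 bytes, base64 encoded; a placeholder string fails this.
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def check_wg_conf(text):
    """Return findings to resolve before wg-quick up; an empty list means the config looks sane."""
    conf, findings = parse_wg_conf(text), []
    for section, key in (("Interface", "PrivateKey"), ("Peer", "PublicKey")):
        if not is_wg_key(conf.get(section, {}).get(key, "")):
            findings.append(f"{section}.{key} is not a valid WireGuard key (placeholder left in?)")
    peer = conf.get("Peer", {})
    host, _, port = peer.get("Endpoint", "").rpartition(":")
    if not (host and port.isdigit() and 0 < int(port) < 65536):
        findings.append("Peer.Endpoint must be host:port")
    allowed = [ipaddress.ip_network(n.strip(), strict=False)
               for n in peer.get("AllowedIPs", "").split(",") if n.strip()]
    if any(net.prefixlen == 0 for net in allowed):
        findings.append("AllowedIPs 0.0.0.0/0 routes all client traffic via the droplet; narrow it if unintended")
    return findings
```

Running check_wg_conf on the template as written reports the two placeholder keys and the full-tunnel AllowedIPs; it returns an empty list once real keys are in place and AllowedIPs is limited to the VPN subnet.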

Start WireGuard:
- On Ubuntu/macOS:
    sudo wg-quick up wg0
- On Windows: import the wg0.conf file into the WireGuard application and activate the tunnel.
Access Netmaker Dashboard:
- Open a web browser and navigate to https://your_droplet_ip:8082.
- Log in with the default credentials or the ones you configured.

Add Machines to the Network:
- Use the Netmaker dashboard to add new nodes (machines) to your WireGuard network.
- Follow the instructions provided in the Netmaker documentation to securely connect additional devices.

Enable UFW Firewall:
    sudo ufw allow OpenSSH
    sudo ufw allow 443/tcp
    sudo ufw allow 51820/udp
    sudo ufw enable
Set Up SSL with Let’s Encrypt:
- Install Certbot:
    sudo apt install certbot
    sudo apt install python3-certbot-nginx
- Obtain an SSL certificate:
    sudo certbot --nginx -d your_domain

Configure Nginx for SSL:
- Edit the Nginx configuration to use the obtained SSL certificate:
    sudo nano /etc/nginx/sites-available/default
- Ensure the configuration includes:
    server {
        listen 443 ssl;
        server_name your_domain;
        ssl_certificate /etc/letsencrypt/live/your_domain/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/your_domain/privkey.pem;

        location / {
            proxy_pass http://localhost:8082;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

Restart Nginx:
    sudo systemctl restart nginx
By following these steps, you will have set up a secure remote access network using Netmaker on DigitalOcean. This will enable you to manage and secure your droplets and other connected devices with ease.