I am currently using Netmaker for routing all traffic out of a server in which I control the IP address in order to whitelist that IP address in certain services. This way users that need access to those services only need to connect to the Netmaker network.
Current setup
Single node configured as ingress and egress gateway. Egress gateway ranges are 0.0.0.0/0.
All other clients are added as external clients for the following reasons:
- 0.0.0.0/0 is not added to AllowedIPs due to this check: https://github.com/gravitl/netmaker/blob/develop/netclient/server/grpc.go#L230:L232
- I need to add 0.0.0.0/0 and ::/0 to the AllowedIPs section of the wireguard config manually
- I need to add DNS = x.x.x.x to the Interface section of the wireguard config manually
Proposal 1
Remove the check mentioned above.
- It would still work because the public endpoint would still be accessible through the gateway
- It will probably change the route of the packets since they will go through the gateway, so maybe it could be added as an opt-in feature
Proposal 2
Invert the logic and configure wireguard so that certain IP addrs (the public endpoint IP addrs of the peers) are not present in AllowedIPs
- I don't think wireguard config supports this functionality out of the box
- I don't know how to calculate the IP ranges that would exclude certain addresses from a certain range
Proposal 3
Allow defining domains in addition to IP ranges on the egress gateway config. This avoids the need to define a 0.0.0.0/0 egress gateway for my use case. (I can do the same manually but the IP addresses of the services are dynamic).
Netmaker server could resolve these domains into IP addresses at a certain time interval or on check-in and add them to the AllowedIPs of the wireguard config dynamically, as it does when other nodes are added to the network.
This has the advantage of keeping the traffic through the gateway server lower because only specific traffic gets routed through it.
I am actually using this approach on the nodes of a k8s cluster where I use Terraform to resolve the IP addresses for certain domains and add them to the config generated by Netmaker's external client config.
Priority
I would say proposal 1 is a must have just for the sake of supporting the internet gateway use-case with Netclient and proposal 3 would be really awesome to have.
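As an added illustration of the range calculation asked about in Proposal 2 (not code from the issue or from Netmaker): Python's standard `ipaddress` module can carve 0.0.0.0/0 and ::/0 into the CIDR blocks that leave out given peer endpoint addresses, so the result can be pasted into a WireGuard `AllowedIPs` line. The endpoint addresses below are constructed examples.

```python
"""Constructed example for Proposal 2: AllowedIPs covering everything
except the peers' public endpoint addresses, computed with ipaddress."""
import ipaddress
from typing import Iterable, List


def exclude_hosts(full: str, hosts: Iterable[str]) -> List[str]:
    """Return the CIDR blocks of `full` minus each host in `hosts`.

    Every excluded host splits the block containing it around itself with
    ipaddress.address_exclude; the result is the minimal set of blocks,
    sorted so the generated config is stable across runs.
    """
    base = ipaddress.ip_network(full)
    remaining = [base]
    for host in hosts:
        addr = ipaddress.ip_network(host)      # "203.0.113.10" -> /32
        if addr.version != base.version:
            continue                           # v6 hosts do not carve v4 space
        carved = []
        for block in remaining:
            if addr.subnet_of(block):
                carved.extend(block.address_exclude(addr))
            else:
                carved.append(block)
        remaining = carved
    return [str(n) for n in sorted(remaining)]

def allowed_ips(endpoints: Iterable[str]) -> str:
    """AllowedIPs value for a full-tunnel peer, minus its own endpoints."""
    endpoints = list(endpoints)
    blocks = exclude_hosts("0.0.0.0/0", endpoints) + exclude_hosts("::/0", endpoints)
    return ", ".join(blocks)

def covers(blocks: List[str], ip: str) -> bool:
    """True if `ip` is inside any block (mismatched versions never match)."""
    target = ipaddress.ip_address(ip)
    return any(target in ipaddress.ip_network(b) for b in blocks)

def address_count(blocks: List[str]) -> int:
    """Number of addresses the (non-overlapping) blocks cover in total."""
    return sum(ipaddress.ip_network(b).num_addresses for b in blocks)

if __name__ == "__main__":
    # Constructed public endpoints of peers that must stay reachable directly.
    peers = ["203.0.113.10", "198.51.100.7", "2001:db8::1"]
    print("[Peer]\nAllowedIPs = " + allowed_ips(peers))
```

Because WireGuard's cryptokey routing only claims the prefixes listed in AllowedIPs, the omitted endpoint addresses keep following the host's normal default route instead of entering the tunnel.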