Merge pull request #296 from gravitl/develop
Develop
abhishek9686 authored Apr 18, 2024
2 parents ae21ae0 + ca3c4bb commit 646f098
Showing 17 changed files with 238 additions and 58 deletions.
2 changes: 1 addition & 1 deletion about.rst
Expand Up @@ -21,7 +21,7 @@ Netmaker is a tool for creating and managing virtual overlay networks. If you ha
Netmaker takes these machines and creates a flat network so that they can all talk to each other easily and securely.
If you're familiar with AWS, it's like a VPC but made up of arbitrary computers. From the machine's perspective, all these other machines are in the same neighborhood, even if they're spread all over the world.

Beyond creating a flat network, Netmaker introduces Ingress and Egress, which are gateways that control the flow of traffic into and out of the network. Netmaker also has ACLs, which control exactly which machines can reach each other. The end result is you can create much more complex networks than a simple mesh.
Beyond creating a flat network, Netmaker introduces Remote Access Gateway and Egress, which are gateways that control the flow of traffic into and out of the network. Netmaker also has ACLs, which control exactly which machines can reach each other. The end result is you can create much more complex networks than a simple mesh.

.. image:: images/netmaker-advanced.png
:width: 80%
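Review bot: the rewritten sentence on the `+` line reads "Remote Access Gateway and Egress, which are gateways"; since both are gateway roles, "Remote Access Gateways and Egress Gateways, which control the flow of traffic into and out of the network" reads evenly and uses the capitalised role name that the egress-gateway.rst changes in this same PR use.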
52 changes: 50 additions & 2 deletions egress-gateway.rst
Expand Up @@ -53,14 +53,14 @@ Use Cases
1) Remote Access
-------------------

A common scenario would be to combine this with an "Ingress Gateway" to create a simple method for accessing a home or office network. Such a setup would typically have only two nodes: the ingress and egress gateways. The Ingress Gateway should usually be globally accessible, which makes the Netmaker server itself a good candidate. This means you need only the Netmaker server as the Ingress, and one additional machine (in the private network you wish to reach), as the Egress.
A common scenario would be to combine this with a "Remote Access Gateway" to create a simple method for accessing a home or office network. Such a setup would typically have only two nodes: the remote access and egress gateways. The Remote Access Gateway should usually be globally accessible, which makes the Netmaker server itself a good candidate. This means you need only the Netmaker server as the Remote Access Gateway, and one additional machine (in the private network you wish to reach), as the Egress.

.. image:: images/egress2.png
:width: 80%
:alt: Gateway
:align: center

In some scenarios, a single node will act as both ingress and egress! For instance, you can enable acess to a VPC using your Netmaker server, deployed with a public IP. Traffic comes in over the public IP (encrypted of course) and then routes to the VPC subnet via the egress gateway.
In some scenarios, a single node will act as both remote access gateway and egress! For instance, you can enable acess to a VPC using your Netmaker server, deployed with a public IP. Traffic comes in over the public IP (encrypted of course) and then routes to the VPC subnet via the egress gateway.

.. image:: images/egress3.png
:width: 50%
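Review bot: the second `+` line carries the pre-existing typo "acess" into the rewritten sentence; since the line is being edited anyway, change it to "access". The same line writes "remote access gateway" in lower case while the paragraph above it uses "Remote Access Gateway"; pick one form for the page.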
Expand Down Expand Up @@ -108,3 +108,51 @@ Advanced Use Cases
https://www.reddit.com/r/PFSENSE/comments/vb4r3s/ip6_masquerading
Egressing External Clients
============================

Unmanaged external clients that are directly connected to a Remote Access Gateway can also act as egressing machines. The idea is the same as egress gateways. The only difference is that Netclient is necessary with egress gateways, whilst only Wireguard is needed with egressing external clients. This feature is provisioned for situations or scenarios where installation of Netclient is not ideal or even possible. For example most VPN routers support WireGuard, but they are available only as plugins that are tailormade or closely coupled with the router's firmware or user interface.
While there are ways to make Netclient work for some routers, the integration could get cumbersome, obsolete, or compromising. Of course this feature is also applicable for simple or ad-hoc networking purposes so long as the external client supports iptables and IP forwarding.

At the time of this writing, this feature only supports Linux-based external clients. But the remote machines can be anything, provided they are in the same local network as one of the egressing external client's network interface.

Configuring Egressing External Clients
----------------------------------------

The configuration is pretty much the same as Egress Gateways. First, make sure that iptables is installed and IP forwarding is enabled. Please refer to your distro's documentation on how to do this. For Ubuntu you might do:

.. code-block::
#update
apt-get update
#install iptables
apt-get install iptables
#enable IP forwarding
sysctl -w net.ipv4.ip_forward=1
You can then responsibly specify the applicable egress ranges on the external client's VPN configuration, specifically in the "Additional Addresses" field as shown in the image below. It goes without saying that you can specify single addresses such as `172.16.1.2/32`.

.. image:: images/integration-config-additional-addresses.jpg
:width: 80%
:alt: Client additional IP addresses range
:align: center

Your Netmaker server will then pick up the egress ranges and propagate it to all the other managed devices in the netmaker network. And of course you can edit them anytime when necessary. For more information on how to create or edit client VPN configurations, please refer to these links:

- https://docs.netmaker.io/external-clients.html#adding-clients-to-a-gateway
- https://docs.netmaker.io/integrating-non-native-devices.html#generating-a-wireguard-configuration-file-on-remote-access-gateway

In some cases you might need to add POSTROUTING rules. In Ubuntu, you might do:

.. code-block::
#get the name of the specific network interface of the egressing client machine
# that is associated with the egress ranges that you have specified
ip a
#add the necessary POSTROUTING rule, say the interface name is `eth1`
iptables -t nat -I POSTROUTING -o eth1 -j MASQUERADE
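Review bot: the POSTROUTING rule `iptables -t nat -I POSTROUTING -o eth1 -j MASQUERADE` masquerades every packet leaving eth1, not only traffic arriving over the WireGuard tunnel, so it also rewrites the source address of the client's own LAN-bound traffic; adding a source match such as `-s <netmaker-network-cidr>` (placeholder for the address range of the Netmaker network the external client belongs to) keeps the NAT limited to tunnel traffic. Three smaller points in the same hunk: `sysctl -w net.ipv4.ip_forward=1` does not survive a reboot, so the text should say how to persist it (a drop-in under /etc/sysctl.d, for example); the paragraph "You can then responsibly specify..." follows the first code block without a blank line, which docutils reports as "Literal block ends without a blank line", and the bare `.. code-block::` directives would benefit from a language argument such as `bash`; and the new prose should use "WireGuard" consistently (the first paragraph has "Wireguard") and "tailor-made" rather than "tailormade".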
6 changes: 3 additions & 3 deletions how-to-guides.rst
Expand Up @@ -16,10 +16,10 @@ In the Netmaker UI, that node is set as an "egress gateway." Range(s) are specif

egress-gateway

Ingress Gateway/External Clients
=================================
Remote Access Gateway/External Clients
======================================

Netmaker allows for "external clients" to reach into a network and access services via an Ingress Gateway. So what is an "external client"? An external client is any machine which cannot or should not be meshed. This can include:
Netmaker allows for "external clients" to reach into a network and access services via an Remote Access Gateway. So what is an "external client"? An external client is any machine which cannot or should not be meshed. This can include:
- Phones
- Laptops
- Desktops
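Review bot: the `+` line reads "via an Remote Access Gateway"; the article was right for "Ingress" but needs to become "a" after the rename.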
Binary file added images/integration-opnsense-add-gw.jpg
Binary file added images/integration-opnsense-add-routing-entry.jpg
Binary file added images/user-mgmt-pending.png
Binary file added images/user-mgmt.png
35 changes: 25 additions & 10 deletions integrating-non-native-devices.rst
Expand Up @@ -7,15 +7,15 @@ Integrating Non-native Devices
Introduction
===============

Netmaker manages WireGuard configurations through the Netclient and the Remote Access Client (RAC) installed on the hosts and on the external clients repectively. Basically Netmaker makes WireGuard configurations, which are inherently static, dynamic. As you setup and change your network, Netmaker propagates these changes in the configuration to the affected machines installed with either Netclient or RAC.
Netmaker manages WireGuard configurations through the Netclient and the Remote Access Client (RAC) installed on the hosts and on the external clients respectively. Basically Netmaker makes WireGuard configurations, which are inherently static, dynamic. As you setup and change your network, Netmaker propagates these changes in the configuration to the affected machines installed with either Netclient or RAC.

However in some cases, it might not be ideal or even possible to install Netclient or RAC on some of your machines/devices. In these cases, Netmaker will rely upon your intervention to install WireGuard on these machines/devices and then to manually set up or change their WireGuard configurations whenever necessary. Basically, you just need to get the current WireGuard configuration (or VPN config files) from your Netmaker Remote Access Gateway and then stick it to your device in order for it to connect to your Netmaker network.


Generating a WireGuard Configuration File on Remote Access Gateway
=====================================================================

Netmaker allows you to generate and manage your VPN configuration files. For instructions on how to make a node a Remote Access Gateway and on how to create/generate VPN configuration files, please refer to the "Ingress Gateway/External Clients" section under the "How-to-Guides".
Netmaker allows you to generate and manage your VPN configuration files. For instructions on how to make a node a Remote Access Gateway and on how to create/generate VPN configuration files, please refer to the "Remote Access Gateway/External Clients" section under the "How-to-Guides".

You can also get the WireGuard VPN configuration by following these steps:

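Review bot: the `+` line fixes "repectively" but keeps "As you setup and change your network"; "setup" is the noun, the verb form is "set up". While the paragraph is open, "Basically Netmaker makes WireGuard configurations, which are inherently static, dynamic." reads more cleanly without "Basically", and the same word opens the next paragraph too.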
Expand Down Expand Up @@ -46,7 +46,8 @@ Once you have the configuration information or the configuration file, you can n
Routers and Firewall Appliances (Virtual or Bare metal)
========================================================

While Netclient can be installed on some routers and firewall appliances after which you can then configure as egress gateways, it is generally ideal to use these devices' built-in VPN feature for seamless integration. Since most modern VPN routers and firewalls today support WireGuard, they can connect to a Netmaker network as an external client, after which you can then responsibly expose the resources behind them by inputting specific IP address ranges in the 'Additional Addresses' field.
While Netclient can be installed on some routers and firewall appliances after which you can then configure as egress gateways, it is generally ideal to use these devices' built-in VPN feature for seamless integration. Since most modern VPN routers and firewalls today support WireGuard, they can connect to a Netmaker network as an external client, after which you can then responsibly expose the resources behind them by inputting specific IP address ranges in the 'Additional Addresses' field. For more information on the Egressing External Clients, please refer to this link: https://docs.netmaker.io/egress-gateway.html#egressing-external-clients.


.. image:: images/integration-config-additional-addresses.jpg
:width: 80%
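Review bot: the added reference is a hard-coded absolute URL (https://docs.netmaker.io/egress-gateway.html#egressing-external-clients) to another page of the same Sphinx project; a `:ref:` cross-reference to a label placed above the "Egressing External Clients" heading that this PR adds to egress-gateway.rst would be checked at build time and would keep working for locally built or versioned copies of the docs.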
Expand Down Expand Up @@ -123,7 +124,7 @@ If you're trying to connect to a Netmaker Internet Gateway, then click on the 'A
:alt: pfSense create an internet gateway
:align: center

G. If you just need to connect to an Internet Gateway, you don't need to do this step. Otherwise create a Firewall rule for WireGuard, allowing traffic between it and the target resource. For this guide we are going to allow ICMP traffic between WireGuard tunnel interface and the LAN so that we can do pings. Go to Firewall -> Rules -> [OPT1] and add a rule similar to what is shown in the screenshot below
G. If you just need to connect to an Internet Gateway, you don't need to do this step. Otherwise, create a Firewall rule allowing traffic from the Netmaker network to the target resource. In this guide we are going to allow ICMP traffic to the LAN so that we can do pings. Go to Firewall -> Rules -> [OPT1] and add a rule similar to what is shown in the screenshot below

.. image:: images/integration-pfsense-fw-init.jpg
:width: 80%
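Review bot: the rewritten step G now says "allowing traffic from the Netmaker network to the target resource", which is the right direction for the remote-access use case, but the rule is still described only by the screenshot; naming the source (the WireGuard tunnel network) and destination (the LAN) in words helps readers whose tunnel interface is not called OPT1, and the sentence should end with a full stop.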
Expand All @@ -135,7 +136,7 @@ G. If you just need to connect to an Internet Gateway, you don't need to do this
:alt: pfSense add firewall rule - form
:align: center

After saving the firewall rule, devices in your LAN should now be able to ping machines in your Netmaker network, and vice versa. Edit the firewall rule above or create one that would suit your needs.
After saving the firewall rule, nodes from your netmaker network should now be able to ping the egress ranges you've specified, and vice versa. Edit the firewall rule above or create another one specific to your needs.



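Review bot: "netmaker network" on the `+` line should be "Netmaker network", as the rest of the page writes it. Since the rule added in step G permits ICMP only, the "vice versa" reachability claim holds for pings; the closing sentence already invites readers to widen the rule, so it may be worth saying that other protocols need their own rule.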
Expand Down Expand Up @@ -181,7 +182,21 @@ F. go to Interfaces -> [OPT1], and then tick the 'Enable interface' and the 'Pre
:alt: OPNsense enable WireGuard tunnel interface
:align: center

G. Create a Firewall rule for WireGuard allowing traffic between it and the target resource. For this guide we are going to allow ICMP traffic between WireGuard tunnel interface and the LAN so that we can do pings. Go to Firewall -> Rules -> [OPT1] and add a rule similar to what is shown in the screenshot below
G. Create a route to the Netmaker network by first creating a gateway. Go to System -> Gateways -> Configuration, then click on the add icon and specify the tunnel interface [OPT1] and its IP

.. image:: images/integration-opnsense-add-gw.jpg
:width: 80%
:alt: OPNsense add gateway
:align: center

H. Add the necessary routing entry. Go to System -> Routes -> Configuration, then click on the 'add' icon and specify a route to the Netmaker network via the gateway created in the previous step

.. image:: images/integration-opnsense-add-routing-entry.jpg
:width: 80%
:alt: OPNsense add routing entry
:align: center

I. Create a Firewall rule for WireGuard allowing traffic between it and the target resource. In this guide we are going to allow ICMP traffic between WireGuard tunnel interface and the LAN so that we can do pings. Go to Firewall -> Rules -> [OPT1] and add a rule similar to what is shown in the screenshot below

.. image:: images/integration-opnsense-fw.jpg
:width: 80%
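Review bot: step G says to "specify the tunnel interface [OPT1] and its IP" without saying which address is meant; the text should state explicitly whether the gateway entry takes the local tunnel address or the remote peer's tunnel address. Step H should likewise name the destination the route covers (the Netmaker network CIDR) rather than "a route to the Netmaker network". Step I still reads "allowing traffic between it and the target resource", whereas the pfSense counterpart in this same PR was reworded to "allowing traffic from the Netmaker network to the target resource"; the same wording here would keep the two guides consistent.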
Expand Down Expand Up @@ -211,14 +226,14 @@ WireGuard interface configuration:

.. code-block::
/interface/WireGuard
/interface/wireguard
add name=wg-netmaker mtu=1420 private-key="iMfHqGANXMJHGMBKwuo89txiU3/9edC20TxWpFtmU2Y="
Peer configuration:

.. code-block::
/interface/WireGuard/peers
/interface/wireguard/peers
add allowed-address=10.40.70.0/24 endpoint-address=188.166.235.45 endpoint-port=51821 interface=wg-netmaker public-key="GM80g/eeXgkOrk0yYtdhhU73ETHffpojG2Ewd+N4kXI=" persistent-keepalive=20 client-dns=159.159.159.159
IP and routing configuration:
Expand All @@ -230,7 +245,7 @@ IP and routing configuration:
/ip/route
add dst-address=10.40.70.0/24 gateway=wg-netmaker
And that's it. Devices in your LAN should now be able to reach machines in your Netmaker network, and vice versa.
And that's it. Devices from your LAN should now be able to reach machines in your Netmaker network, and vice versa.

For more information, please refer to this guide from MikroTik's documentation page: https://help.mikrotik.com/docs/display/ROS/WireGuard.

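Review bot: the `+` lines correct the menu path case, but the unchanged `add name=wg-netmaker mtu=1420 private-key="iMfHqGANXMJHGMBKwuo89txiU3/9edC20TxWpFtmU2Y="` line still publishes a complete WireGuard private key, and the peer line a concrete endpoint address; readers copy these blocks verbatim, so replace them with placeholders such as private-key="<your-private-key>" and endpoint-address=<remote-access-gateway-ip>, and treat any key that has appeared in public documentation as unusable. The "Peer configuration:" line also follows the code block without a blank line, which docutils reports as a literal block ending without a blank line.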
Expand Down Expand Up @@ -278,7 +293,7 @@ E. go to Status -> WireGuard and make sure that a handshake has taken place. If
:alt: OpenWrt - WireGuard tunnel status
:align: center

F. go to Network -> Firewall, and then add a zone allowing traffic between the WireGuard tunnel and the LAN. Please do add your own version of Firewall rule that is tight, specific and according to your needs
F. go to Network -> Firewall, and then add a zone allowing traffic between the WireGuard tunnel and the LAN. Please do add your own version of Firewall rule that is tight and specific to your needs. Save and apply the changes made.

.. image:: images/integration-openwrt-wg-fw.jpg
:width: 80%
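Review bot: the `+` line asks for a rule that is "tight and specific", yet the step itself describes a zone "allowing traffic between the WireGuard tunnel and the LAN", i.e. forwarding in both directions; if the goal is only to reach LAN resources from the Netmaker network, a forwarding from the WireGuard zone to lan is sufficient, and the sentence could say so rather than leave the narrowing to the reader. Adding "Save and apply the changes made." is a welcome addition.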
2 changes: 1 addition & 1 deletion netclient.rst
Expand Up @@ -195,7 +195,7 @@ By using this method, you can run many netclients on the same host and just incr


**IMPORTANT:**
For docker netclient to function correctly as either ingress/egress gateway, you need to additionally run the following commands on the host machine:
For docker netclient to function correctly as either remote access/egress gateway, you need to additionally run the following commands on the host machine:

1. `iptables -I DOCKER-USER -i netmaker -j ACCEPT`
2. `iptables -I DOCKER-USER -o netmaker -j ACCEPT`
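Review bot: the two `iptables -I DOCKER-USER ... -j ACCEPT` rules are inserted at the top of DOCKER-USER, so they take precedence over any restriction an operator has placed in that chain, and, like all iptables rules, they are lost on reboot; the IMPORTANT block should say that they must be persisted (iptables-persistent or an equivalent) and that `netmaker` in `-i netmaker` / `-o netmaker` is the interface name, to be adjusted if the interface is named differently. Wording on the `+` line: "as either remote access/egress gateway" reads better as "as either a remote access or an egress gateway".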
0 comments on commit 646f098
