WireGuard requires an open UDP port, by default 51820.
NetMaker, at least based on the quick install manual, asks you to open up the following:
- 443, 80 (tcp)
- 3479, 8089 (TURN, TURN api)
- 8085 (exporter EE)
- 1883, 8883, 8033, 18083 (if using EMQX)
But perhaps none of these are required for actual WAN/Wireguard connections and one needs only limited access to these ports in order to configure the software.
You can lock it down a good amount:
- 80 is only required for Caddy to request certificates. If you BYO certs, you can take that off
- TURN is optional, so if you disable TURN you don't need 3479 or 8089
- The remaining ports are only for specific features (EMQX and Prometheus exporter) which are not enabled by default.
So really, you could get it down to just 443. However, this should be better documented.
Also worth noting these are all server-side requirements. The actual WireGuard clients do not need these ports open.
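A server-side firewall ruleset that matches the reduced exposure described in the reply above, as an added example; it is not from the thread or from the Netmaker project. The port roles are the ones listed above (51820/udp for WireGuard, 443/tcp for the API/UI, 80/tcp only for Caddy's ACME challenge, 3479 and 8089 for TURN, 1883/8883/8033/18083 for EMQX, 8085 for the exporter). The table name `netmaker_fw`, the feature flags and the omission of an SSH/management rule are assumptions of this example, not anything Netmaker ships.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset for a Netmaker server that opens only
# the ports the enabled features need. Not Netmaker's own configuration.
#
# netmaker_ruleset BYO_CERTS TURN EMQX EXPORTER   (each 0 or 1, default 0)
#   BYO_CERTS=1  you supply your own certs, so Caddy needs no 80/tcp for ACME
#   TURN=1       TURN relay enabled (3479 TURN, 8089 TURN API)
#   EMQX=1       EMQX broker exposed (1883, 8883, 8033, 18083)
#   EXPORTER=1   Prometheus exporter exposed (8085)
#
# Deliberately absent (assumption of this example): an SSH/management rule.
# Add one restricted to your admin source range before loading this.
netmaker_ruleset() {
    byo_certs=${1:-0}
    turn=${2:-0}
    emqx=${3:-0}
    exporter=${4:-0}

    printf '%s\n' 'table inet netmaker_fw {'
    printf '%s\n' '  chain input {'
    printf '%s\n' '    type filter hook input priority 0; policy drop;'
    printf '%s\n' '    ct state established,related accept'
    printf '%s\n' '    ct state invalid drop'
    printf '%s\n' '    iif lo accept'
    printf '%s\n' '    icmp type echo-request accept'
    printf '%s\n' '    icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept'
    # The two ports that are always required: the WireGuard endpoint and the TLS front end.
    printf '%s\n' '    udp dport 51820 accept comment "WireGuard"'
    printf '%s\n' '    tcp dport 443 accept comment "Netmaker API/UI over TLS"'
    # Everything below is conditional on an optional feature.
    [ "$byo_certs" = 1 ] || printf '%s\n' '    tcp dport 80 accept comment "Caddy ACME HTTP-01 only"'
    if [ "$turn" = 1 ]; then
        printf '%s\n' '    tcp dport 3479 accept comment "TURN"'
        printf '%s\n' '    tcp dport 8089 accept comment "TURN API"'
    fi
    if [ "$emqx" = 1 ]; then
        printf '%s\n' '    tcp dport 1883 accept comment "EMQX MQTT"'
        printf '%s\n' '    tcp dport 8883 accept comment "EMQX MQTT over TLS"'
        printf '%s\n' '    tcp dport 8033 accept comment "EMQX"'
        printf '%s\n' '    tcp dport 18083 accept comment "EMQX dashboard"'
    fi
    [ "$exporter" = 1 ] && printf '%s\n' '    tcp dport 8085 accept comment "Prometheus exporter"'
    printf '%s\n' '  }'
    printf '%s\n' '}'
    return 0
}

# List just the proto/port pairs a given flag combination exposes, so the
# result can be compared against `ss -lntu` on the host.
exposed_ports() {
    netmaker_ruleset "$@" |
        awk '$2 == "dport" && $4 == "accept" && ($1 == "tcp" || $1 == "udp") { print $1 "/" $3 }'
}

# Example: BYO certs, no TURN, no EMQX, no exporter -> only 51820/udp and 443/tcp.
# Load with:  netmaker_ruleset 1 0 0 0 | nft -f -
exposed_ports 1 0 0 0
```

With all flags off the ruleset opens only 51820/udp and 443/tcp, which is the "down to just 443" configuration the reply describes (plus the WireGuard port, which is unconditional). Turning a feature on adds exactly that feature's ports and nothing else, so the script doubles as a checklist of what each optional component costs in exposure.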
I use WireGuard through Tailscale to access multiple machines over SSH; with their setup I was able to reduce exposure, as I no longer need to open a port on the router.
Tailscale does this with their DERP servers.
I doubt Netmaker doesn't have an alternative to connect machines behind NAT routers; that would be a serious disadvantage for SOHO setups.