Components of a Netmaker VPN

Published May 23, 2024

All network operations scenarios consist of plugging together the same few components of Netmaker, much like Lego bricks. The scenarios differ, but the components do not, so it helps to understand what each one does and how they fit together:

Netmaker Components

  • Netmaker Server: All scenarios start with having a Netmaker server. This can be deployed either On-Prem or in our Cloud environment (SaaS). For standard scenarios we recommend SaaS, since it is the easiest way to get started. If you have specific data privacy requirements or need custom OAuth, then you will want to deploy On-Prem.
  • Network: In all scenarios you will need at least one network, and more than one if you are providing access to different sites or segmenting access to the same site between different groups of users or devices. A Network in Netmaker is simply a logical, virtual subnet: it is a VPN, and Netmaker can manage many of them. A Network can be IPv4, IPv6, or both.
  • Netclient: All scenarios require at least one Netclient (the most basic scenarios require only one). This is the “local VPN configurator” agent of Netmaker. A host running the Netclient is what can act as an Egress Gateway, Remote Access Gateway, Internet Gateway, or Relay, which is why every scenario needs one.
  • Host: Netclients added to the network appear as “Hosts” in the system. A Host has settings at two scopes: global and per-network. Global settings include things like the hostname and MTU, and take effect across networks (a Host can be a member of multiple networks). Network-scoped settings include things like the virtual address on that network and gateway roles (such as making it a Remote Access Gateway). This lets a single device act as a gateway in multiple networks while keeping them segmented.
  • Remote Access Gateway: All remote access scenarios, and many site-to-site scenarios, require a Remote Access Gateway. It enables three things:
    • Users can authenticate and access the network from their devices using the Remote Access Client.
    • Any device that supports WireGuard can access, and be accessed from, the network using a static VPN config file.
    • Sites can be connected via routers configured with a WireGuard VPN config file.

At its core, the Remote Access Gateway manages “VPN Config Files”: WireGuard-compatible config files that can be run on most devices. For users, these files are generated dynamically via the Remote Access Client; for devices and routers, static files can be generated, customized, and applied to the device. Because each file embeds that device's WireGuard private key, treat it like any other credential.

  • Egress Gateway: Many scenarios require access to a subnet at a site, which an Egress Gateway provides. It is a device running the Netclient inside the site's network that forwards VPN traffic to the local subnet. The alternative is a router or other device configured with a static “VPN Config File”, as described above. Both approaches are collectively referred to as “local gateways”, and each has trade-offs, but for most standard use cases we recommend an Egress Gateway.
  • Internet Gateway: The Internet Gateway is configured much like an Egress Gateway, with one key difference: it creates a full-tunnel VPN, so all of a client's traffic, including internet-bound traffic, is routed through the gateway. If you want users to reach the internet via a device on the network (for instance, routing internet traffic through the office), use the Internet Gateway feature.
  • Relay Server: Some scenarios need an intermediary when a site's network is restrictive enough that Netclients cannot reach each other directly. The Relay forwards traffic between such Netclients.

Additional Components

There are standard components that come into play when configuring your network that are not specific to the Netmaker server/client configuration. It is important to have an understanding of these key components.

  • Public Linux Server: Most scenarios require at least one public-facing Linux server. Either it is deployed in a cloud environment, or you have configured routing/firewall rules in a data center or office network so that the server has a reliable endpoint for the VPN at <public ip>:<port>. This server typically acts as Remote Access Gateway, Egress Gateway, Relay Server, Internet Gateway, Netmaker Server (for on-prem setups), or some combination of these.
  • Router Configuration: If you want traffic to go through a router, you will have to configure the router. The specifics will depend on your scenario, but most likely, the router will need to be configured with WireGuard and a VPN Config File, which is attached to a Remote Access Gateway. Alternatively, you may need to set up rules on the Router to route traffic through a local device that is running the netclient.
  • Routing Configuration: If you are configuring a network so that devices can route traffic through the VPN, without needing the VPN client, then they will need to have routing rules that tell them where to send traffic. This must either be done on the router (as explained above), or, if that is not an option, by configuring all devices on the network with additional routing rules. For instance, adding a routing rule to your VPC to send VPN-bound traffic via the device in the environment running the VPN client.
  • WireGuard: Every device integrated into the network must run WireGuard. The Netclient installers install it automatically; routers and other devices that cannot run the Netclient need WireGuard installed and configured by hand. Most devices support WireGuard, so the remaining work is learning how to configure it on each target platform.
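
The Routing Configuration bullet above is where site-to-site setups most often go wrong: a LAN device without the netclient only reaches the VPN if its routing table sends the VPN subnet to the local gateway instead of to the default route. The Python below is an added example for this guide, not Netmaker's code. It parses `ip -4 route show` output, performs the same longest-prefix match the kernel does, and reports whether the VPN subnet will reach the gateway, leak to the router, or be partly hijacked by a more specific route. The two routing tables, the VPN subnet 10.101.0.0/24, the router 192.168.50.1 and the gateway 192.168.50.20 are constructed for the example.

```python
"""Check whether a LAN device that does not run the netclient has the static
route it needs to send VPN-bound traffic through the local gateway.
Added example for this guide, not Netmaker's code. The routing tables are
constructed `ip -4 route show` output; every address in them is an assumption."""
import ipaddress

# Constructed: a workstation on the 192.168.50.0/24 office LAN. Its router is
# 192.168.50.1 and the local Egress Gateway (netclient host) is 192.168.50.20.
# Without a static route, VPN traffic follows the default route to the router.
ROUTES_BEFORE = """\
default via 192.168.50.1 dev eth0 proto dhcp metric 100
192.168.50.0/24 dev eth0 proto kernel scope link src 192.168.50.42 metric 100
"""
# Constructed: the same table after adding the route suggested_route_cmd() prints.
ROUTES_AFTER = ROUTES_BEFORE + "10.101.0.0/24 via 192.168.50.20 dev eth0\n"


def parse_ip_route(text: str) -> list:
    """Parse `ip route show` lines into (network, gateway or None, device) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        gateway = device = None
        for i, token in enumerate(fields):
            if token == "via":
                gateway = ipaddress.ip_address(fields[i + 1])
            elif token == "dev":
                device = fields[i + 1]
        routes.append((ipaddress.ip_network(dst, strict=False), gateway, device))
    return routes


def next_hop(routes: list, dst: str):
    """Longest-prefix match: the route the kernel picks for one destination."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if r[0].version == addr.version and addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def vpn_route_check(routes: list, vpn_cidr: str, gateway_lan_ip: str) -> str:
    """Report whether all of vpn_cidr is forwarded to the local gateway."""
    vpn = ipaddress.ip_network(vpn_cidr)
    gateway = ipaddress.ip_address(gateway_lan_ip)
    family = [r for r in routes if r[0].version == vpn.version]
    # Routes that cover the whole VPN subnet; the most specific one wins.
    covering = [r for r in family if vpn.subnet_of(r[0])]
    if not covering:
        return f"unreachable: no route covers {vpn}"
    best = max(covering, key=lambda r: r[0].prefixlen)
    if best[1] != gateway:
        via = best[1] if best[1] is not None else f"dev {best[2]}"
        return f"leaks: {vpn} follows {best[0]} via {via}, not the gateway {gateway}"
    # A more specific route inside the VPN range would steal part of it.
    hijacked = [r[0] for r in family
                if r[0] != vpn and r[0].subnet_of(vpn) and r[1] != gateway]
    if hijacked:
        return f"partial: {hijacked[0]} bypasses the gateway"
    return "ok"


def suggested_route_cmd(vpn_cidr: str, gateway_lan_ip: str) -> str:
    """The static route to add on a Linux device; a site router takes the equivalent entry."""
    return f"ip route add {vpn_cidr} via {gateway_lan_ip}"


if __name__ == "__main__":
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(label, vpn_route_check(parse_ip_route(table), "10.101.0.0/24", "192.168.50.20"))
    print("fix:", suggested_route_cmd("10.101.0.0/24", "192.168.50.20"))
```

Running it against the "before" table reports that 10.101.0.0/24 leaks to the router via the default route; after the static route is added it reports "ok". Adding the route once on the site router, where possible, avoids repeating this on every device.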

Planning Your Setup

Here is a list of questions that will help you determine what you need for your setup. By answering them, you'll know which configuration options you need to understand as you move through the guide. Below, we've also provided flow charts that walk through the same decisions.

  • Server Deployment (All Scenarios):
    • SaaS is the easiest way to get started, but review the flow chart to see if you may want to deploy on-prem instead.
  • Local Gateway (All Scenarios):
    • Are you only configuring access to or through the site?
      • If yes, deploy a Netclient in the local environment on a Linux box and set it as an Internet Gateway or Egress Gateway.
    • Does the site have a router which you would like to use as the local gateway?
      • If the router has a compatible WireGuard plugin, generate a VPN Config File on your Remote Access Gateway and deploy it on the device.
      • If the router is not compatible, deploy an egress gateway and set routes via the router to route through the gateway (deployed on a local Linux server).
    • If deploying a Netclient, is the environment’s network very restricted?
      • If so, you likely need another Host/Netclient in the cloud to act as a Relay for this client.
  • Remote Gateway (Most Scenarios):
    • Can you set up a Linux server or Docker container that is reachable over the public internet?
      • If it is behind a router or firewall, set up port forwarding so that <public ip>:<port> reaches the Linux server.
  • Routing Rules (Remote access from, Site to Site):
    • If you want to configure access from a site and cannot deploy on the Router, configure static routes for all machines in the environment.
  • Client Access (Remote Access to):
    • Are you creating a Split Tunnel or Full Tunnel VPN for your users?
      • A split tunnel is provided via an Egress Gateway, a full tunnel via an Internet Gateway.
    • Do you need to segment access based on users, devices, clients?
      • If so, design your setup with multiple networks and/or gateways.
    • Do your users need on-demand access, or should the VPN be always on?
      • If on-demand, provide remote access client.
      • If always-on, configure devices with a static WireGuard config file.
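
The split-tunnel versus full-tunnel choice and the always-on static file option both come down to what the VPN Config File's AllowedIPs contain: an Egress Gateway peer lists only the subnets it routes, while an Internet Gateway peer lists 0.0.0.0/0 and ::/0. The Python below is an added example for this guide, not Netmaker's or WireGuard's own tooling. It parses constructed wg-quick style configs (placeholder keys, assumed gateway endpoint 203.0.113.10:51821 and assumed subnets 10.101.0.0/24 and 192.168.50.0/24), classifies each peer as split or full tunnel, and runs the checks a practitioner wants before handing a static file to a device: the file carries a private key, the Endpoint must be reachable from the public internet, and a full tunnel should cover every address family the interface uses.

```python
"""Classify static WireGuard "VPN Config Files" as split or full tunnel and run the
checks worth doing before handing one to a device. Added example for this guide, not
Netmaker's or WireGuard's code; the configs are constructed samples with placeholder
keys, and the endpoint 203.0.113.10:51821 and the subnets are assumptions."""
import ipaddress
import re
from collections import namedtuple

# Constructed: split tunnel. Only the VPN subnet and the office LAN behind an
# Egress Gateway enter the tunnel; all other traffic leaves the device normally.
SPLIT_TUNNEL_CONF = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.101.0.10/32

[Peer]
PublicKey = <remote-access-gateway-public-key>
Endpoint = 203.0.113.10:51821
AllowedIPs = 10.101.0.0/24, 192.168.50.0/24
"""
# Constructed: full tunnel. 0.0.0.0/0 and ::/0 send everything, internet included,
# through the gateway (the Internet Gateway case).
FULL_TUNNEL_CONF = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.101.0.11/32, fd00:101::11/128

[Peer]
PublicKey = <remote-access-gateway-public-key>
Endpoint = 203.0.113.10:51821
AllowedIPs = 0.0.0.0/0, ::/0
"""
# Constructed misconfiguration: a LAN address as Endpoint is unreachable from the internet.
LAN_ENDPOINT_CONF = FULL_TUNNEL_CONF.replace("203.0.113.10", "192.168.1.5")

# RFC 1918, loopback, link-local and ULA: not routable from the public internet.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

Peer = namedtuple("Peer", "endpoint allowed_ips")
WgConfig = namedtuple("WgConfig", "addresses has_private_key peers")


def _csv(values):
    """Keys may repeat and each value may be comma-separated; flatten both."""
    return [v.strip() for v in ",".join(values).split(",") if v.strip()]


def parse_wg_config(text: str) -> WgConfig:
    """Parse the INI-like wg-quick format: one [Interface], any number of [Peer]s."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and blanks
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = (header.group(1), {})
            sections.append(current)
        elif current is None:
            raise ValueError(f"key outside any section: {line!r}")
        else:
            key, _, value = line.partition("=")
            current[1].setdefault(key.strip(), []).append(value.strip())
    (iface,) = [kv for name, kv in sections if name == "Interface"]   # exactly one, else ValueError
    peers = [Peer(kv.get("Endpoint", [None])[0],
                  [ipaddress.ip_network(n, strict=False) for n in _csv(kv.get("AllowedIPs", []))])
             for name, kv in sections if name == "Peer"]
    return WgConfig([ipaddress.ip_interface(a) for a in _csv(iface.get("Address", []))],
                    "PrivateKey" in iface, peers)


def tunnel_mode(peer: Peer) -> str:
    """'full' when a default route (0.0.0.0/0 or ::/0) is in AllowedIPs, otherwise 'split'."""
    return "full" if any(n.prefixlen == 0 for n in peer.allowed_ips) else "split"


def check_config(cfg: WgConfig) -> list:
    """Human-readable findings; an empty list means nothing to flag."""
    findings = []
    if cfg.has_private_key:
        findings.append("file embeds the device's private key: handle it as a credential")
    for peer in cfg.peers:
        if peer.endpoint is None:                     # no Endpoint: this side only accepts
            continue
        host, sep, port = peer.endpoint.rpartition(":")
        if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append(f"malformed Endpoint {peer.endpoint!r}")
            continue
        try:
            ip = ipaddress.ip_address(host.strip("[]"))   # IPv6 endpoints are written [addr]:port
        except ValueError:
            ip = None                                     # a hostname, resolved at connect time
        if ip is not None and any(ip in net for net in NON_ROUTABLE):
            findings.append(f"Endpoint {ip} is not reachable from the public internet")
        # A full tunnel that routes only one address family lets the other bypass the VPN.
        routed = {n.version for n in peer.allowed_ips if n.prefixlen == 0}
        if routed and {a.version for a in cfg.addresses} - routed:
            findings.append("full tunnel covers one address family only; the other bypasses the VPN")
    return findings


if __name__ == "__main__":
    for conf in (SPLIT_TUNNEL_CONF, FULL_TUNNEL_CONF, LAN_ENDPOINT_CONF):
        cfg = parse_wg_config(conf)
        print([tunnel_mode(p) for p in cfg.peers], check_config(cfg))
```

The private-key finding fires on every static file by design: it is the reminder that an always-on config handed to a device is a credential for that device, not just connection settings. The address-family check matters only for full tunnels; a split-tunnel peer never claims to carry all traffic, so nothing "bypasses" it.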

Flow charts (images): How Should You Deploy Your Server? / How Should You Deploy Your Local Gateway? / How Should You Configure Your Remote Gateway?

How many Hosts do you need?

This sounds like a lot, but in basic scenarios you will likely have just one or two Hosts, each managed by the Netclient. To review: in most scenarios you will have a Remote Gateway (accessed by Clients) and a Local Gateway. Sometimes these can be the same device.

For instance, in the case of cloud VPC access or Internet Access, you can simply deploy a device which has a public IP and access to the VPC (or internet). From Netmaker, you can then set it as both a Remote Access Gateway and an Egress Gateway, and you are all set!

Additionally, for on-prem / self-hosted deployments, this host can even be the Netmaker server itself, meaning that, besides the end-user devices, there is only one device you need to manage.

In more complex scenarios, with multiple networks, you may need to segment access to the same site based on user groups. In that case you will need multiple Remote Access Gateways and multiple Egress Gateways, each in its own network. Even then, remember that a single physical host running the Netclient can act as a gateway in multiple networks at once, so you can have an arbitrary number of networks, each with its own logical gateways, all running on one or two hosts.

In short, you may need to deploy just one Host (Netclient), or maybe 2-3, or maybe many, depending on your scenario. It is good to plan ahead and think through the best structure for your setup.

Glossary

Some terms will appear repeatedly throughout this guide. If you are unfamiliar with these terms, you can refer back to this glossary to get some context.

Authentication & Authorization (OAuth / OIDC/ 2FA): Methods for users to securely identify themselves, and be granted access to a network. Typically integrated with a company’s identity service like Microsoft 365.

VPN Config File: A static WireGuard config file, generated from a Remote Access Gateway, which can be run with WireGuard on any device, making that device reachable from, and able to reach, the Netmaker network.

Clients: Devices added to the network using a VPN Config File or the Remote Access Client, via a Remote Access Gateway.

Remote Access Gateway: A device (managed by netclient) which routes traffic to and from “Clients”.

Egress Gateway: A device (managed by netclient) which routes traffic to IP addresses outside the VPN, for instance a local office network, a cloud VPC, or specific endpoints.

Internet Gateway: A device (managed by netclient) which routes traffic to the internet from devices in the VPN. For instance, route internet traffic via a machine in the local office network.

Endpoint: A single device, typically (but not always) with a single IP address, represented by a Host / Netclient. Not to be confused with the WireGuard “Endpoint” setting, which is the <public ip>:<port> at which a peer is reached.

Host: In Netmaker, a Host is a physical device, which has been enrolled with the Netmaker server via Netclient. A host can be a part of one or more VPN networks.

Local Gateway: A machine routing traffic to the local network from the VPN. This can be either an “Egress Gateway”, which requires running the Netclient, or a manually configured “Client” via VPN Config File, which requires just WireGuard.

Netclient: An agent, binary, and service that runs on a device in order to manage VPN settings and integrate it into the VPN network created by Netmaker. It receives updates automatically from the server and configures WireGuard (the VPN protocol). The netclient can also set the device as a “gateway” in order to route traffic to/from remote devices.

Netmaker (server): The control plane of Netmaker. Typically interacted with via the Dashboard (UI) in order to create, configure, and manage virtual networks. Often referred to as the “server.”

Remote Access: Securely accessing an IP address, website, or computing resource from outside of the local network. For instance, accessing a service running in the cloud from your home computer.

Remote Access Client: Netmaker’s remote access solution, which end users install on their devices to access remote sites, via a gateway, typically using some form of authentication.

Router / Firewall: A device sitting in front of the site, that routes traffic to, from, and between devices at the site, and typically also blocks certain traffic into/out of the network.

Site: A location, typically with its own local network. For instance, devices on an office network can reach each other over a local network, without having to go over the internet.

Subnet: A range of IP addresses, typically on a private or local network, that can reach each other directly, without going through a router.

VPC: “Virtual private cloud” - A private subnet within a cloud environment, where you can deploy machines with access to each other, typically deployed so that they are not directly reachable from the public internet.

WireGuard: A VPN protocol used to encrypt traffic between devices. It is the protocol Netmaker uses, either via the netclient (which manages WireGuard) or via Clients / Client Config Files, which are unmanaged WireGuard connections to the network. WireGuard is supported on most devices, including phones, computers, and routers, and there is usually software available to manage it (the netclient is one example).
