This guide is for network administrators, MSPs, and ITSPs who need to provide secure access to, from, or through sites using a Netmaker VPN. In this overview we define the key terms and the scenarios that will be discussed throughout the guide.
A Site is any local network location: an office LAN, a data center subnet, or a cloud VPC. You may need to provide access to, from, or through these sites, either to the entire location (via a gateway) or to particular endpoints (via a VPN agent or client). A site may also be referred to as an “environment”, “subnet”, or “network” (local network, private network).
Remote Access is the process of giving users or machines located outside a site access to that site.
Remote Access typically consists of a few elements.
Source: The endpoints, devices, or users making requests. These are machines running a VPN client: either the Remote Access Client or a manually configured WireGuard client using a static Client Config. Examples:
Destination: The site being accessed from the source. More specifically, the IP addresses at the site: typically one or more CIDR ranges (subnets), or specific endpoints (individual IP addresses). Examples:
Remote Gateway: The gateway through which source machines reach the network; all traffic from source machines routes through it. In current Netmaker terminology this is the Remote Access Gateway (sometimes referred to as an Ingress Gateway or Client Gateway). The Remote Access Gateway is configured on a Host (endpoint) running the Netclient, usually a Linux server or Docker container. This host must have a reliable public IP address, and its WireGuard UDP port must be reachable from anywhere, because clients can only connect to a gateway they can reach.
Examples:
Local Gateway: The gateway that routes traffic to the destination site (target network). It is typically configured in one of two ways:
Your users or devices need to access a site remotely and securely. Ex:
Your users or devices need to access the internet via a server at a site. Ex:
Your users and devices at a site must have access to resources at a remote location. Ex:
“Site-to-Site” Networking. Two or more sites must have access to each other. Ex:
Netmaker has three primary ways to add devices and users to the VPN. Each has specific uses depending on the scenario and target device.
Server Agent: Netclient
On-Demand User Client: Remote Access Client
Static Config File: WireGuard VPN Config
The Netclient is meant to run on Linux and Windows servers that act as managed endpoints in the VPN. Servers added via the Netclient appear as Hosts in your dashboard and can be configured as gateways that route traffic for other endpoints: Remote Access Gateways, Egress Gateways, and Relays.
The Remote Access Client is provided to users so they can log into the VPN from their own devices (workstation, phone). It integrates with any OIDC-compliant identity provider, such as Google or Azure AD, and users can then connect only to the networks on which they have been granted access.
Static WireGuard VPN config files can be generated on the Remote Access Gateway to integrate non-native devices and routers, or to configure an “always on” VPN for user devices. Config files can be customized for the target device and loaded into any WireGuard-compatible application. Because a static config carries the client's private key, treat the file as a credential: distribute it over a secure channel and revoke the client on the gateway when the device is retired.
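The following is an added example, not Netmaker's own config generator. It renders a static WireGuard client config of the shape the three client types above share (one [Interface] for the source device, one [Peer] for the Remote Access Gateway) and then checks the points this overview makes: the gateway Endpoint must be a public address (the "reliable public IP" requirement), AllowedIPs decides whether the client gets split-tunnel access to the site subnets or routes all of its internet traffic through the site, and keys must be 32-byte base64 values. All keys, addresses and subnets are constructed for illustration; the "not public" check uses an explicit RFC1918/loopback/link-local/CGNAT list, which is an assumption of this example rather than a Netmaker rule.

```python
"""Render and sanity-check a static WireGuard client config for a Netmaker-style
Remote Access Gateway. Added example, not Netmaker's own generator; every key
and address below is constructed for illustration."""
import base64
import ipaddress

# A Remote Access Gateway must be reachable from anywhere, so an Endpoint in
# RFC1918, loopback, link-local or CGNAT space is treated as an error.
# Documentation ranges such as 203.0.113.0/24 are deliberately not listed so
# the example can use them as stand-ins for public addresses.
NON_PUBLIC_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]

# Constructed 32-byte values in WireGuard's base64 key format. Real keys come
# from `wg genkey` / `wg pubkey`; these only have the right shape.
CLIENT_PRIVATE_KEY = base64.b64encode(bytes(range(32))).decode()
GATEWAY_PUBLIC_KEY = base64.b64encode(bytes(range(32, 64))).decode()


def build_client_config(client_private_key, client_address, gateway_public_key,
                        gateway_endpoint, allowed_ips, keepalive=20):
    """One [Interface] for the source device, one [Peer] for the gateway.
    allowed_ips decides what is routed through the gateway: the VPN range plus
    the site subnets for split tunnel, 0.0.0.0/0 for internet via the site."""
    lines = [
        "[Interface]",
        f"PrivateKey = {client_private_key}",
        f"Address = {client_address}",
        "",
        "[Peer]",
        f"PublicKey = {gateway_public_key}",
        f"Endpoint = {gateway_endpoint}",
        f"AllowedIPs = {', '.join(allowed_ips)}",
    ]
    if keepalive is not None:  # omit only for clients with a stable public address
        lines.append(f"PersistentKeepalive = {keepalive}")
    return "\n".join(lines) + "\n"


def parse_wg_config(text):
    """Minimal INI parser that keeps repeated [Peer] sections separate
    (configparser would reject or merge them)."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        else:
            key, _, value = line.partition("=")
            sections[-1][1][key.strip()] = value.strip()
    return sections


def _is_wg_key(value):
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError
        return False


def check_client_config(text):
    """Return (problems, notes). Problems would stop the tunnel working or point
    the client at a gateway it cannot reach; notes flag deliberate but
    security-relevant choices such as full-tunnel routing."""
    problems, notes = [], []
    sections = parse_wg_config(text)
    interfaces = [s for n, s in sections if n == "Interface"]
    peers = [s for n, s in sections if n == "Peer"]
    if len(interfaces) != 1 or not peers:
        return ["need exactly one [Interface] and at least one [Peer]"], notes
    if not _is_wg_key(interfaces[0].get("PrivateKey", "")):
        problems.append("Interface PrivateKey is not a 32-byte base64 key")
    for peer in peers:
        if not _is_wg_key(peer.get("PublicKey", "")):
            problems.append("Peer PublicKey is not a 32-byte base64 key")
        host, _, port = peer.get("Endpoint", "").rpartition(":")
        if not port.isdigit():
            problems.append("Endpoint must be host:port with a UDP port")
        try:
            addr = ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            addr = None  # a DNS name is fine for the gateway endpoint
        if addr is not None and any(addr in net for net in NON_PUBLIC_NETS):
            problems.append(f"Endpoint {addr} is not public; the gateway "
                            "must be reachable from anywhere")
        for cidr in peer.get("AllowedIPs", "").split(","):
            try:
                net = ipaddress.ip_network(cidr.strip(), strict=False)
            except ValueError:
                problems.append(f"bad AllowedIPs entry {cidr.strip()!r}")
                continue
            if net.prefixlen == 0:
                notes.append("default route in AllowedIPs: all client traffic, "
                             "internet included, goes through the gateway")
        if "PersistentKeepalive" not in peer:
            notes.append("no PersistentKeepalive: a client behind NAT may "
                         "lose the tunnel when idle")
    return problems, notes
```

Running the checker over a split-tunnel config (AllowedIPs = VPN range plus the site subnet) returns no findings, while a config whose AllowedIPs is 0.0.0.0/0 is reported as full-tunnel, which is the "access the internet via a server at a site" scenario and should be a conscious choice rather than a default. A config pointing at a 192.168.x.x gateway is rejected, since a client outside the site could never reach it.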
Beyond the general type of VPN you are creating, you probably have specific requirements that will affect your setup. All of these can be configured with Netmaker, but you should be aware of your requirements ahead of time:
We will cover all of these and more in later installments of the guide.