Netmaker Operations Field Guide - Overview

Published May 20, 2024

This guide is for network administrators, MSPs, and ITSPs who need to provide secure access to, from, or through sites using a Netmaker VPN. It covers three specific scenarios:

  • Remote access to sites
  • Remote access from sites
  • Internet access through sites

In this overview we will define the key terms and scenarios that will be discussed throughout the guide.

What is a Site?

A Site is any local network location. It could be an office LAN, a data center subnet, or a cloud VPC. You may need to provide access to, from, or through these sites, either accessing the entire location (via a gateway) or particular endpoints, using a VPN agent or client. A site might be alternatively referred to as an “environment”, “subnet”, or “network” (local network, private network).

What is Remote Access?

Remote Access is the process of giving users or machines located outside a site access to that site.

Remote Access typically consists of a few elements.

Source: The endpoints, devices, or users making requests. These are machines running a VPN client: either the Remote Access Client, or a manually configured WireGuard client using a Client Config. Examples:

Destination: The site being accessed from the source. More specifically, this is the set of IP addresses at the site: typically one or more CIDR ranges (subnets), or specific endpoints (individual IP addresses).

[Figure: Remote Access Explainer]

Examples:

  • A cloud VPC
  • An office network
  • A kubernetes cluster in a data center
  • A database

Remote Gateway: This is the gateway the source machines use to enter the network. All traffic from source machines routes through the remote gateway. In Netmaker terminology, today this is called the Remote Access Gateway (sometimes referred to as an Ingress Gateway or Client Gateway). The Remote Access Gateway is configured on a Host (endpoint) running the Netclient. This host is usually a Linux server or Docker container. It must have a reliable public IP address so that it is reachable from anywhere; it is the only component in these scenarios that needs to be exposed to the internet.

Examples:

  • The netclient running in a docker container in your cloud
  • The netclient running in a linux server in your data center (with a public IP)

Local Gateway: This is the gateway which routes traffic to the destination site (target network). This gateway is typically configured in one of the following ways:

  • Egress Gateway: The most common scenario is to use an Egress Gateway. The Egress Gateway, like the Remote Access Gateway, must run on a Host running the Netclient, but does not require a public IP, so it can run in private environments. In Netmaker, you configure which IP ranges are reachable via the gateway. This creates a split-tunnel VPN for end users and devices: only traffic for those ranges goes through the tunnel.
  • Internet Gateway: This has the same requirements as the Egress Gateway, but is used to reach the internet via a full-tunnel VPN, in which all of the client's traffic goes through the tunnel.
  • VPN Config File: If access must be configured on a device which cannot run the netclient, such as a router, you can generate a VPN Config File on your Remote Access Gateway, specify the Allowed IPs of the target environment, and load the file on the gateway device, e.g. on a router using its WireGuard plugin. The configuration can be loaded by any WireGuard runtime or plugin, and WireGuard runs on most devices.
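The three options above differ, from the client's point of view, in a single setting: the Allowed IPs. As an added example (this is not a file produced by Netmaker or its Remote Access Gateway; the keys, addresses, subnet and hostname are placeholders), here is what a static WireGuard config for a router looks like, with the Egress Gateway (split-tunnel) and Internet Gateway (full-tunnel) variants side by side:

```ini
# Added example: static WireGuard client config for a device that cannot run
# the netclient (e.g. a router). All values are placeholders, not real keys.
[Interface]
# Address assigned to this client inside the VPN (placeholder)
Address = 10.10.0.50/32
PrivateKey = <client-private-key>
# Optional: a private DNS resolver reachable through the tunnel
# DNS = 10.10.0.1

[Peer]
# The Remote Access Gateway: the one component that needs a public IP
PublicKey = <remote-access-gateway-public-key>
Endpoint = gateway.example.com:51820

# Split tunnel (Egress Gateway scenario): only the VPN range and the
# destination site's subnet behind the Egress Gateway go through the tunnel.
# Everything else uses the router's normal default route.
AllowedIPs = 10.10.0.0/24, 192.168.50.0/24

# Full tunnel (Internet Gateway scenario): replace the line above with
# AllowedIPs = 0.0.0.0/0, ::/0
# so that all traffic, internet included, goes through the tunnel.

# Keep the NAT mapping open when the router sits behind another NAT
PersistentKeepalive = 25
```

AllowedIPs does double duty in WireGuard: it is the routing table (which destinations are sent into the tunnel) and the cryptokey routing check (packets arriving from this peer are dropped unless their source is inside the range). Keep the split-tunnel ranges as narrow as the site actually needs. After bringing the interface up with `wg-quick up`, confirm with `wg show` that a handshake has occurred and with `ip route get 192.168.50.1` that the destination subnet resolves to the WireGuard interface; the gateway side (forwarding and NAT on the Egress or Internet Gateway host) is configured when you create the gateway in Netmaker, not in this file.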

Remote Access to a Site

Your users or devices need to access a site remotely and securely. Ex:

  • Employees need to access an office network remotely
  • Engineers need to access a data center remotely
  • Application running on-prem needs to access cloud VPC

Internet Access through a Site

Your users or devices need to access the internet via a server at a site. Ex:

  • Employees need to access the internet through the office network
  • Customers need to access the internet through a server you manage

Remote Access from a Site

Your users and devices at a site must have access to resources at a remote location. Ex:

  • Engineers need to access the data center subnet from the office network
  • Data center resources need access to cloud services

Remote Access between Sites

“Site-to-Site” Networking. Two or more sites must have access to each other. Ex:

  • Multiple office branches
  • Hybrid cloud environment
  • VPC Peering

VPN Client Types

Netmaker has three primary ways to add devices and users to the VPN. Each has specific uses depending on the scenario and target device.

  • Server Agent: Netclient
  • On-Demand User Client: Remote Access Client
  • Static Config File: WireGuard VPN Config

The Netclient is meant to run on Linux and Windows servers that act as managed endpoints in the VPN. Servers added via the Netclient appear as Hosts in your dashboard, and can be configured as gateways that route endpoint traffic: Remote Access Gateways, Egress Gateways, and Relays.

The Remote Access Client can be provided to users so they can log into the VPN from their devices (workstation, phone). It integrates with any OIDC-compliant auth provider, such as Google or Azure AD. Users can then connect to the networks to which they have been granted access.

Static WireGuard VPN config files can be generated on the Remote Access Gateway to integrate non-native devices, routers, or to configure an “always on” VPN for user devices. Config files can be customized based on the target device and integrated using any WireGuard compatible application.

Scenario-Specific Considerations

Beyond the general type of VPN you are creating, you probably have specific requirements that will affect your setup. All of these can be configured with Netmaker, but you should be aware of your requirements ahead of time:

  • Adding a router to the VPN
  • Using a Linux device to route traffic to the local network
  • Configuring routing rules on a local network to route traffic via one VPN client, so that other devices on the network do not require the VPN client
  • Granting access only to specific devices on the local network, not to the entire network.
  • Segmenting access based on user groups
  • Creating a split-tunnel or full-tunnel VPN, or combining the two
  • Configuring private DNS on the devices
  • Integrating a local auth provider
  • Configuring always-on, on-demand, or temporary (expiring) access to the network

We will cover all these and more in later installments of the guide.
