DocsAPI

Gateways

Secure routing and access across any network barrier

IntroductionCopied!

With the release of Netmaker v0.90.0, we’ve simplified things by combining the Remote Access and Relay functionalities into a single feature called Gateways. This new unified approach simplifies the management of secure device connections and ensures reliable network access, whether for remote devices connecting through Remote Access Gateways or nodes behind restrictive network configurations like CGNAT, Double NAT, or firewalls that require Relay functionality.

Here’s how Gateways work:

  1. Remote Access – This feature allows unmanaged devices, including smartphones, laptops, desktops, routers, and IoT devices, to securely connect to a Netmaker network via a Remote Access Gateway. It enables remote devices to access the network securely, without requiring full mesh connectivity.

  2. Relay – For devices behind CGNAT, Double NAT, or restrictive firewalls, the Relay functionality ensures continuous connectivity by routing traffic through a Relay Server, keeping communication intact even when direct access isn’t possible.

With the introduction of the unified Gateways feature in v0.9.0, we’ve combined Remote Access and Relay to simplify remote connections and overcome network restrictions, ensuring stable and secure communication across various network setups.

How Gateways WorkCopied!

A Gateway is a publicly reachable node in your Netmaker network that performs one or both of the following functions:

  • Remote Access: Provides entry for Remote Access Clients using the Netmaker Desktop App or WireGuard configuration files. These clients, such as smartphones, laptops, desktops, and IoT devices, connect to the gateway to securely access network services.

  • Relay: Routes traffic for nodes that cannot establish direct peer-to-peer connections due to network restrictions (e.g., NAT or firewalls).

Configuring a GatewayCopied!

Step 1: Create a Gateway

  1. Navigate to the Gateways interface of your network in the Netmaker dashboard.

  2. Click Create Gateway and select a node to act as the gateway. This node must have a public IP address (not behind a NAT).

    • If unsure, the Netmaker server is a good default choice.

  3. Optionally, set a default DNS server for clients that will connect through the gateway.

Internet Gateway ConfigurationCopied!

Starting from Netmaker v1.0.0, a new Internet Gateway feature is available directly from the Gateways screen. This functionality allows designated gateway nodes to route traffic from your Netmaker network to the public internet, enabling scenarios such as full-tunnel VPN access for remote clients.

Only Linux devices can be configured as internet gateways. However, Windows, macOS, and Linux devices can connect to an existing internet gateway. Remote clients can also connect to internet gateways using WireGuard configuration files or the Netmaker Desktop application. Smartphones can connect through the mobile Client App.

Creating an Internet Gateway

  1. Go to the Gateways interface in the Netmaker dashboard.

  2. Click Create Gateway.

  3. Select a Linux node with a public IP to act as the Internet Gateway (similar to a VPN server).

  4. Toggle the Internet Gateway option.

  5. Set a Default Client DNS to avoid DNS leaks.

  6. Click Create Gateway to finalize setup.

A node can only be connected to one Internet Gateway, regardless of how many networks it's part of.

A node connected to an Internet Gateway cannot itself act as a gateway (chaining is not supported).

Connecting Nodes to an Internet Gateway

  1. Click on the gateway entry in the Gateways table to expand its details.

  2. Click the Connected Nodes tab if not already selected.

  3. Click Add Connected Nodes.

  4. Select one or more nodes to route traffic through this Internet Gateway.

By default, connected nodes are placed in split tunnel mode, meaning they route only internal (VPN) traffic through the gateway, while regular internet traffic still uses their local network.

To enable full tunnel mode (routing all traffic, including internet-bound), toggle Route All Traffic on the connected node entry.

Removing an Internet Gateway

  1. Navigate to the Gateways interface.

  2. Click the meatballs menu (⋯) on the gateway and select Edit to open the edit modal.

  3. Toggle off the Internet Gateway switch.

  4. Save your changes.

Relay ConfigurationCopied!

Adding Relayed Nodes

  1. Navigate to the Connected Nodes tab of your created Gateway.

  2. Click Add Connected Node and select the node that requires relaying.

  3. The selected node will now route its traffic through the gateway.

Auto Relays Option

When adding a new node to the network, you can pre-configure it as a relayed node by:

  1. Generating an enrollment key and specifying the relay and network.

  2. Using the enrollment key during the node setup to automatically configure it as a relayed node.

Generating WireGuard Config FilesCopied!

  1. Click Create Config in the Conf Files tab of your gateway.

  2. Optionally, you can configure the following parameters (leave blank for auto-generation)

    • Name: Assign a unique name to the client.

    • Public Key: Enhance security with a client-specific public key.

    • DNS: Specify a custom DNS server for the client.

    • Additional Addresses: Assign multiple IP addresses to the client.

    • Post Up: Add a custom script to execute after the client connects.

    • Post Down: Add a custom script to execute after the client disconnects.

  3. Download the WireGuard configuration file (conf file) or scan the QR code for unmanaged devices (e.g., routers, IoT devices, desktops) that support WireGuard.

Example WireGuard Configuration:

[Interface]
Address = 100.70.101.254/32,fd3c:2f98:6bb1:2e37:ffff:ffff:ffff:fffe/128
PrivateKey = UJBMEgy5KlWq/lpDy/3k2FewP1nlSjchOkIhYazA+Fo=
MTU = 1420
DNS = 1.1.1.1



[Peer]
PublicKey = KsHJHPJO4b6sviElK1XdGkw3M+oQFYJbVKnXBlLGGFA=
AllowedIPs = 100.70.101.0/24,fd3c:2f98:6bb1:2e37::/64,192.168.1.0/24
Endpoint = 134.122.28.173:443
PersistentKeepalive = 20

Once configured, the external client can securely connect to the network through the gateway. You can disable or delete the client at any time from the Nodes Interface.

Connected UsersCopied!

The Connected Users tab displays users connected via the Netmaker Desktop App. For each user, you can view their WireGuard configuration file and toggle the interface on or off.