Gateways

Secure routing and access across any network barrier

Introduction

With the release of Netmaker v0.90.0, we’ve simplified things by combining the Remote Access and Relay functionalities into a single feature called Gateways. This new unified approach simplifies the management of secure device connections and ensures reliable network access, whether for remote devices connecting through Remote Access Gateways or nodes behind restrictive network configurations like CGNAT, Double NAT, or firewalls that require Relay functionality.

Here’s how Gateways work:

  1. Remote Access – This feature allows unmanaged devices, including smartphones, laptops, desktops, routers, and IoT devices, to securely connect to a Netmaker network via a Remote Access Gateway. It enables remote devices to access the network securely, without requiring full mesh connectivity.

  2. Relay – For devices behind CGNAT, Double NAT, or restrictive firewalls, the Relay functionality ensures continuous connectivity by routing traffic through a Relay Server, keeping communication intact even when direct access isn’t possible.

The Gateways feature introduced in v0.90.0 therefore serves both purposes, connecting remote clients and working around network restrictions, so that communication stays stable and secure across these setups.

How Gateways Work

A Gateway is a publicly reachable node in your Netmaker network that performs one or both of the following functions:

  • Remote Access: Provides entry for Remote Access Clients using the Netmaker Desktop App or WireGuard configuration files. These clients, such as smartphones, laptops, desktops, and IoT devices, connect to the gateway to securely access network services.

  • Relay: Routes traffic for nodes that cannot establish direct peer-to-peer connections due to network restrictions (e.g., NAT or firewalls).

Configuring a Gateway

Step 1: Create a Gateway

  1. Navigate to the Gateways interface of your network in the Netmaker dashboard.

  2. Click Create Gateway and select a node to act as the gateway. This node must have a public IP address and be reachable on its WireGuard port from the internet; a node that is itself behind NAT cannot serve as a gateway.

    • If unsure, the Netmaker server is a good default choice.

Internet Gateway Configuration

Starting from Netmaker v1.0.0, a new Internet Gateway feature is available directly from the Gateways screen. This functionality allows designated gateway nodes to route traffic from your Netmaker network to the public internet, enabling scenarios such as full-tunnel VPN access for remote clients.

Only Linux devices can be configured as internet gateways. However, Windows, macOS, and Linux devices can connect to an existing internet gateway. Remote clients can also connect to internet gateways using WireGuard configuration files or the Netmaker Desktop application. Smartphones can connect through the mobile Client App.

Creating an Internet Gateway
  1. Go to the Gateways interface in the Netmaker dashboard.

  2. Click Create Gateway.

  3. Select a Linux node with a public IP to act as the Internet Gateway (similar to a VPN server).

  4. Toggle the Internet Gateway option.

  5. Click Create Gateway to finalize setup.

A node can only be connected to one Internet Gateway, regardless of how many networks it's part of.

A node connected to an Internet Gateway cannot itself act as a gateway (chaining is not supported).

Connecting Nodes to an Internet Gateway
  1. Click on the gateway entry in the Gateways table to expand its details.

  2. Click the Connected Nodes tab if not already selected.

  3. Click Add Connected Nodes.

  4. Select one or more nodes to route traffic through this Internet Gateway.

By default, connected nodes are placed in split tunnel mode: only traffic destined for Netmaker network addresses goes through the tunnel, while internet-bound traffic still leaves through the node's local network.

To enable full tunnel mode (routing all traffic, including internet-bound, through the gateway), toggle Route All Traffic on the connected node entry. The gateway then becomes that node's default route and forwards its internet traffic on its behalf, so size and monitor the gateway accordingly.

Removing an Internet Gateway
  1. Navigate to the Gateways interface.

  2. Click the meatballs menu (⋯) on the gateway and select Edit to open the edit modal.

  3. Toggle off the Internet Gateway switch.

  4. Save your changes.

Relay Configuration

Adding Relayed Nodes

  1. Navigate to the Connected Nodes tab of your created Gateway.

  2. Click Add Connected Nodes and select the node that requires relaying.

  3. The selected node's peer traffic is now relayed through the gateway instead of relying on direct connections.

Auto Relays Option

When adding a new node to the network, you can pre-configure it as a relayed node by:

  1. Generating an enrollment key and specifying the relay and network.

  2. Using the enrollment key during the node setup to automatically configure it as a relayed node.

Create WireGuard Config Files

  1. You can manually create a WireGuard config file directly from the Nodes interface.

    1. From the left sidebar, open the Nodes page and click on the Config File tab.

    2. Click +Add config file.

    3. Fill in the required details:

      • Node name: Assign a unique name to identify the client.

      • Gateway: Select the gateway the node should connect to.

      • Public Key (Optional): Paste a public key generated on the client device. The matching private key then never leaves the device and is not written into the downloaded config; leave this blank and Netmaker generates the key pair for you.

      • DNS (Optional): Define a custom DNS server for the client.

      • Address (Optional): Specify a static IP address or subnet for the node.

      • Additional Addresses (Optional): Add multiple IP addresses if required.

      • Post Up / Post Down (Optional): Include optional scripts to run when the client connects or disconnects.

    4. Click Create Config to add the node.

    5. The node will appear under the Nodes list and its configuration can also be found in the gateway’s Conf Files tab.

  2. Alternatively, you can create a configuration file directly from the gateway’s Conf Files tab.

    1. Click Create Config in the Conf Files tab of your gateway.

    2. Optionally, configure the following parameters (leave blank for auto-generation):

      • Name: Assign a unique name to the client.

      • Public Key: Paste a key generated on the client so its private key never leaves the device (leave blank to have the key pair generated for you).

      • DNS: Specify a custom DNS server for the client.

      • Additional Addresses: Assign multiple IP addresses to the client.

      • Post Up: Add a custom script to execute after the client connects.

      • Post Down: Add a custom script to execute after the client disconnects.

  3. Download the WireGuard configuration file (conf file) or scan the QR code for unmanaged devices (e.g., routers, IoT devices, desktops) that support WireGuard.

Example WireGuard Configuration:

[Interface]
# The client's own tunnel addresses (host routes) and the private key that
# identifies it to the gateway. Anyone holding this file can connect as this client.
Address = 100.70.101.254/32,fd3c:2f98:6bb1:2e37:ffff:ffff:ffff:fffe/128
PrivateKey = UJBMEgy5KlWq/lpDy/3k2FewP1nlSjchOkIhYazA+Fo=
# 1420 leaves room for WireGuard's encapsulation overhead on a 1500-byte path.
MTU = 1420
DNS = 1.1.1.1

[Peer]
# The gateway: its public key, the prefixes routed into the tunnel (the Netmaker
# network ranges plus an extra private range reached via the gateway) and its
# public endpoint.
PublicKey = KsHJHPJO4b6sviElK1XdGkw3M+oQFYJbVKnXBlLGGFA=
AllowedIPs = 100.70.101.0/24,fd3c:2f98:6bb1:2e37::/64,192.168.1.0/24
Endpoint = 134.122.28.173:443
# Keeps the client's NAT mapping open so the gateway can send to it at any time.
PersistentKeepalive = 20

Once configured, the external client can securely connect to the network through the gateway. Treat the downloaded file and its QR code as a credential: they contain the client's private key, and anyone holding them can join the network as that client. You can disable or delete the client at any time from the Nodes interface, which revokes that access.
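A config file like the one above is usually handed to an unmanaged device and never looked at again, so it is worth checking before it leaves your hands. The following is an added example written for this page, not code from Netmaker; the function names (check_config, tunnel_mode, as_full_tunnel) are this example's own. It takes the page's sample configuration as input and flags malformed keys, AllowedIPs that fail to cover the client's own address, and an Endpoint that would be routed back into the tunnel. It also shows, for the split versus full tunnel distinction described under Internet Gateway Configuration, the AllowedIPs difference that "route all traffic" amounts to on the WireGuard side (an illustration of the mechanism, not the config Netmaker itself generates for an Internet Gateway client).

```python
"""Pre-flight checks for a WireGuard client config exported from a Netmaker gateway.
Added example for this page, not Netmaker's own code: it flags malformed keys,
AllowedIPs that miss the client's own address, and an Endpoint routed back into
the tunnel, and shows where split and full tunnel differ at the WireGuard level."""
import base64
import ipaddress
import re

# Sample input: the example client configuration shown on this page.
SAMPLE_CONFIG = """\
[Interface]
Address = 100.70.101.254/32,fd3c:2f98:6bb1:2e37:ffff:ffff:ffff:fffe/128
PrivateKey = UJBMEgy5KlWq/lpDy/3k2FewP1nlSjchOkIhYazA+Fo=
MTU = 1420
DNS = 1.1.1.1

[Peer]
PublicKey = KsHJHPJO4b6sviElK1XdGkw3M+oQFYJbVKnXBlLGGFA=
AllowedIPs = 100.70.101.0/24,fd3c:2f98:6bb1:2e37::/64,192.168.1.0/24
Endpoint = 134.122.28.173:443
PersistentKeepalive = 20
"""

def parse_wg_config(text):
    """Return {"Interface": {...}, "Peers": [{...}, ...]}.  A key repeated inside a
    section (wg-quick allows several AllowedIPs lines) is joined as a comma list."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = f"{current[key]},{value}" if key in current else value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return {"Interface": interface, "Peers": peers}

def _cidrs(value):
    return [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",") if v.strip()]

def valid_wg_key(key):
    """A WireGuard key is a 32-byte Curve25519 value, base64 encoded (44 chars)."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except (ValueError, TypeError):
        return False

def tunnel_mode(cfg):
    """'full' if any peer carries a default route (0.0.0.0/0 or ::/0), else 'split'."""
    for peer in cfg["Peers"]:
        if any(net.prefixlen == 0 for net in _cidrs(peer.get("AllowedIPs", ""))):
            return "full"
    return "split"

def as_full_tunnel(text):
    """Swap AllowedIPs for the default routes: what 'route all traffic' means at the
    WireGuard level (an illustration, not the config Netmaker itself generates)."""
    return re.sub(r"^AllowedIPs\s*=.*$", "AllowedIPs = 0.0.0.0/0, ::/0", text, count=1, flags=re.M)

def check_config(text):
    """Return a list of problems; an empty list means the file passes every check."""
    cfg = parse_wg_config(text)
    iface, problems = cfg["Interface"], []
    if not valid_wg_key(iface.get("PrivateKey", "")):
        problems.append("Interface.PrivateKey is not a 32-byte base64 key")
    addresses = [ipaddress.ip_interface(a.strip()) for a in iface.get("Address", "").split(",") if a.strip()]
    for n, peer in enumerate(cfg["Peers"], 1):
        if not valid_wg_key(peer.get("PublicKey", "")):
            problems.append(f"Peer {n}: PublicKey is not a 32-byte base64 key")
        allowed = _cidrs(peer.get("AllowedIPs", ""))
        # The client's own addresses must sit inside a routed prefix, or the rest of the
        # network is unreachable even though the handshake succeeds (v4 is never "in" v6).
        for addr in addresses:
            if not any(addr.ip in net for net in allowed):
                problems.append(f"Peer {n}: AllowedIPs does not cover client address {addr.ip}")
        host = peer.get("Endpoint", "").rsplit(":", 1)[0].strip("[]")
        try:
            ep_ip = ipaddress.ip_address(host)
        except ValueError:
            continue                  # missing or hostname Endpoint: not checkable offline
        # In split mode a gateway address inside AllowedIPs is routed back into the tunnel
        # it carries.  Default routes are skipped: wg-quick excludes the endpoint via fwmark.
        for net in allowed:
            if net.prefixlen > 0 and ep_ip in net:
                problems.append(f"Peer {n}: Endpoint {ep_ip} lies inside AllowedIPs {net}")
    return problems

if __name__ == "__main__":
    for label, text in (("split", SAMPLE_CONFIG), ("full", as_full_tunnel(SAMPLE_CONFIG))):
        print(label, tunnel_mode(parse_wg_config(text)), check_config(text) or "OK")
```

Run as a script it reports both variants as OK. The Endpoint check catches the classic split-tunnel mistake of listing a prefix that happens to contain the gateway's own public address, which would send handshake packets into the tunnel they are meant to carry; full-tunnel files are exempt because wg-quick installs a fwmark policy-routing rule so the endpoint still leaves through the underlay. A hostname Endpoint is skipped rather than resolved, so the check stays offline.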

Connected Users

You can view and manage connected desktop clients directly from the Nodes screen.

The Connected Users tab under your gateway provides another way to monitor and manage connections established via the Netmaker Desktop App.

For each connected user, you can:

  • View their WireGuard configuration file.

  • Delete the node if required.