User Interface

This page contains annotated screenshots of most UI components, detailing the configuration options of each field across Nodes, Networks, DNS, Ext Clients, Users, and more.

Here is an arcade showing a walkthrough of our new UI.

AuthenticationCopied!

SignupCopied!

When you start Netmaker for the first time, you will be prompted to create a superadmin account from the UI like below

Username: Enter a unique username for the admin user.
Password: Enter a secure password for your new user.
Password Confirmation: Repeat the password for verification.
Signup with OAuth: Button to signup with OAuth. From v0.23.1, OAuth users will need further approval from a server admin to gain access.

LoginCopied!

Username: Enter your username.
Password: Enter your password.
Login: Button to login.
Login with OAuth: Button to login with OAuth.

DashboardCopied!

NetworksCopied!

CreateCopied!

Autofill: Provides sensible defaults for network details and makes up a name.
Network Name: The name of the network. Character limited, as this translates to the interface name on hosts (nm-<network name>)
Address Range: The CIDR of the network. Must be a valid IPv4 Subnet and should be a private address range.
Default Access Control: Indicates the default ACL value for a node when it joins in respect to it’s peers (enabled or disabled).

All DevicesCopied!

In simple terms, a device is a computer or machine running the netclient software. Netmaker UI allows an admin to conviniently view and configure some device settings remotely.

Devices InterfaceCopied!

Device Name: Friendly name of the device. Clicking it opens a view to allow admins manage nodes.
Endpoint: The public IP address of the device.
Public Port: Public port of the host.
Version: Indicates the version of netclient the host is running.
Health Status: Indicates the connectivity of the host.
Sync: Synchronise the host with the server; this triggers the host to pull latest network/server state.
Actions: Quick actions that can be performed on the host.

Device CreateCopied!

A device is automatically created on a server once a netclient (a machine running netclient) joins any network on the server.

Device DetailsCopied!

The following information is present under the host details tab:

ID: Unique identifier for the host
Name: Name of the host. Defaults to the machine’s name.
Version: Version of netclient the host is running.
Operating System: Operating system (OS) the machine is running.
Public Key: Public key of the host. distributed to other hosts.
MTU: Maximum Transmission Unit (MTU) of the host
Listen Port: The wiregaurd listen port.
Proxy Listen Port: The netclient proxy listen port. this is used if Proxy Enabled is set to true. (No longer available from v0.20.5)
Verbosity: Log verbosity (ranges from 1-4). Indicates level of detail the host (netclient) will output to logs.
Default Interface: Default network interface used by the host.
MAC Address: Media Access Control (MAC) address of the host machine.
Is Default: Indicates whether the node is a default device. Nodes that are default devices will automatically join any created network.
Debug: Flag to enable additional logging on client.
Proxy Enabled: Indicates whether a host is running netclient proxy. (No longer available from v0.20.5)
Is Static: Indicaates whether the host’s endpoint is static or not.
Interfaces: Lists the available network interface for the host.

A network can be deleted from the Network interface but all associated devices must be manually removed first.

NodesCopied!

Node InterfaceCopied!

Search Hosts: Look up a host by name.
Host Name: Name of host. By default set to hostname of machine.
Private Addresses: Private IPs of host within network.
Public Address: Public IP of host.
Status: Indicates how recently the host checked into the server. Displays “Warning” after 5 minutes and “Error” after 30 minutes without a check in. Does not explicitly indicate the health of the node’s virtual network connections; however a healthy host will check-in regularly.
Actions: Dropdown list of actions that can be performed on a host, including disconnecting and deleting the host.

A node pending deletion will be grayed out.

Create EgressCopied!

Egress Gateway Ranges: A comma-separated list of the subnets for which the gateway will route traffic. For instance, with Kubernetes this could be both the Service Network and Pod Network. For a standard VPN, Netmaker can use a list of the public CIDR’s (see the docs). Typically, this will be something like a data center network, VPC, or home network.
Interface: The interface on the machine used to access the provided egress gateway ranges. For instance, on a typical linux machine, the interface for public traffic would be “eth0”. Usually you will need to check on the machine first to find the right interface. For instance, on Linux, you can find the interface by running this: ip route get <address in subnet>.

Node DetailsCopied!

Edit Edit the node’s details
Default ACLs View the node’s Access Control List (ACL)
Metrics View the node’s metrics
Host View the node’s associated host
Delete Delete the node
Endpoint: The (typically public) IP of the machine, which peers will use to reach it, in combination with the port. If changing this value, make sure Roaming is turned off, since otherwise, the node will check to see if there is a change in the public IP regularly and update it.
Dynamic Endpoint: The endpoint may be changed automatically. Switching this off (indicating static endpoint) means the endpoint will stay the same until you change it. This can be good to set if the machine is a server sitting in a location that is not expected to change. It is also good to have this switched off for Remote Access gateway, Egress, and Relay Servers, since they should be in a reliable location.
Listen Port: The port used by the node locally. This value is ignored if UDP Hole Punching is on, because port is set dynamically every time interface is created. If UDP Hole Punching is off, the port can be set to any reasonable (and available) value you’d like for the local machine.
IP Address: The primary private IP address of the node. Assigned automatically by Netmaker but can be changed to whatever you want within the Network CIDR.
IPv6 Address: (Only if running dual stack) the primary private IPv6 address of the node. Assigned automatically by Netmaker but can be changed to whatever you want within the Network CIDR.
Local Address: The “locally reachable” address of the node. Other nodes will take note of this to see if this node is on the same network. If so, they will use this address instead of the public “Endpoint.” If running a few nodes inside of a VPC, home network, or similar, make sure the local address is populated correctly for faster and more secure inter-node communication.
Node Name: The name of the node within the network. Hostname by default but can be anything (within the character limits).
Public Key: (Uneditable) The public key of the node, distributed to other peers in the network.
Persistent Keepalive: How often packets are sent to keep connections open with other peers.
Last Modified: Timestamp of the last time the node config was changed.
Node Expiration Datetime: If a node should become invalid after a length of time, you can set it in this field, after which time, it will lose access to the network and will not populate to other nodes. Useful for scenarios where temporary access is granted to 3rd parties.
Last Checkin: Unix timestamp of the last time the node checked in with the server. Used to determine generic health of node.
MAC Address: The hardware Media Access Control (MAC) address of the machine. Used to be used as the unique ID, but is being depreciated.
Egress Gateway Ranges: If Egress is enabled, the gateway ranges that this machine routes to.
Local Range: If IsLocal has been enabled on the network, this is the local range in which the node will look for a private address from it’s local interfaces, to use as an endpoint.
Node Operating System: The OS of the machine.
MTU: The MTU that the node will use on the interface. If “wg show” displays a valid handshake but pings are not working, many times the issue is MTU. Making this value lower can solve this issue. Some typical values are 1024, 1280, and 1420.
Network: The network this node belongs to.
Node ACL Rule The current ACL rule for this node in the network
Is DNS On: DNS is solely handled by resolvectl at the moment, which is on many Linux distributions. For anything else, this value should remain off. If you wish to configure DNS for non-compatible systems, you must do so manually.
Is Local: If on, will only communicate over the local address (Assumes IsLocal tuned to ‘yes’ on the network level.)
Connected Indicates whether the node has is connected to the network

Remote AccessCopied!

Gateway Name / IP Address: Information about which Node is the Remote Access Gateway.
Add Client Config: Button to generate a new Remote Access Client configuration file.
Client ID: The randomly-generated name of the client. Click on the ID to change the name to something sensible.
IP Address: The private ip address of the ext client.
QR Code: If joining form iOS or Android, open the WireGuard app and scan the QR code to join the network.
Download Client Configuration: If joining from a laptop/desktop, download the config file and run “wg-quick up /path/to/config”
Delete: Delete the ext client and remove its network access.

DNSCopied!

DNS Name: The private DNS entry. Must end in “.<network name>” (added automatically). This avoids conflicts between networks.
IP Address: The IP address of the entry. Can be anything (public addresses too!) but typically a node IP.
Select Node Address: Select a node name to populate its IP address automatically.

Create / Edit UsersCopied!

Username: Specify Username.
Password: Specify password.
Confirm Password: Confirm password.
Make Admin: Make into a server admin or “super admin”, which has access to all networks and server-level settings.
Networks: If not made into an “admin”, select the networks which this user has access to. The user will be a “network admin” of these networks, but other networks will be invisible/unaccessible.

Node Graph Copied!

View all nodes in your network, zoom in, zoom out, and search for node names. hover: Hover over a node to see its direct connections.

Access Control ListsCopied!

Reset: Reset your changes without submitting.
Allow All: Enable all p2p connections
Block All: Disable all p2p connections. Makes building up a Zero Trust network easier.
(allowed): Click to switch a connection to “deny.” Note that node names are higlighted on the side and top to track location.
(blocked): Click to switch a connection to “allow.”
Submit Changes: Click once you are ready to submit. Will send message to update relevant nodes in network.

UsersCopied!

Netmaker v0.30.0 comes with a revamped user management, for easy onboarding of users (including bulk onboarding) and fine-grained permissioning.

Under the User Management section, available for super admins and admins only, you will see all active users, groups (Pro), roles (Pro), invites and pending users. Ypu can manage users from this section of the dashboard.

All active users are listed here. You can search for a user by name or email. You can also see the different groups the user belongs to and their platform access level.

You can view and update a user's details by clicking on the user's name. From this modal, you can change user details including: password, groups, network roles, and platform access level.

Creating/Inviting a UserCopied!

Creating a new user is easy. Click on the Add a User button at the top right to begin the process.

There are two ways to create a user:

Basic Auth: Fill in the user's details and click Create User.
User Invite: Enter the different email addresses of the users you want to invite. They will receive an email with a link to create their account (Ensure you have set up the SMTP client for emailing).

Basic Auth

Username: Enter a unique username of the user.
Password: Choose a password for the user. User's are advised to change their password after logging in.
Confirm Password: Confirm the password for the user.
Platform Access Level: Select the platform access level for the user. The platform access level determines the user's access to the platform as a whole, rather than a specific network. Admin/Superadmins are able to access all networks and server-level settings. Platform users are able to access a limited set of the dasboard. Service users are not able to access the dashboard: they are only able to access networks via our RAC app.
Groups: Select the groups the user will belong to.
Additional Roles Per Network: Select the network roles the user will have per network.

Invite a User

Email Address(es): Enter the email addresses of the users you want to invite. Separate multiple email addresses with a comma. No spaces
Platform Access Level: Select the platform access level for the user. The platform access level determines the user's access to the platform as a whole, rather than a specific network.
Groups: Select the groups the users will belong to.
Additional Roles Per Network: Select the network roles the users will have per network.

After inviting a user, they will receive an email with a link to create their account. The user will be prompted to create a password or continue via OAuth, and will be able to access the platform with the permissions you have set. See screenshots below:

Continue invite with email/password (basic auth)

Continue invite with OAuth (Social provider)

User GroupsCopied!

Netmaker v0.25.0 re-introduces user groups, which allow you to group users together and assign permissions to the group. This feature is available for Pro users only. A group, in theory, is simply a collection or network roles. A group can have multiple users (members) and multiple roles.

Under the User Management section, you will see the Groups tab. Here, you can create, edit, and delete groups.

Create a Group

To create a new group, click on the Create Group button at the top right.

Group Name: Enter a unique name for the group.
Description: Enter a description for the group.
Associated Network Roles: Select the roles the group will have, for each network. A group can have multiple roles.
Group Members: Select the users that will be members of the group.
Create Group: Click to create the group.

A created group can be viewed and edited by clicking on the group name in the groups list. It can also be deleted from the list/table view.

User invitesCopied!

On the Users interface, you will see the Invites tab. Here, you can view all invites and send new invites.

Each invite has a unique magic link that can be used to create an account. This link can be sent to the invitee via email or other means.

You can clear all invites by clicking on the Clear All Invites button at the top right, or delete individual invites by clicking on the Delete button next to the invite.

Pending UsersCopied!

Under the User Management section, you will see the Pending Users tab. Here, you can view all pending users and approve or reject them.

Pending users automatically join the platform as service users by default. This means they can only access networks via the RAC app. Their permissions can be changed by an admin or superadmin after approval.

You can approve or reject pending users by clicking on the Approve or Reject button next to the user. You can also deny all pending users by clicking on the Deny All Users button at the top right.