Netclient Setup

As of v0.18.0 Netclient is now in its own standalone repo seperate from netmaker.

The UI has been updated for Mac and Windows,

netclient CLI

And the CLI has been updated.

netclient CLI

The Netclient manages WireGuard on client devices (nodes). This document walks through setting up the netclient on machines, including install, management, and uninstall.

The Netclient is supported on the following operating systems:

  • Linux (most distributions)

  • Windows

  • macOS

  • FreeBSD

For unsupported devices, please use the external client, which is just a static, vanilla, WireGuard configuration file, which can be added to any device that supports WireGuard.


Before adding the machine to a network, the netclient must be installed. A successful installation sets up the netclient executable on the machine and adds it as a system daemon. The daemon will listen for changes for any network it joins.

The client install does not add the client as a member of any network. Once the client is installed, you must run:

netclient join -t <token>

The following are install instructions for most operating systems.


Debian Distros (debian/ubuntu/mint/pop-os)

curl -sL '' | sudo tee /etc/apt/trusted.gpg.d/netclient.asc
curl -sL '' | sudo tee /etc/apt/sources.list.d/netclient.list
sudo apt update
sudo apt install netclient

Red Hat Distros (fedora/redhat/centos/rocky)

curl -sL '' | sudo tee /tmp/gpg.key
curl -sL '' | sudo tee /etc/yum.repos.d/netclient.repo
sudo rpm --import /tmp/gpg.key
sudo dnf check-update
sudo dnf install netclient

Arch Distros (arch/manjaro/endeavouros)

yay -S netclient

OpenWRT Distros (mips/mipsle)

curl -sfL | VERSION="<your netmaker version>" sh -

In case of failure refer to Advanced Client Installation Notes on OpenWRT


PowerShell script

. { iwr -useb } | iex; Netclient-Install -version "<your netmaker version>"

MSI Installer

Download Link:


Brew Install

brew tap gravitl/netclient
(optional) brew audit netclient
brew install netclient

GUI Installer

Download Link:


A FreeBSD package is coming soon. In the meantime, please use this install script:

curl -sfL | VERSION="<your netmaker version>" sh -


You can run Netclient using Docker instead of installing it on your local machine. To ensure that the correct commands are present in order to use Docker use these steps:

sudo apt-get update
sudo apt-get install -y docker-compose

After that you can proceed to join the network using the docker command from the access key for the network you wish to join. The docker command is available from the access key view in the Netmaker UI. To have the netclient docker container restart (eg after the system reboots) you’ll want to use the following option when running docker run:


If you prefer (e.g., when specifying a lot of environment variables), you can use a docker-compose.yml file such as the following instead of the docker run command:

version: "3.4"

        network_mode: host
        privileged: true
        restart: always
            - TOKEN=<networktoken>
            - '/etc/netclient:/etc/netclient'
        container_name: netclient
        image: 'gravitl/netclient:v0.18.0'

where <networktoken> is the Access Token available from the “Viewing your Access Key Details” window in the Netmaker UI.

If you are making a docker container on a server that already has a baremetal version of netclient on there, this will create a conflict. Netmaker will only make one host for that machine and not see the container as another node. Meanwhile on the client, both daemons will be running (bare metal and container), causing conflicts (both receive the peer updates) and the node becomes unreachable.

You can work around this by running the docker netclient using a seperate netclient folder and having host networking NOT enabled. Host networking must be turned off when running with multiple netclients. This means that the host will not have the private address of the container and it will be segmented.

Your compose would look more like this:

version: "3.4"

        privileged: true
        restart: always
            - TOKEN=<networktoken>
            - '/etc/netclient2:/etc/netclient'
        container_name: netclient2
        image: 'gravitl/new-netclient:v0.18.0'

By using this method, you can run many netclients on the same host and just incrementing up (netclient3, netclient4 ….. netclientN).


For docker netclient to function correctly as either ingress/egress gateway, you need to additionally run the following commands on the host machine:

  1. iptables -I DOCKER-USER -i netmaker -j ACCEPT

  2. iptables -I DOCKER-USER -o netmaker -j ACCEPT

Environment Variable

Docker Option Example




Network to perform specified action against. (default: “all”)


-e NETCLIENT_PASSWORD=’passwordvalueexample’

Password for authenticating with netmaker.



Reachable (usually public) address for WireGuard (not the private WG address).


-e NETCLIENT_MACADDRESS=’00:11:22:33:44:55’

Mac Address for this machine. Used as a unique identifier within Netmaker network.


-e NETCLIENT_PUBLICKEY=’pubkeyexample’

Public Key for WireGuard Interface.


-e NETCLIENT_PRIVATEKEY=’privatekeyexample’

Private Key for WireGuard Interface.



Port for WireGuard Interface.



Default PersistentKeepAlive for Peers in WireGuard Interface. (default: 0)


-e NETCLIENT_OS=’linux’

Operating system of machine (linux, darwin, windows, freebsd)



The service to call to obtain the public IP of the machine that is running netclient.


-e NETCLIENT_NAME=’netmakermachinename’

Identifiable name for machine within Netmaker network. (default: “do-docs-netclient”)



Local address for machine. Can be used in place of Endpoint for machines on the same LAN.



Indicates if client is static by default (will not change addresses automatically).



WireGuard address for machine within Netmaker network.


-e NETCLIENT_ADDRESSIPV6=’2001:0db8:85a3:0000:0000:8a2e:0370:7334’

WireGuard address for machine within Netmaker network.



WireGuard local network interface name.



Address + API Port (e.g. of Netmaker server.


-e NETCLIENT_ACCESSKEY=’47e5364ebc00dc0b’

Access Key for signing up machine with Netmaker server during initial ‘add’.


-e NETCLIENT_ACCESSTOKEN=’accesstokenhere’

Access Token for signing up machine with Netmaker server during initial ‘add’.



Host server (domain of API) [Example:]. Do not include “http(s)://” use it for the Single Sign-on along with the network parameter


-e USER_NAME=’myuser’

User name provided upon joins if joining over basic auth is desired.



Local Range if network is local, for instance



Sets private dns if ‘yes’. Ignores if ‘no’. Will retrieve from network if unset. (default: “yes”)



Sets endpoint to local address if ‘yes’. Ignores if ‘no’. Will retrieve from network if unset.



Turns on udp holepunching if ‘yes’. Ignores if ‘no’. Will retrieve from network if unset.



Sets ip forwarding on if ‘on’. Ignores if ‘off’. On by default. (default: “on”)


-e NETCLIENT_POSTUP=’postupcommandhere’

Sets PostUp command for WireGuard.


-e NETCLIENT_POSTDOWN=’postdowncommandhere’

Sets PostDown command for WireGuard.



Installs daemon if ‘on’. Ignores if ‘off’. On by default. (default: “on”)



Checks for IP changes if ‘yes’. Ignores if ‘no’. Yes by default. (default: “yes”)



Netclient Verbosity level 1. (default: false)



Netclient Verbosity level 2. (default: false)



Netclient Verbosity level 3. (default: false)



Netclient Verbosity level 4. (default: false)

Joining a Network

The join command provides the following flags with short descriptions on what each one does.

netclient CLI

With a token:

netclient join -t <token>

With username/password:

netclient join -n <net name> -u <username> -s api.<netmaker domain>
(example: netclient join -n mynet -u admin -s

With SSO (oauth must be configured):

netclient join -n <net name> -s api.<netmaker domain>

With docker:

docker run -d --network host  --privileged -e TOKEN=<TOKEN> -v /etc/netclient:/etc/netclient --name netclient gravitl/netclient:<CURRENT_VERSION>

Again, if you are making a docker container on an already existing baremetal netclient, you will have to modify the join command like this for example:

docker run -d --privileged -e TOKEN=<TOKEN> -v /etc/netclient2:/etc/netclient --name netclient2 gravitl/new-netclient:<CURRENT_VERSION>

And again host networking will be turned off in this case and will not have the private address of the contianer and it will be segmented.

These commands will be available to copy and paste in the access keys section of your netmaker UI. You can set the verbosity to a level 0-4 with the flag -v <number 0-4> in the join command if you need more info about the join.

To join on the GUI with Windows or Mac, just click the ADD NEW button and you will be given a choice of token or Username/Password.

netclient join through GUI

Choose token and you will be taken to a screen where you will enter the Access Token found in the access keys tab of the netmaker UI.

netclient token screen

Choose Username/Password and you will be taken to this screen:

netclient username and password screen

You can fill out these fields by parsing out the Join via Basic Auth part of the Access Key Details

netclient snippet of access key details

The Server name will be in the <netmaker api domain> and the network will be in the <network-name> placeholder. Username and password is the same as you would use to sign into your netmaker dashboard.

If the join was successful, you should see the network on the GUI.

netclient GUI showing a connected network

You should be able to click on that network and see the details page on that network.

netclient GUI network details

Managing Netclient

Connecting/Disconnecting from a network

You can connect/disconnect from the network from either the netclient, or from the UI. in the last image above, you can see the connect/disconnect switch is located in the network details of the GUI.

From the CLI, you can use the following:

netclient connect <network_name>
netclient disconnect <network_name>

You can also disconnect and reconnect from the UI. Click on the node you want to disconnect/reconnect and click on edit.

On the bottom, you should see a switch labeled connected like this one. toggle the switch and hit submit. That client will connect or disconnect accordingly.

connect/disconnect button

If you disconnected from the CLI, This switch should be off.

Leave a network

In the GUI, the leave network button is located in the network details. You can also leave from the CLI with the following command.

netclient leave <network>

List Networks

netclient list

Use a different version

Netclient as of v0.18.0 has an option to choose which version of netclient you would like to use. This only applies to versions v0.18.0 and later.

netclient use <version>

Netclient also has an auto-update feature as of v0.18.0


Leave a network:

Uninstall from CLI:

netclient uninstall

Uninstall using package manager (use equivalent command for your OS):

apt remove netclient

With a Mac, just go to applications in your finder and throw netclient in the trash bin, or use

brew uninstall netclient

if it was installed through Homebrew

With windows go to “Add or remove programs” in your system settings and remove netclient.