# Gateways Secure routing and access across any network barrier {% embed url="" %} ## Introduction Gateways are a unified approach to providing several advanced features for secure user connections reliable network access behind restrictive networks (CGNAT, Double NAT, or firewalls) and more. How Gateways work: * WireGuard Clients - Allows unmanaged devices (smartphones, laptops, desktops, routers, IoT devices) to securely connect to a Netmaker network via WireGuard. * Relay / Auto Relay - For devices behind CGNAT, Double NAT, or restrictive firewalls, Relay functionality routes traffic through a gateway to maintain connectivity when direct access isn’t possible. * Internet Gateway - Provides full tunnel access to the internet for connected devices via the Gateway. * User Access - The Gateway is how your end users will access the network over Netmaker Desktop and Mobile. ## How Gateways Work A Gateway is a publicly reachable node in your Netmaker network that performs one or both of the following functions: * Remote Access: Provides entry for Remote Access Clients using the Netmaker Desktop App or WireGuard configuration files. These clients connect to the gateway to securely access network services.

* Relay: Routes traffic for nodes that cannot establish direct peer-to-peer connections due to network restrictions (e.g., NAT or firewalls).

## Configuring a Gateway {% stepper %} {% step %} ### Create a Gateway * Navigate to the Gateways interface of your network in the Netmaker dashboard.

* Click Create Gateway and select a node to act as the gateway. This node must have a public IP address (not behind a NAT). * If unsure, the Netmaker server is a good default choice.

{% endstep %} {% step %} ### Internet Gateway Starting from Netmaker v1.0.0, an Internet Gateway option is available from the Gateways screen. This lets designated gateway nodes route traffic from your Netmaker network to the public internet (e.g., full-tunnel VPN access for remote clients). * Only Linux devices can be configured as Internet Gateways. Windows, macOS, and Linux devices can connect to an existing Internet Gateway. * Remote clients can connect to Internet Gateways using WireGuard config files, the Netmaker Desktop app, or the mobile Client App. Creating an Internet Gateway: * Go to the Gateways interface.

* Click Create Gateway. * Select a Linux node with a public IP to act as the Internet Gateway.

* Toggle the Internet Gateway option.

* Click Create Gateway to finalize setup. Notes: * A node can only be connected to one Internet Gateway, regardless of how many networks it's in. * A node connected to an Internet Gateway cannot itself act as a gateway (chaining is not supported). {% endstep %} {% step %} ### Connecting Nodes to an Internet Gateway * Click the gateway entry in the Gateways table to expand its details. * Click the Connected Nodes tab. * Click Add Connected Nodes.

* Select one or more nodes to route traffic through this Internet Gateway.

Default behavior: * Connected nodes are placed in split tunnel mode (only internal/VPN traffic routes through the gateway; regular internet traffic uses their local network). To enable full tunnel mode (route all traffic, including internet-bound), toggle Route All Traffic on the connected node entry.

{% endstep %} {% step %} ### Removing an Internet Gateway * Navigate to the Gateways interface. * Click the meatballs menu (⋯) on the gateway and select Edit to open the edit modal. * Toggle off the Internet Gateway switch. * Save your changes. {% endstep %} {% endstepper %} ## Relay Configuration {% stepper %} {% step %} ### Adding Relayed Nodes * Navigate to the Connected Nodes tab of your created Gateway.

* Click Add Connected Node and select the node that requires relaying.

* The selected node will now route its traffic through the gateway.

{% endstep %} {% step %} ### Relay Node on Enrollment When adding a new node to the network, you can pre-configure it as a relayed node by: * Generating an enrollment key and specifying the relay and network.

* Using the enrollment key during node setup to automatically configure it as a relayed node. {% endstep %} {% endstepper %} ## Create WireGuard Config Files {% stepper %} {% step %} ### From the Nodes Interface * From the left sidebar, open the Nodes page and click on the Config File tab. * Click +Add config file.

* Fill in the required details: * Node name: Assign a unique name to identify the client. * Gateway: Select the gateway the node should connect to. * Public Key (Optional): Use a client-specific public key if available. * DNS (Optional): Define a custom DNS server for the client. * Address (Optional): Specify a static IP address or subnet for the node. * Additional Addresses (Optional): Add multiple IP addresses if required. * Post Up / Post Down (Optional): Include optional scripts to run when the client connects or disconnects.

* Click Create Config to add the node. * The node will appear under the Nodes list and its configuration can also be found in the gateway’s Conf Files tab.

{% endstep %} {% step %} ### From the Gateway’s Conf Files Tab * Click Create Config in the Conf Files tab of your gateway.

* Optionally configure the following parameters (leave blank for auto-generation): * Name: Assign a unique name to the client. * Public Key: Enhance security with a client-specific public key. * DNS: Specify a custom DNS server for the client. * Additional Addresses: Assign multiple IP addresses to the client. * Post Up: Add a custom script to execute after the client connects. * Post Down: Add a custom script to execute after the client disconnects.

* Download the WireGuard configuration file (conf file) or scan the QR code for unmanaged devices (routers, IoT devices, desktops) that support WireGuard. Once configured, the external client can securely connect to the network through the gateway. You can disable or delete the client at any time from the Nodes interface. {% endstep %} {% endstepper %} Example WireGuard configuration: {% code title="example.conf" %} ```plaintext [Interface] Address = 100.70.101.254/32,fd3c:2f98:6bb1:2e37:ffff:ffff:ffff:fffe/128 PrivateKey = UJBMEgy5KlWq/lpDy/3k2FewP1nlSjchOkIhYazA+Fo= MTU = 1420 DNS = 1.1.1.1 [Peer] PublicKey = KsHJHPJO4b6sviElK1XdGkw3M+oQFYJbVKnXBlLGGFA= AllowedIPs = 100.70.101.0/24,fd3c:2f98:6bb1:2e37::/64,192.168.1.0/24 Endpoint = 134.122.28.173:443 PersistentKeepalive = 20 ``` {% endcode %} ## Connected Users You can view and manage connected desktop clients from the Nodes screen.

The Connected Users tab under your gateway provides another way to monitor and manage connections established via the Netmaker Desktop App.

For each connected user, you can: * View their WireGuard configuration file. * Delete the node if required. ## High Availability (HA) Gateways ### Overview High Availability (HA) Gateways, introduced in version 1.2.0, add automatic gateway selection and failover switching. Nodes can automatically connect to the best available gateway and seamlessly switch when their current gateway becomes unavailable, improving reliability, uptime, and ease of management. ### How HA Gateway Works * Nodes can have their gateway mode set to Auto. * Netmaker periodically checks gateway availability and latency (approximately every 30 seconds). * The node connects through the nearest and healthiest gateway. * If that gateway goes down, the node reconnects through another available gateway seamlessly. ### UI Configuration Example * When viewing network devices, click Assign Gateway next to any node to open the gateway selection menu.

* In the Assign Gateway window, toggle Auto-select Gateway to let Netmaker automatically pick the best available gateway for that node.

* Toggle **Auto-select Gateway** to enable automatic gateway selection for this node. * When enabled, Netmaker will automatically choose the **best available gateway**. * The peer will automatically **switch gateways** when its current one is offline.

### Notes * Introduced in Netmaker v1.2.0 * Gateway status checks occur approximately every 30 seconds. * Currently labeled as BETA. * Switching happens seamlessly — users won’t notice the transition. * Works best in multi-gateway or distributed environments. ### Use Case Examples * Server Clusters: Redundant gateways ensure zero downtime during maintenance or outages. * Multi-site VPN Networks: Automatically route client traffic through the nearest or most responsive gateway. * Remote Workers: As clients move between locations, Netmaker automatically connects them to the gateway with the lowest latency. * IoT Devices: Field units maintain connectivity even when one gateway goes offline. ## Auto-Relay (Pro) Automatically routes traffic through the closest, lowest-latency gateway. {% hint style="info" %} #### Overview The **Auto-Relay** feature (formerly called Failover) allows multiple gateways to act as relays for peers, making the network more flexible and resilient. Key points: * Multiple auto-relays can be configured simultaneously. * Peers automatically select the relay with the **lowest latency**. * All gateways are **auto-relay enabled by default**, meaning any new gateway can act as a relay immediately. * **Useful in NAT scenarios:** Auto-Relay is especially beneficial when nodes are behind CGNAT, Double NAT, or restrictive firewalls, where direct peer-to-peer connections may fail. {% endhint %} ## How Auto-Relay Works {% stepper %} {% step %} ### Gateway advertisement Each gateway advertises its Auto-Relay status across the network. {% endstep %} {% step %} ### Reachability & latency measurement Peers evaluate which gateways are reachable and measure latency. {% endstep %} {% step %} ### Relay selection Peers connect through the active Auto-Relay gateway with the lowest latency. {% endstep %} {% step %} ### Automatic failover If that gateway becomes unavailable, the peer automatically switches to another reachable Auto-Relay gateway. {% endstep %} {% endstepper %} This creates **dynamic redundancy** and ensures smooth network performance **without manual failover setup**. ## Default Behavior * Every new gateway is automatically set as **Auto-Relay = ON**. * You can view or edit this setting in the **Edit Gateway** modal. * Manual configuration is optional — Auto-Relay works automatically across gateways. {% hint style="info" %} ### Notes * Auto-Relay replaces the older Failover logic but **retains backward compatibility**. * Any gateway can act as a relay without explicit assignment. * Latency-based routing **balances network load** and maintains optimal data flow. * Particularly **helpful when NAT or firewall restrictions prevent direct peer-to-peer connections**. {% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://learn.netmaker.io/features/gateways.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.