Glossary

Introduction

Netmaker uses a lot of terminology which may sound unfamiliar. The purpose of this page is to provide an overview of the various terms for components and features within Netmaker, which will be helpful to understand in the context of building your network.

Netmaker Components

Regardless of your scenario, you will be plugging together different components of Netmaker, much like Lego bricks. While there are many different scenarios, the same components of Netmaker are used to bring them all together, so it is helpful to gain a general understanding of these components and how they work together.

Netmaker Server

All scenarios start with having a Netmaker server. This can be deployed either On-Prem or in our Cloud environment (SaaS). For standard scenarios we recommend SaaS, since it is the easiest way to get started. If you have specific data privacy requirements or need custom OAuth, then you will want to deploy On-Prem. We will cover this in more detail in the next section on server deployment.

Netclient

The netclient is the headless agent that runs on servers and manages VPN settings, receiving instructions from the coordination server (Netmaker). This is the “local VPN configurator” agent of Netmaker, and can be configured to forward traffic, acting as an Egress or Gateway, which is why we need it. All scenarios require at least one Netclient, but many basic scenarios require only one or two.

Node

Netclients added to the network appear as “nodes” (or Nodes) in the system. A node can live in multiple networks. For example, a netclient running on a server in your cloud could function as a Gateway for multiple networks while keeping traffic segmented and secure between them. Because of this, a node has two scopes: the global level and the network level. Global Node settings include things like the hostname and MTU, and take effect across networks. Network-Scoped settings include things like the virtual address on the network and gateway settings (like setting it as a Gateway). This allows a single device to act as a gateway in multiple networks while maintaining segmentation.

Network

In all scenarios, you will need at least one network. A Network in Netmaker is a VPN. It’s a logical, virtual subnet, that represents a system of connections between devices, acting as a group. Each member of that group gets an IP within the virtual network. In Netmaker, you can have many networks, to manage different scenarios and keep them segmented.

A Network can be IPv6, IPv4, or both (dual-stack). You will want multiple networks if you are setting up different network scenarios, providing access to different sites, or segmenting access between different groups of users or devices.

Egress

Many scenarios require accessing a subnet at a site, which can be done using an Egress Gateway. This is done by setting a Node as an Egress Gateway, and specifying which IPs and CIDRs will be accessed via the node. The node will then begin to automatically forward traffic into the local network. Alternatively a static config file can be used, for situations like routers. There are pros and cons to be considered with both approaches, collectively referred to as “local gateways,” however, for most standard use cases, we recommend using an Egress Gateway to access local sites.

Gateway

The Gateway is a powerful feature which can be applied to nodes in a network. All remote access scenarios, and many site-to-site scenarios, require a Gateway. The Gateway enables us to do several things:

  • Allows users to authenticate and access the network from their devices.

  • Allows access to and from any device that supports WireGuard using a static VPN config file.

  • Allows access to and from sites via routers configured with a WireGuard VPN config file.

At its core, the Gateway manages “VPN Config Files”, which are WireGuard-compatible config files that can be run on most devices. For users, these files are generated dynamically via the Remote Access Client, and for devices and routers, static files can be generated, customized, and applied to the devices.

The Gateway has several other powerful features, listed below.

Internet Gateway

The Internet Gateway is a configuration very similar to the Egress Gateway, with one key difference: it creates a full tunnel VPN. If you want your users to access the internet via a node on the network (for instance, routing internet traffic through the office), use the Internet Gateway feature.
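In a WireGuard-compatible config file, the difference between routing only specific CIDRs and a full tunnel is visible in the peer's `AllowedIPs` entries. The following added example (not part of the Netmaker documentation or code) reviews a static config before it is applied to a device, reporting whether it is a full tunnel and whether it routes anything beyond the CIDRs you intended. It assumes standard WireGuard config syntax; the sample configs, addresses, hostname and key placeholders are constructed.

```python
import ipaddress

# Constructed sample configs; keys, addresses and hostname are placeholders.
SPLIT_TUNNEL_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.20.0.5/32

[Peer]
PublicKey = <gateway-public-key-placeholder>
Endpoint = gateway.example.com:51820
AllowedIPs = 10.20.0.0/24, 192.168.50.0/24
"""
FULL_TUNNEL_CONF = SPLIT_TUNNEL_CONF.replace(
    "10.20.0.0/24, 192.168.50.0/24", "0.0.0.0/0, ::/0")

def allowed_networks(text):
    """Collect every AllowedIPs entry from all [Peer] sections."""
    nets, section = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, _, value = line.partition("=")
        if section == "peer" and key.strip().lower() == "allowedips":
            nets += [ipaddress.ip_network(c.strip(), strict=False)
                     for c in value.split(",") if c.strip()]
    return nets

def default_route_families(text):
    """IP versions (4, 6) for which the config routes all traffic."""
    nets, covered = allowed_networks(text), set()
    for version in (4, 6):
        merged = ipaddress.collapse_addresses(
            n for n in nets if n.version == version)
        # Catches 0.0.0.0/0 and the split form 0.0.0.0/1 + 128.0.0.0/1.
        if any(n.prefixlen == 0 for n in merged):
            covered.add(version)
    return covered

def review(text, expected_cidrs):
    """Report tunnel mode and any routes outside the intended CIDR list."""
    expected = {ipaddress.ip_network(c) for c in expected_cidrs}
    extra = set(allowed_networks(text)) - expected
    return {"mode": "full-tunnel" if default_route_families(text) else "split-tunnel",
            "unexpected": sorted(str(n) for n in extra)}
```

A non-empty `unexpected` list or an unplanned `full-tunnel` result means the file routes more traffic through the gateway than the CIDRs you configured.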

Relay Server

In some scenarios, you will want an intermediary server to route traffic between particular devices. For example, if there is a restrictive CGNAT on the office network, routing traffic through a Gateway will make the network more reliable. By assigning a node to a Gateway, the Gateway acts as a dedicated relay for routing traffic to and from that node.

Auto Relay

The Auto Relay feature of a Gateway acts similarly to Relay, but works automatically. When Auto Relay is enabled, devices will detect if traffic is not being sent, and if there is a disruption, route via the Gateway instead.

Additional Terminology

Outside of Netmaker, there are some standard components that come into play when configuring your network. It is important to have an understanding of these key components.

Public Linux Server

Most scenarios will require at least one Linux server which is public-facing. This means it is deployed in a cloud environment, or you have configured routing/firewall rules in a data center or office network so that the server has a reliable endpoint for the VPN at :. This server typically acts as Gateway, Egress, or Netmaker Server (for on-prem setups), or some combination of the four!

Router Configuration

If you want traffic to go through a router, you will have to configure the router. The specifics will depend on your scenario, but most likely, the router will need to be configured with WireGuard and a VPN Config File, which is attached to a Gateway. Alternatively, you may need to set up rules on the Router to route traffic through a local device that is running the netclient.

Routing Configuration

If you are configuring a network so that devices can route traffic through the VPN without needing the VPN client, then they will need routing rules that tell them where to send traffic. This must be done either on the router (as explained above) or, if that is not an option, by configuring all devices on the network with additional routing rules. For instance, you can add a routing rule to your VPC to send VPN-bound traffic via the device in the environment running the VPN client.

WireGuard

Any device integrated into the network must run WireGuard. Our installers install WireGuard automatically, but for non-native and router device integrations, the devices themselves must run WireGuard. Most devices support WireGuard, and you may need to learn how to configure WireGuard on specific target devices.
