Networking Scenarios, VPN Types, and Terminology
Introduction
The purpose of this chapter is to provide you with an overview of some common networking scenarios we see at Netmaker that you may be attempting to implement, and explain some terms as they relate to these scenarios, to provide context throughout the course of the guide.
By the end of this chapter, you should have a general understanding of the various scenarios, how they relate to Netmaker, and the terminology typically employed in these scenarios.
Types of VPNs
When an administrator is tasked with setting up a VPN, they likely have a particular goal, or set of goals. Here are some of the most common we see:
Provide a group of users with remote access to a site, such as an office, or to particular devices, such as a server (Remote Access).
Route all user or device network traffic, regardless of destination, through a specific endpoint (a Gateway), i.e. a Full Tunnel VPN.
Create secure links between particular devices, such as servers at the edge and VMs in the cloud (a Point-to-Point VPN or Overlay Network).
Create secure links between sites, such as an office and a cloud environment (Site-to-Site).
You may be attempting to accomplish one or more of these goals. For example, your employees may need remote access to the office, and the office may need a site-to-site connection with a data center. All can be accomplished with Netmaker, using multiple VPN networks configured in different ways, to create a mix of VPN topologies.
Devices and Sites
Before discussing these scenarios, let’s break it down into the base components: Devices and Sites.
What is a Device?
By a device, we mean an endpoint. Think of a particular device, server, or IP address. A device is one particular network resource. When we use words like device, host, node, endpoint, peer, or ip (singular), we are typically referring to a “device.” Devices are typically configured with a VPN client on the device itself, so that you have direct access to (or from) the resource over the VPN.
What is a Site?
A Site is typically a local or private network: a subnet or IP CIDR range. It could be an office LAN, a data center subnet, or a cloud VPC. Think of it as a collection of network resources contained within a subnet. You may need to provide access to or from these sites. When we mention an environment, subnet, local network, private network, CIDR, or VPC, we are typically referring to a “site.”
A site is not meant to refer to the whole internet, but conceptually, you can think of the internet as just a really big site, with special rules.
When setting up access to and from a site, it is usually easier to have one or more devices acting as Egress, which forward traffic from the VPN into the site. Those devices, usually servers or routers, are then the only devices inside the site that run a VPN client, and they route traffic for the entire site, which simplifies operations. The trade-off is that the other devices at the site are not VPN peers themselves: they are reached through the egress device, so access control and logging for them happen at the egress rather than per device.
An alternative approach would be a full overlay network, where every device at each site is configured with the VPN client.
Types of VPNs (Patterns with Devices and Sites)
Now let’s discuss the types of networks you can create with devices and sites.
Peer-to-Peer
In a point-to-point, or peer-to-peer VPN, we are connecting devices directly to one another. This is useful to minimize network hops, minimize the security perimeter, and allow finer-grained access controls between individual devices on the network. If you have a server in a data center that needs to connect directly to a VM in the cloud, this would be peer-to-peer. Another modern phrase for this is a mesh VPN or overlay network.
In Netmaker, this is the default configuration when you deploy VPN endpoints using the Netclient.
Hub-And-Spoke
In a Hub-And-Spoke VPN, we are connecting endpoints together via a Hub. The Hub is one of the devices in the network, which forwards traffic to and from the other devices. This can simplify setup and make connectivity more reliable, since each spoke only needs to reach the Hub's stable endpoint rather than every other spoke, though it comes at the cost of increased latency, because connections are not direct. Note that the Hub decrypts and re-encrypts every packet it forwards, so it sees that traffic in the clear and is a single point of failure for the spokes behind it; it should be hardened and trusted accordingly.
In Netmaker, if you use Static WireGuard Clients, they will always be connected using a Hub, which inside of Netmaker is called a Gateway. You can also assign particular Nodes (devices) to a Gateway, and traffic will flow through the gateway to and from the device, rather than peer-to-peer. In Netmaker, you can have a mix of peer-to-peer and hub-and-spoke configurations inside of a single network.
Point-to-Site
In a Point-to-Site VPN, we are connecting endpoints to a site by routing traffic through an endpoint (or endpoints) at that site. This is typically called Remote Access, and in Netmaker this uses the Egress function. In this scenario, the site itself is not a part of the VPN. As an example, if you are providing remote access to an office network from remote employee devices, this would be point-to-site. Traffic is routed into the office network via specific endpoints located inside of the office network, but the destination for traffic will be outside of the VPN.
Remote Access is the most common form of VPN we see at Netmaker, so we’ll go into more details on this topic below.
Note the similarities between a Point-to-Site and Hub-and-Spoke network, where a single point is relaying connections to and from the site.
Site-to-Site
With a Site-to-Site configuration, we are connecting two or more sites together, without installing the VPN client on all of the devices at either site. Instead, a set of devices (such as routers) will handle all of the traffic flowing between the sites.
A typical scenario would be two or more office branches which need to communicate securely. By installing a Netmaker client on routers at these sites, a secure tunnel is created over the internet, over which the office traffic can flow.
Site-to-Site VPNs can also be created in a Hub-and-Spoke configuration, which can again simplify operations. In Netmaker this is the configuration when you use static WireGuard clients on the routers.
Full Tunnel VPN (Internet Gateway)
A Full Tunnel VPN is essentially a Point-to-Site VPN where the “Site” is the entire internet. All of the traffic from assigned devices, regardless of destination, is routed through a particular endpoint in the VPN, and then forwarded out to the internet. This is how a standard consumer VPN functions, for example NordVPN. In a business setting, you might want to set this up in order to monitor or restrict internet access from employee devices, by routing traffic through an endpoint where firewall functionality is installed. Because that endpoint sees all of the devices' internet traffic, it must be sized for the load and protected like any other choke point.
In Netmaker, this is done via Internet Gateways, a special function of the Gateway (as opposed to Egress).
Combining Patterns
At Netmaker, we find that many users are looking to accomplish more than one of these patterns simultaneously. Consider Customer X, who wanted to:
Provide Remote Access to the Office from Remote Employee Workstations
Route Employee Internet Traffic through an Endpoint in the Office
Create a Site-to-Site Connection between their Office and their Cloud
The result was a mix of point-to-point, site-to-site, full tunnel, and hub-and-spoke patterns. Luckily, all of this can be done with Netmaker!
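On a WireGuard interface, every pattern above comes down to what each peer's AllowedIPs contains: a single /32 for a peer-to-peer neighbour, a site's CIDR for an Egress, and 0.0.0.0/0 for an Internet Gateway. The following Python model is an added example written for this guide, not Netmaker or WireGuard code; the peer names, placeholder keys and addresses (VPN range 10.10.0.0/24, office LAN 192.168.15.0/24) are constructed. It shows how one client interface that combines all three patterns picks the peer for outbound traffic by longest-prefix match, why the same prefix listed under two peers is a misconfiguration (WireGuard gives the prefix to the peer added last), and that AllowedIPs is also an inbound filter, so the full-tunnel gateway cannot inject packets that claim to come from the office LAN.

```python
"""WireGuard cryptokey routing on one client interface that mixes the
patterns above: a peer-to-peer neighbour, an office Egress (point-to-site)
and an Internet Gateway (full tunnel).

Added example for this guide, not Netmaker or WireGuard code.  Every peer
name, placeholder key and address below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Peer:
    name: str
    public_key: str      # placeholder string, not a real key
    allowed_ips: list    # the CIDRs this peer would have under AllowedIPs


# Constructed peer table for one laptop (the "point") on VPN range 10.10.0.0/24.
PEERS = [
    # Peer-to-peer: a server reached directly, so only its own VPN address.
    Peer("db-server", "KEY_DB", ["10.10.0.3/32"]),
    # Point-to-site: the office Egress node, plus the LAN it forwards into.
    Peer("office-egress", "KEY_EGRESS", ["10.10.0.2/32", "192.168.15.0/24"]),
    # Full tunnel: the Internet Gateway owns the default routes.
    Peer("internet-gw", "KEY_GW", ["10.10.0.1/32", "0.0.0.0/0", "::/0"]),
]

# Same table with a second Egress that also claims the office LAN: a
# misconfiguration, because a prefix can belong to only one peer.
BAD_PEERS = PEERS + [
    Peer("branch-egress", "KEY_BRANCH", ["10.10.0.4/32", "192.168.15.0/24"]),
]


def build_table(peers):
    """Map each prefix to the peer that owns it.  WireGuard keeps one owner
    per prefix: adding a prefix to a later peer removes it from the earlier
    one, which is what overwriting the dict entry mimics here."""
    table = {}
    for peer in peers:
        for cidr in peer.allowed_ips:
            table[ipaddress.ip_network(cidr, strict=False)] = peer.name
    return table


def resolve(table, dst):
    """Longest-prefix match: the peer that outbound traffic to dst is sent to,
    or None when no AllowedIPs entry covers it (WireGuard drops such packets)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, name in table.items():
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, name)
    return best[1] if best else None


def accept_inbound(table, from_peer, src):
    """AllowedIPs is also an inbound filter: a decrypted packet from from_peer
    is accepted only if its source address resolves back to that same peer.
    This is why a full-tunnel gateway cannot inject packets that claim to
    come from the office LAN owned by the Egress peer."""
    return resolve(table, src) == from_peer


def find_duplicate_prefixes(peers):
    """Return {prefix: [peer names]} for prefixes listed under several peers."""
    owners = {}
    for peer in peers:
        for cidr in peer.allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)
            owners.setdefault(net, []).append(peer.name)
    return {str(net): names for net, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    table = build_table(PEERS)
    for dst in ("10.10.0.3", "192.168.15.35", "8.8.8.8", "2001:db8::1"):
        print(f"{dst:>16} -> {resolve(table, dst)}")
    print("duplicates in BAD_PEERS:", find_duplicate_prefixes(BAD_PEERS))
```

The same longest-prefix rule is what lets a full-tunnel gateway (0.0.0.0/0) coexist with a more specific Egress entry on one interface: the office LAN still goes to the Egress peer. What does not work is two peers announcing the identical prefix, which is the case find_duplicate_prefixes() flags.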
Remote Access
Lastly, let’s discuss Remote Access in more detail. It is usually a Point-to-Site VPN, where employee devices are the points and some environment (an office, a cloud, an edge location) is the site.
Remote Access is the process of providing users with access to a site, and typically consists of a few components:
Source
The source is the endpoint, device, or user making the request. These devices could be anywhere, and must run some form of VPN Client in order to access the network securely to make requests.
Examples of source devices may include:
A laptop
A phone
A server
An IoT device
In the context of Netmaker, we recommend Netmaker Desktop for user access, which requires users to authenticate with their credentials before they can make requests. Optionally, an administrator could use manually configured WireGuard VPN clients for devices like IoT devices and routers. Lastly, they could use the Netclient, though this is typically meant for servers which act as destinations or traffic forwarders (Egress, Gateway) in your network.
Gateway
A Gateway is used by the source machines to access the network. It acts as a stable, reachable entry point for traffic: it only accepts packets from peers it has authenticated, and forwards into the network only what those peers are permitted to reach.
If the source runs the Netclient, no Gateway (Hub) is needed, since its connections are peer-to-peer.
Destination
This is the site being accessed from the source devices. More specifically, this will be IP addresses at the site, typically a CIDR range or ranges (subnets), or specific endpoints (IP addresses). Example destinations may include:
A cloud VPC
An office network
A kubernetes cluster
A data center
A database
Additionally, there may be some private DNS configured at the site which you may want source devices to use, for example, so they can simply navigate to printer.mycompany.internal in their browser, rather than having to know the actual endpoint, which may be something like 192.168.15.35.
Egress
This is a device located inside the Destination Environment, which routes traffic to the local network.
In Netmaker, this is most commonly configured using Egress, but depending on the scenario, may be done in some different ways:
Egress - Routes are added to a Linux-based Netclient in the destination environment, which automatically begins to forward VPN traffic to the selected routes, creating a split tunnel VPN for end users and devices: only traffic for those routes enters the tunnel, everything else leaves the device as usual.
Internet Gateway - By simply switching on "Internet Gateway" in your Gateway settings, a full tunnel VPN is created, forwarding all traffic from the assigned devices through the specified device.
WireGuard Config File Egress - If access must be configured on a device which cannot run the Netclient, such as a router, you can generate a config file and specify the Egress ranges directly in the configuration. Load the file on the destination device with any WireGuard-compatible client, confirm that IP forwarding (and NAT, if the site's hosts have no route back to the VPN range) is enabled on that device, and it will work the same as a regular Egress.
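For that last case, a static WireGuard config file on a router, the pieces that have to line up are the egress host's own [Interface] (forwarding and, usually, NAT turned on when the tunnel comes up) and the [Peer] stanza every other node carries for it (its VPN address plus the ranges it forwards). The following Python is an added example for this guide, not Netmaker's config generator or a file it produces. It assumes a Linux egress host using wg-quick and iptables; the keys, addresses, the LAN interface name eth0 and the ranges are placeholders, and validate_egress_ranges() reflects checks I would apply before publishing egress ranges, not rules Netmaker enforces.

```python
"""wg-quick configuration for a static WireGuard Egress device (for example a
router that cannot run the Netclient) and the [Peer] stanza other nodes
carry for it.

Added example for this guide, not Netmaker's config generator.  It assumes a
Linux egress host using wg-quick and iptables; the keys, addresses, the LAN
interface name eth0 and the ranges are placeholders, and validate_egress_ranges
reflects checks I would apply, not rules Netmaker enforces.
"""
import ipaddress


def _nets(cidrs):
    """Normalise CIDRs (host bits cleared): 192.168.15.1/24 -> 192.168.15.0/24."""
    return [str(ipaddress.ip_network(c, strict=False)) for c in cidrs]


def egress_interface_conf(private_key, vpn_address, listen_port, egress_ranges,
                          lan_iface="eth0", nat=True):
    """[Interface] for the egress host.  Without ip_forward=1 the routes other
    peers carry for egress_ranges lead nowhere.  The FORWARD rules only let
    tunnel traffic out to the declared ranges (least privilege) and let replies
    back; MASQUERADE is needed when LAN hosts have no route to the VPN range.
    %i is expanded by wg-quick to the tunnel interface name."""
    ranges = _nets(egress_ranges)
    up = ["sysctl -w net.ipv4.ip_forward=1"]
    up += [f"iptables -A FORWARD -i %i -d {r} -j ACCEPT" for r in ranges]
    up += ["iptables -A FORWARD -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
           "iptables -A FORWARD -i %i -j DROP"]
    down = [f"iptables -D FORWARD -i %i -d {r} -j ACCEPT" for r in ranges]
    down += ["iptables -D FORWARD -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
             "iptables -D FORWARD -i %i -j DROP"]
    if nat:
        up.append(f"iptables -t nat -A POSTROUTING -o {lan_iface} -j MASQUERADE")
        down.append(f"iptables -t nat -D POSTROUTING -o {lan_iface} -j MASQUERADE")
    lines = ["[Interface]",
             f"PrivateKey = {private_key}",
             f"Address = {vpn_address}",
             f"ListenPort = {listen_port}"]
    lines += [f"PostUp = {cmd}" for cmd in up]
    lines += [f"PostDown = {cmd}" for cmd in down]
    return "\n".join(lines) + "\n"


def egress_peer_stanza(public_key, endpoint, vpn_address, egress_ranges, keepalive=25):
    """[Peer] every other node carries for the egress host: its VPN address as
    a host route plus the ranges it forwards.  Listing a site's CIDR here is
    what makes the link point-to-site; 0.0.0.0/0 would make it a full tunnel."""
    host = ipaddress.ip_interface(vpn_address).ip
    allowed = [f"{host}/{host.max_prefixlen}"] + _nets(egress_ranges)
    lines = ["[Peer]",
             f"PublicKey = {public_key}",
             f"Endpoint = {endpoint}",
             f"AllowedIPs = {', '.join(allowed)}",
             f"PersistentKeepalive = {keepalive}"]
    return "\n".join(lines) + "\n"


def forwarding_enabled(sysctl_output):
    """Interpret the output of `sysctl -n net.ipv4.ip_forward` (or the content
    of /proc/sys/net/ipv4/ip_forward) captured on the egress host."""
    return sysctl_output.strip() == "1"


def validate_egress_ranges(egress_ranges, vpn_range):
    """Checks I apply before publishing egress ranges: a default route belongs
    to an Internet Gateway, not an Egress, and a range overlapping the VPN's
    own address range would catch traffic meant for the VPN itself (anything
    not covered by a more specific peer entry)."""
    vpn = ipaddress.ip_network(vpn_range)
    problems = []
    for c in egress_ranges:
        net = ipaddress.ip_network(c, strict=False)
        if net.prefixlen == 0:
            problems.append(f"{c} is a default route: use an Internet Gateway for a full tunnel, not Egress")
        elif net.version == vpn.version and net.overlaps(vpn):
            problems.append(f"{c} overlaps the VPN range {vpn_range}")
    return problems


if __name__ == "__main__":
    print(egress_interface_conf("PRIVATE_KEY_PLACEHOLDER", "10.10.0.2/24", 51820, ["192.168.15.0/24"]))
    print(egress_peer_stanza("PUBLIC_KEY_PLACEHOLDER", "router.example.com:51820",
                             "10.10.0.2/24", ["192.168.15.0/24"]))
    print(validate_egress_ranges(["0.0.0.0/0", "10.10.0.0/16"], "10.10.0.0/24"))
```

The [Interface] section goes on the router and wg-quick runs the PostUp commands when the tunnel comes up; the [Peer] stanza goes into every client that should reach the site. A quick check from the egress host afterwards is `sysctl -n net.ipv4.ip_forward`, whose output forwarding_enabled() interprets; if it prints 0, the peers will see their packets enter the tunnel and vanish.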
Next Steps
Before you continue, we recommend reviewing our Glossary, which contains helpful terminology we will use throughout the course of the guide. After that, we'll proceed to Netmaker Server Deployment.