# How to Secure IT Operations with Netmaker

This document explains how Netmaker enhances IT security through private, encrypted networking, covering traffic control, scalability, and zero-trust practices across cloud, on-prem, and hybrid environments.

It also describes how to securely reach resources across remote sites, supporting distributed teams, remote workers, and field operations, as well as on-site users who need infrastructure hosted elsewhere, such as production systems in other regions or countries.

The example below shows how users can connect to critical remote resources through an encrypted tunnel, without exposing those resources to the internet.

![](/files/07dd65e64d4bffbe0d88257b1de0be545c97a3c1)

As illustrated in the diagram, users initiate access through a Gateway within the Netmaker network. The Gateway then routes traffic to Egress Gateways—machines connected to both their respective remote site networks and the Netmaker network. In this scenario, the Egress Gateways operate behind NAT routers.

This tunnel-based connection provides end users with encrypted access to remote site resources, such as intranet or file servers, ensuring secure and seamless communication with the target network.

## Prerequisites

* Access to a running Netmaker server, either self-hosted or hosted in the cloud (SaaS).
* A Linux machine at the remote location.
* Access to the router at the remote location, or at least sufficient access to add a Port Forwarding rule.
* OAuth integrated on the Netmaker server, needed only for the SSO/OAuth onboarding method (refer here for more information: [Integrating OAuth](https://learn.netmaker.io/how-to-guides/identity-provider-integration-guide))

## General Steps

{% stepper %}
{% step %}

### Plan your network

Ensure the remote sites, the Netmaker network, and optionally the end-user network do not have overlapping address ranges. An overlap makes the client's routing table ambiguous: the directly connected or more specific route wins, so traffic meant for a remote site resource is delivered to a device on the local LAN instead.

Example address spaces used in this guide:

* Netmaker network: 100.100.0.0/16
* Remote Site: 192.168.254.0/24
* User network: 192.168.111.0/24

Network name used in this guide: "my-org-vpn".

For detailed instructions on creating a VPN network in Netmaker, see: [Create Networks](https://learn.netmaker.io/getting-started/walkthrough/how-to-create-networks).
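The overlap rule above is easy to get wrong once several sites are added. The following script is an added example (not part of Netmaker or this guide) that checks an address plan for overlapping ranges and validates egress ranges before they are entered in the Admin UI. The ranges are the ones used in this guide; the function names are this example's own.

```python
"""Sanity-check a Netmaker address plan before creating networks and egress routes.

Added example, not Netmaker project code. Uses only the standard library.
"""
import ipaddress
from itertools import combinations

# Address plan from the guide: label -> CIDR (constructed from the text above).
PLAN = {
    "netmaker-network": "100.100.0.0/16",
    "remote-site": "192.168.254.0/24",
    "user-network": "192.168.111.0/24",
}


def find_overlaps(plan):
    """Return sorted (label_a, label_b) pairs whose ranges overlap.

    ip_network.overlaps() covers both nested ranges (one inside the other)
    and partial overlaps. strict=True rejects CIDRs with host bits set,
    which is the usual typo (e.g. 192.168.254.1/24 instead of .0/24).
    """
    nets = {label: ipaddress.ip_network(cidr, strict=True) for label, cidr in plan.items()}
    clashes = []
    for (a, net_a), (b, net_b) in combinations(sorted(nets.items()), 2):
        if net_a.version == net_b.version and net_a.overlaps(net_b):
            clashes.append((a, b))
    return clashes


def check_egress_ranges(site_cidr, egress_ranges):
    """Validate the external routes planned for one Egress Gateway.

    Every range must lie inside that site's LAN: a range outside it would be
    advertised into the VPN but the gateway could not deliver the traffic.
    Returns a list of (range, problem) pairs; an empty list means all good.
    """
    site = ipaddress.ip_network(site_cidr, strict=True)
    problems = []
    for cidr in egress_ranges:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:  # e.g. "192.168.254.3/24" has host bits set
            problems.append((cidr, f"invalid: {exc}"))
            continue
        if not net.subnet_of(site):
            problems.append((cidr, f"not inside site range {site}"))
    return problems


if __name__ == "__main__":
    print("overlaps:", find_overlaps(PLAN) or "none")
    print("egress problems:", check_egress_ranges(
        PLAN["remote-site"], ["192.168.254.0/24", "192.168.254.3/32"]) or "none")
```

Run it again whenever a new site is planned; adding a `"branch": "192.168.0.0/16"` entry to `PLAN`, for instance, is reported as clashing with both existing 192.168.x.0/24 ranges.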
{% endstep %}

{% step %}

### Set up remote access with a Gateway

A Gateway (Remote Access Gateway, abbreviated RAGw below; also known as an Ingress Gateway) must be publicly reachable, because remote users' clients initiate the tunnel to it. The Netmaker server or Managed Endpoint (SaaS) can act as the RAGw, or you can add a separate machine.

Only UDP port 51821, the WireGuard listen port used by Netclient, needs to be exposed inbound. Netclient reaches the Netmaker server over outbound connections, so no other inbound port is required.

Ubuntu example (UFW). If you administer the machine over SSH, allow your SSH port before enabling UFW, otherwise the default-deny rule locks you out:

```bash
# drop unsolicited inbound traffic, allow all outbound (Netclient only needs outbound to reach the server)
sudo ufw default deny incoming
sudo ufw default allow outgoing

# the WireGuard listen port used by Netclient
sudo ufw allow 51821/udp

# if ufw is not yet enabled,
sudo ufw enable

# if ufw is already enabled,
sudo ufw reload
```

{% hint style="info" %}
UFW is a front end for the kernel firewall. On hosts without UFW, or where iptables is deprecated, write the equivalent rule directly with nftables: the policy is the same, drop inbound by default and accept UDP 51821.
{% endhint %}
{% endstep %}

{% step %}

### Set up Egress Gateways

Egress Gateways are Linux machines running Netclient on the remote site's network that expose internal routes into the Netmaker VPN.

To join machines to the Netmaker VPN: see [Add Non-User Devices](https://learn.netmaker.io/getting-started/about/how-it-works/0.-overview#add-non-user-devices). As with a Gateway, only UDP port 51821 needs to be reachable; when the Egress Gateway sits behind NAT, this is the port you forward on the site router in a later step.

Steps to create and configure an Egress Gateway in the Netmaker Admin UI:

{% stepper %}
{% step %}

### Create an Egress

* In the Netmaker VPN network, open the Egress tab.
* Click Create Egress.
* Select the machine from the host dropdown.
* Leave “NAT egress traffic” enabled and click Create Egress. With NAT enabled, packets leaving the Egress Gateway toward the remote LAN carry the gateway's own LAN address as source, so LAN hosts can reply without a route back to the Netmaker range being added on the site router.
{% endstep %}

{% step %}

### Add external routes

* Under the Egress Gateways table, click the newly created host.
* Click the “Add external route” button.
* In the Update Egress modal, click “Add range”.
* To expose an entire LAN, specify the network (e.g., 192.168.254.0/24). To expose only specific hosts, use host routes (for example 192.168.254.3/32); prefer host routes when only a few servers need to be reachable, since every range you add becomes reachable through the tunnel.
{% endstep %}
{% endstepper %}

<figure><img src="/files/Z4culLgjkm4QHH787K0C" alt=""><figcaption></figcaption></figure>

If the Egress Gateway is behind NAT, set a static listening port for that host. Without it, the NAT router may rewrite the UDP source port, peers end up using a port that does not match the forwarding rule, and traffic falls back to a relay. With a static port the host always listens on UDP 51821, which is the port the router rule below forwards:

{% stepper %}
{% step %}

* Login to the Netmaker server.
* Navigate to Hosts, find the Egress Gateway host, hover the kebab icon and click Edit Host.
* Enable the Static Port switch.
* Click Update Device.
{% endstep %}
{% endstepper %}

![](/files/hQR9RnFJRE1ACeCQBQzH)
{% endstep %}

{% step %}

### Add port forwarding rules on the remote site's router

Routers block unsolicited inbound traffic by default. Add a destination-NAT (port forwarding) rule that sends UDP 51821 arriving on the router's WAN address to the Egress Gateway's private IP, so that encrypted WireGuard traffic can reach the gateway inside the private network. Only this one UDP port is forwarded; the services on the LAN stay unexposed and are reached through the tunnel.

Example on a Mikrotik router (web UI):

* IP => Firewall => NAT => Add New
* In General, set Chain to “dstnat”, Protocol to “udp”, and Dst. Port to 51821.
* In Action, set Action to “dst-nat”, “To Addresses” to the Egress Gateway private IP, and “To Ports” to 51821.
* Apply and OK.

![](/files/b865081ab71c10d83793c85ee4c324242f079375) ![](/files/9ca85d2f1eaeacbfda39e2e7227cb3f4e581ef73) ![](/files/81130bfda960743e50383e1644a96e940c22b18d)

Please refer to your router’s documentation for specific instructions.
{% endstep %}

{% step %}

### Onboard users

Provide users with access via one of these methods:

* Give users credentials (Basic Auth) — Self-hosted only.
* Send invites (email) — requires SMTP to be configured on Self-hosted; already available on SaaS.
* Let users sign up themselves using OAuth/SSO — requires the OAuth integration from the prerequisites.

Refer to [User Management](https://learn.netmaker.io/features/user-management).

We demonstrate assigning the Service User role. Service Users log in with the Netmaker Desktop app; this is preferred to handing out WireGuard config files, because access is tied to the user's login and can be revoked by disabling the account.
{% endstep %}
{% endstepper %}

***

### Setup a Gateway

{% content-ref url="/pages/8023dcd81897c9bc7f43477add0ae990e6caf0ac" %}
[Gateways](/features/gateways.md)
{% endcontent-ref %}

### Setup Egress Gateways

{% content-ref url="/pages/JzR5OuRy0q2ubwhXsqhS" %}
[How to Add Egress](/getting-started/walkthrough/how-to-add-egress.md)
{% endcontent-ref %}

## Onboarding Users — Methods and UI Steps

### Giving users their login credentials (Basic Auth — Self-hosted)

{% stepper %}
{% step %}

### Create a basic account

* Login to the Netmaker Admin UI.
* Navigate to User Management.
* Click the "Create User" button.
* Input Username and Password, tick Service User.
* Select a group to assign the user.
* Click Create User.

<figure><img src="/files/OkaZO6EbKLyKI78QCw8T" alt=""><figcaption></figcaption></figure>
{% endstep %}
{% endstepper %}

Instruct users to download and run the [Netmaker Desktop](https://learn.netmaker.io/getting-started/server-and-client-management/client-installation/netmaker-desktop-installation) and log in using the provided username and password, or via SSO if OAuth/IdP is configured.

### Inviting Service Users (email invites)

This method uses email addresses as usernames. Users set their own password or use SSO. Invites are sent via email.

Note: SMTP configuration is required for Self-hosted Netmaker. SaaS Netmaker has SMTP configured.

#### Setting up SMTP (Self-hosted)

Configure an SMTP provider (for example, a Gmail app password via <https://myaccount.google.com/apppasswords>) and set it up in the admin UI Dashboard under **Settings → Email Configuration.**

<figure><img src="/files/QJG8VNIhKJdyVHOT8tbt" alt=""><figcaption></figcaption></figure>

#### Invite flow

{% stepper %}
{% step %}

* Login to the Netmaker Admin UI.
* Navigate to User Management.
* Click the "Create User" button.
* Specify email(s), tick Service User.
* Select a group to assign the user.
* Click Create User Invite(s), then Finish.

<figure><img src="/files/n7g99wmErqHpqXejaTw0" alt=""><figcaption></figcaption></figure>
{% endstep %}
{% endstepper %}

You can invite multiple emails separated by commas (no spaces needed). Ask users to check their email and use the invitation link.

#### End-user signup via invite link

Users follow the invite link and can sign up using SSO (Google, Microsoft, Okta, GitHub) or provide their own password. The chosen method is what they will use with Netmaker Desktop.

<figure><img src="/files/VvUM9TP60NX9zPyAIiC0" alt=""><figcaption></figcaption></figure>

### Letting users sign up by themselves (SSO/OAuth)

If OAuth is integrated on your Self-hosted Netmaker server, users can self-signup via Netmaker Desktop or web UI:

* Example server domain: my-netmaker.my-org.com
* Web UI: <https://dashboard.my-netmaker.my-org.com>
* Netmaker Desktop Server field: api.my-netmaker.my-org.com

Once users sign up via OAuth/SSO, admins must approve and grant access:

{% stepper %}
{% step %}

* Login as admin or superadmin.
* Navigate to User Management → Pending Users.
* Find the user and click Approve (confirm OK).
* Go to Users tab, find the user and click their email.
* Select Service User in Platform Access Level.
* Under Additional Roles Per Network, for “my-org-vpn” select the Remote Access Gateway host.
* Click Update User.

<figure><img src="/files/6FdsIu3kI4gVnjKEbbxi" alt=""><figcaption></figcaption></figure>
{% endstep %}
{% endstepper %}

After approval, the user can login using Netmaker Desktop and access the assigned Gateway.

## Using Netmaker Desktop to Access a Server in a Remote Site Network

Service Users use Netmaker Desktop. They must specify the server to connect to:

* Self-hosted: domain prefixed with api. (as given by the admin).
* SaaS: Tenant ID (GUID) from Tenants table.

<figure><img src="/files/jcLyfmkyo95JeO9aIJvI" alt=""><figcaption></figcaption></figure>

Example connection (demo server `dentest.clustercat.com`): authenticate with the invited user credentials or log in with OAuth/SSO as applicable. After logging in, the assigned Gateway appears — click Connect.

If the RAGw has multiple endpoints, the endpoint chooser (›) allows selecting IPv4 vs IPv6 endpoint.

A WireGuard tunnel interface is created on the client. Traffic is routed: client → Remote Access Gateway (100.100.0.2) → Egress Gateway (100.100.0.3) → target server (e.g., 192.168.254.4).

![](/files/nDiw45ODBxAMKKixRUQP)

Example: SSH to the remote server’s private IP over the tunnel works because the application traffic is encapsulated within the WireGuard tunnel and decapsulated on the Egress Gateway. Only UDP 51821 needs to be open on the RAGw and the Egress Gateway; no service in the remote LAN (SSH, file shares, intranet) needs to be exposed to the internet.
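When the remote server does not answer, the two questions to settle first are whether the client has a live handshake with the Gateway and whether the remote site range is actually inside the peer's AllowedIPs, since that is what makes the kernel send 192.168.254.0/24 into the tunnel. The script below is an added example (not Netmaker project code) that answers both by parsing the output of `wg show <iface> dump`. It assumes the client interface is named `netmaker` and that the egress ranges appear in the Gateway peer's AllowedIPs, which is how the client → RAGw → Egress Gateway path described above is realised; the sample dump, the `NOW` timestamp, and the key strings are constructed placeholders.

```python
"""Check the client-side tunnel path for a remote-site destination.

Added example, not part of Netmaker. Parses `wg show <iface> dump` output:
line 1 is the interface (private key, public key, listen port, fwmark);
each further line is a peer (public key, preshared key, endpoint, allowed
IPs, latest handshake as unix time with 0 = never, rx bytes, tx bytes,
persistent keepalive). Fields are tab-separated.
"""
import ipaddress
import subprocess

# Constructed sample: one peer, the Remote Access Gateway, whose AllowedIPs
# carry its own VPN address and the remote site range added as an egress route.
NOW = 1_700_000_000
SAMPLE_DUMP = (
    "PRIVKEY=\tCLIENTPUB=\t51821\toff\n"
    "RAGWPUB=\t(none)\t203.0.113.10:51821\t100.100.0.2/32,192.168.254.0/24\t"
    f"{NOW - 45}\t12345\t6789\t20\n"
)


def parse_dump(text):
    """Return (interface_info, [peer, ...]) from dump text."""
    lines = [line for line in text.splitlines() if line.strip()]
    iface_fields = lines[0].split("\t")
    iface = {"public_key": iface_fields[1], "listen_port": int(iface_fields[2])}
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        peers.append({
            "public_key": f[0],
            "endpoint": None if f[2] == "(none)" else f[2],
            "allowed_ips": [ipaddress.ip_network(c) for c in f[3].split(",") if c],
            "latest_handshake": int(f[4]),
            "rx": int(f[5]),
            "tx": int(f[6]),
        })
    return iface, peers


def peer_for_destination(peers, dst):
    """Longest-prefix match of dst against every peer's AllowedIPs, or None.

    WireGuard only sends a packet to a peer whose AllowedIPs contain the
    destination; anything else never enters the tunnel.
    """
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer in peers:
        for net in peer["allowed_ips"]:
            if addr in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def diagnose(dump_text, dst, now, max_age=180):
    """Return a list of problems for reaching dst; an empty list means the path looks healthy.

    max_age is a heuristic: an active tunnel re-handshakes about every two
    minutes, but an idle one does not, so send a ping to dst before checking.
    """
    _, peers = parse_dump(dump_text)
    peer = peer_for_destination(peers, dst)
    if peer is None:
        return [f"{dst} matches no peer's AllowedIPs; it will not enter the tunnel (missing egress range?)"]
    problems = []
    if peer["endpoint"] is None:
        problems.append(f"peer {peer['public_key']} has no endpoint; Gateway address unknown")
    if peer["latest_handshake"] == 0:
        problems.append(f"no handshake yet with {peer['public_key']}; check UDP 51821 reachability to the Gateway")
    elif now - peer["latest_handshake"] > max_age:
        problems.append(f"last handshake {now - peer['latest_handshake']}s ago; Gateway may be unreachable (NAT port change?)")
    return problems


def live_dump(iface="netmaker"):
    """Fetch the real dump for the Netmaker interface (requires root and the wg tool)."""
    return subprocess.run(["wg", "show", iface, "dump"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for dst in ("192.168.254.4", "192.168.111.7"):
        print(dst, "->", diagnose(SAMPLE_DUMP, dst, NOW) or "path looks healthy")
```

Replace `SAMPLE_DUMP` with `live_dump()` and `NOW` with `int(time.time())` to run it against a real client; 192.168.111.7, an address on the user's own LAN in this guide, is correctly reported as never entering the tunnel.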

![](/files/YQSWXOTQN3mgLQ9s5oyZ)

Hope you find this guide helpful and informational.

