Site-to-Site and Routers
Overview
In this section we will give an overview of how to integrate routers into your Netmaker network, in order to create site-to-site connectivity. We will discuss two methods using Netmaker:
Using Static Clients and applying them to Routers
Using the Netclient, Egress, and additional routes in the local network
The first approach creates a hub-and-spoke site-to-site network, where traffic passes through a “hub” before reaching other sites. The second approach gives direct site-to-site connectivity, creating a peer-to-peer network of routers.
Using Static Clients On the Router
Following the previous sections, you should have a Remote Access Gateway and be familiar with how to set DNS, as well as how to add Additional Addresses to a client config.
For our example we will assume you have two sites, Site A and Site B, which need to be connected.
Create Static Client Configs
Press the “Create Config” button and use the value “SiteA” in the “Client ID” field to uniquely identify the static client configuration for SiteA.
Add the network address with subnet for the SiteA local network in the “Additional Addresses” field so that other peers (SiteB) will be able to reach those network addresses and access relevant resources.
Set a DNS server address which is hosted inside the SiteA network for internal hostname resolution.

Apply Configs to Routers
Apply the generated configuration files to the routers at each site.
Below are example steps for MikroTik RouterOS. Steps differ by router vendor, but generally you will need to:
Install the WireGuard plugin.
Create a WireGuard interface using the config file.
Add routes so the local site can access the other site.
Note: In many router WireGuard plugins you will need to manually enter the information from your configuration file rather than uploading it directly.
Adding the WireGuard Interface (MikroTik example)
Add Routes on the Router
You need to add routes to advertise the newly available networks to devices on the local network.
Go to IP -> Routes.
Click “Add New”.
Type the name of the new WireGuard interface (include a % prefix).
Enter the allowed IP address range in the “Dst. Address” field.
Press “Apply” and then “OK” to save the route.
For multiple allowed IP address ranges, create multiple routes following the same procedure.
Follow these same steps on the Site B router, and the two sites should be able to begin communicating over the VPN.
Direct Site-to-Site with Netclient
The static-client router procedure above is straightforward and works directly with routers. However, it creates a hub-and-spoke network, and managing static WireGuard files can be problematic when updating or adding sites.
An alternative is using Netclient (peer-to-peer mesh). Below are the main considerations and steps.
Ensure Non-Overlapping Networks
Local networks at different sites must not overlap. For example:
Two sites both using 192.168.1.0/24 will not work.
One site using 192.168.1.0/24 and another using 192.168.0.0/16 will cause issues, because 192.168.0.0/16 contains 192.168.1.0/24.
Use distinct ranges like 192.168.1.0/24 for SiteA and 192.168.2.0/24 for SiteB.
Install Netclient at Sites
Install Netclient on one Linux machine at each site. Recommended options: dedicated Linux server, VM, or Docker container. These machines should typically be behind a router on the LAN or in the DMZ. In a VPC without gateways/routers, choose a machine with direct internet access.
Follow the Netclient installation docs: https://docs.netmaker.io/docs/netclient#installation
Set Up Egress Gateways
Designate the machines with Netclient as Egress Gateways using the Netmaker web UI.
Click “Add external route” to expose the whole or part of the site’s private network by specifying the network ranges in the “external ranges” field.
Then press “Update Egress” to save the external routes.
At this point you have dedicated egress gateways capable of forwarding traffic to/from the network over the VPN. However, local devices still need to know how to reach the Egress Gateway — choose one of the three methods below:
For No Router or No Gateway Environments (like VPCs)
For NAT Router Environments using the Virtual Router Method
For NAT Router Environments using the Static Routing Method
For No Router or No Gateway Environments (Like VPCs)
Some VPCs do not expose a centralized gateway/router for managing routes. Capabilities vary by cloud provider.
How to implement
Enable "NAT for egress traffic" on the Egress Gateway to allow incoming traffic from other sites.
If your VPC allows it, add static routes for:
every remote site,
the Netmaker network,
all other egress ranges and external client address ranges.
Route all this traffic through the local network address of the Egress Gateway. Maintain these routes—changes to VPN settings require manual updates to these routes.
If the VPC does not allow VPC-level routes, add identical static routes to each machine in your VPC that needs connectivity to the other sites.
For NAT Router Environments Using the Virtual Router Method
In this method, machines that need to access other sites use the Egress Gateway as their default gateway. The Egress Gateway forwards Internet traffic to the router and VPN traffic to the Netmaker tunnel.
Key traffic flows:
Site-to-site: Site1EgressRange1 → Site1EgressGateway → tunnel → Site2EgressGateway → Site2EgressRange2
Internet from egress range: EgressRange → EgressGateway → Router → Internet
Devices not in VPN use Router → Internet
How to implement:
Ensure the default gateway on each client machine is set to the Egress Gateway.
Disable "NAT for egress traffic" on the Egress Gateway.
Advantages:
Easy to implement.
No need to add/maintain static routes.
Fewer hops; source IPs preserved.
Tunnel traffic is faster than the Static Route method.
Disadvantages and workarounds:
DHCP setup may be tricky since resources can point to two potential gateways; use VLANs to separate resources.
Egress Gateway may get overloaded—use link aggregation to increase bandwidth.
Manually set network settings if router/switch doesn’t support VLAN or external DHCP.
For NAT Router Environments Using the Static Routing Method
This method adds and maintains static routes on the site router. Client devices keep the router as their default gateway; the router forwards VPN-bound traffic to the Egress Gateway.
Key traffic flows:
Incoming VPN traffic: Site1-EgressGateway → Client
Outgoing VPN traffic: Client → Router → Site1-EgressGateway → tunnel → remote site
In physical terms: Site2Client → Site2Router → Site2-EgressGateway → tunnel → Site1Router → Site1-EgressGateway → Site1Client
How to implement:
Enable "NAT for egress traffic" on the Egress Gateway to allow incoming traffic from other sites.
On each site’s router, add static routes for:
every remote site,
the Netmaker network,
all other egress ranges and external client address ranges.
Route this traffic through the local network address of the Egress Gateway. Maintain these routes as VPN settings change.
Note: If you use management software for local devices, you can push these routes to each machine via the Egress Gateway.
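An added example (not part of the Netmaker documentation): a Python check that the site ranges do not overlap, followed by the static routes each site needs via its Egress Gateway, as listed for the VPC and Static Routing methods. The Netmaker network range, LAN ranges and gateway addresses are constructed sample values, and checking the Netmaker range for overlap as well goes beyond the rule stated on this page.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory: names, ranges and gateway addresses are assumptions.
NETMAKER_NET = "10.20.30.0/24"
SITES = {
    "SiteA": {"lan": "192.168.1.0/24", "egress_gw": "192.168.1.10"},
    "SiteB": {"lan": "192.168.2.0/24", "egress_gw": "192.168.2.10"},
}

def find_overlaps(ranges):
    """Return (name, name) pairs whose CIDR ranges overlap, containment included."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in ranges.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]

def route_plan(sites, netmaker_net, extra_ranges=()):
    """Per site: (destination, next hop) pairs routed via the local Egress Gateway."""
    ranges = {name: s["lan"] for name, s in sites.items()}
    ranges["netmaker"] = netmaker_net
    # Other egress ranges and external client address ranges, if any.
    ranges.update({f"extra{i}": r for i, r in enumerate(extra_ranges)})
    clashes = find_overlaps(ranges)
    if clashes:
        raise ValueError(f"overlapping ranges: {clashes}")
    plan = {}
    for name, site in sites.items():
        gw = ipaddress.ip_address(site["egress_gw"])
        if gw not in ipaddress.ip_network(site["lan"]):
            raise ValueError(f"{name}: egress gateway {gw} is outside {site['lan']}")
        # Every range except the site's own LAN goes through its Egress Gateway.
        dests = [cidr for other, cidr in ranges.items() if other != name]
        plan[name] = [(d, str(gw)) for d in sorted(dests, key=ipaddress.ip_network)]
    return plan

def as_linux_commands(plan, site):
    """Render one site's plan as iproute2 commands for per-machine routes on Linux."""
    return [f"ip route add {dest} via {gw}" for dest, gw in plan[site]]

if __name__ == "__main__":
    for line in as_linux_commands(route_plan(SITES, NETMAKER_NET), "SiteA"):
        print(line)
```

Rerun the plan whenever a site, egress range or external client range changes, since these routes are maintained by hand.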
Advantages:
Seamless integration.
All internet traffic goes through the router.
No extra DHCP configuration needed.
Disadvantages and workarounds:
Need to constantly add/maintain static routes—use management software to push routes via the Egress Gateway.
Additional network hop per site.
Source IPs aren’t preserved.
Slower than the Virtual Router method.
ISP Failover
For multiple ISP links, let the router, firewall appliance, or manageable switch handle internet load balancing and failover. Refer to your device manual for configuration. Expect momentary connection breakage during failover; Netmaker should handle the public IP change the same way it handles dynamic public IPs.
Next Steps
By this point, your networking infrastructure should be configured. You can now set up access for your users.