Netmaker: Automated Wireguard VPN You Can Self-host

With the hybrid workforce and hybrid networks spread across on-premises and cloud environments, network connectivity between devices and server resources is important no matter where these are located. A traditional VPN server and VPN connection between clients and resources is challenging to manage and maintain. Enter Netmaker, a tool designed for creating and managing virtual overlay networks using Wireguard for unified communications.

What is Netmaker?

Netmaker is a tool designed for creating and managing virtual overlay networks. If you need to connect at least two client device machines with Internet access through a secure tunnel or manage thousands of servers distributed across multiple locations, data centers, Internet Service Providers (ISPs) or cloud environments, Netmaker is designed to meet that requirement. Its core function is to connect machines securely, regardless of their geographical locations.

Netmaker wireguard vpn connects devices from anywhere
Netmaker wireguard vpn connects devices from anywhere

Netmaker communications using WireGuard Protocol

At the heart of Netmaker is the WireGuard VPN protocol. Wireguard is a recent addition to the Linux kernel and has gained traction as a secure protocol, outpacing other VPN protocols like OpenVPN and IPSec.

Wireguard is known for being simple and having high performance, making it the preferred choice for many businesses and individuals to run the Wireguard client for VPN connectivity instead of other solutions. With near-over-the-line network speeds, WireGuard ensures that users running Wireguard clients experience minimal latency.

Most modern security and connectivity appliances support Wireguard and can spin up a Wireguard interface for VPN connectivity. It also boasts fewer lines of code than other VPN protocols, helping to minimize the attack surface.

Netmaker and Mesh networks

Netmaker uses a mesh network, specifically a “full mesh.” In a mesh setup, each node can connect and communicate with all the other connected nodes. You can compare this with a hub-and-spoke model, where traffic must pass through a central server. With Netmaker, you can create full and partial mesh networks, allowing you to have interesting ways to connect devices.

Netmaker utilizes these machines to establish a flat network, ensuring they can communicate with each other easily and securely. For those familiar with AWS, it’s akin to a VPC but composed of arbitrary computers. This setup ensures that from a machine’s perspective, all other machines appear to be nearby, no matter where they are located.

Beyond just creating a flat network, Netmaker introduces elements like Ingress and Egress. These gateways manage the flow of traffic entering and leaving the network. Additionally, Netmaker incorporates Access Control Lists (ACLs), providing precise control over machine interactions within the network. This design allows for creating networks beyond a basic mesh’s simplicity.

Netmaker’s Unique Architecture

While there are other solutions like Tailscale, ZeroTier, Nebula, and other VPN providers, Netmaker certainly has a place among them for its flexibility, interface, and features. As mentioned, Netmaker uses Wireguard as a VPN provider for fast performance.

Its server and agents are also fully configurable, allowing for a wide range of use cases. For those concerned about data privacy, the option to self-host Netmaker ensures complete control over network traffic.

Netmaker ingress egress and relay components
Netmaker ingress egress and relay components

Practical Use Cases

You can automate the creation of large WireGuard-based networks to manage a secure mesh of IoT devices. Businesses can benefit from its ability to create secure networks between multiple environments, be it VPCs, clouds, or data centers. Even for individual users, Netmaker offers secure access to home or office networks.

Diving Deeper: Netmaker components

At its core, Netmaker operates by managing WireGuard across machines to establish sensible networks. The system comprises two main components:

  • Database: Netmaker uses SQLite by default but is also compatible with PostgreSQL and rqlite. This database holds crucial information about nodes, networks, and users.

  • Netmaker UI: A user-friendly interface built on ReactJS, the Netmaker UI simplifies network management tasks.

  • Message Broker (Mosquitto): This facilitates the pub-sub messaging system, ensuring seamless communication between the server and nodes.

  • Netclient: A crucial component, the netclient ensures each node’s smooth integration into the network.

The brilliance of Netmaker lies in its dynamic nature. Even if the main server faces issues, the network remains functional as long as the existing machines remain stable.

Netmaker server configuration

There are a couple of ways to sign up with Netmaker. You can either choose the route of the SaaS configuration, which they have a free version of, or you can self-host it. Let’s first look at the hosted SaaS version. You sign up with your email address and choose a password.

Sign into netmaker saas dashboard
Sign into netmaker saas dashboard

You will receive a verification email. Once you do, just click the link in the email to verify your account. Then you will be taken to your Netmaker dashboard.

Netmaker saas dashboard
Netmaker saas dashboard

Adding hosts to your Netmaker network

Adding hosts is fairly simple and the dashboard walks you through the process.

Beginning the process to add a host to netmaker
Beginning the process to add a host to netmaker

When you click Add a host, you will be prompted to download the client for the platform you choose.

Download the netclient from netmaker
Download the netclient from netmaker

The enrollment key is displayed for adding the host. Copy this key and click Finish.

Copy the enrollment key
Copy the enrollment key

Now, with the host staging process complete, we can complete the steps to install the Netclient software on the client hosts.

Installing and configuring the NetClient application

In Windows the Netclient application when ran just pops up several UAC prompts for various component installs after registering the service. After you install it, you can search for the Netclient application in the start menu.

Launching the netclient software
Launching the netclient software

Enter the token you copied and click Connect.

Connect with the enrollment token
Connect with the enrollment token

Your network should be displayed for you to choose or you can Add New and add a new network to Netmaker.

Connecting to a network or adding a new network in netmaker
Connecting to a network or adding a new network in netmaker

The host should connect to the network.

Connected to the network in netmaker
Connected to the network in netmaker

Below, we are adding a Linux host client. With Linux, it will display a wget command to pull down the installer and install the Netclient software. Copy this command and run it on your Linux host.

Onboarding a linux host
Onboarding a linux host

Clients connected

After installing the netclient software, I was able to get a couple of machines connected and working.

Hosts are connected in the netmaker dashboard
Hosts are connected in the netmaker dashboard

Self-hosted installation

In addition to the SaaS-hosted solution, as mentioned, you can choose the self-hosted installation as well. In my lab, I built up an Ubuntu 22.04 LTS Server for the base of the installation.

Run the following to run the installer:

sudo wget -qO /root/ && sudo chmod +x /root/ && sudo /root/

The installer runs and will begin prompting you for configuration.

Running the netmaker self hosted install script in ubuntu server
Running the netmaker self hosted install script in ubuntu server

You will be prompted whether you are installing the Community or Enterprise editions.

Choosing to install the community version of netmaker
Choosing to install the community version of netmaker

The netmaker self-hosted installation depends on you creating DNS records for:

  • api.netmaker.<your domain>.com

  • dashboard.netmaker.<your domain>.com

  • broker.netmaker.<your domain>.com

  • turnapi.netmaker.<your domain>.com

Choosing your domain and dns configuration
Choosing your domain and dns configuration

Frequently Asked Questions

How does it compare to other VPN protocols?

Netmaker primarily leverages the WireGuard VPN protocol, which is known for its simplicity and speed. Unlike other VPN protocols such as OpenVPN and IPSec, WireGuard offers near-over-the-line network speeds, ensuring minimal latency. This makes it a preferred choice for many who prioritize performance without compromising security.

Can I self-host?

Yes, this is one of the great capabilities of the Netmaker solution. As we have shown above, you can use their cloud dashboard, but you can also self-host this using your own Linux server. You will need access to control your own domain names and DNS records for full control over your hostnames and data.

What are Netmaker Ingress and Egress?

The Netmaker ingress and egress concepts are essentially gateways that manage data flow in and out of the network. They enable you to direct traffic so you can route traffic as you need in your environment.

How does it ensure online privacy?

Netmaker is built on top of the WireGuard protocol, which ensures encrypted tunnels between devices, and safeguarding data from potential eavesdroppers. Also, the option to self-host Netmaker allows users full control over their network traffic, further enhancing online privacy.

Is it suitable for multiple server configurations?

Absolutely. Netmaker is designed to cater to diverse server configurations, whether you’re connecting two machines or managing thousands of servers across various locations. Its flexibility and adaptability make it a viable network solution for businesses of all sizes.

Wrapping up

Netmaker is a great solution for a very easy-to-manage and configure Wireguard-based VPN solution. While there are many VPN network solutions, Wireguard has become the defacto standard for security and performance in VPN solutions. Netmaker gives you the option to use their cloud-hosted dashboard or you can also self-host the solution. This enables you to have full control over your data and network connectivity details.

Subscribe to VirtualizationHowto via Email 🔔

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.

Related Articles


  1. “Netmaker: Automated Wireguard VPN You Can Self-host”

    This is nit-picking.. But please explain how any of this is “automated”? You have to configure the server, and you have to install each individual host.

    1. Kel,

      Thanks so much for your comment! There is definitely some manual steps involved. I think one of the great things that I see about netmaker is once you have your connections established, many of the operations are just point and click operations such as deciding which hosts each client can connect to. Also, there are other advanced topics with Netmaker such as automating ACLs with JSON inputs:


  2. Brandon, kinda of a newbie homelabber here. Can you quickly explain how the self-hosted Netmaker scenario would integrate with an OPNsense firewall currently running unBound?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.