Introduction
Netmaker simplifies building WireGuard mesh networks by automating peer configuration, key exchange, and network topology management. It provides a web dashboard and API so you can manage your private network without editing WireGuard config files by hand.
What Netmaker Does
- Creates full-mesh or hub-and-spoke WireGuard networks across any infrastructure
- Manages peer configuration, key rotation, and endpoint discovery automatically
- Provides a web dashboard for visualizing network topology and managing nodes
- Supports access control lists to restrict which nodes can communicate
- Handles NAT traversal so nodes behind firewalls can still connect
Architecture Overview
Netmaker consists of a server component and lightweight client agents (netclient) installed on each node. The server stores network state in a database and publishes configuration updates via an MQTT broker. Clients receive updates, apply WireGuard configurations, and report status back to the server.
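The following added example (not Netmaker's code or API) illustrates the kind of per-node WireGuard peer configuration that this automation replaces: it renders the `[Peer]` sections each node needs for a mesh or hub-and-spoke layout, with an ACL deny list removing pairs. Node names, addresses, key placeholders, and the function names are constructed for illustration.

```python
from itertools import combinations

# Constructed sample inventory: placeholder keys, documentation-range endpoints.
NODES = {
    "web": {"pub": "PUBKEY_WEB_PLACEHOLDER", "addr": "10.20.0.1", "endpoint": "198.51.100.10:51820"},
    "db": {"pub": "PUBKEY_DB_PLACEHOLDER", "addr": "10.20.0.2", "endpoint": "198.51.100.11:51820"},
    "ci": {"pub": "PUBKEY_CI_PLACEHOLDER", "addr": "10.20.0.3", "endpoint": None},  # behind NAT
}


def allowed_pairs(nodes, topology="mesh", hub=None, deny=()):
    """Return the unordered node pairs that may peer (hypothetical helper)."""
    if topology == "mesh":
        pairs = {frozenset(p) for p in combinations(nodes, 2)}
    elif topology == "hub":
        if hub not in nodes:
            raise ValueError("hub must be one of the nodes")
        pairs = {frozenset((hub, n)) for n in nodes if n != hub}
    else:
        raise ValueError(f"unknown topology: {topology}")
    # An ACL deny removes the pair entirely: with no [Peer] entry there is no
    # key or AllowedIPs match, so WireGuard drops that traffic on both sides.
    return pairs - {frozenset(d) for d in deny}


def peer_sections(name, nodes, pairs):
    """Render the [Peer] blocks for one node's WireGuard config."""
    blocks = []
    for other in sorted(nodes):
        if other == name or frozenset((name, other)) not in pairs:
            continue
        peer = nodes[other]
        lines = ["[Peer]", f"# {other}", f"PublicKey = {peer['pub']}",
                 f"AllowedIPs = {peer['addr']}/32"]  # /32: only that peer's own address
        if peer["endpoint"]:
            lines.append(f"Endpoint = {peer['endpoint']}")
        if nodes[name]["endpoint"] is None:
            # A node with no reachable endpoint keeps its NAT mapping open.
            lines.append("PersistentKeepalive = 25")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks)


if __name__ == "__main__":
    pairs = allowed_pairs(NODES, deny=[("ci", "db")])
    for node in NODES:
        print(f"--- {node} ---\n{peer_sections(node, NODES, pairs)}\n")
```

With `/32` AllowedIPs, the hub topology lets spokes reach only the hub; every added or removed node changes the config on each of its peers, which is the bookkeeping a control plane takes over.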
Self-Hosting & Configuration
- Install with the quick-start script or deploy via Docker Compose
- Configure the server domain, ports, and MQTT broker in the environment file
- Install the netclient agent on each machine you want to join the network
- Set up DNS entries for the server dashboard and API endpoints
- Define network address ranges and access control rules through the web UI
Key Features
- Automated WireGuard peer management with zero manual config editing
- Web dashboard with real-time network topology visualization
- Egress and ingress gateway support for routing external traffic
- DNS management for resolving node names within the mesh network
- Multi-network support for segmenting different environments
Comparison with Similar Tools
- Tailscale — managed service using WireGuard; Netmaker is fully self-hosted with no vendor dependency
- Headscale — self-hosted Tailscale control server; Netmaker has its own architecture and web UI
- WireGuard (raw) — requires manual config management; Netmaker automates peer configuration and key exchange
- ZeroTier — peer-to-peer VPN with a hosted controller; Netmaker gives you full control of the control plane
- Nebula (Slack) — overlay network with a certificate model; Netmaker uses WireGuard for transport
FAQ
Q: Does Netmaker replace WireGuard?
A: No, Netmaker uses WireGuard as its transport layer. It automates the configuration and management that WireGuard leaves to the user.
Q: Can I connect nodes behind NAT?
A: Yes, Netmaker handles NAT traversal and supports relay nodes for situations where direct connections are not possible.
Q: What operating systems does the client support?
A: The netclient agent runs on Linux, macOS, Windows, and FreeBSD.
Q: Is there a limit on the number of nodes?
A: The community edition has no hard limit. Performance depends on your server resources and network size.