This page contains annotated screenshots of most UI components, detailing the configuration options of each field across Nodes, Networks, DNS, Ext Clients, Users, and more.
When you start Netmaker for the first time, you will be prompted to create an admin account from the UI, as shown below.
Username: Enter a unique username for the admin user.
Password: Enter a secure password for your new user.
Password Confirmation: Repeat the password for verification.
Signup with OAuth: Button to signup with OAuth.
Username: Enter your username.
Password: Enter your password.
Login: Button to login.
Login with OAuth: Button to login with OAuth.
Autofill: Provides sensible defaults for network details and makes up a name.
Network Name: The name of the network. Character limited, as this translates to the interface name on hosts (nm-<network name>).
Address Range: The CIDR of the network. Must be a valid IPv4 Subnet and should be a private address range.
Default Access Control: Indicates the default ACL value for a node when it joins with respect to its peers (enabled or disabled).
In simple terms, a host is a computer or machine running the netclient software. Netmaker UI allows an admin to conveniently view and configure some host settings remotely.
Host Name: Friendly name of the host. Clicking it opens a view to allow admins to manage hosts.
Endpoint: The public IP address of the host.
Public Port: Public port of the host.
Version: Indicates the version of netclient the host is running.
Health Status: Indicates the connectivity of the host.
Sync: Synchronise the host with the server; this triggers the host to pull latest network/server state.
Actions: Quick actions that can be performed on the host.
A host is automatically created on a server once a netclient (a machine running netclient) joins any network on the server.
The following information is present under the host details tab:
ID: Unique identifier for the host
Name: Name of the host. Defaults to the machine’s name.
Version: Version of netclient the host is running.
Operating System: Operating system (OS) the machine is running.
Public Key: Public key of the host, distributed to other hosts.
MTU: Maximum Transmission Unit (MTU) of the host.
Listen Port: The WireGuard listen port.
Proxy Listen Port: The netclient proxy listen port. This is used if Proxy Enabled is set to true. (No longer available from v0.20.5)
Verbosity: Log verbosity (ranges from 1-4). Indicates level of detail the host (netclient) will output to logs.
Default Interface: Default network interface used by the host.
MAC Address: Media Access Control (MAC) address of the host machine.
Is Default: Indicates whether the host is a default node. Hosts that are default nodes will automatically join any created network.
Debug: Flag to enable additional logging on client.
Proxy Enabled: Indicates whether a host is running netclient proxy. (No longer available from v0.20.5)
Is Static: Indicates whether the host’s endpoint is static or not.
Interfaces: Lists the available network interface for the host.
A host can be deleted from the UI. However, all associated nodes must be manually removed before deleting a host.
Search Nodes: Look up a node by name.
Node Name: Name of node. By default set to hostname of machine.
IP Addresses: Private IPs of node within network.
Network: Network the node is in.
Egress: Indicates if node is an egress gateway. Click to convert into egress gateway. Egress gateways route traffic from the network into a specific subnet or subnets. Egress gateways should be servers in a static location with a reliable IP.
Ingress: Indicates if the node is an ingress. Click to convert into ingress gateway. Ingress gateways route traffic into the network over the WireGuard interface using “ext clients,” which are static WireGuard config files. Ingress gateways should be servers in a static location with a reliable IP.
Status: Indicates how recently the node checked into the server. Displays “Warning” after 5 minutes and “Error” after 30 minutes without a check in. Does not indicate the health of the node’s virtual network connections.
Delete: Delete the node.
A node pending deletion will be grayed out.
Egress Gateway Ranges: A comma-separated list of the subnets for which the gateway will route traffic. For instance, with Kubernetes this could be both the Service Network and Pod Network. For a standard VPN, Netmaker can use a list of the public CIDRs (see the docs). Typically, this will be something like a data center network, VPC, or home network.
Interface: The interface on the machine used to access the provided egress gateway ranges. For instance, on a typical Linux machine, the interface for public traffic would be “eth0”. Usually you will need to check on the machine first to find the right interface. For instance, on Linux, you can find the interface by running this: ip route get <address in subnet>.
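A pre-flight check for the Network Name, Address Range and Egress Gateway Ranges fields described above, as an added example that is not Netmaker's own code. The function names are hypothetical; the 15-character limit is the Linux interface-name limit, and the overlap and default-route findings are this example's own policy, not documented Netmaker behaviour.

```python
import ipaddress

IFNAME_MAX = 15       # Linux interface names hold at most 15 characters
IFACE_PREFIX = "nm-"  # prefix given in the Network Name field description

def check_network(name, cidr):
    """Return a list of findings for a proposed network name and address range."""
    findings = []
    iface = IFACE_PREFIX + name
    if len(iface) > IFNAME_MAX:
        findings.append(f"interface name '{iface}' exceeds {IFNAME_MAX} characters")
    try:
        net = ipaddress.IPv4Network(cidr, strict=True)
    except ValueError as exc:
        findings.append(f"address range is not a valid IPv4 subnet: {exc}")
        return findings
    if not net.is_private:
        findings.append(f"{net} is not a private address range")
    return findings

def check_egress_ranges(ranges_csv, network_cidr):
    """Parse a comma-separated egress range list; return (parsed, findings)."""
    network = ipaddress.IPv4Network(network_cidr)
    parsed, findings = [], []
    for item in (part.strip() for part in ranges_csv.split(",")):
        if not item:
            continue  # tolerate a trailing comma or doubled separator
        try:
            rng = ipaddress.ip_network(item, strict=True)
        except ValueError as exc:
            findings.append(f"'{item}' is not a valid subnet: {exc}")
            continue
        parsed.append(rng)
        if rng.version == 4 and rng.overlaps(network):
            findings.append(f"{rng} overlaps the network's own range {network}")
        if rng.prefixlen == 0:
            findings.append(f"{rng} sends all traffic through this gateway")
    return parsed, findings

if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    print(check_network("office", "10.20.0.0/16"))
    print(check_egress_ranges("192.168.1.0/24, 10.20.5.0/24, 172.16.0.1/12",
                              "10.20.0.0/16"))
```

An entry with host bits set, such as 172.16.0.1/12, is reported rather than silently rounded down to its subnet, so the range that ends up routed is the one the admin reviewed.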
See the host section for details. A relay can be created under host settings.
Edit Node / Node Details
Edit: Edit the node’s details.
ACLs: View the node’s Access Control List (ACL).
Metrics: View the node’s metrics.
Host: View the node’s associated host.
Delete: Delete the node.
Endpoint: The (typically public) IP of the machine, which peers will use to reach it, in combination with the port. If changing this value, make sure Roaming is turned off, since otherwise, the node will check to see if there is a change in the public IP regularly and update it.
Dynamic Endpoint: The endpoint may be changed automatically. Switching this off (indicating static endpoint) means the endpoint will stay the same until you change it. This can be good to set if the machine is a server sitting in a location that is not expected to change. It is also good to have this switched off for Ingress, Egress, and Relay Servers, since they should be in a reliable location.
Listen Port: The port used by the node locally. This value is ignored if UDP Hole Punching is on, because the port is set dynamically every time the interface is created. If UDP Hole Punching is off, the port can be set to any reasonable (and available) value you’d like for the local machine.
IP Address: The primary private IP address of the node. Assigned automatically by Netmaker but can be changed to whatever you want within the Network CIDR.
IPv6 Address: (Only if running dual stack) the primary private IPv6 address of the node. Assigned automatically by Netmaker but can be changed to whatever you want within the Network CIDR.
Local Address: The “locally reachable” address of the node. Other nodes will take note of this to see if this node is on the same network. If so, they will use this address instead of the public “Endpoint.” If running a few nodes inside of a VPC, home network, or similar, make sure the local address is populated correctly for faster and more secure inter-node communication.
Node Name: The name of the node within the network. Hostname by default but can be anything (within the character limits).
Public Key: (Uneditable) The public key of the node, distributed to other peers in the network.
PostUp: Uneditable by default to disable RCE. Commands to run after the interface is created. If an ingress or egress gateway is created, this field will populate automatically with appropriate iptables commands.
PostDown: Uneditable by default to disable RCE. Commands to run after the interface is brought down. If an ingress or egress gateway is created, this field will populate automatically with appropriate iptables commands.
Persistent Keepalive: How often packets are sent to keep connections open with other peers.
Last Modified: Timestamp of the last time the node config was changed.
Node Expiration Datetime: If a node should become invalid after a length of time, you can set it in this field, after which time, it will lose access to the network and will not populate to other nodes. Useful for scenarios where temporary access is granted to 3rd parties.
Last Checkin: Unix timestamp of the last time the node checked in with the server. Used to determine generic health of node.
MAC Address: The hardware Media Access Control (MAC) address of the machine. Formerly used as the unique ID, but is being deprecated.
Egress Gateway Ranges: If Egress is enabled, the gateway ranges that this machine routes to.
Local Range: If IsLocal has been enabled on the network, this is the local range in which the node will look for a private address from its local interfaces, to use as an endpoint.
Node Operating System: The OS of the machine.
MTU: The MTU that the node will use on the interface. If “wg show” displays a valid handshake but pings are not working, many times the issue is MTU. Making this value lower can solve this issue. Some typical values are 1024, 1280, and 1420.
Network: The network this node belongs to.
Node ACL Rule: The current ACL rule for this node in the network.
Is DNS On: DNS is solely handled by resolvectl at the moment, which is on many Linux distributions. For anything else, this value should remain off. If you wish to configure DNS for non-compatible systems, you must do so manually.
Is Local: If on, will only communicate over the local address. (Assumes IsLocal is turned to ‘yes’ on the network level.)
Connected: Indicates whether the node is connected to the network.
Gateway Name / IP Address: Information about which Node is the Ingress Gateway.
Add External Client: Button to generate a new ext client.
Client ID: The randomly-generated name of the client. Click on the ID to change the name to something sensible.
IP Address: The private IP address of the ext client.
QR Code: If joining from iOS or Android, open the WireGuard app and scan the QR code to join the network.
Download Client Configuration: If joining from a laptop/desktop, download the config file and run “wg-quick up /path/to/config”.
Delete: Delete the ext client and remove its network access.
DNS Name: The private DNS entry. Must end in “.<network name>” (added automatically). This avoids conflicts between networks.
IP Address: The IP address of the entry. Can be anything (public addresses too!) but typically a node IP.
Select Node Address: Select a node name to populate its IP address automatically.
Create / Edit Users
Username: Specify Username.
Password: Specify password.
Confirm Password: Confirm password.
Make Admin: Make into a server admin or “super admin”, which has access to all networks and server-level settings.
Networks: If not made into an “admin”, select the networks which this user has access to. The user will be a “network admin” of these networks, but other networks will be invisible/inaccessible.
View all nodes in your network, zoom in, zoom out, and search for node names.
Hover: Hover over a node to see its direct connections.
Access Control Lists
Reset: Reset your changes without submitting.
Allow All: Enable all p2p connections
Block All: Disable all p2p connections. Makes building up a Zero Trust network easier.
(allowed): Click to switch a connection to “deny.” Note that node names are highlighted on the side and top to track location.
(blocked): Click to switch a connection to “allow.”
Submit Changes: Click once you are ready to submit. Will send message to update relevant nodes in network.