Overview
Netmaker is an open-source platform that automates the creation and management of secure, high-performance virtual networks using WireGuard. It eliminates the complexity of manually configuring peer-to-peer VPNs, site-to-site tunnels, and remote access gateways by providing a centralized control plane with an admin UI, DNS integration, and access controls. Designed for developers, DevOps teams, and security engineers, Netmaker scales from a single homelab device to multi-cloud enterprise deployments. Built in Go and leveraging WireGuard’s kernel-level performance, it provides a self-hosted alternative to commercial VPN solutions with full control over data and infrastructure.
Netmaker supports Linux, macOS, Windows, Docker, Kubernetes, OpenWRT, and more—enabling consistent network policies across heterogeneous environments. Its integration with OAuth, private DNS, and Terraform makes it suitable for teams requiring auditability, automation, and compliance in secure remote access scenarios.
What You Get
- Automated WireGuard Network Provisioning - Netmaker automatically generates and distributes WireGuard configuration files (wg0.conf) across peers, eliminating manual key exchanges and IP assignment. Supports IPv4/IPv6 dual-stack networks out of the box.
- Admin UI with OAuth Integration - A web-based interface for managing networks, peers, and access policies. Supports SSO via OAuth providers like Google, GitHub, and Keycloak for team-based access control.
- Mesh VPNs & Site-to-Site Connectivity - Creates full-mesh or hub-and-spoke topologies between servers, cloud instances, and remote offices without requiring public IPs on all nodes. Automates NAT traversal using STUN.
- Private DNS for Network Peers - Integrates with CoreDNS to resolve peer hostnames within the virtual network, enabling service discovery without external DNS dependencies.
- Access Control Lists (ACLs) - Define granular rules to restrict which peers can communicate with each other, enforcing zero-trust principles at the network layer.
- Cross-Platform Netclients - Lightweight agents (netclient) for Linux, macOS, Windows, and Docker that auto-join networks via a single command. Supports Kubernetes pods via the netmak8s plugin.
- Docker & Kubernetes Support - Deploy Netmaker server as a Docker container or via Helm chart. Use the netmak8s plugin to automatically create WireGuard tunnels between Kubernetes clusters across cloud providers.
- Terraform Provider - Infrastructure-as-Code support to provision Netmaker networks, peers, and ACLs programmatically using Terraform configurations.
Common Use Cases
- Building a multi-cloud Kubernetes mesh - DevOps teams use Netmaker to securely connect EKS, GKE, and on-prem K3s clusters without exposing API servers to the public internet, enabling cross-cluster service communication with encrypted tunnels.
- Secure remote access for distributed teams - A company with 50+ remote engineers uses Netmaker to grant secure, auditable access to internal services (SSH, RDP, web apps) via a centralized UI with MFA and time-bound access tokens.
- Site-to-site VPN for hybrid cloud infrastructure - An enterprise connects its AWS VPC, Azure VNets, and on-prem data centers using Netmaker’s site-to-site mode, replacing complex IPsec configurations with simple WireGuard peers managed via the UI.
- DevOps teams managing microservices across edge locations - Teams deploying IoT gateways and edge nodes in retail stores use Netmaker to establish secure, encrypted tunnels back to central monitoring systems without opening firewall ports on each device.
- Homelab automation for personal cloud services - Users automate secure access to home NAS, Pi-hole, and home servers from anywhere using Netmaker’s Docker-based server and netclient on Raspberry Pi or macOS, eliminating port forwarding.
Under The Hood
Netmaker is a comprehensive mesh networking solution designed for decentralized network management, offering enterprise-grade features such as access control lists, DNS integration, and multi-protocol support. It provides a unified architecture that combines API handling, message queuing, and CLI tools within a single codebase, enabling flexible deployment across various environments.
Architecture
Netmaker adopts a monolithic yet modular structure that emphasizes component separation and extensibility through configuration-driven setups.
- The system follows a centralized architecture with well-defined modules for API, database, and CLI interactions
- It supports environment-based customization to enable both community and enterprise editions
- Configuration-driven design allows for flexible integration with external systems like EMQX and ClickHouse
Tech Stack
Built entirely in Go, Netmaker leverages the language’s performance and simplicity to deliver robust server-side functionality.
- The project uses Go’s standard library and ecosystem for HTTP routing, configuration parsing, and authentication
- Key dependencies include YAML parsers, SQL and ClickHouse drivers, and message queue integrations for distributed communication
- Docker containers and Go modules are used for deployment and dependency management, with support for multiple build tags
- Testing includes functional tests and CI/CD integration, though unit test coverage remains limited
Code Quality
The codebase reflects a mixed level of quality, with some structured components but inconsistent practices and limited test coverage.
- Testing efforts are primarily focused on integration and functional validation, with minimal unit test depth for core logic
- Error handling varies across modules, lacking standardized approaches for logging and propagation of errors
- Code style and naming conventions show inconsistencies, particularly in CLI command structures and configuration handling
- Technical debt is evident through the use of shell scripts for testing and sparse documentation in key areas
What Makes It Unique
Netmaker distinguishes itself through its modular architecture and extensible CLI design in the mesh networking space.
- It uniquely combines decentralized network management with enterprise-grade features such as ACLs and DNS support
- The modular structure allows for easy customization and integration with third-party systems like EMQX and ClickHouse
- Its CLI-driven extensibility model provides a flexible interface for managing complex network topologies