Netmaker
Automate secure WireGuard mesh networks from homelab to enterprise scale without manual configuration.
Netmaker automates the creation and management of secure, high-performance virtual networks using WireGuard, enabling zero-trust remote access, site-to-site connectivity, and Kubernetes networking without legacy VPN complexity. It replaces manual wg-quick configuration with a centralized API, web UI, and intelligent peer management that adapts dynamically as your network topology changes.
Built entirely in Go and leveraging kernel-level WireGuard, Netmaker supports Linux, macOS, Windows, Docker, and Kubernetes environments. It integrates with OAuth providers (Google, Okta, Azure AD), manages private DNS across networks, provides Access Control Lists for granular policy enforcement, and ships with a Terraform provider for infrastructure-as-code workflows.
Netmaker operates in two modes: a fully self-hosted open-source deployment under Apache 2.0, and a Pro tier with ClickHouse-powered network traffic logging, Just-In-Time access workflows, device posture checks, and gateway high-availability. Both modes share the same core architecture — a Go REST API backed by SQLite or PostgreSQL, MQTT message broker for peer state synchronization, and lightweight netclient agents that run on every device in the mesh.
Originally backed by Y Combinator, Netmaker has grown to over 11,600 GitHub stars and is used by DevOps teams, IT administrators, and cloud engineers who need fast, scalable, self-hosted networking without proprietary VPN lock-in.
What You Get
- WireGuard Network Automation - Automatically provisions and configures WireGuard peers across cloud, on-prem, and edge devices using a single API or UI, eliminating manual wg-quick configuration and peer key exchange.
- Admin UI with OAuth Integration - Web-based dashboard with SSO support (Google, Okta, Azure AD) for centralized user authentication, role-based access, and MFA enforcement across all network resources.
- Site-to-Site Networking - Securely connect multiple physical locations (offices, data centers, cloud VPCs) with encrypted mesh tunnels that auto-reconfigure on IP changes and support overlapping IP ranges via virtual NAT.
- Kubernetes Operator - Deploy Netmaker as a Kubernetes operator to create secure overlay networks between pods, nodes, and external clusters, with cluster ingress, egress, and API proxy functionality without VPC peering.
- Private DNS and ACLs - Assign custom DNS names to devices and enforce granular firewall rules via Access Control Lists to control exactly which endpoints can communicate with each other across your mesh.
- Multi-Platform Netclients - Lightweight agents for Linux, Windows, macOS, and OpenWRT that auto-join networks via enrollment keys and maintain persistent WireGuard connections with heartbeat monitoring and auto-relay failover.
- Gateway High Availability - Deploy redundant gateway hubs with automatic failover monitoring; desktop clients seamlessly reconnect to healthy gateways when the primary becomes unavailable.
- Terraform Provider - Infrastructure-as-Code support to define and provision Netmaker networks, peers, and policies programmatically, enabling repeatable network deployments alongside your existing IaC tooling.
Common Use Cases
- Remote workforce secure access - A distributed company connects remote employees to internal tools (Jira, CI/CD pipelines, databases) via fast WireGuard tunnels without complex firewall rules or proprietary VPN client installations.
- Multi-office network consolidation - An enterprise with branch offices uses Netmaker to create a low-latency mesh network between locations, replacing expensive MPLS and complex site-to-site IPsec configurations.
- Edge IoT device management - A public transit operator securely connects hundreds of routers on buses and stations to a central monitoring system using Netmaker enrollment keys for zero-touch provisioning.
- Distributed AI/ML infrastructure - An ML team runs training jobs across AWS, GCP, and on-prem GPUs using Netmaker zero-trust overlays to isolate and encrypt model data transfers between nodes.
- Kubernetes multi-cluster networking - A platform engineering team links Kubernetes clusters across regions using the Netmaker operator’s cluster egress and ingress features without exposing API servers to the public internet.
- Just-in-time developer access - A security team uses Netmaker’s JIT access workflow to grant time-limited, admin-approved network access to contractors, automatically revoking it after the grant duration expires.
Under The Hood
Architecture Netmaker follows a clean layered architecture where HTTP controllers, business logic, data storage, and message brokering live in distinct packages with explicit interfaces between them. The entry point wires together a gorilla/mux REST API, an MQTT broker client for real-time peer state synchronization, and a hook manager that schedules background tasks — each running as independent goroutines coordinated through context cancellation. An orchestrator layer abstracts node lifecycle operations behind an extension interface, allowing the Community Edition and Pro builds to swap in different factory implementations at startup using Go build tags rather than runtime feature flag branching. High-availability deployments use a master/worker pod distinction so that only one instance runs migrations and singleton operations, preventing race conditions in multi-pod Kubernetes setups.
Tech Stack Go 1.25.3 is the sole language for both the server binary and the nmctl CLI; the server uses CGO for SQLite integration while the CLI builds with CGO disabled for maximum portability. Persistent state lives in either an embedded SQLite database or an external PostgreSQL instance via GORM, with rqlite as a distributed SQLite alternative for multi-node HA. The MQTT broker (EMQX on-prem or EMQX Cloud) decouples peer state changes from the API, enabling responsive network convergence at scale. ClickHouse powers optional high-throughput network flow logging in the Pro tier, capturing per-flow metadata without packet capture. The WireGuard control plane uses the wgctrl library for kernel-level interface management, and Docker packaging with Alpine Linux produces a minimal single-binary container image with Swagger/OpenAPI documentation covering the full API surface.
Code Quality The codebase has an extensive test suite with over eighty test functions across the logic and controller packages, covering unit tests, integration tests, and ACL edge cases using testify and the matryer/is assertion libraries. Error handling is explicit throughout — functions return typed errors rather than panicking, and the logic layer validates inputs before delegating to storage. A test-variable injection pattern (package-level var overrides for key functions like getNodeByID and getEgressByNetwork) makes unit testing of deeply coupled networking logic feasible without complex mocking infrastructure. However, a substantial portion of controller-level tests are commented out with integration-style tests preserved as .bak files, indicating some coverage gaps still being addressed. Naming conventions are consistent with Go idioms across the codebase.
What Makes It Unique Netmaker’s most distinctive contribution is treating WireGuard peer management, DNS, ACLs, egress routing, and relay selection as a unified control plane rather than separate tools. The extension interface pattern lets Community and Pro editions share all core logic while Pro silently activates ClickHouse analytics, posture checks, and JIT access through compile-time factory substitution — eliminating feature flag conditionals in shared code. The overlapping egress ranges feature solves a notoriously difficult problem: routing multiple sites to the same destination CIDRs without address conflicts, using per-egress virtual range allocation from a configurable pool. Domain-based egress routing — steering traffic by DNS name resolved at the gateway rather than static CIDRs — is an operational simplification that few open-source mesh VPN solutions offer natively.
Self-Hosting
The core Netmaker server and all code outside the pro/ directory are licensed under Apache 2.0, a permissive open-source license that allows commercial use, modification, and redistribution without requiring your own application to be open source. The only obligations are attribution and preserving license notices. The pro/ directory — containing ClickHouse flow logging, posture checks, JIT access workflows, and advanced IDP integration — is governed by a separate proprietary Enterprise License that requires an active Netmaker subscription for production use. Development and testing use of the Pro source code is explicitly permitted, but production deployment without a license agreement is not.
Self-hosting the Community Edition requires a Linux VM with a static public IP, wildcard DNS, and open ports 443 and 51821 (TCP/UDP). The server runs as a single Docker container backed by SQLite, making initial deployment straightforward via the official quick-install script. However, you take on full responsibility for uptime, TLS certificate renewal, backups, MQTT broker management (EMQX is a separate service), and version upgrades. For high-availability deployments you must provision multiple server pods with an external PostgreSQL database and coordinate the master/worker pod distinction yourself — the operational surface grows considerably from a single-node homelab setup.
The managed SaaS offering at netmaker.io handles infrastructure, HA, backups, and upgrades automatically, and the Pro tier adds priority support, SLAs, and compliance features like per-flow traffic auditing and device posture enforcement. For organizations with strict data residency requirements, self-hosting retains full control over network topology data, peer keys, and traffic metadata — a meaningful advantage over any cloud VPN service. Teams evaluating the trade-off should weigh the burden of running EMQX, managing certificate rotation, and handling node key distribution against the compliance and cost benefits of keeping all networking infrastructure on-premises.
Related Apps
n8n
Automation · No Code Platforms
Code when you need it, UI when you don't — the workflow automation platform built for technical teams who refuse to choose.
n8n
OtherAutoGPT
Automation · Productivity · AI Assistants
Build, deploy, and run autonomous AI agents that automate complex multi-step workflows using a visual block-based graph editor.
AutoGPT
OtherLobeHub
AI Assistants · Productivity · Automation
Your Chief Agent Operator — build, schedule, and collaborate with an entire AI team in one self-hostable workspace.