Netmaker is an open-source platform that automates the deployment and management of WireGuard-based virtual networks, eliminating manual configuration for secure remote access, site-to-site connections, and edge device networking. It’s designed for DevOps teams, IT administrators, and cloud engineers who need fast, scalable, and self-hosted networking without proprietary VPN solutions.
Built in Go, Netmaker drives the kernel WireGuard implementation where the operating system provides one and the userspace wireguard-go implementation elsewhere, and it supports Docker, Kubernetes, Linux, macOS, and Windows. It integrates with OAuth providers, Private DNS, and Terraform, and is offered both as SaaS and self-hosted, with HA, on-prem data residency, and multi-cloud deployments.
What You Get
- WireGuard Network Automation - Automatically provisions and configures WireGuard peers across cloud, on-prem, and edge devices using a single API or UI, eliminating manual wg-quick configuration.
- Admin UI with OAuth Integration - Web-based dashboard with SSO support (Google, Okta, etc.) for centralized user authentication and access control to network resources.
- Site-to-Site Networking - Securely connect multiple physical locations (offices, data centers) with encrypted mesh tunnels that auto-reconfigure on IP changes.
- Kubernetes Network Integration - Run Netmaker alongside Kubernetes to build an encrypted overlay between pods, nodes, and external clusters without VPC peering.
- Private DNS & Access Control Lists (ACLs) - Assign custom DNS names to devices and enforce granular firewall rules to control which endpoints can communicate with each other.
- Multi-Platform Netclients - Lightweight agents for Linux, Windows, macOS, and OpenWRT that auto-join networks and maintain persistent WireGuard connections with heartbeat monitoring.
- Terraform Provider - Infrastructure-as-Code support to define and provision Netmaker networks, peers, and policies programmatically via Terraform.
- HA Networks & Dedicated Relays - Deploy redundant network servers and co-located relays to ensure uptime and reduce latency, with options for on-prem data residency.
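The heartbeat monitoring mentioned for the netclients above is Netmaker's own mechanism. The following is an added example, not project code, of the independent check an operator can run on any WireGuard host to confirm that the peers Netmaker provisioned are actually alive: parse the output of `wg show <iface> dump` and flag every peer whose latest handshake is older than a threshold, or that has never completed one. The sample dump, the key strings and the addresses are constructed for the example; the field layout is the one wg(8) documents.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Peer is one peer line of `wg show <iface> dump`.
type Peer struct {
	PublicKey     string
	Endpoint      string    // "" when the kernel has no endpoint for the peer
	AllowedIPs    []string
	LastHandshake time.Time // zero value when no handshake has ever completed
	RxBytes       int64
	TxBytes       int64
	Keepalive     int // seconds; 0 when persistent keepalive is off
}

// SampleDump is a constructed `wg show wg0 dump`; keys and addresses are placeholders.
// First line: private-key, public-key, listen-port, fwmark. Every further line:
// public-key, preshared-key, endpoint, allowed-ips, latest-handshake, rx, tx, keepalive.
const SampleDump = "privkey_redacted=\tserver_pubkey=\t51820\toff\n" +
	"peerA_pubkey=\t(none)\t203.0.113.10:51820\t10.10.0.2/32\t1699999970\t148212\t93480\t20\n" +
	"peerB_pubkey=\t(none)\t198.51.100.7:51820\t10.10.0.3/32\t1699999400\t4096\t2048\t20\n" +
	"peerC_pubkey=\t(none)\t(none)\t10.10.0.4/32\t0\t0\t0\toff\n"

// ParseWgDump parses the tab-separated dump format and fails on any malformed
// line instead of silently skipping it.
func ParseWgDump(dump string) ([]Peer, error) {
	var peers []Peer
	sc := bufio.NewScanner(strings.NewReader(dump))
	lineNo := 0
	for sc.Scan() {
		line := sc.Text()
		if strings.TrimSpace(line) == "" {
			continue
		}
		lineNo++
		if lineNo == 1 {
			continue // interface line; carries the private key, nothing to check
		}
		f := strings.Split(line, "\t")
		if len(f) != 8 {
			return nil, fmt.Errorf("line %d has %d fields, want 8", lineNo, len(f))
		}
		hs, err := strconv.ParseInt(f[4], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("line %d: bad handshake %q", lineNo, f[4])
		}
		rx, errRx := strconv.ParseInt(f[5], 10, 64)
		tx, errTx := strconv.ParseInt(f[6], 10, 64)
		if errRx != nil || errTx != nil {
			return nil, fmt.Errorf("line %d: bad transfer counters", lineNo)
		}
		p := Peer{PublicKey: f[0], RxBytes: rx, TxBytes: tx}
		if f[2] != "(none)" {
			p.Endpoint = f[2]
		}
		if f[3] != "(none)" {
			p.AllowedIPs = strings.Split(f[3], ",")
		}
		if hs != 0 {
			p.LastHandshake = time.Unix(hs, 0)
		}
		if f[7] != "off" { // keepalive is "off" or a number of seconds
			ka, err := strconv.Atoi(f[7])
			if err != nil {
				return nil, fmt.Errorf("line %d: bad keepalive %q", lineNo, f[7])
			}
			p.Keepalive = ka
		}
		peers = append(peers, p)
	}
	return peers, sc.Err()
}

// StalePeerKeys returns the public keys of peers with no handshake within maxAge
// of now. A peer that never handshook is always reported: its AllowedIPs are
// installed but no traffic can flow through them.
func StalePeerKeys(dump string, now time.Time, maxAge time.Duration) ([]string, error) {
	peers, err := ParseWgDump(dump)
	if err != nil {
		return nil, err
	}
	var stale []string
	for _, p := range peers {
		if p.LastHandshake.IsZero() || now.Sub(p.LastHandshake) > maxAge {
			stale = append(stale, p.PublicKey)
		}
	}
	return stale, nil
}

func main() {
	// With a 20-25 s persistent keepalive an active tunnel re-handshakes roughly
	// every two to three minutes, so anything older than five minutes is down or idle.
	now := time.Unix(1700000000, 0) // fixed clock so the sample is reproducible
	stale, err := StalePeerKeys(SampleDump, now, 5*time.Minute)
	if err != nil {
		panic(err)
	}
	fmt.Println("stale peers:", stale)
}
```

Run it against `wg show wg0 dump` on a live host (as root, since the dump includes the interface private key) and feed the stale list into whatever alerting the fleet already uses; a peer that is listed by the controller but never handshakes is the symptom to chase first, because its AllowedIPs route is installed while the path itself is dead.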
Common Use Cases
- Remote workforce access - A distributed company connects employees to internal tools (Jira, CI/CD, databases) via secure, fast WireGuard tunnels without complex firewall rules or traditional VPN clients.
- Multi-office network consolidation - An enterprise with 5 branch offices uses Netmaker to create a secure, low-latency mesh network between locations, replacing MPLS and site-to-site IPsec.
- Edge device management at scale - A public transit operator securely connects hundreds of IoT routers on buses and stations to a central monitoring system using Netmaker’s auto-joining netclients.
- Secure AI infrastructure networking - An ML team runs distributed training jobs across AWS, GCP, and on-prem GPUs, using Netmaker to create zero-trust networks that isolate and encrypt model data transfers.
Under The Hood
Architecture
- Clear separation of concerns through modular packages handling HTTP endpoints, business logic, data storage, and message brokering with explicit interfaces
- Initialization is handled by package-level setup functions that load models and schemas at startup, rather than by a dependency-injection framework
- Service layer pattern organizes data flow between models, databases, and external systems like DNS and ClickHouse
- Event-driven design using message queues decouples node state changes from API operations, enabling responsive and scalable state management
- Modular build system with build tags supports feature toggles and separates server and CLI binaries with distinct entry points
- Domain-driven design enforces data invariants through strongly typed models like NetworkID and ACLContainer
Tech Stack
- Go 1.25.3 serves as the core language, leveraging CGO for low-level networking and SQLite integration
- SQLite is the default embedded database, selected through configuration and build flags
- A REST API, documented with Swagger/OpenAPI models for networks and ACLs, handles management; node state changes are pushed to clients over the MQTT broker rather than polled
- Goreleaser enables cross-platform binary builds with optimized, stripped executables for deployment efficiency
- Dockerized deployment uses Alpine Linux with a single static binary to minimize container footprint
- nmctl CLI is built separately with CGO disabled to ensure portability and lightweight client operation
Code Quality
- Extensive test coverage spans unit, integration, and edge cases with clear assertions and structured test setups
- Strong separation between models, logic, and controllers ensures maintainable and testable code boundaries
- Robust error handling prioritizes explicit return values and validation over panics or unhandled exceptions
- Consistent Go idioms are followed throughout, with clear naming conventions for functions and tests
- Type safety is rigorously maintained using structured structs and field validation, avoiding untyped interfaces
- No linter or CI configuration is visible in the reviewed code, although the test layout is CI-ready
What Makes It Unique
- Native ClickHouse integration stores network flow records for high-throughput, near-real-time querying, with each record tied to the node and user identities on both ends
- Unified ACL system provides granular, dynamic access control across nodes, clients, and gateways in a single declarative model
- A single node can serve as internet gateway, relay, and DNS server at the same time, with automatic failover between such nodes
- Pro-tier flow logging captures source/destination node, user, and traffic type without packet capture or external tools
- Built-in network ACL v2 with role-based filtering and backward compatibility delivers enterprise-grade access control natively
- Automatic DNS configuration and host-level service discovery eliminate external DNS infrastructure dependencies
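The unified ACL model described in this list and the WireGuard automation under "What You Get" are Netmaker's own. The following is an added example, not project code, of the core mechanic such an ACL has to drive: a default-deny policy evaluated over node tags (role-based rules) and bare node IDs (legacy node-pair rules), turned into each node's WireGuard peer list so that only permitted peers ever appear in its AllowedIPs, followed by the reachability check a practitioner wants before trusting the result: two permitted peers that both sit behind NAT with no public endpoint cannot handshake without a relay. The inventory, tags, addresses, key strings and rule format are all constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Node is one host in the overlay (constructed inventory, not Netmaker's schema).
type Node struct {
	ID        string
	PublicKey string   // placeholder key material
	Address   string   // overlay address as a /32
	Endpoint  string   // reachable ip:port; empty for hosts behind NAT
	Tags      []string // role tags the policy selects on
}

// Rule permits traffic between every node matching Src and every node matching Dst.
// A selector is "tag:<name>" (role-based) or a bare node ID (node-pair rule).
// WireGuard peering is mutual, so a rule is applied in both directions.
type Rule struct{ Src, Dst string }

// Policy is default deny: a pair with no matching rule is never peered.
type Policy struct{ Rules []Rule }

func matches(sel string, n Node) bool {
	if strings.HasPrefix(sel, "tag:") {
		want := strings.TrimPrefix(sel, "tag:")
		for _, t := range n.Tags {
			if t == want {
				return true
			}
		}
		return false
	}
	return sel == n.ID
}

// Allowed reports whether a and b may peer under p.
func (p Policy) Allowed(a, b Node) bool {
	if a.ID == b.ID {
		return false
	}
	for _, r := range p.Rules {
		if (matches(r.Src, a) && matches(r.Dst, b)) || (matches(r.Src, b) && matches(r.Dst, a)) {
			return true
		}
	}
	return false
}

// PeersFor returns, sorted by ID, the nodes self is permitted to peer with.
func PeersFor(self Node, all []Node, p Policy) []Node {
	var peers []Node
	for _, n := range all {
		if p.Allowed(self, n) {
			peers = append(peers, n)
		}
	}
	sort.Slice(peers, func(i, j int) bool { return peers[i].ID < peers[j].ID })
	return peers
}

// RenderConfig emits wg-quick [Peer] sections for self. AllowedIPs is the
// enforcement point: a node absent from every AllowedIPs cannot exchange
// packets with self no matter what it sends.
func RenderConfig(self Node, all []Node, p Policy) string {
	var b strings.Builder
	fmt.Fprintf(&b, "[Interface]\nAddress = %s\nListenPort = 51820\n# PrivateKey is read from the host key store\n", self.Address)
	for _, peer := range PeersFor(self, all, p) {
		fmt.Fprintf(&b, "\n# peer %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n", peer.ID, peer.PublicKey, peer.Address)
		if peer.Endpoint != "" {
			fmt.Fprintf(&b, "Endpoint = %s\n", peer.Endpoint)
		}
		b.WriteString("PersistentKeepalive = 25\n")
	}
	return b.String()
}

// UnreachablePairs lists permitted pairs in which neither side has a public
// endpoint; WireGuard cannot complete a handshake between them without a relay.
func UnreachablePairs(all []Node, p Policy) [][2]string {
	var out [][2]string
	for i := range all {
		for j := i + 1; j < len(all); j++ {
			a, b := all[i], all[j]
			if p.Allowed(a, b) && a.Endpoint == "" && b.Endpoint == "" {
				out = append(out, [2]string{a.ID, b.ID})
			}
		}
	}
	return out
}

// Constructed inventory and policy: app servers reach the database, users reach
// app servers and each other, and nothing else is permitted.
var Inventory = []Node{
	{ID: "db-1", PublicKey: "db1_pubkey=", Address: "10.10.0.10/32", Endpoint: "203.0.113.10:51820", Tags: []string{"db"}},
	{ID: "app-1", PublicKey: "app1_pubkey=", Address: "10.10.0.20/32", Endpoint: "203.0.113.20:51820", Tags: []string{"app"}},
	{ID: "laptop-alice", PublicKey: "alice_pubkey=", Address: "10.10.0.30/32", Tags: []string{"user"}},
	{ID: "laptop-bob", PublicKey: "bob_pubkey=", Address: "10.10.0.31/32", Tags: []string{"user"}},
}

var SamplePolicy = Policy{Rules: []Rule{{"tag:app", "tag:db"}, {"tag:user", "tag:app"}, {"tag:user", "tag:user"}}}

func main() {
	fmt.Print(RenderConfig(Inventory[0], Inventory, SamplePolicy))
	fmt.Println("pairs needing a relay:", UnreachablePairs(Inventory, SamplePolicy))
}
```

Two points carry over to any real deployment. First, the peer list is a mutual decision: because `Allowed` is symmetric, the database node lists only `app-1`, and `app-1` lists the database, so neither side ends up with a dangling entry that would never complete a handshake. Second, the policy being satisfiable on paper does not make it reachable on the wire; the `laptop-alice`/`laptop-bob` pair is permitted but needs a relay or a public endpoint on one side, which is exactly the gap the dedicated relays in the list above exist to fill.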