Mesh VPN

A revolution in virtual networking.


A Mesh VPN is the main feature of Netmaker, and is created by default.

Also called an "overlay network" (and often grouped with SD-WAN products), a mesh network means direct, peer-to-peer connections between every device, rather than every device dialing into one central server.

Virtual Subnet

The mesh network acts as a sort of virtual, distributed LAN. The connections are direct and encrypted, over a private subnet, similar to a VPC, office, or home network. And yet, the devices can be anywhere. Where two hosts cannot reach each other directly (for example, both sit behind restrictive NAT), traffic for that pair is relayed through another node; every other pair stays direct. This makes managing scattered devices and servers easier than ever.

Super Speed

By creating direct, peer-to-peer connections, speed is greatly enhanced compared to traditional VPNs, where every packet between two clients crosses the central server twice. WireGuard makes it faster still, and our connections are often nearly as fast as the underlying link itself. This makes a Netmaker mesh network ideal for data-intensive and infrastructure-based workloads.

Base Camp

The mesh network serves as a base to build up (or down) the rest of your network. You can optionally switch off mesh networking, so no devices are connected by default. You can use ACLs to customize connections, and create gateways into and out of your network.

How the Mesh VPN works


Hosts register with the Netmaker server, announcing their WireGuard public key, listen port, and endpoint. That is everything the rest of the network needs to add the machine to the mesh; the private key is generated on the host and stays there.


The Netmaker server pushes this information about the host to all the other hosts in the network over its authenticated, encrypted messaging channel.


The netclient running on each host receives the message and reconfigures WireGuard (a new peer entry carrying the key, endpoint, and allowed addresses) and its networking rules to add a direct connection to the new peer.

Setting up your mesh VPN starts when hosts, or devices in your network, register using enrollment keys. Think of this as giving Netmaker a digital ID card for each device. It's like saying, "Hey, this is me, and here's how you can securely connect to me." The server then shares these details with the other hosts over its encrypted channel.

Once each host shares its "digital ID card," Netmaker takes this info and acts like a postman, delivering these details to every other host in the network through secure messaging channels. This step ensures every device knows about each other and how to connect directly, peer-to-peer style.

For the hosts to understand and apply this flood of new connection info, there's a bit of behind-the-scenes magic in the form of a `netclient` running on each host.

Think of `netclient` as a smart assistant that, upon receiving new info, jumps into action, tweaking WireGuard settings and networking rules to establish a direct, secure connection to the new peer. It's the equivalent of updating your contacts list and then directly dialing someone without going through an operator.
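The register, broadcast, reconfigure loop described above, as an added example that is not Netmaker's or netclient's own code. It models the server's registry and the WireGuard config a client would rebuild from it; the virtual subnet, host names, endpoints, and the placeholder public keys (hashes of the host name, not real key pairs) are all constructed for the example.

```python
"""Model of the register -> broadcast -> reconfigure loop for a WireGuard mesh."""
from __future__ import annotations

import base64
import hashlib
import ipaddress
from dataclasses import dataclass

MESH_SUBNET = ipaddress.ip_network("10.10.10.0/24")  # assumed virtual subnet for the example


def placeholder_pubkey(name: str) -> str:
    """32 bytes in WireGuard's base64 key shape, derived from the host name.
    Constructed for the example only: a real public key comes from the host's
    private key, which is generated on the host and never sent to the server."""
    return base64.b64encode(hashlib.sha256(name.encode()).digest()).decode()


@dataclass(frozen=True)
class Host:
    """What a host announces when it registers."""
    name: str
    pubkey: str
    endpoint: str  # public address other peers reach this host at
    port: int      # WireGuard listen port
    mesh_ip: str   # this host's address inside MESH_SUBNET


def register(registry: dict[str, Host], host: Host) -> list[str]:
    """Server side: validate and record the announcement, then return the names
    of every other host that must receive a peer update for it."""
    if ipaddress.ip_address(host.mesh_ip) not in MESH_SUBNET:
        raise ValueError(f"{host.mesh_ip} is outside {MESH_SUBNET}")
    for other in registry.values():
        # Two keys must never own one address: AllowedIPs would be ambiguous.
        if other.name != host.name and other.mesh_ip == host.mesh_ip:
            raise ValueError(f"{host.mesh_ip} already belongs to {other.name}")
    registry[host.name] = host
    return [name for name in registry if name != host.name]


def peer_section(peer: Host, keepalive: int = 20) -> str:
    """One [Peer] entry for the local WireGuard config. AllowedIPs is the peer's
    own /32: cryptokey routing then accepts packets from this key only if their
    source is that address (no impersonating another node) and sends only that
    address to this key."""
    return "\n".join([
        "[Peer]",
        f"# {peer.name}",
        f"PublicKey = {peer.pubkey}",
        f"Endpoint = {peer.endpoint}:{peer.port}",
        f"AllowedIPs = {peer.mesh_ip}/32",
        f"PersistentKeepalive = {keepalive}",  # keeps NAT mappings open for peers behind NAT
    ])


def mesh_config(me: str, registry: dict[str, Host]) -> str:
    """Client side: the full-mesh config for one host, one [Peer] per other host.
    This is what the client rebuilds each time a peer update arrives."""
    mine = registry[me]
    interface = "\n".join([
        "[Interface]",
        f"# {mine.name}",
        "PrivateKey = <generated on this host, never leaves it>",
        f"Address = {mine.mesh_ip}/{MESH_SUBNET.prefixlen}",
        f"ListenPort = {mine.port}",
    ])
    peers = [peer_section(host) for name, host in sorted(registry.items()) if name != me]
    return "\n\n".join([interface, *peers]) + "\n"


def peer_count(config: str) -> int:
    return config.count("[Peer]")


# Constructed registry: three hosts with made-up endpoints (documentation ranges).
REGISTRY: dict[str, Host] = {}
for _name, _endpoint, _ip in [("alpha", "203.0.113.10", "10.10.10.1"),
                              ("bravo", "198.51.100.22", "10.10.10.2"),
                              ("charlie", "192.0.2.5", "10.10.10.3")]:
    register(REGISTRY, Host(_name, placeholder_pubkey(_name), _endpoint, 51820, _ip))

if __name__ == "__main__":
    print(mesh_config("alpha", REGISTRY))
```

Two things worth noticing in the output: each host's config names every other host exactly once, and every peer is pinned to a single /32, so a compromised host can only speak as itself on the mesh. Rejecting a duplicate address at registration time is the server-side half of that guarantee.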

Differences between traditional VPNs and Mesh VPNs

In traditional VPN setups, the architecture is typically either client-server or point-to-point. Imagine you're configuring a traditional VPN: you set up a VPN server, and each client connects to that server in order to communicate with other devices. For example, that might involve installing OpenVPN on a server, configuring each client to connect to it, and then adjusting firewall and routing settings on both the server and client sides.

It works, but the server is a single point of failure and becomes a bottleneck as the network grows, because every packet between two clients crosses it twice. Where a hub is genuinely needed, Netmaker supports these patterns too: the Internet Gateway feature for egress, and relays that forward traffic for hosts that cannot connect directly.


Netmaker can instead implement a mesh VPN. With a mesh setup, instead of all devices connecting through a central server, each device connects directly to every other device in the network. It's akin to a spiderweb, where each thread connects directly to multiple other points.

For those of us dealing with transferring large amounts of data or managing distributed services, this is a game-changer.

  • Reliability. If one node goes down, the rest of the network keeps working, because no other host's traffic transits the failed node. You won't find this property in a hub-based VPN, where the hub's outage takes everything with it.
  • Simplicity. Setting up a secure, peer-to-peer network contrasts sharply with the more involved configuration required for traditional VPNs. In a Mesh VPN scenario, there's no need to manually manage routing tables or hand-configure NAT traversal for each client, because the mesh handles these dynamically; hosts that still cannot be reached directly fall back to a relay.
  • Performance. Because Mesh VPNs like Netmaker use WireGuard, they offer a significant performance boost. WireGuard's lightweight nature combined with the direct connections of the mesh architecture often results in a VPN experience that feels as fast as a direct connection. You'd be hard-pressed to achieve this level of performance with traditional VPN technologies, especially in scenarios involving real-time data exchange or high-throughput applications.

WireGuard is the secret sauce making our mesh VPN ludicrously fast and secure. We leverage a virtual subnet to facilitate direct connections, akin to having a virtual, distributed LAN. The magic? It's all in how we handle network configurations and routing. By using Netmaker, you automate the cumbersome part of networking, dynamically configuring routes and rules to maintain a high-performance, secure mesh network.

Whether you're managing a sprawling IoT infrastructure, a distributed microservices architecture, or simply ensuring that remote workforces remain interconnected, the difference is palpable. With a mesh VPN, also called an overlay network, you're not just building a network; you're weaving a resilient digital fabric that's prepared to support the next generation of IT infrastructure demands.

Enhanced reliability and redundancy with Mesh VPNs

When a node fails, say due to a hardware issue or a lost uplink, the other nodes are unaffected: their tunnels terminate at each other, not at the failed node, so nothing has to be re-routed. Only traffic that actually depended on that node (a relay or gateway it was providing) needs another path, and nothing has to be reconfigured by hand when it returns.
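The reliability argument in plain graph terms, as an added example that is not part of the original page: it compares a full mesh with a hub-and-spoke topology on hop count and on which pairs can still talk after a node fails. The four site names are constructed; the same model applies to the New York, London, Tokyo hub-and-spoke comparison later on this page.

```python
"""Hop counts and surviving paths under node failure: full mesh vs hub-and-spoke."""
from __future__ import annotations

from collections import deque

# Constructed sites; the two link sets below are the topologies being compared.
SITES = ["london", "newyork", "singapore", "tokyo"]


def full_mesh(nodes: list[str]) -> set[frozenset[str]]:
    """Every pair of nodes gets a direct tunnel."""
    return {frozenset((a, b)) for a in nodes for b in nodes if a < b}


def hub_and_spoke(nodes: list[str], hub: str) -> set[frozenset[str]]:
    """Every node tunnels only to the hub; spoke-to-spoke traffic transits it."""
    return {frozenset((hub, n)) for n in nodes if n != hub}


def distances(nodes, links, src, failed=()) -> dict[str, int]:
    """BFS hop counts from src over links whose both ends are still up.
    Nodes that cannot be reached are simply absent from the result."""
    alive = set(nodes) - set(failed)
    if src not in alive:
        return {}
    adj: dict[str, set[str]] = {n: set() for n in alive}
    for link in links:
        a, b = tuple(link)
        if a in alive and b in alive:
            adj[a].add(b)
            adj[b].add(a)
    dist = {src: 0}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        for nxt in adj[cur]:
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist


def surviving_pairs(nodes, links, failed=()) -> set[tuple[str, str]]:
    """Unordered pairs of live nodes that can still reach each other."""
    pairs = set()
    for src in nodes:
        for dst in distances(nodes, links, src, failed):
            if src < dst:
                pairs.add((src, dst))
    return pairs


if __name__ == "__main__":
    mesh, star = full_mesh(SITES), hub_and_spoke(SITES, "london")
    print("newyork->tokyo hops: mesh", distances(SITES, mesh, "newyork")["tokyo"],
          "| hub-and-spoke", distances(SITES, star, "newyork")["tokyo"])
    for down in ("tokyo", "london"):
        print(f"pairs still connected after {down} fails: mesh",
              len(surviving_pairs(SITES, mesh, (down,))),
              "| hub-and-spoke", len(surviving_pairs(SITES, star, (down,))))
```

Losing a spoke costs both topologies the same three pairs (the ones that involved it). Losing the hub costs the hub-and-spoke network every remaining pair, while the mesh again loses only the pairs that involved the failed node.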

Screenshot from Netmaker’s Graph tab.

Taking the example further, let's say we wanted to ensure a specific critical service always remains accessible. We could deploy several instances across our mesh network, give each a name in the network's DNS, and put health checks (client-side failover or a load balancer in front of the instances) in charge of taking a failing instance out of rotation, so the healthy instances stay reachable directly. And the best part? Peer updates are pushed network-wide by the server, keeping every host's WireGuard configuration consistent and reducing configuration drift.

Mesh VPN Scalability

The foundation of Mesh VPN scalability lies in its peer-to-peer nature. Each device holds a direct peer entry for every other device it is allowed to reach, so there is no central hop to become a bottleneck or single point of failure. A full mesh does mean every host carries one peer entry per other host, but an idle WireGuard peer costs little more than a config line and an occasional keepalive, so adding devices does not slow down the paths already in place, and ACLs let you trim peers that have no reason to talk. Imagine deploying a fleet of servers across different cloud providers and connecting them all without worrying about the usual VPN tunnel congestion. It's a game-changer.

When you start with Netmaker, deploying another node is as simple as installing the Netclient on the new machine and running a single join command with an enrollment key.

Behind the scenes, Netmaker handles the distribution of public keys, ports, and endpoints to all other nodes, ensuring secure, direct connections throughout the entire network. The simplicity and automation of adding new nodes make scaling almost feel like an afterthought.

Another aspect of scalability is managing complex network configurations as your mesh grows. ACLs (Access Control Lists) become your best friend here. With Netmaker, setting up ACLs to refine which devices talk to each other is straightforward: you decide which pairs of hosts may communicate, and hosts outside a rule are not given each other as WireGuard peers, so there is no tunnel between them to filter in the first place.


Consider setting up a gateway to allow external access to your mesh network. Netmaker streamlines this too: a gateway is an ordinary mesh member that additionally forwards traffic, either for clients that are not full mesh members themselves or for an external network range behind it, and the other hosts simply learn that range through the gateway's peer entry.
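The ACL and gateway behaviour from the two paragraphs above, as an added example that is not Netmaker's own code or data model: it computes, for each host, which peers it should hold and what AllowedIPs each peer gets under a default-deny ACL, with an egress gateway fronting a LAN range and a laptop that enters the mesh through that gateway. It also flags the one mistake that is easy to make here, two peers claiming overlapping ranges on the same host. Node names, addresses, and the ACL are constructed.

```python
"""Peer tables under a default-deny ACL, with an egress gateway and a relayed
external client. A model of the mechanism; Netmaker's own data model differs."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

MESH_SUBNET = "10.10.10.0/24"  # assumed virtual subnet


@dataclass(frozen=True)
class Node:
    name: str
    mesh_ip: str
    egress: tuple[str, ...] = ()  # external ranges this node forwards to (egress gateway role)
    via: str | None = None        # set on an external client: the gateway that relays it


def rule(a: str, b: str) -> frozenset[str]:
    """An ACL rule is symmetric: if a may talk to b, b may talk to a."""
    return frozenset((a, b))


def allowed(acl: set[frozenset[str]], a: str, b: str) -> bool:
    return rule(a, b) in acl  # default deny: no rule, no peer entry


def peer_table(nodes: list[Node], acl: set[frozenset[str]]) -> dict[str, dict[str, list[str]]]:
    """For every node, the peers its WireGuard config should hold and the
    AllowedIPs for each. A pair without a rule gets no [Peer] entry at all,
    so there is no tunnel to filter, not even a handshake."""
    table: dict[str, dict[str, list[str]]] = {}
    for me in nodes:
        peers: dict[str, list[str]] = {}
        for other in nodes:
            if other is me or not allowed(acl, me.name, other.name):
                continue
            if me.via:  # external client: its only peer is its gateway, which fronts the whole mesh
                if other.name == me.via:
                    peers[other.name] = [MESH_SUBNET]
                continue
            if other.via and other.via != me.name:
                continue  # a relayed client is reached through its gateway, not directly
            ips = [f"{other.mesh_ip}/32", *other.egress]
            # Routes to clients relayed by this peer ride on the gateway's entry.
            ips += [f"{c.mesh_ip}/32" for c in nodes
                    if c.via == other.name and allowed(acl, me.name, c.name)]
            peers[other.name] = ips
        table[me.name] = peers
    return table


def route_conflicts(peers: dict[str, list[str]]) -> list[str]:
    """Overlapping AllowedIPs across different peers on one host. WireGuard
    resolves this by giving the range to the peer configured last and dropping
    it from the other, so flag it as a configuration error instead."""
    seen: list[tuple[str, ipaddress.IPv4Network | ipaddress.IPv6Network]] = []
    problems = []
    for name, ranges in peers.items():
        for r in ranges:
            net = ipaddress.ip_network(r, strict=False)
            for other_name, other_net in seen:
                if other_name != name and net.overlaps(other_net):
                    problems.append(f"{name}:{net} overlaps {other_name}:{other_net}")
            seen.append((name, net))
    return problems


def talks(table: dict[str, dict[str, list[str]]], a: str, b: str) -> bool:
    """A direct tunnel exists only when both sides hold each other as peers."""
    return b in table[a] and a in table[b]


# Constructed example: two servers, an egress gateway to a LAN, and a laptop
# that enters the mesh through the gateway. Addresses are made up.
NODES = [
    Node("app1", "10.10.10.1"),
    Node("db", "10.10.10.2"),
    Node("gw", "10.10.10.3", egress=("192.168.50.0/24",)),
    Node("laptop", "10.10.10.10", via="gw"),
]
ACL = {rule("app1", "db"), rule("app1", "gw"), rule("gw", "laptop"), rule("app1", "laptop")}

if __name__ == "__main__":
    for host, peers in peer_table(NODES, ACL).items():
        print(host, peers, route_conflicts(peers) or "no conflicts")
```

Read the output for db: it holds only app1, because no rule pairs it with the gateway or the laptop, so neither can even start a handshake with it. Adding a second gateway that advertises the same 192.168.50.0/24 to app1 is the case route_conflicts exists for.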

The beauty of scalability in a Mesh VPN setup is not just about adding more nodes; it's also about how seamlessly and securely the network adapts to each new addition. This means less time firefighting connectivity issues and more time focusing on the broader IT landscape.

Mesh VPN performance and speed

Consider a scenario where you're transferring a large dataset between servers located in different geographical locations. With a traditional VPN, your transfer is capped by the concentrator's CPU and uplink, and speeds of a few tens of megabits per second are common. Switch to a Mesh VPN setup using WireGuard, and the transfer runs host to host, so throughput is bounded by the two servers' own links and can reach into the gigabits per second range, depending on your base internet speeds, of course. Latency drops as well, since packets no longer detour through a hub, making real-time applications and video conferencing smoother and more reliable.

Use Cases for a Mesh VPN

Remote work environments and Mesh VPNs

For remote work environments, the advent of Mesh VPNs like Netmaker is not just an innovation; it's a game-changer. A mesh VPN offers a robust, scalable, and efficient solution. By leveraging direct, peer-to-peer connections, we can significantly enhance the performance and reliability of our networks, making our lives, and the lives of our remote teams, considerably easier. The era of complex, centralized VPNs feels like a relic of the past.

Multi-site businesses and Mesh VPNs

Let’s say your business has operations in New York, London, and Tokyo. In a hub-and-spoke setup, if New York wants to send data to Tokyo, it must first go through the central hub, possibly located in London. This not only increases latency but also puts unnecessary load on the London hub. Now, let's consider a Mesh VPN setup. In this scenario, New York and Tokyo would have a direct, secure line to communicate, bypassing London entirely unless necessary. This architecture significantly reduces latency and distributes the load more evenly across the network.

IoT Networks and Mesh VPNs

Imagine having a myriad of IoT devices (sensors, cameras, and controllers) scattered across different geographical locations. The traditional VPN approach would route all these device connections through a central hub, creating potential bottlenecks and introducing latency issues. But with a Mesh VPN, each of these devices connects directly to the others it is allowed to reach, forming a high-speed, secure network. This peer-to-peer model not only enhances speed but also distributes the network load evenly.

By leveraging Netmaker's capability to create a virtual subnet, IoT devices behave as if they are on the same local network. This setup provides a seamless environment for managing devices, applying updates, or instituting group policies—all without the complexity of traditional network configurations.

Working in the IoT space, the transition to a Mesh VPN model can significantly simplify the daunting task of network management. Not only does it streamline device connectivity and security, but it also opens up new possibilities for real-time data processing and automation across distributed devices. With Netmaker, setting up and scaling your IoT networks becomes a straightforward task, freeing up time to focus on harnessing the true potential of your IoT solutions.


A WireGuard® VPN that connects machines securely, wherever they are.
