You've got Netmaker managing your core servers and maybe some workstations with the Netclient, creating that slick, secure mesh. But what about those devices that can't run the Netclient? Specifically, what about integrating entire sites behind common routers like pfSense, OPNsense, MikroTik, or OpenWrt?
You want those networks talking to your Netmaker VPN without deploying agents on every single machine behind the router. Netmaker makes this surprisingly straightforward by leveraging standard WireGuard configuration files. This approach lets you securely extend your Netmaker network to almost any site using the router you already have.
While the Netclient provides dynamic, peer-to-peer connections for supported systems (Linux, Windows, Mac, Docker), it's often not feasible or desirable to install it directly onto router firmware. That's where static WireGuard configurations come in. They provide a robust way to connect these non-native devices to your network.
The trade-off is that these connections operate in a hub-and-spoke model, meaning traffic routes through a designated Netmaker node acting as a Remote Access Gateway (RAG). This adds a hop but simplifies setup and ensures connectivity for devices that can't participate in the dynamic mesh. Keep in mind that, as the static deployment guide notes, these configurations are not updated automatically: if you later change gateway settings or add new routes such as Egress Gateways, the router's configuration has to be updated by hand, so plan accordingly.
The core process is simple. First, you need a node within your Netmaker network designated as a Remote Access Gateway. This node, typically a Linux server running the Netclient in a stable, publicly accessible location (like your Netmaker server itself or another cloud VM), acts as the central connection point for your static clients, including routers. You configure this gateway within your network's Remote Access interface in the Netmaker dashboard. Consider setting a useful default DNS server on the gateway if needed for devices connecting through it.
Once your RAG is set up, you generate a WireGuard configuration file specifically for your router. Navigate to the Remote Access tab in your network, select your gateway, and click "Create Config". Give it a descriptive Client ID (like office-router-pfsense). Crucially, under the advanced settings, you'll want to specify the local network range(s) behind your router in the "Additional Addresses" field (e.g., 192.168.1.0/24). This tells Netmaker to route traffic for that subnet to this router client, effectively enabling the Egressing External Clients functionality for your site. After creating the config, you can view or download it.
Now comes the router-specific part: applying this configuration. You'll need to install the WireGuard package or plugin on your router if it's not built-in. Then, using the router's web UI or CLI, you'll typically create a new WireGuard tunnel interface, add a peer, and manually input the details (Interface PrivateKey, Address, DNS; Peer PublicKey, AllowedIPs, Endpoint address and port, PersistentKeepalive) from the downloaded .conf file.
Remember to also configure firewall rules on the router to permit traffic between the new WireGuard interface and your LAN interface, and potentially add static routes if the router doesn't handle it automatically based on the AllowedIPs.
Netmaker's documentation provides specific walkthroughs for several popular platforms. For pfSense, you'll install the wireguard package, configure the tunnel and peer under VPN -> WireGuard, assign it an interface, and set up firewall rules. With OPNsense, WireGuard is often pre-installed or available as a plugin; you'll add an instance and peer, assign an interface, create a gateway and static route, and then configure firewall rules.
MikroTik (RouterOS v7+) has WireGuard built-in, and you can configure it efficiently via the CLI using commands derived directly from the .conf file values, adding the interface, peer, IP address, and route. For OpenWrt, you install wireguard-tools and luci-proto-wireguard, add the interface, import the configuration, ensure the peer routes allowed IPs, and create a firewall zone to link the WireGuard interface with your LAN.
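The steps above (generate the config with the site's LAN in "Additional Addresses", copy the Interface and Peer values into the router, then add routes and firewall rules) are easy to get subtly wrong by hand. The script below is an added example, not Netmaker's own code or tooling: it parses a WireGuard .conf of the shape Netmaker produces, runs the checks a practitioner would want before loading it on a router (exactly one peer, a PrivateKey present, AllowedIPs that do not swallow the router's own LAN, an Endpoint and a PersistentKeepalive), and emits the RouterOS v7 commands described above for MikroTik. The sample config, its key placeholders, the `wg-netmaker` interface name and the LAN subnet are all constructed; the RouterOS command syntax is taken from MikroTik's WireGuard documentation as I know it and should be verified against your RouterOS version.

```python
import ipaddress
import re

# Constructed sample shaped like a Netmaker-generated client .conf.
# Keys and hostname are placeholders, not real values.
SAMPLE_CONF = """[Interface]
Address = 10.101.0.5/32
PrivateKey = <ROUTER_PRIVATE_KEY_PLACEHOLDER>
DNS = 10.101.0.1

[Peer]
PublicKey = <GATEWAY_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.101.0.0/16
AllowedIPs = 10.200.0.0/24
Endpoint = gateway.example.net:51821
PersistentKeepalive = 20
"""

LIST_KEYS = ("AllowedIPs", "Address", "DNS")


def parse_wg_conf(text):
    """Parse a WireGuard .conf into {'Interface': {...}, 'Peer': [{...}, ...]}.
    Repeated keys and comma-separated values for AllowedIPs/Address/DNS become lists."""
    sections = {"Interface": {}, "Peer": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            name = header.group(1)
            if name == "Peer":
                current = {}
                sections["Peer"].append(current)
            elif name == "Interface":
                current = sections["Interface"]
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        # split on the first '=' only: base64 keys end in '=' padding
        key, value = (part.strip() for part in line.split("=", 1))
        if key in LIST_KEYS:
            current.setdefault(key, []).extend(v.strip() for v in value.split(",") if v.strip())
        else:
            current[key] = value
    return sections


def check_conf(conf, lan_subnet):
    """Return findings that should be resolved before the config goes on a router."""
    findings = []
    iface, peers = conf["Interface"], conf["Peer"]
    lan = ipaddress.ip_network(lan_subnet)
    if len(peers) != 1:
        findings.append("expected exactly one [Peer] (the Remote Access Gateway)")
    if "PrivateKey" not in iface:
        findings.append("[Interface] has no PrivateKey")
    for peer in peers:
        allowed = [ipaddress.ip_network(a) for a in peer.get("AllowedIPs", [])]
        if not allowed:
            findings.append("peer has no AllowedIPs; nothing will be routed into the tunnel")
        for net in allowed:
            if net.overlaps(lan):
                findings.append(f"AllowedIPs {net} overlaps the local LAN {lan}; local traffic would be sent into the tunnel")
            if net.prefixlen == 0:
                findings.append(f"AllowedIPs {net} makes this a full tunnel through the gateway; confirm that is intended")
        if "Endpoint" not in peer:
            findings.append("peer has no Endpoint; the router cannot initiate the connection to the gateway")
        if "PersistentKeepalive" not in peer:
            findings.append("no PersistentKeepalive; NAT mappings may expire when the site is idle")
    return findings


def to_routeros(conf, iface_name="wg-netmaker"):
    """Emit RouterOS v7 CLI lines for the interface, address, peer and static routes.
    Command syntax is assumed from MikroTik docs; verify on your RouterOS version."""
    iface, peer = conf["Interface"], conf["Peer"][0]
    host, port = peer["Endpoint"].rsplit(":", 1)
    lines = [f'/interface/wireguard add name={iface_name} private-key="{iface["PrivateKey"]}"']
    for addr in iface["Address"]:
        lines.append(f"/ip/address add address={addr} interface={iface_name}")
    lines.append(
        f'/interface/wireguard/peers add interface={iface_name} public-key="{peer["PublicKey"]}" '
        f"endpoint-address={host} endpoint-port={port} "
        f'allowed-address={",".join(peer["AllowedIPs"])} '
        f'persistent-keepalive={peer.get("PersistentKeepalive", "25")}s'
    )
    # RouterOS does not install routes from allowed-address by itself, so add them explicitly
    for net in peer["AllowedIPs"]:
        lines.append(f"/ip/route add dst-address={net} gateway={iface_name}")
    return lines


if __name__ == "__main__":
    parsed = parse_wg_conf(SAMPLE_CONF)
    for finding in check_conf(parsed, "192.168.1.0/24"):
        print("WARNING:", finding)
    print("\n".join(to_routeros(parsed)))
```

Running the script against a downloaded .conf (replace `SAMPLE_CONF` with the file contents, and `192.168.1.0/24` with the site's LAN) prints any findings followed by the RouterOS commands; the overlap check is the one that catches a config whose AllowedIPs happen to cover the router's own LAN, which would otherwise blackhole local traffic. The firewall rules between the WireGuard and LAN interfaces still have to be added separately, as the walkthroughs above describe.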
Beyond these, guides or examples often exist for other common platforms like TP-Link, Asus, GL.iNet, Teltonika, pcWRT, and even custom firmware like DD-WRT. The principles remain the same: get the config from Netmaker RAG, apply it to the router's WireGuard implementation, and ensure routing and firewall rules allow traffic flow.
This same static configuration method also applies to various IoT devices or systems running Embedded Linux or specialized stacks like lwIP where the full Netclient isn't an option. For any other devices, consult their specific documentation on configuring a WireGuard client interface.
It's worth noting there is an alternative method for achieving direct site-to-site connectivity using Netclient installed on a machine within each site (acting as an Egress Gateway) combined with manual route configuration on the local networks. This creates a true peer-to-peer site mesh but involves more complex routing setup compared to the router-based static client approach.
Integrating routers and the sites behind them is a core capability that makes Netmaker a flexible solution for various network topologies. By generating tailored WireGuard configurations from a Remote Access Gateway, you can securely bridge almost any site into your Netmaker VPN, leveraging the hardware you likely already have in place.
Official Netmaker docs covering why you'd choose the router-based approach, static vs Netclient trade-offs, the Remote Access Gateway concept, and how the "Additional Addresses" field turns your router into an egress point. Read our full docs article.