Resourceschevron right
Netmaker
chevron right
Bridge Entire Networks with Netmaker - Connect pfSense, OPNsense, MikroTik & OpenWrt in One Click

Bridge Entire Networks with Netmaker - Connect pfSense, OPNsense, MikroTik & OpenWrt in One Click

Posted by
Richard Gargan
published
May 8, 2025
TABLE OF CONTENTS
Experience Seamless Network Management
Sign up for a 2-week free trial and experience seamless remote access for easy setup and full control with Netmaker.
Get Started FreeBrowse Solutions

You've got Netmaker managing your core servers and maybe some workstations with the Netclient, creating that slick, secure mesh. But what about those devices that can't run the Netclient? Specifically, what about integrating entire sites behind common routers like pfSense, OPNsense, MikroTik, or OpenWrt?

You want those networks talking to your Netmaker VPN without deploying agents on every single machine behind the router. Netmaker makes this surprisingly straightforward by leveraging standard WireGuard configuration files. This approach lets you securely extend your Netmaker network to almost any site using the router you already have.

Skip ahead to the dedicated Netmaker Docs for the fastest way to hook up pfSense, OPNsense, MikroTik, OpenWrt, and more.

Static Configs vs. Netclient: Understanding the Trade-offs

While the Netclient provides dynamic, peer-to-peer connections for supported systems (Linux, Windows, Mac, Docker), it's often not feasible or desirable to install it directly onto router firmware. That's where static WireGuard configurations come in. They provide a robust way to connect these non-native devices to your network.

The trade-off is that these connections operate in a hub-and-spoke model, meaning traffic routes through a designated Netmaker node acting as a Remote Access Gateway (RAG). This adds a hop but simplifies setup and ensures connectivity for devices that can't participate in the dynamic mesh. Keep in mind, as outlined in the static deployment guide, these configurations don't automatically update if you change gateway settings or add complex new routes like Egress Gateways later on, so plan accordingly.

How to connect your routers to your Netmaker VPN

Your Hub: The Remote Access Gateway

The core process is simple. First, you need a node within your Netmaker network designated as a Remote Access Gateway. This node, typically a Linux server running the Netclient in a stable, publicly accessible location (like your Netmaker server itself or another cloud VM), acts as the central connection point for your static clients, including routers. You configure this gateway within your network's Remote Access interface in the Netmaker dashboard. Consider setting a useful default DNS server on the gateway if needed for devices connecting through it.

Generating Your Router's Ticket In: The WireGuard Config

Once your RAG is set up, you generate a WireGuard configuration file specifically for your router. Navigate to the Remote Access tab in your network, select your gateway, and click "Create Config". Give it a descriptive Client ID (like office-router-pfsense). Crucially, under the advanced settings, you'll want to specify the local network range(s) behind your router in the "Additional Addresses" field (e.g., 192.168.1.0/24). This tells Netmaker to route traffic for that subnet to this router client, effectively enabling the Egressing External Clients functionality for your site. After creating the config, you can view or download it.

Making the Connection: Applying the Config to Your Router

Now comes the router-specific part: applying this configuration. You'll need to install the WireGuard package or plugin on your router if it's not built-in. Then, using the router's web UI or CLI, you'll typically create a new WireGuard tunnel interface, add a peer, and manually input the details (Interface PrivateKey, Address, DNS; Peer PublicKey, AllowedIPs, Endpoint address and port, PersistentKeepalive) from the downloaded .conf file.

Remember to also configure firewall rules on the router to permit traffic between the new WireGuard interface and your LAN interface, and potentially add static routes if the router doesn't handle it automatically based on the AllowedIPs.

Router Recipes: Specific Platform Guides

Netmaker's documentation provides specific walkthroughs for several popular platforms. For pfSense, you'll install the wireguard package, configure the tunnel and peer under VPN -> WireGuard, assign it an interface, and set up firewall rules. With OPNsense, WireGuard is often pre-installed or available as a plugin; you'll add an instance and peer, assign an interface, create a gateway and static route, and then configure firewall rules.

MikroTik (RouterOS v7+) has WireGuard built-in, and you can configure it efficiently via the CLI using commands derived directly from the .conf file values, adding the interface, peer, IP address, and route. For OpenWrt, you install wireguard-tools and luci-proto-wireguard, add the interface, import the configuration, ensure the peer routes allowed IPs, and create a firewall zone to link the WireGuard interface with your LAN.

Beyond the Common Suspects: Other Routers and Devices

Beyond these, guides or examples often exist for other common platforms like TP-Link, Asus, GL.iNet, Teltonika, pcWRT, and even custom firmware like DD-WRT. The principles remain the same: get the config from Netmaker RAG, apply it to the router's WireGuard implementation, and ensure routing and firewall rules allow traffic flow.

This same static configuration method also applies to various IoT devices or systems running Embedded Linux or specialized stacks like lwIP where the full Netclient isn't an option. For any other devices, consult their specific documentation on configuring a WireGuard client interface.

Alternative Path: Direct Site-to-Site with Netclient

It's worth noting there is an alternative method for achieving direct site-to-site connectivity using Netclient installed on a machine within each site (acting as an Egress Gateway) combined with manual route configuration on the local networks. This creates a true peer-to-peer site mesh but involves more complex routing setup compared to the router-based static client approach.

Connecting the Dots

Integrating routers and the sites behind them is a core capability that makes Netmaker a flexible solution for various network topologies. By generating tailored WireGuard configurations from a Remote Access Gateway, you can securely bridge almost any site into your Netmaker VPN, leveraging the hardware you likely already have in place.

Further reading — Bridge Routers Using Netmaker:  

Official Netmaker docs covering why you’d choose the router-based approach, static vs Netclient trade-offs, Remote-Access Gateway concept, and how the “Additional Addresses” field turns your router into an egress point. Read our full docs article.

Experience Seamless Network Management
Sign up for a 2-week free trial and experience seamless remote access for easy setup and full control with Netmaker.
Get Started FreeBrowse Solutions
More posts
May 9, 2025
Spotting Spear Phishing: A Business Cybersecurity Guide
Security
May 8, 2025
Bridge Entire Networks with Netmaker - Connect pfSense, OPNsense, MikroTik & OpenWrt in One Click
Netmaker
VPN
Security
May 1, 2025
Data Exfiltration: Risks, Detection, and Prevention
Security

GET STARTED

A WireGuard® VPN that connects machines securely, wherever they are.
Get Started
Request Demo

WireGuard is a registered trademark of Jason A. Donenfeld.

Star us on GitHub
Can we use Cookies?  (see  Privacy Policy).
PreferencesReject
Accept