VPN Networks

NetDefense manages WireGuard-based networks that interconnect devices across sites. Each network defines an overlay IP range and a set of member devices that form encrypted tunnels between each other.

Network Concepts

Concept	Explanation
CIDR	The overlay IP range for the network (e.g., 10.100.0.0/24). Each member device gets a unique IP from this range.
Listen Port	The UDP port used for WireGuard connections. Each network uses its own port.
HUB	A central device with a public endpoint (a reachable IP/hostname). Hubs accept connections from spokes and route traffic between them. Typically deployed at headquarters or data centers.
SPOKE	A device that connects to hubs but doesn’t need a public endpoint. Spokes can be behind NAT or dynamic IPs. Typically branch office or remote site firewalls.
Auto-Connect-Hubs	When enabled, NetDefense automatically creates connections between all hubs (hub-to-hub) and between each hub and every spoke (hub-to-spoke).
Overlay IP	The IP address assigned to a member device within the network’s CIDR range.
Endpoint	The public IP/hostname and port where a HUB device listens for WireGuard connections. Spokes don’t need endpoints because they initiate outbound connections.
PSK (Pre-Shared Key)	An optional additional layer of encryption on a specific link. When enabled, both sides must have the same key for the tunnel to establish.
Transit	Allows a spoke to route traffic through a specific hub to reach other networks. The hub publishes network prefixes so the spoke knows which traffic to send through the tunnel.
Overrides	The count of explicit link overrides — manually created or modified links that change the default connectivity behavior (e.g., adding a spoke-to-spoke link, disabling an automatic connection, or adding PSK to a specific link).

Full Mesh Networks

Mesh networks are topologies in which every member is directly interconnected with all other members. In this model, each device establishes a link with every other device in the network.

NetDefense can implement a full mesh by creating a network with the Auto-Connect-Hubs option enabled and assigning all devices the HUB role.

Note

While full mesh is technically straightforward to configure, it is rarely the best design choice in practice. Local inbound traffic restrictions, segmentation requirements, and monitoring needs often make hub-and-spoke or hybrid topologies more appropriate.

Automatic vs Manual Links

Network links (connections between devices) can be:

• Automatic — created implicitly based on member roles. Hub-to-spoke links are always automatic. Hub-to-hub links are automatic when Auto-Connect-Hubs is enabled. These links don’t require manual configuration.
• Manual — explicitly created to enable connections that aren’t automatic, like spoke-to-spoke links (which allow two branch offices to communicate directly without routing through a hub). You can also manually override an automatic link to add PSK or disable it entirely.

List Networks

View in NDWeb

ndcli network list

╭─────────────────┬───────────────┬───────────┬───────┬─────────┬───────────╮
│ NAME            │ CIDR          │ AUTO-HUBS │ PORT  │ MEMBERS │ OVERRIDES │
├─────────────────┼───────────────┼───────────┼───────┼─────────┼───────────┤
│ corporate-vpn   │ 10.100.0.0/24 │ Yes       │ 51820 │ 5       │ 1         │
│ management-mesh │ 10.102.0.0/24 │ Yes       │ 51822 │ 0       │ 0         │
│ site-to-site    │ 10.101.0.0/24 │ No        │ 51821 │ 0       │ 0         │
╰─────────────────┴───────────────┴───────────┴───────┴─────────┴───────────╯

Describe a Network

View in NDWeb

ndcli network describe corporate-vpn -f detailed

╭─ VPN Network ───────────────────────────────────────╮
│  corporate-vpn                                      │
│  CIDR: 10.100.0.0/24                                │
╰─────────────────────────────────────────────────────╯

  Auto-Hubs      Yes       Listen Port    51820
  MTU            -         Keepalive      -
  Organization   example-org

┌─ Statistics ────────────────────────────────────────┐
│    Members: 5                                       │
│    Overrides: 1                                     │
└─────────────────────────────────────────────────────┘

  Created        2026-02-20 19:19:21
  Updated        2026-02-20 19:19:21

List Members

View in NDWeb

ndcli network member list corporate-vpn

╭───────────────────┬───────┬─────────┬────────────┬────────────────────────────┬─────────╮
│ DEVICE            │ ROLE  │ ENABLED │ OVERLAY IP │ ENDPOINT                   │ TRANSIT │
├───────────────────┼───────┼─────────┼────────────┼────────────────────────────┼─────────┤
│ fw-hq-primary     │ HUB   │ Yes     │ 10.100.0.1 │ vpn.example-org.com:51820  │ -       │
│ fw-hq-secondary   │ HUB   │ Yes     │ 10.100.0.2 │ vpn2.example-org.com:51820 │ -       │
│ fw-branch-chicago │ SPOKE │ Yes     │ 10.100.0.3 │ -                          │ -       │
│ fw-branch-denver  │ SPOKE │ Yes     │ 10.100.0.4 │ -                          │ -       │
│ fw-branch-austin  │ SPOKE │ Yes     │ 10.100.0.5 │ -                          │ -       │
╰───────────────────┴───────┴─────────┴────────────┴────────────────────────────┴─────────╯

Notice that HUBs have public endpoints (vpn.example-org.com, vpn2.example-org.com) while SPOKEs show - because they initiate outbound connections to the hubs.

List Links

View in NDWeb

ndcli network link list corporate-vpn

╭───────────────────┬───────────────────┬─────────────┬────────┬─────┬─────────────╮
│ DEVICE A          │ DEVICE B          │ PAIR        │ ACTIVE │ PSK │ NOTES       │
├───────────────────┼───────────────────┼─────────────┼────────┼─────┼─────────────┤
│ fw-hq-primary     │ fw-hq-secondary   │ hub↔hub     │ Yes    │ No  │ automatic   │
│ fw-hq-primary     │ fw-branch-austin  │ hub↔spoke   │ Yes    │ No  │ automatic   │
│ fw-hq-primary     │ fw-branch-chicago │ hub↔spoke   │ Yes    │ No  │ automatic   │
│ fw-hq-primary     │ fw-branch-denver  │ hub↔spoke   │ Yes    │ No  │ automatic   │
│ fw-hq-secondary   │ fw-branch-austin  │ hub↔spoke   │ Yes    │ No  │ automatic   │
│ fw-hq-secondary   │ fw-branch-chicago │ hub↔spoke   │ Yes    │ No  │ automatic   │
│ fw-hq-secondary   │ fw-branch-denver  │ hub↔spoke   │ Yes    │ No  │ automatic   │
│ fw-branch-chicago │ fw-branch-denver  │ spoke↔spoke │ Yes    │ Yes │ manual link │
╰───────────────────┴───────────────────┴─────────────┴────────┴─────┴─────────────╯

8 connections (7 automatic, 1 manual link)

The corporate-vpn network uses a hub-and-spoke topology:

• 2 HUBs (fw-hq-primary, fw-hq-secondary) with public endpoints — providing redundancy at headquarters.
• 3 SPOKEs (fw-branch-chicago, fw-branch-denver, fw-branch-austin) — each spoke automatically connects to both hubs, so if one hub goes down, the other maintains connectivity.
• 7 automatic links — all hub-to-hub and hub-to-spoke connections were created automatically because Auto-Connect-Hubs is enabled.
• 1 manual spoke-to-spoke link — an explicit override between Chicago and Denver with PSK enabled, allowing those two branch offices to communicate directly without routing through a hub.