
network

VPN network management commands for NDCLI. These commands allow you to create and manage WireGuard-based overlay networks, add devices as members, configure links between members, and publish IP prefixes.

Command alias: net

Commands

| Command | Description |
| --- | --- |
| network list | List VPN networks |
| network describe | Show VPN network details |
| network create | Create a VPN network |
| network update | Update a VPN network |
| network delete | Delete a VPN network |
| network member list | List VPN network members |
| network member describe | Show VPN member details |
| network member add | Add a device as VPN member |
| network member update | Update a VPN member |
| network member remove | Remove a VPN member |
| network link list | List VPN connections |
| network link describe | Show VPN connection details |
| network link create | Create a VPN link between two members |
| network link update | Update a VPN link |
| network link delete | Delete a VPN link |
| network prefix list | List published prefixes for a VPN member |
| network prefix add | Publish a prefix on a VPN member |
| network prefix update | Update a VPN member prefix |
| network prefix remove | Remove a prefix from a VPN member |

network list

List all VPN networks in the organization.

ndcli network list [flags]

Flags

| Flag | Type | Default | Description |
| --- | --- | --- | --- |
| --page | int | 1 | Page number |
| --per-page | int | 30 | Items per page |

Examples

ndcli network list
ndcli network list -f json

network describe

Show detailed information about a VPN network.

ndcli network describe [network]

Arguments

| Argument | Required | Description |
| --- | --- | --- |
| network | Yes | Network name |

Examples

ndcli network describe my-network
ndcli network describe my-network -f json

network create

Create a new VPN overlay network.

ndcli network create [name] [flags]

Arguments

| Argument | Required | Description |
| --- | --- | --- |
| name | Yes | Network name |

Flags

| Flag | Type | Default | Description |
| --- | --- | --- | --- |
| --cidr | string | | Overlay CIDR (required, e.g. 10.100.0.0/24) |
| --listen-port | int | 51820 | Default WireGuard listen port |
| --mtu | int | | Default MTU (1280–9000) |
| --keepalive | int | | Default keepalive interval (1–65535 seconds) |
| --auto-connect-hubs | bool | false | Auto-create links between HUB members |

Examples

ndcli network create my-network --cidr 10.100.0.0/24
ndcli network create branch-vpn --cidr 10.200.0.0/24 --listen-port 51821 --keepalive 25
ndcli network create hub-network --cidr 10.0.0.0/24 --auto-connect-hubs

network update

Update an existing VPN network’s settings.

ndcli network update [network] [flags]

Arguments

| Argument | Required | Description |
| --- | --- | --- |
| network | Yes | Network name |

Flags

| Flag | Type | Default | Description |
| --- | --- | --- | --- |
| --name | string | | New network name |
| --listen-port | int | | Default WireGuard listen port |
| --mtu | int | | Default MTU (use 0 to clear) |
| --keepalive | int | | Default keepalive interval (use 0 to clear) |
| --auto-connect-hubs | bool | | Auto-create links between HUB members |
| -y, --yes | bool | false | Skip confirmation prompt |

Examples

ndcli network update my-network --name new-name
ndcli network update my-network --keepalive 25
ndcli network update my-network --mtu 0

network delete

Delete a VPN network.

ndcli network delete [network] [flags]

Arguments

| Argument | Required | Description |
| --- | --- | --- |
| network | Yes | Network name |

Flags

| Flag | Type | Default | Description |
| --- | --- | --- | --- |
| -y, --yes | bool | false | Skip confirmation prompt |

Examples

ndcli network delete my-network
ndcli network delete my-network --yes

network member list

List all members in a VPN network.

ndcli network member list [network] [flags]

Arguments

| Argument | Required | Description |
| --- | --- | --- |
| network | Yes | Network name |

Flags

| Flag | Type | Default | Description |
| --- | --- | --- | --- |
| --page | int | 1 | Page number |
| --per-page | int | 30 | Items per page |

Examples

ndcli network member list my-network
ndcli network member list my-network -f json

network member describe

Show detailed information about a VPN network member.

ndcli network member describe [network] [device]

Arguments

| Argument | Required | Description |
| --- | --- | --- |
| network | Yes | Network name |
| device | Yes | Device name |

Examples

ndcli network member describe my-network my-firewall

network member add

Add a device to a VPN network as a member.

ndcli network member add [network] [device] [flags]

Arguments

| Argument | Required | Description |
| --- | --- | --- |
| network | Yes | Network name |
| device | Yes | Device name |

Flags

| Flag | Type | Default | Description |
| --- | --- | --- | --- |
| --role | string | SPOKE | Member role: HUB or SPOKE |
| --overlay-ip | string | | Overlay IPv4 address (auto-allocated if empty) |
| --endpoint-host | string | | Public hostname or IP for incoming connections |
| --endpoint-port | int | | Public endpoint port |
| --listen-port | int | | WireGuard listen port override |
| --mtu | int | | MTU override |
| --keepalive | int | | Keepalive interval override (seconds) |
| --transit-via-hub | string | | Route through this HUB device name |
| --enabled | bool | true | Enable the member |

Member Roles

| Role | Description |
| --- | --- |
| HUB | Acts as a relay; auto-connects to all SPOKE members and (if auto-connect-hubs is on) other HUBs |
| SPOKE | Connects to HUBs automatically; spoke-to-spoke requires a manual link |

Examples

# Add a spoke member (auto-allocated overlay IP)
ndcli network member add my-network branch-firewall
# Add a hub member with a public endpoint
ndcli network member add my-network datacenter-fw \
  --role HUB \
  --endpoint-host vpn.example.com \
  --endpoint-port 51820
# Add a spoke with a specific overlay IP
ndcli network member add my-network remote-fw --overlay-ip 10.100.0.5

network member update

Update a VPN network member’s settings.

ndcli network member update [network] [device] [flags]

Arguments

| Argument | Required | Description |
| --- | --- | --- |
| network | Yes | Network name |
| device | Yes | Device name |

Flags

| Flag | Type | Default | Description |
| --- | --- | --- | --- |
| --role | string | | Member role: HUB or SPOKE |
| --endpoint-host | string | | Public hostname or IP (use none to clear) |
| --endpoint-port | int | | Public endpoint port (use 0 to clear) |
| --listen-port | int | | WireGuard listen port override (use 0 to clear) |
| --mtu | int | | MTU override (use 0 to clear) |
| --keepalive | int | | Keepalive interval override (use 0 to clear) |
| --transit-via-hub | string | | HUB device to route through (use none to clear) |
| --enabled | bool | | Enable or disable the member |
| --regenerate-keys | bool | false | Regenerate the WireGuard keypair |

Examples

ndcli network member update my-network branch-fw --endpoint-host new.ip.example.com
ndcli network member update my-network branch-fw --endpoint-host none
ndcli network member update my-network branch-fw --regenerate-keys

network member remove

Remove a device from a VPN network.

ndcli network member remove [network] [device] [flags]

Arguments

| Argument | Required | Description |
| --- | --- | --- |
| network | Yes | Network name |
| device | Yes | Device name |

Flags

| Flag | Type | Default | Description |
| --- | --- | --- | --- |
| -y, --yes | bool | false | Skip confirmation prompt |

Examples

ndcli network member remove my-network branch-fw
ndcli network member remove my-network branch-fw --yes

network link list

List all effective VPN connections in a network. By default, shows effective connections derived from member roles. Use --raw to see only explicit link overrides stored in the database.

ndcli network link list [network] [flags]

Arguments

| Argument | Required | Description |
| --- | --- | --- |
| network | Yes | Network name |

Flags

| Flag | Type | Default | Description |
| --- | --- | --- | --- |
| --device | string | | Filter connections involving this device |
| --raw | bool | false | Show raw link database rows instead of effective connections |
| --page | int | 1 | Page number (only with --raw) |
| --per-page | int | 30 | Items per page (only with --raw) |

Connection Rules

| Pair | Connected? |
| --- | --- |
| HUB ↔ SPOKE | Always (automatic) |
| HUB ↔ HUB | Automatic if auto-connect-hubs is enabled on the network |
| SPOKE ↔ SPOKE | Only via a manual link (network link create) |

Examples

ndcli network link list my-network
ndcli network link list my-network --device branch-fw
ndcli network link list my-network --raw
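
The Member Roles and Connection Rules tables above can be modelled offline to review which tunnels a planned topology will bring up before any member is added. The following is an added example, not part of NDCLI or its documentation; the data structures, function names and sample inventory are constructed for illustration and do not represent ndcli's JSON output.

```python
from itertools import combinations

# Constructed inventory: device -> role. The structures here are assumptions
# for this example, not ndcli's JSON output format.
MEMBERS = {
    "datacenter-fw": "HUB", "dr-fw": "HUB",
    "branch-fw": "SPOKE", "remote-fw": "SPOKE",
    "spoke-a": "SPOKE", "spoke-b": "SPOKE",
}
# Constructed manual links (network link create); psk mirrors --generate-psk.
MANUAL_LINKS = [
    {"a": "spoke-a", "b": "spoke-b", "psk": True},
    {"a": "branch-fw", "b": "remote-fw", "psk": False},
]


def effective_connections(members, manual_links, auto_connect_hubs):
    """Map each connected pair to the rule that connects it."""
    conns = {}
    for a, b in combinations(sorted(members), 2):
        roles = {members[a], members[b]}
        if roles == {"HUB", "SPOKE"}:                # HUB <-> SPOKE: always
            conns[frozenset((a, b))] = "automatic hub-spoke"
        elif roles == {"HUB"} and auto_connect_hubs:  # HUB <-> HUB: opt-in
            conns[frozenset((a, b))] = "auto-connect-hubs"
    for link in manual_links:                        # explicit links
        pair = frozenset((link["a"], link["b"]))
        if len(pair) != 2 or any(n not in members for n in pair):
            raise ValueError(f"link needs two distinct known members: {link}")
        conns.setdefault(pair, "manual link")
    return conns


def unlinked_spoke_pairs(members, conns):
    """SPOKE pairs with no direct connection under the rules above."""
    spokes = sorted(n for n, r in members.items() if r == "SPOKE")
    return [p for p in combinations(spokes, 2) if frozenset(p) not in conns]


def manual_links_without_psk(manual_links):
    """Manual links created without a WireGuard pre-shared key."""
    return [tuple(sorted((l["a"], l["b"]))) for l in manual_links if not l["psk"]]


if __name__ == "__main__":
    conns = effective_connections(MEMBERS, MANUAL_LINKS, auto_connect_hubs=False)
    for pair, reason in sorted((sorted(p), r) for p, r in conns.items()):
        print(" <-> ".join(pair), "-", reason)
    print("no PSK:", manual_links_without_psk(MANUAL_LINKS))
```

Comparing the result with the role assignments shows how promoting a device to HUB widens its connectivity to every SPOKE, and which manual links were created without a pre-shared key.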

network link describe

Show details of a specific VPN connection between two members.

ndcli network link describe [network] [device-a] [device-b]

Arguments

| Argument | Required | Description |
| --- | --- | --- |
| network | Yes | Network name |
| device-a | Yes | First device name |
| device-b | Yes | Second device name |

Examples

ndcli network link describe my-network spoke-a spoke-b

network link create

Create a manual VPN link between two network members. This is required for SPOKE-to-SPOKE connections.

ndcli network link create [network] [device-a] [device-b] [flags]

Arguments

| Argument | Required | Description |
| --- | --- | --- |
| network | Yes | Network name |
| device-a | Yes | First device name |
| device-b | Yes | Second device name |

Flags

| Flag | Type | Default | Description |
| --- | --- | --- | --- |
| --enabled | bool | true | Enable the link |
| --generate-psk | bool | false | Generate a WireGuard pre-shared key for additional security |

Examples

ndcli network link create my-network spoke-a spoke-b
ndcli network link create my-network spoke-a spoke-b --generate-psk

network link update

Update a VPN link between two members.

ndcli network link update [network] [device-a] [device-b] [flags]

Arguments

| Argument | Required | Description |
| --- | --- | --- |
| network | Yes | Network name |
| device-a | Yes | First device name |
| device-b | Yes | Second device name |

Flags

| Flag | Type | Default | Description |
| --- | --- | --- | --- |
| --enabled | bool | true | Enable or disable the link |
| --regenerate-psk | bool | false | Regenerate the pre-shared key |

Examples

ndcli network link update my-network spoke-a spoke-b --enabled=false
ndcli network link update my-network spoke-a spoke-b --regenerate-psk

network link delete

Delete a VPN link between two members.

ndcli network link delete [network] [device-a] [device-b] [flags]

Arguments

| Argument | Required | Description |
| --- | --- | --- |
| network | Yes | Network name |
| device-a | Yes | First device name |
| device-b | Yes | Second device name |

Flags

| Flag | Type | Default | Description |
| --- | --- | --- | --- |
| -y, --yes | bool | false | Skip confirmation prompt |

Examples

ndcli network link delete my-network spoke-a spoke-b

network prefix list

List all IP prefixes published by a VPN network member.

ndcli network prefix list [network] [device] [flags]

Arguments

| Argument | Required | Description |
| --- | --- | --- |
| network | Yes | Network name |
| device | Yes | Device name |

Flags

| Flag | Type | Default | Description |
| --- | --- | --- | --- |
| --page | int | 1 | Page number |
| --per-page | int | 30 | Items per page |

Examples

ndcli network prefix list my-network branch-fw

network prefix add

Publish an IP prefix on a VPN network member. The prefix is defined by a variable (typically of type prefix) associated with that device.

ndcli network prefix add [network] [device] [variable] [flags]

Arguments

| Argument | Required | Description |
| --- | --- | --- |
| network | Yes | Network name |
| device | Yes | Device name |
| variable | Yes | Variable name that holds the prefix value |

Flags

| Flag | Type | Default | Description |
| --- | --- | --- | --- |
| --publish | bool | true | Advertise the prefix to other VPN peers |

Examples

ndcli network prefix add my-network branch-fw lan_prefix
ndcli network prefix add my-network branch-fw lan_prefix --publish=false

network prefix update

Update the settings of a published prefix on a VPN member.

ndcli network prefix update [network] [device] [variable] [flags]

Arguments

| Argument | Required | Description |
| --- | --- | --- |
| network | Yes | Network name |
| device | Yes | Device name |
| variable | Yes | Variable name |

Flags

| Flag | Type | Default | Description |
| --- | --- | --- | --- |
| --publish | bool | true | Whether to advertise the prefix to peers |

Examples

ndcli network prefix update my-network branch-fw lan_prefix --publish=false

network prefix remove

Remove a published prefix from a VPN network member.

ndcli network prefix remove [network] [device] [variable] [flags]

Arguments

| Argument | Required | Description |
| --- | --- | --- |
| network | Yes | Network name |
| device | Yes | Device name |
| variable | Yes | Variable name |

Flags

| Flag | Type | Default | Description |
| --- | --- | --- | --- |
| -y, --yes | bool | false | Skip confirmation prompt |

Examples

ndcli network prefix remove my-network branch-fw lan_prefix