Peer Management
NetGuard’s Remote Access feature creates a WireGuard overlay network between your devices and your LAN. Peers are managed through the VeloGuardian app — the appliance syncs peer configurations automatically from the cloud.
How it works
- You enable Remote Access on the NetGuard dashboard, specifying which LAN subnets to expose
- Your devices register through the VeloGuardian app — each device generates a unique keypair and receives an overlay IP
- NetGuard syncs peers every 30 seconds from the VeloGuardian cloud API, adding or removing WireGuard peers as needed
- Traffic flows directly from your device to the appliance over an encrypted WireGuard tunnel, then the appliance routes it to your LAN
Enabling Remote Access
- Open the dashboard
  Navigate to https://<appliance-ip> and sign in.
- Go to Remote Access
  Click Remote Access in the sidebar.
- Configure your LAN
  Enter the subnets you want to make accessible, as comma-separated CIDR blocks:
  192.168.1.0/24, 10.0.0.0/24
  Set the listen port (default 51820 is fine for most setups).
- Click Enable
  The appliance creates a WireGuard interface (wg11) and begins accepting peer connections.
Registering a device
Device registration happens in the VeloGuardian app, not on the appliance dashboard.
- Open the VeloGuardian app on your phone or laptop
- Go to Settings > Remote Access
  Your NetGuard site appears in the list of available sites.
- Tap your site to connect
  The app generates an X25519 keypair, registers with the cloud API, and receives a WireGuard configuration. The connection is established automatically.
Each device gets a unique overlay IP in the 100.64.0.0/10 range. The appliance picks up the new peer within 30 seconds and begins routing traffic.
Monitoring peers
Once Remote Access is enabled, the dashboard’s Remote Access page shows a live peer table:
| Column | Description |
|---|---|
| Name | Device name |
| Device | Device type (iPhone, Mac, Windows, etc.) |
| Account email of the peer owner | |
| Overlay IP | The device’s assigned IP on the overlay network |
| Last Handshake | How recently the device communicated (relative time) |
| RX / TX | Data received and transmitted |
The table refreshes every 5 seconds. A peer with a recent handshake (under 2 minutes) is considered active.
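The same active/idle classification can be cross-checked on the appliance itself. The following is an added example, not NetGuard's own code: it parses the tab-separated output of `wg show wg11 dump`, applies the 2-minute rule, and flags any peer whose allowed-ips fall outside the 100.64.0.0/10 overlay range. It assumes the appliance console can run `wg` and that each peer is expected to hold a single /32; the function name and the sample dump are constructed for illustration.

```python
import ipaddress
import time

OVERLAY = ipaddress.ip_network("100.64.0.0/10")  # overlay range from this page
ACTIVE_WINDOW = 120  # seconds; the page's "under 2 minutes" rule

# Constructed sample of `wg show wg11 dump` output (tab-separated fields).
# Key names are placeholders, not real key material.
SAMPLE_DUMP = "\n".join([
    "(hidden)\tAPPLIANCE_PUBKEY\t51820\toff",
    "PEER_A_PUBKEY\t(none)\t203.0.113.7:40112\t100.64.0.2/32\t1700000000\t4096\t8192\toff",
    "PEER_B_PUBKEY\t(none)\t(none)\t100.64.0.3/32\t0\t0\t0\toff",
    "PEER_C_PUBKEY\t(none)\t198.51.100.9:51820\t192.168.1.0/24\t1699990000\t10\t20\toff",
])


def audit_peers(dump, now=None):
    """Return one dict per peer with its activity state and any findings."""
    now = int(time.time()) if now is None else now
    results = []
    for line in dump.strip().splitlines()[1:]:  # first line is the interface
        fields = line.split("\t")
        if len(fields) != 8:
            continue  # not a peer record
        pubkey, _psk, endpoint, allowed, handshake, rx, tx, _ka = fields
        findings = []
        for cidr in (allowed.split(",") if allowed != "(none)" else []):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version != 4 or not net.subnet_of(OVERLAY):
                findings.append(f"allowed-ips {cidr} outside overlay range")
            elif net.prefixlen != 32:  # assumption: one /32 per device
                findings.append(f"allowed-ips {cidr} is wider than one host")
        last = int(handshake)  # 0 means no handshake has ever completed
        if last == 0:
            state = "never"
        elif now - last < ACTIVE_WINDOW:
            state = "active"
        else:
            state = "idle"
        results.append({"peer": pubkey, "endpoint": endpoint, "state": state,
                        "rx": int(rx), "tx": int(tx), "findings": findings})
    return results


if __name__ == "__main__":
    for row in audit_peers(SAMPLE_DUMP, now=1700000060):
        print(row["peer"], row["state"], row["findings"] or "ok")
```

A peer that this check reports with findings, or one that does not appear in the dashboard's peer table at all, is worth comparing against the devices registered in the VeloGuardian app.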
Removing a device
To remove a device’s access:
- Open the VeloGuardian app on the device
- Go to Settings > Remote Access
- Tap the site, then tap Deregister
The cloud API removes the peer, and the appliance drops the WireGuard configuration on its next sync cycle (within 30 seconds).
Network architecture
┌──────────────┐         ┌──────────────────┐         ┌──────────────┐
│ Your Device  │   WG    │ NetGuard         │   LAN   │ LAN Devices  │
│ (anywhere)   │◄───────►│ Appliance        │◄───────►│ (NAS, etc.)  │
│ 100.64.x.y   │ :51820  │ 192.168.1.x      │         │ 192.168.1.*  │
└──────────────┘         └──────────────────┘         └──────────────┘
- Overlay network: 100.64.0.0/10 (CGNAT range, no conflict with typical LANs)
- Encryption: WireGuard (X25519 key exchange, ChaCha20-Poly1305)
- NAT: The appliance masquerades overlay traffic to your LAN, so devices on the LAN see requests coming from the appliance’s IP
Troubleshooting
Peer shows “never” for last handshake
- The device may be behind a restrictive NAT. Try switching to mobile data or a different network.
- Verify the appliance’s port (default 51820) is reachable from the internet. You may need a port forward on your router.
Peer registered but can’t reach LAN resources
- Check that the correct LAN subnets are entered in the Remote Access configuration.
- Verify the appliance has IP connectivity to the LAN resources (try pinging from the console).
“Remote Access not available” in the app
- Confirm your subscription is Citadel tier.
- Ensure Remote Access is enabled on the appliance dashboard.