44Net Connect/Ways to Connect
Ways to deploy 44Net Connect
44Net Connect can be set up in a few different ways, depending on your use case. You will likely end up trying a mix of approaches as you experiment and learn what works best for your needs.
In the simplest case, each device you operate has its own tunnel and is assigned a single 44Net address. One device, one tunnel, one IP.
In another approach, one system terminates a single tunnel, but then distributes a block of addresses to devices on a local network behind it.
Each has tradeoffs: how you manage routing, how many systems you can support, how much configuration lives in one place. They also shape how traffic flows, and what kinds of problems you are likely to run into later.
Model 1: One tunnel for each host
In this model, each host runs its own WireGuard client, establishes its own tunnel to a 44Net Connect endpoint, and is assigned a single IPv4 address (a /32).
From the host’s point of view, this is straightforward. The 44Net address is just another interface address, and services on that host are directly accessible from the Internet.
This works well when you have a small number of systems and each system can run WireGuard directly.
Common use cases include:
- a single server exposed to the Internet
- a laptop or workstation that needs a stable public address
- small, independent services running on just a few separate machines
The main tradeoff is that it can become cumbersome to manage as you add more hosts. Each one needs its own tunnel configuration, and you have to keep track of which address belongs to which host. There is also no central point of control for routing or filtering, so each host is responsible for its own security and traffic management. Eventually, you will reach the limit of how many tunnels you can create and manage.
Model 2: Gateway for a local network, subnet behind a tunnel
In this model, a single system terminates the WireGuard tunnel and acts as a gateway for a group of hosts on a local network. A block of 44Net addresses is assigned to you in the Connect dashboard and routed to your gateway. The gateway then routes traffic between the tunnel and the local network, allowing multiple hosts to share the same tunnel connection.
The advantage here is that the gateway handles all the complexity. Other hosts need not run WireGuard themselves, and they can be assigned addresses from the 44Net block without needing to manage individual tunnels. The gateway can also handle routing and firewalling.
From the perspective of those hosts, the gateway behaves like a router that provides access to the 44Net address space.
This model is useful when:
- you want to serve multiple hosts without configuring each one individually
- some devices cannot run WireGuard directly
- you want a single point of control for routing and filtering
Common use cases include:
- a home lab with several servers
- embedded devices or radios that cannot run a tunnel client
- a small network where services are distributed across multiple hosts
The main tradeoff is some additional complexity in setting up and managing the gateway. Some people find this model somewhat unintuitive. You will need to configure real routing and firewall rules. Troubleshooting can be more complex. The gateway becomes a single point of failure; if the gateway goes down, all hosts lose connectivity. You also need to ensure that the gateway is well secured, to protect the hosts behind it. So the advantages do not come wthout some challenges.
Model comparison
| Model 1: Per-host tunnels | Model 2: Gateway and subnet | |
|---|---|---|
| Configuration | Distributed across hosts | Centralized on gateway |
| Number of tunnels | One per host | One per network |
| Scaling | Limited by per-host setup | Scales to many hosts |
| Failure radius | Affects one host | Affects entire network |
| Security domain | Per-host | Centralized |
Traffic behavior
Traffic patterns differ in subtle but important ways.
In the per-host model:
- each host decides how its traffic is routed
- split-tunnel configurations are common, where only 44Net-sourced traffic uses the tunnel
In the gateway model:
- routing decisions are made at the gateway
- hosts behind the gateway typically rely on it for both outbound and inbound 44Net traffic
In some applications, it is important that all traffic associated with a service appear to come from the same public address. In those cases, a full-tunnel configuration or a gateway model may be more appropriate than per-host split tunneling.
Choosing a model
As a starting point:
- Use per-host tunnels if you are working with one or a few systems and want the simplest setup.
- Use a gateway if you need to support multiple hosts or devices that cannot run WireGuard themselves.
You can also mix the two. Some systems can run their own tunnels, while others use a gateway. The choice depends on how you want to manage configuration, routing, and exposure.
If you are unsure, start with a per-host tunnel. It is easier to reason about, and you can move to a gateway model later as your setup grows.
Further reading
- Phil Karn KA9Q and others discussing 44Net Connect deployment models on the ARDC groups.io list
- WireGuard Quick Start for the underlying tunnel model used by 44Net Connect
- WireGuard conceptual overview for a concise explanation of peers, routing, and interface behavior