M4IP - Any IP Access

Enable remote access if you want to

Define devices allowed to access resources
Role based access to IP resources
On Demand access to IP resources
Multi-factor access to IP resources

What is an IP resource?

An IP resource is any subnet or ip + port(s) combination. For example, & ports 22,80,443,5600-5609 & ports 80,443

It is recommend that users NOT be provided with direct IP access to ssh and databases. Best practice is for those connections to go through their respective proxies. This provides improved management, security, monitoring and activity recording.


Remote access is provided via wireguard vpn. Wireguard is a fast VPN that uses state-of-the-art cryptography. It is faster and simpler than IPsec and considerably more performant than OpenVPN.

Mamori simplifies the wireguard configuration and integrates it with identity management, 2FA, Access On-Demand and monitoring services.

What triggers user's multi-factor authentication?

A user's multi-factor authentication is triggered when they access an IP - not when they activate the network. The authentication remains active until a user is inactive for a specified amount of time.


To configure remote access via mamori follow the steps below


Installed mamori server

Used wireguard port configuration

Configured users

Step 1 - Configure Wireguard

Step 2 - Define IP resources

Step 3 - Grant IP resources to users and/or roles

Step 4 - Add user devices

Step 5 - Define on-demand resources to users and/or roles

Configure Wireguard

The wireguard configuration is broken up into three parts:

  • Virtual peer network
  • Subnets to publish
  • Email template users recieve for a new peer

To view and manage the wireguard configuation

Click Wireguard

Click Settings

Click NETWORK in the dialog

Next, enter the details

Public Addressdefaults to your mamori server ip
Portdefaults to 51871
Private IP AddressDesired Server IP in new subnet
Private IP Subnet Maskdefaults to
Your DNS Server IP (optional)Set if you want to access resources by name
Maximum Transmission Unit (MTU)Default 1420. If connectivity issues exist, then set to lower value.
Intrusion Alert ChannelsThe alert channel to notify when a device is locked.
Intrusion Scan ThreshholdDefault 25. Number of unique IPs and ports a device can scan before being blocked.
Auto-enrollment Role(s)Select PUBLIC to ensure all users will have peers automatically added when they login for the first time.
Max number Of User Added Peer(s)Max number of devices a user can self-register.

Click SUBNETS in the dialog

Next, enter the details

Exposed Subnetscomma separated list of local subnets to publish.
Network Interfacecomma separated list of interfaces for each subnet.

Click Generate to generate the network UP script

Click EMAIL in the dialog

Review & edit the new user peer email template

Click Save

To access an updated or new subnet the client's peer tunnel configuration will need to be updated to include the allowed IPs.

Define IP resources

To view and manage the wireguard configuation

Click Wireguard

Click IP Resources

Click Add

Next, enter the details

Resource Namegrant reference label
IP AddressExample: will cover 10.0.100.*
PortsExample: 22,43,80,5000-6000

Click ADD

Grant IP resources to users and/or roles

To grant IP resources to a user or role

Navigate to users or roles

Click Users


Click Roles

Click Edit


Click IP Resources

Select IP Resources

For on-demand access grant the IP resources to a roles. The role will be then be granted to the specified user by an on-demand policy. The grant will expire as per the policy.

Add User Device(s)

To grant IP resources to a user or role

Click Wireguard

Click Peers

Click Add

Next, enter the details

Mamori UserThe identity this device will be linked to
Device NameReference name for device
Advanced Option: Peer Public KeyDevice's public key
Advanced Option: Peer Private IP AddressDevice's IP in wireguard network

Click Add Peer

After adding the peer mamori will display the device configuration.

Click on Email Configuration to email the configuration and client setup instructions to the user.

Define on-demand access policies

To create on-demand IP resource policies


Define IP resources

Define Alert Channels

Click Policies

Click Access On Demand

Click Add

Policy Editor

For detailed field descriptions click here

Add a time parameter

Enter the statement below in the policy script

On Demand Policy
GRANT YOUR_IPRESOURCE_NAME TO :applicant VALID for :time minutes;

Example Policy Grant Statements

  • dev_web & dev_ssh are IP Resources
  • :applicant is the user making the request
  • :time is the custom parameter
On Demand Policy
GRANT dev_web TO :applicant VALID for :time minutes;
GRANT dev_ssh TO :applicant VALID for :time minutes;

Edit this page on GitHub Updated at Wed, Mar 9, 2022