Configure Remote Access

Enable remote access if you want to:

  • Define devices allowed to remotely access resources
  • Role based remote access to IP resources
  • On Demand remote access to IP resources
  • Multi-factor access to IP resources

What is an IP resource?

An IP resource is any subnet or IP + port(s) combination. For example, & ports 22,80,443,5600-5609 & ports 80,443

It is recommended that users NOT be provided with direct IP access to SSH and databases. Best practice is for those connections to go through their respective proxies. This provides improved management, security, monitoring and activity recording.


Remote access is provided via WireGuard VPN. WireGuard is a fast VPN that uses state-of-the-art cryptography. It is faster and simpler than IPsec and considerably more performant than OpenVPN.

Mamori simplifies the WireGuard configuration and integrates it with identity management, 2FA, Access On-Demand and monitoring services.

What triggers a user's multi-factor authentication?

A user's multi-factor authentication is triggered when they access an IP - not when they activate the network. The authentication remains active until a user is inactive for a specified amount of time.


To configure remote access via Mamori, follow the steps below


Server port configuration

Configure users

Step 1 - Configure wireguard subnet

Step 2 - Define IP resources

Step 3 - Grant IP resources to users and/or roles

Step 4 - Add user devices & email user connection details

Step 5 - Define on-demand resources to users and/or roles

Configure Wireguard Subnet

To view and manage the wireguard configuration

Click Wireguard

Click Settings

Next, enter the details

Public Address - defaults to your mamori server ip
Port - defaults to 51871
Private IP Address - Desired Server IP in new subnet
Private IP Subnet Mask - defaults to
Exposed Subnets - local subnets that contain target IPs. eg,,
Your DNS Server IP (optional) - Set if you want to access resources by name
Network UP Script (optional)

Click Update

Define IP resources

To view and manage the wireguard configuration

Click Wireguard

Click IP Resources

Click Add

Next, enter the details

Resource Name - grant reference label
IP Address - Example: will cover 10.0.100.*
Ports - Example: 22,43,80,5000-6000

Click ADD
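
An added example, not part of Mamori's documentation or product: a Python check that parses port lists in the format shown above and flags IP resources that would give users direct access to SSH or database ports, which this page recommends routing through proxies. The sensitive-port list and the resource name wide_range are assumptions.

```python
# Added example: audit IP resource port specs before granting them.
# SENSITIVE_PORTS is an assumed list of default SSH/database ports; adjust it.
SENSITIVE_PORTS = {
    22: "ssh", 1433: "mssql", 1521: "oracle",
    3306: "mysql", 5432: "postgresql", 27017: "mongodb",
}


def parse_ports(spec):
    """Parse a port list such as '22,43,80,5000-6000' into (low, high) ranges."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            raise ValueError(f"empty entry in port spec {spec!r}")
        low, sep, high = part.partition("-")
        lo = int(low)                    # non-numeric input raises ValueError
        hi = int(high) if sep else lo
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"invalid port or range {part!r}")
        ranges.append((lo, hi))
    return ranges


def direct_access_findings(resources):
    """Return {resource name: [services]} for specs covering a sensitive port."""
    findings = {}
    for name, spec in resources.items():
        ranges = parse_ports(spec)
        hits = sorted(
            svc for port, svc in SENSITIVE_PORTS.items()
            if any(lo <= port <= hi for lo, hi in ranges)
        )
        if hits:
            findings[name] = hits
    return findings


# Constructed sample data: names and port lists modelled on the page's examples.
SAMPLE_RESOURCES = {
    "dev_web": "80,443",
    "dev_ssh": "22",
    "wide_range": "22,43,80,5000-6000",  # hypothetical; range also covers 5432
}

if __name__ == "__main__":
    for name, services in direct_access_findings(SAMPLE_RESOURCES).items():
        print(f"{name}: direct access to {', '.join(services)}; prefer a proxy")
```

A wide range such as 5000-6000 is flagged because it silently includes a database port, which is easy to miss when reading the port list by eye.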

Grant IP resources to users and/or roles

To grant IP resources to a user or role

Navigate to users or roles

Click Users


Click Roles

Click Edit


Click IP Resources

Select IP Resources

For on-demand access, grant the IP resources to a role. The role will then be granted to the specified user by an on-demand policy. The grant will expire as per the policy.

Add User Device(s)

To add a device for a user

Click Wireguard

Click Peers

Click Add

Next, enter the details

Mamori User - The identity this device will be linked to
Device Name - Reference name for device
Advanced Option: Peer Public Key - Device's public key
Advanced Option: Peer Private IP Address - Device's IP in wireguard network

Click Add Peer

After adding the peer, Mamori will display the device configuration.

Click on Email Configuration to email the configuration and client setup instructions to the user.

Define on-demand access policies

To create on-demand IP resource policies


Define IP resources

Define Alert Channels

Click Policies

Click Access On Demand

Click Add

Policy Editor

For detailed field descriptions click here

Add a time parameter

Enter the statement below in the policy script

On Demand Policy
GRANT YOUR_IPRESOURCE_NAME TO :applicant VALID for :time minutes;

Example Policy Grant Statements

  • dev_web & dev_ssh are IP Resources
  • :applicant is the user making the request
  • :time is the custom parameter

On Demand Policy
GRANT dev_web TO :applicant VALID for :time minutes;
GRANT dev_ssh TO :applicant VALID for :time minutes;

Updated at Sun, Oct 17, 2021