- Real WireGuard® MFA (not 2FA to "access application" like most solutions)
- Integrated SSO based on OpenID Connect:
  - significant cost saving, simplifying deployment and maintenance
  - enabling features unavailable to VPN platforms relying upon 3rd party SSO integration
- Already using Google/Microsoft or other OpenID Provider? - integrated external OpenID provider support
- Yubico YubiKey Hardware security key management and provisioning
- Secure and robust architecture, featuring components and micro-services seamlessly deployable in diverse network setups (e.g. utilizing network segments like Demilitarized Zones, Intranet with no external access, etc.), ensuring a secure environment.
- Enterprise ready (multiple Locations/Gateways/Kubernetes deployment, etc.)
- Built on the WireGuard® protocol, which is faster than IPSec and significantly faster than OpenVPN
- Built with Rust for speed and security
See the full list of features below.
Better quality video can be found here to download
- 2FA / Multi-Factor Authentication with TOTP or email based tokens & WireGuard PSK
- Defguard instances as well as any WireGuard tunnel - just import your tunnels - one client for all WireGuard connections
- Secure and remote user enrollment - setting up password, automatically configuring the client for all VPN Locations/Networks
- Onboarding - displaying custom onboarding messages, with templates, links ...
- Ability to route predefined VPN traffic or all traffic (server needs to have NAT configured - in gateway example)
- Live & real-time network charts
- live VPN logs
- light/dark theme
The easiest way to run your own defguard instance is to use Docker and our one-line install script.
Just run the command below in your shell and follow the prompts:
```bash
curl --proto '=https' --tlsv1.2 -sSf -L https://raw.githubusercontent.com/DefGuard/deployment/main/docker-compose/setup.sh -O && bash setup.sh
```
To learn more about the script and available options please see the documentation.
Just follow this tutorial
A detailed product roadmap and development status can be found here
Here is a dedicated view for good first bugs
The story and motivation behind defguard can be found here: https://teonite.com/blog/defguard/
- WireGuard® VPN server with:
  - Real and unique Multi-Factor Authentication with TOTP/Email & Pre-Shared Session Keys
  - multiple VPN Locations (networks/sites) - with defined access (all users or only Admin group)
  - multiple Gateways for each VPN Location (high availability/failover) - supported on a cluster of routers/firewalls for Linux, FreeBSD/PFSense/OPNSense
  - import your current WireGuard® server configuration (with a wizard!)
  - most beautiful Desktop Client! (in our opinion ;-))
  - automatic IP allocation
  - kernel (Linux, FreeBSD/OPNSense/PFSense) & userspace WireGuard® support with our Rust library
  - dashboard and statistics overview of connected users/devices for admins
- defguard is not an official WireGuard® project, and WireGuard is a registered trademark of Jason A. Donenfeld.
- Integrated SSO: OpenID Connect provider - with unique features:
  - Secure remote (over the internet) user enrollment
  - User onboarding after enrollment
  - LDAP (tested on OpenLDAP) synchronization
  - forward auth for reverse proxies (tested with Traefik and Caddy)
  - nice UI to manage users
  - Users self-service (besides typical data management, users can revoke access to granted apps, MFA, WireGuard®, etc.)
- Multi-Factor/2FA Authentication:
  - Time-based One-Time Password Algorithm (TOTP - e.g. Google Authenticator)
  - WebAuthn / FIDO2 - for hardware key authentication support (e.g. YubiKey, FaceID, TouchID, ...)
  - Email based TOTP
- External SSO: External OpenID Providers support - in testing, watch this issue - Google, Microsoft or custom
- SSH & GPG public key management in user profile - with SSH keys authentication for servers
- YubiKey hardware key provisioning for users with one click
- Email/SMTP support for notifications, remote enrollment and onboarding
- Easy support with sending debug/support information
- Webhooks & REST API
- Built with Rust for portability, security, and speed
- UI Library - our beautiful React/TypeScript UI is a collection of React components:
  - a set of custom and beautiful components for the layout
  - Responsive Web Design (supporting mobile phones, tablets, etc.)
  - iOS Web App
- Checked by professional security researchers (see comprehensive security report)
- End2End tests
See the documentation for more information.
Find us on Matrix: #defguard:teonite.com
Please review the Contributing guide for information on how to get started contributing to the project. You might also find our environment setup guide handy.
WireGuard® is a registered trademark of Jason A. Donenfeld.