defguard

The only open-source solution with real WireGuard MFA/2FA & integrated OpenID Connect SSO

Website | Getting Started | Features | Roadmap | Support ❤

  • SSO, VPN, and hardware security key management combined, which provides:
    • significant cost savings and simpler deployment and maintenance
    • features unavailable to VPN platforms that rely on 3rd-party SSO integration
  • Real WireGuard® MFA (not 2FA to "access application" like most solutions)
  • Secure and robust architecture, featuring components and micro-services seamlessly deployable in diverse network setups (e.g. utilizing network segments like Demilitarized Zones, Intranet with no external access, etc.), ensuring a secure environment.
  • Enterprise ready (multiple Locations/Gateways/Kubernetes deployment, etc.)
  • Built on the WireGuard® protocol, which is faster than IPSec and significantly faster than OpenVPN
  • Built with Rust for speed and security

See the full list of features below

Control plane management

Better quality video can be found here to download

Desktop Client with Multi-Factor Authentication

defguard WireGuard MFA

Desktop client supports:

  • Secure and remote user enrollment - setting up password, automatically configuring the client for all VPN Locations/Networks
  • Onboarding - displaying custom onboarding messages, with templates, links ...
  • Ability to route predefined VPN traffic or all traffic (server needs to have NAT configured - in gateway example)
  • Live & real-time network charts
  • In development: Multi-Factor Authentication for VPN, live logs, dark theme, settings, and more!

Roadmap

defguard WireGuard® MFA

Quick start

The easiest way to run your own defguard instance is to use Docker and our one-line install script.

Just run the command below in your shell and follow the prompts:

curl --proto '=https' --tlsv1.2 -sSf -L https://raw.githubusercontent.com/DefGuard/deployment/main/docker-compose/setup.sh -O && bash setup.sh

To learn more about the script and available options please see the documentation.

Set up a VPN server in under 5 min!?

Just follow this tutorial

Manual deployment examples

Roadmap & Development

A detailed product roadmap and development status can be found here.

⛑️ Want to help? ⛑️

Here is a dedicated view for good first bugs

Why?

The story and motivation behind defguard can be found here: https://teonite.com/blog/defguard/

Features

  • OpenID Connect provider - with unique features:
    • Secure remote (over the internet) user enrollment
    • User onboarding after enrollment
    • LDAP (tested on OpenLDAP) synchronization
    • forward auth for reverse proxies (tested with Traefik and Caddy)
    • nice UI to manage users
    • User self-service (besides typical data management, users can revoke access to granted apps, MFA, WireGuard®, etc.)
    • Multi-Factor/2FA Authentication:
      • Time-based One-Time Password Algorithm (TOTP - e.g. Google Authenticator)
      • WebAuthn / FIDO2 - for hardware key authentication support (e.g. YubiKey, FaceID, TouchID, ...)
      • Web3 - authentication with crypto software and hardware wallets using Metamask, Ledger Extension
  • WireGuard® VPN management with:
    • Multi-Factor Authentication with TOTP/Email & Pre-Shared Session Keys
    • multiple VPN Locations (networks/sites) - with defined access (all users or only Admin group)
    • multiple Gateways for each VPN Location (high availability/failover) - supported on a cluster of routers/firewalls for Linux, FreeBSD/pfSense/OPNsense
    • import your current WireGuard® server configuration (with a wizard!)
    • most beautiful Desktop Client! (in our opinion ;-))
    • automatic IP allocation
    • kernel (Linux, FreeBSD/OPNsense/pfSense) & userspace WireGuard® support with our Rust library
    • dashboard and statistics overview of connected users/devices for admins
    • defguard is not an official WireGuard® project, and WireGuard is a registered trademark of Jason A. Donenfeld.
  • SSH & GPG public key management in user profile - with SSH key authentication for servers
  • YubiKey hardware key provisioning for users with one click
  • Email/SMTP support for notifications, remote enrollment and onboarding
  • Easy support with sending debug/support information
  • Webhooks & REST API
  • Built with Rust for portability, security, and speed
  • UI Library - our beautiful React/TypeScript UI is a collection of React components:
    • a set of custom and beautiful components for the layout
    • Responsive Web Design (supporting mobile phones, tablets, etc..)
    • iOS Web App
  • Checked by professional security researchers (see comprehensive security report)
  • End2End tests

Documentation

See the documentation for more information.

Community and Support

Find us on Matrix: #defguard:teonite.com

Contribution

Please review the Contributing guide for information on how to get started contributing to the project. You might also find our environment setup guide handy.

Built and sponsored by

Built by teonite

Legal

WireGuard® is a registered trademark of Jason A. Donenfeld.