Open Source Security Swiss Army Knife

(Identity Provider, WireGuard VPN, YubiKey, Web3)

Building a secure organization has always been difficult and costly. Defguard provides a beautiful foundation that is easy to use (business users) and easy to deploy (admin/devops) to make your organization secure.


Identity Provider

The power of every organization is its users. As a core principle, defguard is based and built on open standards:

  • OpenID Connect based Identity Provider

  • OpenLDAP synchronization - currently supporting users and groups synchronization

  • PostgreSQL as core data backend

  • In development:

    • Active Directory synchronization


WireGuard VPN Management

  • multiple VPN Locations (networks/sites) - with defined access (all users or only Admin group)
  • multiple Gateways for each VPN Location (high availability/failover) - supported on a cluster of routers/firewalls for Linux, FreeBSD/pfSense/OPNsense
  • import your current WireGuard server configuration with a wizard!
  • dashboard and statistics overview of connected users/devices for admins
  • automatic IP allocation
  • kernel (Linux, FreeBSD/OPNsense/pfSense) & userspace WireGuard support with our Rust library

defguard is not an official WireGuard project, and WireGuard is a registered trademark of Jason A. Donenfeld.


Multi-Factor Authentication

MFA is currently supported with the following methods:

  • Time-based One-Time Password Algorithm (TOTP - e.g. Google Authenticator)
  • WebAuthn / FIDO2 - for hardware key authentication support
  • Web3 - authentication with crypto software and hardware wallets using MetaMask, Wallet Connect, Ledger Extension


Enrollment & Onboarding

Secure remote enrollment process, presented as a nice wizard, during which the user can double-check their data, set up their password, and add their initial device to access the VPN.

After enrollment the user can be onboarded with relevant company information, links to company systems, security guidelines, etc. In the enrollment module, you can write custom messages using markdown that will be shown on the last step of the enrollment process and sent to the user via email.


YubiKey provisioning

An easy way to provision YubiKey hardware keys in an organization: generate signing keys (GPG/PGP) and authentication keys (e.g. SSH).


Checked by professionals

defguard was thoroughly and comprehensively audited by one of the best security researchers in Poland: ISEC. ISEC is also a strategic partner of defguard, reviewing every major release from a security perspective, making defguard one of the most secure core components in the open source ecosystem.

All Critical and Major issues have been fixed in dedicated pull requests. A retest will follow soon (we’ll notify on our Twitter).



Automate processes that involve your organization’s data using:

  • API - all functionalities are exposed via REST API
  • Webhooks - outgoing webhooks are a simple way for defguard to notify your systems of ongoing changes in identity management (user was added, deleted, modified) or hardware key provisioning (easily propagate GPG/PGP or SSH keys to your internal systems)



Since defguard secures the whole user journey (connections), from secure communication using VPN, to authentication based on company identity and Multi-Factor Authentication (supporting crypto wallets), it’s a perfect web2 -> web3 gateway for your organization.

Wallet management with MetaMask and Wallet Connect is an easy way for users to validate the ownership of wallets as there is no need to send wallet addresses through Slack/email anymore.


Portability & speed

We’ve implemented defguard in Rust for code portability, security, and speed. You can easily run defguard on various Linux-based systems on x86, arm, and other architectures (including Raspberry Pi, OpenWRT, etc.) and on Unix systems such as FreeBSD, OpenBSD, and others. We’ve prepared various Linux and OPNsense (FreeBSD) but we are constantly working on other platforms.



  • defguard secures infrastructure for wideStreet’s banking-grade trading system debtSpot.

  • defguard secures infrastructure and multiple systems access for highly sensitive government data used by the MonitorMiast ecosystem.