Open Source Security Swiss Army Knife

(Identity Provider, WireGuard VPN, YubiKey, Web3)

Building a secure organization has always been difficult and costly. defguard provides a beautiful foundation for making your organization secure, one that is easy to use (for business users) and easy to deploy (for admins/DevOps).


Identity Provider

The power of every organization is its users. As a core principle, defguard is based and built on open standards:

  • OpenID Connect based Identity Provider

  • OpenLDAP synchronization - currently supporting synchronization of users and groups

  • PostgreSQL as core data backend

  • In development:

    • Active Directory synchronization


WireGuard VPN Management

  • multiple VPN Locations (networks/sites) - with defined access (all users or only Admin group)
  • multiple Gateways for each VPN Location (high availability/failover) - supported on a cluster of routers/firewalls for Linux, FreeBSD/pfSense/OPNsense
  • import your current WireGuard server configuration with a wizard!
  • dashboard and statistics overview of connected users/devices for admins
  • automatic IP allocation
  • kernel (Linux, FreeBSD/OPNsense/pfSense) & userspace WireGuard support with our Rust library

defguard is not an official WireGuard project, and WireGuard is a registered trademark of Jason A. Donenfeld.


Multi-Factor Authentication

MFA is currently supported with the following methods:

  • Time-based One-Time Password Algorithm (TOTP - e.g. Google Authenticator)
  • WebAuthn / FIDO2 - for hardware key authentication support
  • Web3 - authentication with crypto software and hardware wallets using MetaMask, WalletConnect, Ledger Extension


Enrollment & Onboarding

A secure remote enrollment process, presented as a wizard, during which the user can double-check their data, set up their password, and add their initial device to access the VPN.

After enrollment the user can be onboarded with relevant company information, links to company systems, security guidelines, etc. In the enrollment module, you can write custom messages using markdown that will be shown on the last step of the enrollment process and sent to the user via email.


YubiKey provisioning

An easy way to provision YubiKey hardware keys in an organization and to generate signing keys (GPG/PGP) and authentication keys (e.g. SSH).


Checked by professionals

defguard was thoroughly and comprehensively audited by one of the best security researchers in Poland: ISEC. ISEC is also a strategic partner of defguard, reviewing every major release from a security perspective, making defguard one of the most secure core components in the open source ecosystem.

All Critical and Major issues have been fixed in dedicated pull requests. A retest will follow soon (we’ll announce it on our Twitter).


Integrations

Automate processes that involve your organization’s data using:

  • API - all functionalities are exposed via REST API
  • Webhooks - outgoing webhooks are a simple way for defguard to notify your systems of ongoing changes in identity management (user was added, deleted, modified) or hardware key provisioning (easily propagate GPG/PGP or SSH keys to your internal systems)


Web3

Since defguard secures the whole user journey (connections), from secure communication using VPN, to authentication based on company identity and Multi-Factor Authentication (supporting crypto wallets), it’s a perfect web2 -> web3 gateway for your organization.

Wallet management with MetaMask and WalletConnect is an easy way for users to validate the ownership of wallets, as there is no need to send wallet addresses through Slack/email anymore.


Portability & speed

We’ve implemented defguard in Rust for code portability, security, and speed. You can easily run defguard on various Linux-based systems on x86, ARM, and other architectures (including Raspberry Pi, OpenWrt, etc.) and on Unix systems such as FreeBSD, OpenBSD, and others. We’ve prepared various Linux and OPNsense (FreeBSD) but we are constantly working on other platforms.


Testimonials

  • defguard secures infrastructure for wideStreet’s banking-grade trading system debtSpot.

  • defguard secures infrastructure and multiple systems access for highly sensitive government data used by the MonitorMiast ecosystem.