Enterprise VPN Re‑Engineered for Security and Total Sovereignty.

Unify WireGuard® VPN with integrated 2FA/MFA and Enterprise IAM on your own infrastructure.
Secure by design, open-source by nature, and 100% under your control

Core Security Capabilities

VPN Multi-Factor Authentication (MFA/2FA)

Enforcing Multi-Factor Authentication (MFA/2FA) on every connection for WireGuard® protocol

Choose Internal SSO (TOTP/Email) or External SSO on each VPN location

External SSO MFA/2FA with all major identity providers (Google, Microsoft, Okta, JumpCloud, etc.)

Innovative biometric Multi-Factor for WireGuard® connections with Mobile Client (touch/face ID) on Desktop Client

Security feature preview

Seamless SSO & Identity integration

Manage WireGuard users and groups with major cloud and on-premise SSO/IdPs

Easy integration and Two-Factor Authentication enforcing with Google Workspace, Microsoft EntraID, Okta, JumpCloud, and other OIDC compliant IdP

Integration with LDAP and Active Directory

Directory Synchronization (users/groups) for cloud SSO and LDAP/AD

Security feature preview

Firewall Policy Orchestration

Zero-Trust Firewall Rules. One Control Plane, Many Gateways

Manage multiple gateways and firewalls across Linux and *BSD systems, including the OPNsense plugin, FreeBSD, and NetBSD

Firewall access management (ACLs) based on SSO (internal/external) users and groups (RBAC)

Unique firewall approach with aliases, pre-defined locations and zero-downtime rules deployment

Security feature preview

Enterprise Ready Secure Solution

Zero downtime with HA and automated deployments at scale

Active-Active High Availability for critical public components (Edge and VPN Gateways)

Log streaming to external SIEM systems

Zero-touch client provisioning including automated Active Directory/GPD and EntraID scalable rollout's

Security feature preview

Device Policy Postures

Authenticate the device, not just the user.

Manage device trust across Windows, macOS, and Linux with centralized posture validation.

Device compliance enforcement based on endpoint security, and operating system health.

Customizable compliance checks, real-time validation, and zero-trust access decisions.

Security feature preview
Security feature preview

Zero-Trust Security, Built Into the Architecture

Defguard puts security first and builds features on a secure foundation.
It follows a Secure by Design approach, with principles in both its architecture and code

privacy section graph

Isolated Control Plane

Defguard is the only VPN with fully isolated control plane in a segregated environment. No direct Internet exposure, reducing attack surface compared to cloud-based and legacy VPN solutions that publicly expose core components.

On spot Zero-Trust

No user or device is trusted by default. Access is limited. Defguard enforces this by requiring MFA/2FA at the WireGuard® VPN data plane level for every connection and Firewall access management (ACLs) based on SSO (internal/external) users and groups (RBAC).

privacy section graph
privacy section graph

Complete Security Transparency

Defguard is open source (and open-code for Enterprise components) and uniquely provides public security audits, daily CVE/SBOM vulnerability reports, and complete transparency into its roadmap, development process, and architecture decisions

Memory-Safe by Design

Defguard is built in Rust - recommended by leading security organizations worldwide due to its strong memory safety guarantees and modern security model: NSA, CISA, DARPA, ANSSI

privacy section graph

Why Defguard?

A 1:30min video explaining why Defguard vs legacy VPN/Security approach:

Consumer grade experience. Enterprise grade security.

Set up locations and adopt gateways remotely from a single UI. Deploy using Docker, system packages, OVF, or any preferred method — with ready-to-use commands provided. Intuitive wizard with health checks, connection status, and error diagnostics.

slide 1

Trusted by industries where security comes first.

Defense & Security

50+ clients

Banking & Payment

20+ clients

Industry & Manufacturing

30+ clients

Data Center, Cloud & Hosting

20+ clients

Software & Gaming

100+ clients

Health Care

10+ clients

We've already helped 100+ companies to build
fully private and secure VPN infrastructure.

Prusa

Prusa achieved fast, secure, role-based access for 490+ employees with seamless onboarding and no operational complexity.

Dext logo

We migrated 300–400 employees from FortiGate and saw immediate gains in speed, security, and user experience, all at a lower cost.

Compliance & Sovereignty

Defguard enables you stay compliant with modern regulations including ISO27001, NIS2, GDPR and HIPPA.

ISO 27001NIS2 DirectiveGDPR Compliant

Enforce Zero-Trust with MFA

WireGuard Multi-Factor Authentication: Secure your tunnels with true protocol-level Multi-Factor Authentication to satisfy Zero-Trust mandates.)

Total Data Sovereignty

A 100% self-hosted architecture that keeps sensitive metadata and keys on your hardware, ensuring full GDPR & HIPAA residency compliance.

Granular Access Control

Enforce the Principle of Least Privilege ith managed firewall rules (Access Control Lists) that prevent lateral movement—mapping directly to ISO 27001 Annex A requirements.

Automated Audit Trails

Maintain "audit-ready" status with comprehensive logging of sessions and admin actions, facilitating the ISO 27001 "Logging and Monitoring" controls

Verifiable Security

Gain full visibility with a detailed Software Bill of Materials (SBOM) and public pen-testing results, ensuring no "black box" vulnerabilities and meeting strict supply chain security

100% EU-Based

Defguard is ISO 27001 certified and developed in the EU (Poland). This ensures zero exposure to the US CLOUD Act, providing a legally "clean" environment for GDPR and HIPAA compliance

Ready to secure your infrastructure with enterprise-grade WireGuard access?