Comprehensive Access Management

Secure Remote Access Management (WireGuard® 2FA/MFA), Account Lifecycle (Onboarding), Identity and Access Management (OpenID Connect SSO), Open Source & On-Premise

defguard vpn overview image

Unique set of features combined in a secure architecture:

Enterprise WireGuard® VPN with MFA/2FA

Defguard has a unique and secure architecture as well as first of it’s kind Multi-Factor Authentication for WireGuard® with TOTP/Email and WireGuard® session Pre-Shared Keys. Since WireGuard® protocol doesn’t support 2FA, most (if not all) available WireGuard® solutions use 2FA authorization to the “application” itself (not Wireguard® tunnel). By using our desktop application defguard provides real MFA/2FA - read more about it in our documentation. Other features:

  • multiple VPN Locations (networks/sites) - with defined access (all users or only Admin group)
  • beautiful desktop clients for Mac, Windows & Linux
  • automatic and real-time synchronization for users’ desktop client settings (including all VPNs/locations).
  • control users ability to manage devices and VPN options
  • multiple Gateways for each VPN Location (high availability/failover) - supported on a cluster of routers/firewalls for Linux, FreeBSD/pfSense®/OPNsense®
  • import your current WireGuard® server configuration with a wizard!
  • dashboard and statistics overview of connected users/devices for admins
  • automatic IP allocation
  • kernel (Linux, FreeBSD/OPNsense®/pfSense®) & userspace WireGuard® support with our Rust library

defguard is not an official WireGuard® project, and WireGuard® is a registered trademark of Jason A. Donenfeld.

Secure Remote Enrollment & Onboarding

The only solution that provides a secure and remote user enrollment - a process, during which the user can: double-check their data that admin provided during account setup, setup their password, automatically configure the desktop client with all VPNs/locations, and if in trouble get admin contact details.


After enrollment the user can be onboarded with relevant company information, links to company systems, security guidelines, etc. In the enrollment module, you can write custom messages using markdown that will be shown on the last step of the enrollment process and sent to the user via email.


Enrollment is supported as a website, or can be done with defguard client which makes it a lot simpler and more secure.

SSO & Identity Provider

As a core principle, defguard is based and built on open standards with OpenID Connect based Identity Provider with Multi-Factor Authentication to secure your apps and VPNs:

  • Time-based One-Time Password Algorithm (TOTP - e.g. Google Authenticator)
  • Email tokens
  • WebAuthn / FIDO2 - for hardware key authentication support and Passkeys

Already using Google/Microsoft or other OpenID Provider?, defguard supports external OpenID provider login & registration.

Beautiful desktop client

defguard client is the only open source client to support Multi-Factor Authentication with TOTP, Email & Pre-Shared WireGuard® session keys! Also has:

  • The only WireGuard® client to support automatic and real-time synchronization for users’ desktop client settings (including all VPNs/locations).
  • Live statistics, VPN details, logs, dark theme, settings, and more!
  • Secure and remote user enrollment - setting up password, automatically configuring the client for all VPN Locations/Networks
  • Onboarding - displaying custom onboarding messages, with templates, links …
  • Ability to route predefined VPN traffic or ALL traffic throuhg the VPN
  • Supports not only defguard instances, but any WireGuard® VPN sever (just import your config)

Yubikey provisioning

An easy way to provision YubiKey hardware keys in an organization, generate signing keys - GPG/PGP and authentication keys - e.g. SSH

Checked by professionals

defguard was thoroughly and comprehensively audited by one of the best security researchers in Poland: ISEC.

ISEC is also a strategic partner of defguard, reviewing every major release from a security perspective, making defguard one of the most secure core components in the open source ecosystem.

All Critical and Major issues have been fixed in dedicated pull requests. Retest will follow soon (we’ll notify on our Twitter).

Integrations

Automate processes that involve your organization’s data using:

  • API - all functionalities are exposed via REST API
  • Webhooks - outgoing webhooks are a simple way for defguard to notify your systems of ongoing changes in identity management (user was added, deleted, modified) or hardware key provisioning (easily propagateGPG/PGP or SSH keys to your internal systems)

Portability & speed

We’ve implemented defguard in Rust for code portability, security, and speed. You can easily run defguard on various Linux-based systems on x86, arm, and other architectures (including Raspberry PI, OpenWRT, etc.) and Unix systems FreeBSD, OpenBSD, and others. We’ve prepared various Linux and OPNsense® (FreeBSD) but we are constantly working on other platforms.

Designed and developed by

Join the conversation