Enterprise VPN Re-Engineered for Security and Total Sovereignty.

Unify WireGuard® VPN with integrated 2FA/MFA and Enterprise IAM on your own infrastructure.
Secure by design, open-source by nature, and 100% under your control

Core Security Capabilities

VPN Multi-Factor Authentication (MFA/2FA)

Enforcing Multi-Factor Authentication (MFA/2FA) on every connection for WireGuard® protocol

Choose Internal SSO (TOTP/Email) or External SSO on each VPN location

External SSO MFA/2FA with all major identity providers (Google, Microsoft, Okta, JumpCloud, etc.)

Innovative biometric Multi-Factor for WireGuard® connections with Mobile Client (touch/face ID) on Desktop Client

Seamless SSO & Identity integration

Manage WireGuard users and groups with major cloud and on-premise SSO/IdPs

Easy integration and Two-Factor Authentication enforcement with Google Workspace, Microsoft Entra ID, Okta, JumpCloud, and other OIDC-compliant IdPs

Integration with LDAP and Active Directory

Directory Synchronization (users/groups) for cloud SSO and LDAP/AD

Firewall Policy Orchestration

Zero-Trust Firewall Rules. One Control Plane, Many Gateways

Manage multiple gateways and firewalls across Linux and *BSD systems, including the OPNsense plugin, FreeBSD, and NetBSD

Firewall access management (ACLs) based on SSO (internal/external) users and groups (RBAC)

Unique firewall approach with aliases, pre-defined locations and zero-downtime rules deployment

Enterprise Ready Secure Solution

Zero downtime with HA and automated deployments at scale

Active-Active High Availability for critical public components (Edge and VPN Gateways)

Log streaming to external SIEM systems

Zero-touch client provisioning, including automated, scalable Active Directory/GPO and Entra ID rollouts

Zero-Trust Security, Built Into the Architecture

Defguard puts security first and builds features on a secure foundation.
It follows a Secure by Design approach, with principles in both its architecture and code

Isolated Control Plane

Defguard is the only VPN with a fully isolated control plane in a segregated environment. With no direct Internet exposure, it reduces the attack surface compared to cloud-based and legacy VPN solutions that publicly expose core components.

On spot Zero-Trust

No user or device is trusted by default. Access is limited. Defguard enforces this by requiring MFA/2FA at the WireGuard® VPN data plane level for every connection and Firewall access management (ACLs) based on SSO (internal/external) users and groups (RBAC).

Complete Security Transparency

Defguard is open source (and open-code for Enterprise components) and uniquely provides public security audits, daily CVE/SBOM vulnerability reports, and complete transparency into its roadmap, development process, and architecture decisions

Memory-Safe by Design

Defguard is built in Rust, which leading security organizations worldwide (NSA, CISA, DARPA, ANSSI) recommend for its strong memory safety guarantees and modern security model.

Defguard 2.0 is feature-complete and entering the Beta

Redesigned UI, High Availability, secure automated component adoption/setup & much more! See it in action:

Consumer grade experience. Enterprise grade security.

Set up locations and adopt gateways remotely from a single UI. Deploy using Docker, system packages, OVF, or any preferred method — with ready-to-use commands provided. Intuitive wizard with health checks, connection status, and error diagnostics.

Trusted by industries where security comes first.

Defense & Security

50+ clients

Banking & Payment

20+ clients

Industry & Manufacturing

30+ clients

Data Center, Cloud & Hosting

20+ clients

Software & Gaming

100+ clients

Health Care

10+ clients

We've already helped 100+ companies to build
fully private and secure VPN infrastructure.

Prusa

Prusa achieved fast, secure, role-based access for 490+ employees with seamless onboarding and no operational complexity.

Dext

We migrated 300–400 employees from FortiGate and saw immediate gains in speed, security, and user experience, all at a lower cost.

Compliance & Sovereignty

Defguard enables you to stay compliant with modern regulations including ISO 27001, NIS2, GDPR and HIPAA.

ISO 27001 NIS2 Directive GDPR Compliant

Enforce Zero-Trust with MFA

WireGuard Multi-Factor Authentication: Secure your tunnels with true protocol-level Multi-Factor Authentication to satisfy Zero-Trust mandates.

Total Data Sovereignty

A 100% self-hosted architecture that keeps sensitive metadata and keys on your hardware, ensuring full GDPR & HIPAA residency compliance.

Granular Access Control

Enforce the Principle of Least Privilege with managed firewall rules (Access Control Lists) that prevent lateral movement, mapping directly to ISO 27001 Annex A requirements.

Automated Audit Trails

Maintain "audit-ready" status with comprehensive logging of sessions and admin actions, facilitating the ISO 27001 "Logging and Monitoring" controls

Verifiable Security

Gain full visibility with a detailed Software Bill of Materials (SBOM) and public pen-testing results, ensuring no "black box" vulnerabilities and meeting strict supply chain security

100% EU-Based

Defguard is ISO 27001 certified and developed in the EU (Poland). This ensures zero exposure to the US CLOUD Act, providing a legally "clean" environment for GDPR and HIPAA compliance

Ready to secure your infrastructure with enterprise-grade WireGuard access?