How Prusa 3D Adopted Defguard for Secure, Scalable VPN Access

How Prusa Secured Global VPN Access with Defguard

Meet Zdeněk Váňa, an IT Strategic Advisor at Prusa Research, who studied cybersecurity and worked in Avast's VPN division.

Zdeněk began evaluating VPN solutions for the company’s expanding global operations, looking for something specific: a secure, self-hosted and open-source platform that could scale to thousands of users, enforce multi-factor authentication (MFA) at the network level, and integrate cleanly with Prusa’s identity systems.

About the client - Prusa Research

Prusa Research, based in Prague, is widely known for its Original Prusa 3D printers and for its strong commitment to open-hardware values. The company has more than 1000 employees spanning software, hardware, logistics, and support teams, many of them working remotely or across multiple sites.

Challenges

Zdeněk knew the company’s VPN setup had to evolve. The team had experimented with WireGuard in the past, but out of the box it lacked key features like true MFA enforcement and centralized user management. Prusa already uses a FortiGate router, which can be extended at additional cost to handle MFA for VPN (e.g. with FortiToken), but that support is limited to the IPsec and SSL VPN protocols (soon to be discontinued), which lack the robustness and speed that WireGuard delivers.

Zdeněk ruled out most SaaS VPN platforms such as Tailscale, Firezone or Netbird early in the process. While Firezone is in theory self-hosted, in practice they don’t offer documentation or support.

“We didn’t want our VPN metadata or access records stored outside our infrastructure,” he explained. The lack of true VPN-level MFA in Netbird was also a deal breaker.

As Prusa scaled its operations, several critical infrastructure needs emerged:

True VPN-level MFA

Existing solutions based on WireGuard lacked robust, enforceable multi-factor authentication for client connections, which was an essential requirement. Additionally, support for YubiKeys was preferred.

User Base Scale and Distribution

With over 490 users spread across engineering, operations, and support, the VPN solution needed to scale without manual overhead.

No Cloud Reliance

Unlike cloud-managed options like Tailscale and Firezone, Prusa required a fully self-hosted solution that stores no sensitive metadata or connection information outside their infrastructure.

Identity Integration

The VPN platform needed to sync seamlessly with Google Workspace as the identity source for service-level role management.

Open-Source Preference

In line with Prusa’s values, open-source transparency was a key selection factor—both for internal auditing and long-term independence.

Solution

What stood out about Defguard was its architecture: self-hosted, open-source, built on WireGuard, and with features designed for teams that take security seriously.

Defguard's unique approach to service design, especially its secure microservice architecture, which separates the core from the gateways and allows access via a public proxy, makes it very resilient against common threat vectors. That convinced the very security-aware team at Prusa to adopt the solution in the first place.

Defguard Secure Architecture

Defguard's resource efficiency played a significant role and solidified the decision. The core components are implemented in the highly efficient Rust language, making the solution fast and secure at the same time.

Prusa used it to set up a secure hybrid VPN network design with 4 gateways: two hosted in internal infrastructure and two hosted in Google Cloud. Internally, Defguard runs on two VMs with 2 CPUs and 2 GB of RAM each; other solutions would require much more resources.

The two other gateways run on Google Cloud (with Kubernetes). This is very cost-friendly: with over 300 users (~150 concurrent connections), it uses only 0.5 CPU.

Active users

Defguard Gateway HW resources

Defguard Core HW resources

Defguard Proxy HW resources

Defguard PostgreSQL HW resources

True two-factor authentication for the VPN differentiates Defguard from alternatives (like Tailscale or Netbird) because it is actually implemented at the WireGuard protocol level. This gives Prusa Research unprecedented security for over 490 users connecting to the infrastructure on a daily basis.

With so many users whose identities are stored in Google Workspace and LDAP, it was also important to have fast and effortless synchronisation with the VPN, which Defguard guarantees with one of its enterprise features. This solved the problem of manual user management inside the VPN solution.

Zdeněk also appreciated the direct access to the development team via Defguard's self-hosted Matrix communication platform, and the open-source nature of the project, which fosters self-resolution of issues.

“Most support teams I’ve worked with are slow and generic. Defguard’s team is the opposite — fast, technical, and actually helpful,” he said.

Results

Today, over 490 employees securely access internal systems through Defguard. Onboarding a new team member takes minutes, not hours. No manual VPN configuration. No shared credentials. Just clean, automated, role-based access and a smooth onboarding and enrollment process.

“We chose Defguard because it gives us control without complexity,” Zdeněk said.

“It’s rare to find a tool that aligns with both our technical standards and our open-source mindset.”

For Prusa, Defguard isn’t just a VPN. It’s the foundation of secure collaboration—built on principles the company believes in.