Frequently Asked Questions

Find answers to the most common questions about Defguard, our VPN technology, security features, and implementation details.

Can't find what you're looking for? Check our documentation or contact our support team.

WireGuard, as used by Defguard, relies on modern, well-vetted algorithms and does not support outdated or weak ones such as 3DES, Blowfish, or RSA. The algorithms are:

  • ChaCha20 (encryption)
  • Poly1305 (authentication)
  • Curve25519 (key exchange)

Defguard uses the WireGuard protocol for VPN access to infrastructure. It is technologically more modern and more secure than SSL VPN and IPsec. Examples of WireGuard innovations not found in IPsec or SSL VPN include:

  • Stateless design: no session renegotiation and full resilience to packet loss, which means faster connections, tolerance of network disruptions and IP changes, and a good fit for mobile users, always-on VPN, and roaming.
  • High performance: WireGuard runs in the operating system kernel (as a Linux kernel module), delivering 2–5 times faster data transfer than OpenVPN while being significantly more CPU-efficient than IPsec.

Learn more about WireGuard and Zero-Trust VPN in the Defguard docs

WireGuard® offers roughly 10x faster speeds, lower latency, seamless roaming across network changes, and near-instant connection setup compared to OpenVPN, which is slower, adapts less well to network changes, and takes longer to establish a connection.

More information about OpenVPN and how to migrate from OpenVPN is available here.

Defguard is the only solution that supports Multi-Factor Authentication (MFA) at the WireGuard protocol level. Every connection undergoes multi-factor authentication, not just a one-off 2FA check at application startup or configuration time, which is what makes Defguard a Zero-Trust VPN. Beyond the public/private key pair, its MFA chain consists of:

  • The first authentication step (the user-facing factor).
  • The second authentication step, using WireGuard PSK (Pre-Shared Key) keys, which strengthens the encryption and provides resistance against post-quantum attacks.
  • The third level: the exchange of WireGuard PSK session keys.
  • The fourth level: the Gateway server is configured for the client only after the entire multi-factor session completes; until then the VPN server holds no configuration for that client/device.

See MFA architecture in Defguard docs

For the first authentication step, Defguard supports:

  • Time-Based One-Time Password (TOTP), e.g., Google Authenticator or other desktop/mobile applications.
  • One-Time Password delivered via email.
  • On mobile devices: Biometrics (Touch ID, Face ID).
  • When an external identity provider (SSO) is integrated, authentication takes place with that provider (e.g., Google, Microsoft, Okta, JumpCloud, or any OIDC provider) through a dedicated authentication session in the browser.
  • Hardware keys (e.g., YubiKey) are supported when Defguard acts as an embedded identity provider for applications using SSO.

Explore MFA setup and onboarding

Yes, Defguard supports Access Control Lists (ACLs) starting from version 1.3. This feature enables administrators to define and manage precise access rules for network resources, specifying which users, groups, or devices can access particular destinations based on IP addresses, ports, and protocols. ACLs can be applied per location, allowing for granular control over network access. Additionally, administrators can set default policies (allow or deny) for unspecified traffic, ensuring a secure and tailored network environment.
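The following Python sketch is an added example, not Defguard's own code: it models the ACL behaviour described above (rules per location matching users, groups or devices against destination IP, port and protocol, with a default allow or deny for unmatched traffic). The rule structure, the precedence of deny over allow, and the sample rules are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the per-location ACL behaviour; semantics are assumptions,
# not Defguard's code. A rule applies when subject (user, group or device),
# destination network, port and protocol all match; otherwise the default applies.

@dataclass
class Rule:
    action: str                                   # "allow" or "deny"
    subjects: set                                 # "alice", "group:devops", "device:laptop-7"
    destination: str                              # CIDR, e.g. "10.0.20.0/24"
    ports: set = field(default_factory=set)       # empty = any port
    protocols: set = field(default_factory=set)   # empty = any protocol

@dataclass
class Location:
    default_policy: str                           # applied when no rule matches
    rules: list

def subject_matches(rule: Rule, user: str, groups: list, device: str) -> bool:
    return (user in rule.subjects
            or any(f"group:{g}" in rule.subjects for g in groups)
            or f"device:{device}" in rule.subjects)

def evaluate(location: Location, user: str, groups: list, device: str,
             dst_ip: str, port: int, proto: str) -> str:
    """Return "allow" or "deny". An explicit deny wins over any allow; with no
    matching rule the location's default policy decides."""
    dst = ipaddress.ip_address(dst_ip)
    decision = None
    for rule in location.rules:
        if (not subject_matches(rule, user, groups, device)
                or dst not in ipaddress.ip_network(rule.destination)
                or (rule.ports and port not in rule.ports)
                or (rule.protocols and proto not in rule.protocols)):
            continue
        if rule.action == "deny":
            return "deny"
        decision = "allow"
    return decision or location.default_policy

# Constructed sample: default deny, SSH/HTTPS for the devops group,
# anything in 10.0.30.0/24 for alice, and one quarantined device.
OFFICE = Location("deny", [
    Rule("allow", {"group:devops"}, "10.0.20.0/24", {22, 443}, {"tcp"}),
    Rule("allow", {"alice"}, "10.0.30.0/24"),
    Rule("deny", {"device:laptop-7"}, "10.0.20.0/24"),
])
```

With a default-deny location, a devops member reaching 10.0.20.15 on port 80 is refused even though port 22 on the same host is allowed, and the quarantined device is refused regardless of its user's group membership.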

Defguard supports Google Workspace: login and automatic account creation on first login, full user and group synchronization, and automatic disabling or deletion of users based on their status in Google Workspace.

This functionality requires an Enterprise License and is a paid feature.

Please remember that Defguard also has built-in SSO based on OpenID Connect, so you can migrate your apps to authenticate with Defguard instead of a third-party service (and this is an open-source feature)!

Protection against post-quantum attacks is achieved through the second authentication step, which uses WireGuard PSK (Pre-Shared Key) keys. The PSK is a secret generated for each VPN session and optionally used alongside the public/private keys, which strengthens the encryption.
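As an added example (not Defguard's or WireGuard's code), the Python sketch below shows why mixing a pre-shared key into key derivation matters: the session key derived with the PSK differs from anything a party holding only the Diffie-Hellman result can compute. The HKDF-based KDF, the labels and the sample secrets are constructed for illustration and are not WireGuard's exact Noise construction.

```python
import hashlib
import hmac
from typing import Optional

# Illustrates the principle behind WireGuard's optional PresharedKey: the PSK is
# mixed into the key derivation together with the Diffie-Hellman output, so an
# adversary who later recovers the DH secret (e.g. with a quantum computer) still
# cannot derive the session key without the PSK. This is a plain HKDF-SHA256
# sketch, not WireGuard's exact Noise-based construction.

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def derive_session_key(dh_secret: bytes, psk: Optional[bytes]) -> bytes:
    """Chain the DH output and, when configured, the PSK into the KDF state."""
    chaining_key = hkdf_extract(b"constructed-protocol-label", dh_secret)
    if psk is not None:
        # With a PSK the derived key depends on a secret that breaking DH alone
        # does not reveal; without one this mixing step is skipped.
        chaining_key = hkdf_extract(chaining_key, psk)
    return hkdf_expand(chaining_key, b"session key")

def attacker_with_dh_only(dh_secret: bytes) -> bytes:
    """Model an adversary who recovered the DH secret but holds no PSK."""
    return derive_session_key(dh_secret, None)

# Constructed stand-ins for the X25519 shared secret and the per-session PSK.
DH_SECRET = bytes.fromhex("11" * 32)
PSK = bytes.fromhex("22" * 32)
```

Both peers, holding the same DH output and PSK, derive the same 32-byte key, while the DH-only adversary derives a different one.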

Learn about PSK-based MFA in the docs

Defguard is the only provider supporting multi-factor authentication with external identity providers and VPN authorization through them, such as:

  • Google Workspace
  • Microsoft Entra ID (formerly Azure AD)
  • Okta
  • JumpCloud
  • Zitadel
  • Any other provider supporting the OpenID Connect (OIDC) protocol

See all supported external SSO providers

Defguard supports Microsoft: login and automatic account creation on first login, full user and group synchronization, and automatic disabling or deletion of users based on their status in Microsoft.

This functionality requires an Enterprise License and is a paid feature.

Please remember that Defguard also has built-in SSO based on OpenID Connect, so you can migrate your apps to authenticate with Defguard instead of a third-party service (and this is an open-source feature)!

Defguard supports Keycloak login and automatic account creation on first login.

This functionality requires an Enterprise License and is a paid feature.

Please remember that Defguard also has built-in SSO based on OpenID Connect, so you can migrate your apps to authenticate with Defguard instead of a third-party service (and this is an open-source feature)!

Defguard is the only solution offering secure remote client configuration (desktop and mobile) that does not require critical components, such as the user database or the main control plane integrated with an identity provider, to be exposed on the internet. Those components remain reachable only from the intranet. Instead, configuration is handled by a secure, stateless proxy component:

  • The proxy can be safely exposed on the internet.
  • The proxy has no access to the intranet/corporate network; it is the main control plane (Defguard core) that connects to the proxy, which allows strict firewall rules.
  • Configuration uses tokens unique to the user and device, valid for 24 hours from issuance and for 10 minutes from first use.
  • All business operations run in a secure segment inaccessible from the public network, and only their results are passed to the proxy.
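To make the two token lifetimes concrete, here is an added Python sketch (not Defguard's implementation; the names and the way the two windows combine are assumptions) that enforces both windows and shows that the 24-hour limit still applies to a token first used shortly before it would expire.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed model of the two lifetimes stated above: an enrollment token is
# usable for 24 hours from issuance and, once first used, for only 10 more
# minutes. Illustrative logic, not Defguard's implementation; the names and
# the way the two windows combine are assumptions.

ISSUE_LIFETIME = timedelta(hours=24)
USE_LIFETIME = timedelta(minutes=10)

@dataclass
class EnrollmentToken:
    token_id: str
    issued_at: datetime
    first_used_at: Optional[datetime] = None

def is_valid(token: EnrollmentToken, now: datetime) -> bool:
    """The issuance window always applies; the 10-minute window applies once
    the token has been used. Both must hold."""
    if now < token.issued_at:
        return False                      # clock skew or a forged timestamp
    if now - token.issued_at > ISSUE_LIFETIME:
        return False
    if token.first_used_at is not None and now - token.first_used_at > USE_LIFETIME:
        return False
    return True

def use_token(token: EnrollmentToken, now: datetime) -> bool:
    """Consume the token for an enrollment step; the first successful use
    starts the short window."""
    if not is_valid(token, now):
        return False
    if token.first_used_at is None:
        token.first_used_at = now
    return True

# Constructed issuance time and a helper for offsets from it.
ISSUED = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

def at(hours: int = 0, minutes: int = 0) -> datetime:
    return ISSUED + timedelta(hours=hours, minutes=minutes)
```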

More on remote enrollment and secure configuration

Defguard supports Okta: login and automatic account creation on first login, full user and group synchronization, and automatic disabling or deletion of users based on their Okta status.

This functionality requires an Enterprise License and is a paid feature.

Please remember that Defguard also has built-in SSO based on OpenID Connect, so you can migrate your apps to authenticate with Defguard instead of a third-party service (and this is an open-source feature)!

Defguard supports WireGuard VPN on operating systems such as Linux, FreeBSD, OPNsense, and NetBSD.

See platform support overview

The desktop and mobile clients offer many features:

  • Automatic configuration synchronization.
  • Support for multiple VPN locations and the ability to connect to multiple Defguard instances.
  • The option to route only administrator-defined traffic (predefined traffic) or all device traffic (all traffic) through the VPN; this choice can be disabled in the admin panel.
  • The desktop client offers a Grid view (all VPN locations with their status and statistics) and a Detailed view (details of the selected location/connection, statistics, and activity history).
  • An enrollment process for the desktop client which, during first configuration, not only configures VPN locations automatically but also lets the user securely set their Defguard account password remotely, verify their account data, and see the administrator's contact information.
  • Each user can configure their own desktop and mobile devices from their profile without contacting an administrator, when this functionality is enabled.
  • Support for managing network devices: an administrator can grant a device access to a selected VPN location either with a server-side command-line client running as a system service (automatic synchronization) or via manual WireGuard configuration (for older devices).

Details on client behavior customization

Yes, Defguard is an Identity Provider (IdP) compliant with the OIDC (OpenID Connect) protocol. External applications can be configured to use Defguard as their SSO, offering a "Log in with Defguard" option. Defguard provides an easy GUI for application configuration and lists the authorized applications in each user's profile, where consent can be revoked with one click.

As an IdP, Defguard supports multi-factor authentication using TOTP, email one-time passwords, and hardware keys (e.g., YubiKey) when logging into applications through Defguard-based SSO.

Thanks to its built-in IdP, Defguard provides a single login/password and MFA system for both business applications and remote access.

Identity management and SSO details

Defguard supports two-way synchronization of user and group directories using an LDAP server and Microsoft Active Directory. It also allows choosing whether Defguard or LDAP/Active Directory is the primary source of user data during synchronization.

When Defguard is configured with an external identity provider, it supports synchronization of user and group directories with: Google Workspace, Microsoft EntraID, and Okta.

Learn about LDAP and external IdP sync

Defguard keeps a full event log for administrators (recording every business event of each user, with the VPN location, module, and IP addresses involved) and for each user (detailed tracking of their own activity in the system).

The event log can stream events to external SIEM systems via:

  • Vector: A lightweight observability pipeline program, enabling data forwarding to monitoring systems (Datadog, New Relic, Grafana Loki, Prometheus, InfluxDB, ClickHouse), SIEM and logging systems (ElasticSearch, Splunk HEC, Graylog, Mezmo, Axiom), and cloud services (AWS CloudWatch, Kinesis, S3, SNS/SQS; Google Cloud Pub/Sub, Monitoring, Storage).
  • Logstash: Open-source server-side software that ingests, processes, and forwards data for logging and analysis purposes.

Audit log and SIEM integration guide

Defguard offers a hardware key configuration and initialization module (Workstation Provisioning), which enables simple and secure configuration of YubiKey hardware keys for users. These keys are used for authentication (SSH, GPG/FIDO2) as part of multi-factor authentication (MFA). After initialization, the user’s profile displays key details such as the YubiKey serial number and associated public keys (SSH and GPG).

YubiKey provisioning documentation

Defguard has a secure architecture in which:

  • The main control plane component (Core) runs in an internal network inaccessible from the Internet, protecting all system and user data.
  • All events requiring access from a public network (e.g., the Internet) are handled by a stateless, secure Proxy component.
  • The Core connects to the Proxy and performs all business operations in a secure segment inaccessible from the public network, passing only the results of those operations to the Proxy.

Architecture and security concepts

Defguard is written in Rust, which offers the following security benefits:

  • Memory safety: Rust's ownership system rules out null pointer dereferences, buffer overflows, and use-after-free bugs without needing a garbage collector.
  • Compile-time checks: It enforces strict compile-time checks regarding lifetimes, mutability, and borrowing, detecting many errors before the code even runs.
  • Safe concurrent programming: Rust’s type system prevents data races at compile time.
  • Secure dependency ecosystem: Cargo and crates.io support reproducible builds, cryptographic signatures, and dependency auditing.

Defguard supports the following integration methods:

  • A full REST API
  • Webhooks for selected events

Integrations overview: REST API & Webhooks
