Select a plan
Flexible solutions to fit specific requirements of every client.
Open Source
Best for developers and small teams needing core features and self-managed deployment.
Always free
One of the best solutions on the market - completely free.
Built-in SSO with Multi-Factor Authentication
Multiple VPN Locations
VPN Location access based on Groups
VPN Multi-Factor Authentication based on Internal SSO
VPN Multi-Factor Authentication based on mobile biometry
Secure Remote User Enrollment & Onboarding
Zero-touch Desktop Client Provisioning
Activity & Audit Logs
Client configuration update based on tokens
Business
Most popular
Ideal for growing companies requiring advanced features and centralized management.
Start for free
Everything in Open Source, plus:
External SSO support (Google, Microsoft EntraID, Okta, JumpCloud)
VPN Multi-Factor Authentication with External SSO
Real-time Client Configuration Sync
Firewall (ACLs)
LDAP & Active Directory sync
Admin only Device Management
Client Traffic Policies
Log Streaming to SIEM
Rest API
Enterprise
Built for large organizations with complex infrastructure and high security demands.
Custom
Fully scalable solution for organizations with advanced security needs.
Everything in Business, plus:
High Availability Active-Active (multiple Edge and Gateways)
Service VPN Locations (pre-login & always on location)
Offline License
Pay by Invoice
Custom Support
Device Policy Postures
Coming soon
Device Attestation
Coming soon
Plans comparison
Plans features
Business
Enterprise Authentication & Identity
Built-in Identity Provider
OpenID Connect provider for user authentication
External OIDC Authentication
Login via Google, Microsoft, Okta, JumpCloud, or custom providers
VPN-Level MFA (Internal)
True connection-level multi-factor authentication (TOTP/Email/Biometric)
VPN-Level MFA (External SSO)
MFA enforced per VPN location with external IdP (Desktop & Mob)
Secure Remote Enrollment via Internal OIDC
Secure remote user enrollment and client configuration using internal OIDC
Secure Remote Enrollment via External OIDC
Secure remote user enrollment and client configuration using external OIDC (Google/Microsoft/Okta/...)
Two-way LDAP & Active Directory Integration
Bi-directional synchronization with LDAP / AD
Client & VPN Management
Desktop & Mobile VPN Clients
Native apps for Windows, macOS, Linux, iOS, Android
Native apps for Windows, macOS, Linux, iOS, Android
Automatic, instant configuration updates to all clients
Real-time Client Configuration Sync
Any changes in VPN configuration are synced real-time to Desktop & Mobile clients
Admin-only Device Management
Prevent users from managing their own devices
Enforced Defguard Client Usage
Block configuration of non-Defguard WireGuard clients
Client Traffic Policies
Configure and enforce VPN client traffic behavior
Service VPN Locations
VPN connections established at system boot level
Pre-logon VPN Mode
Establish VPN before user login
Always-on VPN Mode
Persistent VPN connection that auto-reconnects
Device Posture Checks (coming to 2.1)
Verify that devices meet specific security and configuration requirements before granting them access to the network
Device Attestation (coming to 2.2)
Cryptographically verifies a device's hardware identity to confirm it is a known and trusted machine
Security, Compliance & High Availability
Activity & Audit Logs
Comprehensive logging of all system activity
Firewall & Access Control Lists (ACL)
Define and enforce granular network access rules
Active-Active High Availability
Setup multiple active-active Edge & WireGaurd® Gateways in High Availability Cluster
Log Streaming to SIEM
Stream logs in real-time to external SIEM systems
Integrations & Automation
Remote User Enrollment
Self-service user onboarding and device setup
REST API Access
Integrate Defguard with external systems and tooling