Manage multiple VPNs (locations) from a single central control plane

View all user activity and statistics at a glance on a unified dashboard, or dive into detailed views for each location.

Deploy multiple Defguard instances and access them from a single client

Multiple instances

Defguard is uniquely designed for MSPs, cloud providers, and data centers. It allows deployment of multiple isolated Defguard instances (for different clients, sites, etc.) while maintaining unified access through a single desktop app.

Mobile support coming in version 1.5!

True 2FA/Multi-Factor authentication on WireGuard®

  • Each connection can require 2FA/MFA—using either the built-in Defguard IdP or external SSO providers like Google, Microsoft, Okta, and others—enabling true Zero Trust security.
  • Adhering to the highest security standards: VPN peers are configured only after successful 2FA/MFA, and session-based, randomly generated WireGuard® pre-shared keys are used to maximize security.

Integration with SSO providers, Active Directory, and LDAP

Defguard supports user and group synchronization with providers like Google, Microsoft, Okta, and JumpCloud, making onboarding and offboarding easy. It also uniquely enables two-way sync with Active Directory and LDAP.

The only ACL solution with built-in firewall management on Linux and FreeBSD/OPNsense

In addition to VPN access rules based on selected users and groups, Defguard is the only solution that also offers low-level ACLs by managing the firewall (nftables on Linux and Packet Filter on FreeBSD/OPNsense).

Instant VPN configuration updates and flexible client management

Defguard enables real-time synchronization and configuration of client applications used by users. Any changes in VPN configuration or access management are immediately reflected on the user side. Additionally, it allows managing client behavior (e.g., enabling full traffic routing through the VPN or blocking certain features of the client).

Comprehensive auditing and seamless SIEM integration

Defguard supports full auditability and provides detailed visibility into user activity, including information such as time and date, IP addresses, and event descriptions, along with extensive search and filtering capabilities. It also enables exporting complete activity logs to external SIEM systems.

Easy and secure remote user Enrollment & Onboarding

Whether Defguard acts as an IdP or uses an external IdP/SSO, it provides a very easy and secure enrollment process and supports onboarding by displaying and sending administrator-prepared information templates to new users.

Secure architecture with no data exposed

  • Defguard features a secure and robust architecture, with components and microservices that can be seamlessly deployed in diverse network setups (e.g., utilizing network segments like Demilitarized Zones, Intranet with no external access, etc.), ensuring a secure environment.
  • When properly deployed with the core placed in an Intranet segment inaccessible from the Internet, no user data is exposed to the public network. The public proxy component is stateless and holds no information about users or devices.

Yubico YubiKey Hardware security key management and provisioning

Defguard offers a Yubico YubiKey provisioner — a component that initiates and populates user data on YubiKeys by generating SSH keys as well as GPG/OpenPGP keys. It also stores detailed information about each user's key, including the serial number and date of provisioning.

Built-in OIDC SSO, key management, forward-auth for legacy systems

Defguard comes with a built-in Identity Provider/SSO based on the OpenID Connect standard, allowing you to replace any existing SSO solution in your organization. Additionally, it supports GPG and SSH key management, as well as forward-auth functionality for systems that do not support OIDC-based SSO.

Easy deployment

Defguard offers a variety of deployment methods such as Docker, system packages, Kubernetes, and Terraform, making it easy to integrate into your environment. It also provides a quick way to try it out via a script that automatically sets up and launches a test instance.

See the one-line deploy

Full REST API and webhooks

Defguard provides a full REST API for integration, including API key management, as well as webhook functionality for simpler integrations.

All written in Rust for security!

Rust prevents memory bugs at compile time — eliminating entire classes of vulnerabilities before they reach production.

Ready to Implement Enterprise-Grade WireGuard® VPN?

See how Defguard fits into your zero-trust architecture and existing infrastructure.