Enterprise-grade open source VPN solution combining WireGuard with mandatory 2FA/MFA and integrated OpenID Connect SSO for secure remote access

Overview:

Defguard is an enterprise-grade, open-source VPN solution built on the WireGuard® protocol. It integrates multi-factor authentication (MFA) directly into the VPN connection itself, rather than as a separate step. The platform combines VPN access control, identity management, and user enrollment in one system, and is designed for organizations that need a self-hosted, verifiable way to secure remote network access. Defguard offers an integrated SSO, LDAP synchronization, and a desktop client with real-time settings synchronization, targeting security-conscious teams and system administrators.

Core Features:

  • WireGuard VPN with MFA: Provides multi-factor authentication (TOTP, email-based tokens, WebAuthn) directly for the WireGuard VPN tunnel, not just for the web application.

  • Built-in SSO & Identity Management: Includes an integrated OpenID Connect SSO provider with support for external providers (Google, Microsoft, Okta, JumpCloud) and two-way Active Directory/LDAP synchronization.

  • Secure Remote Enrollment & Onboarding: Supports passwordless enrollment and automatic client configuration over the public internet, with customizable onboarding templates.

  • Desktop Client with Real-Time Sync: A WireGuard client that automatically and in real-time synchronizes user settings, including all VPN locations and connections, from the server.

  • ACL & Firewall Management: Provides access control lists and firewall management for Linux and FreeBSD/OPNsense systems.

  • High Availability Gateways: Supports multiple gateways per VPN location with failover across a cluster of routers/firewalls for Linux and FreeBSD/pfSense.

Use Cases:

  • Organizations requiring VPN with 2FA/MFA: Teams that need to enforce multi-factor authentication on every VPN connection, beyond just a web admin panel.

  • IT admins managing multiple VPN sites: System administrators who need to manage multiple remote locations and network segments with defined access policies.

  • Enterprises with existing identity providers: Companies using Google, Microsoft, LDAP, or other OpenID Connect providers who want to extend them into their VPN solution.

  • Security-conscious deployments: Teams looking for a transparent, verifiable platform with public penetration test reports, daily SBOM CVE scans, and release asset verification.

Why It Matters:

Defguard provides a self-contained, open-source alternative that integrates VPN, SSO, and identity management into a single platform. This reduces dependency on multiple third-party services for authentication, which can simplify deployment and maintenance. Its focus on verifiable security, with public audit reports and signed Docker images, offers transparency not always available in commercial VPN solutions. The project’s use of Rust for core components aims for both performance and memory safety, while the built-in desktop client with real-time settings sync provides a managed user experience for organizations.

Project stats:

  • Stars: 2,688

  • Forks: 96

  • License: Unknown

Metadata:

  • Alternative to: NordVPN