At a Glance:
Defguard is a self-hosted secure remote access platform that integrates WireGuard VPN, identity and access management, multi-factor authentication (TOTP, WebAuthn, email), and per-location firewall rules for controlling access to infrastructure and private networks.
Overview:
Defguard is a self-hosted security platform designed to consolidate remote access management for organizations. It combines WireGuard VPN with built-in identity and access management, multi-factor authentication, and network access control. The platform supports internal and external OIDC providers, LDAP/AD synchronization, and provides desktop and mobile clients for managing WireGuard connections. Its architecture separates core management, public-facing edge services, and gateway policy enforcement to reduce attack surface. Defguard also offers a REST API and webhook integrations, with real-time SIEM streaming available in the Enterprise edition.
Key Decision Points:
Fully self-hosted deployment: Operates completely on your own infrastructure with no external dependencies, ensuring data remains within your environment.
Unified platform vs. separate tools: Combines VPN, identity management, MFA, and firewall rules into a single solution, reducing the need to integrate multiple disconnected products.
Client support for end-user devices: Provides dedicated desktop (Linux, macOS, Windows) and mobile (Android, iOS) applications for WireGuard VPN management with MFA and self-service device enrollment.
Component-based architecture: Separates the Core (identity and policy management), Edge (public entry point), and Gateway (traffic policy enforcement), allowing for network segmentation in deployment.
Enterprise streaming capabilities: Real-time SIEM streaming is listed as an Enterprise feature, indicating a tiered delivery model for advanced auditing.
Core Features:
WireGuard VPN with per-location access control: Manages multiple VPN locations with distinct user and group-level access permissions, supporting both kernel and userspace WireGuard implementations.
Identity and access management with OIDC and LDAP: Acts as an internal OIDC provider for single sign-on and supports external OIDC providers (Google, Microsoft, custom) and LDAP/AD synchronization.
Multi-factor authentication: Enforces MFA at the connection level using TOTP, WebAuthn/FIDO2, email tokens, or biometric verification through the mobile app.
Real-time per-location firewall: Applies allow and deny rules for each VPN location based on user or group identity, with real-time enforcement.
Audit logging and SIEM integration: Provides a filterable and searchable activity log for all administrative and connection events, with real-time streaming to SIEM systems in the Enterprise tier.
REST API and webhooks: Enables programmatic control and integration with external systems through a documented API and webhook callbacks.
Use Cases:
Unifying remote access for organizations: IT administrators can replace separate VPN, SSO, and MFA tools with a single self-hosted platform to enforce access policies for private networks and infrastructure.
Enforcing Zero-Trust access with MFA: Security teams can require per-connection multi-factor authentication for WireGuard VPN tunnels and apply real-time firewall rules based on user identity.
Onboarding remote employees and devices: End users can use self-service desktop and mobile applications with QR code enrollment to set up authenticated WireGuard connections to corporate locations.
Open-Source Alternative Value:
Defguard’s core is open source, allowing organizations to self-host a unified remote access platform without routing authentication or traffic data through external services. It functions as a self-contained alternative to assembling separate commercial VPN, identity provider, and MFA products by integrating these capabilities under a single deployment. The published SBOMs, penetration test reports, and architecture decision records provide transparency into the platform's security posture, and the component-based architecture allows administrators to inspect and segment its management, public-facing, and gateway layers.