DefGuard is an open-source, enterprise-grade access management platform that combines WireGuard® VPN with multi-factor authentication (MFA) and OpenID Connect SSO. Where traditional VPN solutions apply MFA only at a login screen, DefGuard enforces it on the WireGuard connection itself: the client must pass a second factor (TOTP or WebAuthn) before it is issued the pre-shared key the gateway requires, so every tunnel is authenticated at the network layer rather than only at a web portal. Built in Rust, it provides a unified control plane for managing users, devices, firewall rules, and VPN gateways across distributed environments. It is designed for organizations that need granular access control, secure remote onboarding, and integration with existing identity providers such as Google, Microsoft Entra ID, LDAP, or Okta.
DefGuard is not just a VPN server. It is a complete identity-aware access platform with built-in YubiKey provisioning, SSH/GPG key management, forward auth for reverse proxies, and a cross-platform desktop client that syncs WireGuard configurations in real time. Its architecture supports Kubernetes, standalone deployments, and multi-location gateway clusters, making it suitable for teams managing hybrid networks with strict compliance requirements.
What You Get
- WireGuard® VPN with true MFA/2FA - A second factor (TOTP, WebAuthn with a YubiKey or FaceID, or an email code) is required before a pre-shared key (PSK) is issued for the tunnel; a peer without that PSK cannot complete the WireGuard handshake, so MFA gates the connection itself rather than a portal login.
- Automatic real-time desktop client sync - Users’ WireGuard configurations (including multiple locations and network settings) are automatically updated across all devices when changes occur in DefGuard’s admin panel.
- OpenID Connect SSO integration - Supports Google, Microsoft, Okta, JumpCloud, and any standards-compliant OpenID Provider for centralized identity management without manual user provisioning.
- Two-way LDAP/Active Directory synchronization - Bi-directional sync for user accounts and group memberships, enabling seamless integration with existing enterprise directories.
- YubiKey hardware key provisioning - Admins can provision YubiKeys from the UI in a one-click enrollment flow that registers the resulting public keys to the user's profile and binds the key to that user.
- Remote user enrollment & onboarding - New users can securely enroll over the internet via web or desktop client, set up MFA, and receive pre-configured WireGuard profiles without IT intervention.
- ACLs and firewall management - Define granular access rules for Linux, FreeBSD, OPNsense, and pfSense systems from DefGuard’s centralized policy engine.
- Forward auth for reverse proxies - Put Traefik or Caddy in front of a web application and have the proxy ask DefGuard whether each request carries an authenticated session before passing it on, so existing apps gain SSO and MFA without code changes.
- SSH and GPG key management - Users can upload, manage, and revoke their SSH and GPG public keys from their DefGuard profile, giving servers a single authoritative source for the keys that grant access.
- Enterprise-grade deployment options - Deploy via Docker Compose, Kubernetes, or standalone packages with support for multi-gateway clusters and DMZ architectures.
- Desktop client with live metrics - Cross-platform desktop app (Windows, macOS, Linux) with real-time network charts, live logs, dark/light themes, and support for importing any WireGuard tunnel.
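How the forward-auth integration in the list above fits together, as an added example in Traefik dynamic-configuration form (this is not taken from the page or from DefGuard's own documentation). The DefGuard endpoint path and the identity header name are assumptions and must be checked against the Defguard docs for your version; everything else is standard Traefik forwardAuth configuration.

```yaml
# Traefik dynamic configuration (file provider). Added illustration, not
# DefGuard's own documentation. The forward-auth address and the identity
# header name are ASSUMPTIONS; confirm both in the Defguard docs.
http:
  middlewares:
    defguard-auth:
      forwardAuth:
        # Traefik sends each request's method, URI and X-Forwarded-* headers
        # here and only proxies the request onward if this returns 2xx;
        # any other response (e.g. a redirect to login) goes back to the client.
        address: "https://defguard.example.com/api/v1/forward_auth"
        # Headers copied from DefGuard's 2xx response onto the request the
        # backend sees; the app may trust them only because it is reachable
        # solely through this proxy.
        authResponseHeaders:
          - "X-Forwarded-User"
        # trustForwardHeader is left at its default (false): Traefik sets
        # X-Forwarded-* itself instead of believing client-supplied values.

  routers:
    internal-app:
      rule: "Host(`app.example.com`)"
      entryPoints:
        - websecure
      middlewares:
        - defguard-auth
      service: internal-app
      tls: {}

  services:
    internal-app:
      loadBalancer:
        servers:
          - url: "http://app-backend:8080"
```

Two checks matter in practice: the backend must not be reachable except through Traefik (a direct route to `app-backend:8080` bypasses the middleware entirely), and `trustForwardHeader` should only be enabled when Traefik itself sits behind another trusted proxy, because with it on a client can forge the `X-Forwarded-*` headers that the auth service uses to build its redirect URLs.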
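One way for a server to consume the SSH public keys users manage in their profile, as an added example (not DefGuard's code and not taken from the page): a POSIX sh `AuthorizedKeysCommand` wrapper for sshd. The key-service URL, its `username` query parameter, and the one-key-per-line response format are assumptions to verify against your identity service's documentation; the sample response embedded below is constructed to exercise the filter and is not a real server reply.

```shell
#!/bin/sh
# Added example, not DefGuard's own code: an sshd AuthorizedKeysCommand that asks a
# central key service for one user's SSH public keys and hands sshd only lines that
# are well-formed authorized_keys entries.
#
# ASSUMPTIONS (verify against your identity service's docs):
#   - keys are fetched with GET <KEYS_URL>?username=<user>
#   - the response is plain text, one public key per line
set -eu

KEYS_URL="${DEFGUARD_KEYS_URL:-https://defguard.example.com/api/v1/ssh_authorized_keys}"

# Keep only "<keytype> <base64> [comment]" lines. Anything else is dropped:
# HTML error pages, truncated bodies, and lines that smuggle in authorized_keys
# options such as command= or environment=; policy options belong to the server
# administrator, not to whatever the key service returns.
filter_keys() {
    grep -E '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+={0,2}( .*)?$' || true
}

# Fetch and filter the keys for one user. curl -f turns any non-2xx status into a
# failure and the timeouts stop an unreachable service from stalling every login;
# on failure the function prints nothing, so the lookup fails closed.
fetch_keys() {
    username="$1"
    if ! body=$(curl -fsS --connect-timeout 2 --max-time 5 --get \
            --data-urlencode "username=${username}" "${KEYS_URL}"); then
        logger -t authorized-keys "key lookup failed for ${username}" 2>/dev/null || true
        return 0
    fi
    printf '%s\n' "${body}" | filter_keys
}

# Constructed sample of what a misbehaving or tampered-with response might contain;
# not a real server reply. Only the first and last lines should reach sshd.
SAMPLE_RESPONSE='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnlyNotARealKey0000 alice@laptop
<html><body>502 Bad Gateway</body></html>
command="/bin/sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample alice@rogue

sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIExample alice yubikey'

# sshd invokes this script as:  <script> %u
# Without an argument it just runs the filter over the constructed sample.
if [ "$#" -gt 0 ]; then
    fetch_keys "$1"
else
    printf '%s\n' "${SAMPLE_RESPONSE}" | filter_keys
fi
```

Wire it in with `AuthorizedKeysCommand /usr/local/sbin/authorized-keys %u` and `AuthorizedKeysCommandUser nobody` in `sshd_config`; sshd refuses to run the command unless the script is owned by root and not group- or world-writable. Leave `AuthorizedKeysFile` set only if local key files should remain an alternative source, otherwise the central service becomes the single place where a revoked key stops working.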
Common Use Cases
- Building a zero-trust remote workforce - A company with 500+ distributed employees uses DefGuard to replace OpenVPN, enforcing MFA on every WireGuard connection and syncing client configs automatically so users never misconfigure their VPN.
- Securing hybrid cloud infrastructure with SSO - An IT team integrates DefGuard with Microsoft Entra ID to grant secure, MFA-protected access to on-premises and cloud-based resources via WireGuard, eliminating password-based VPN logins.
- Self-service enrollment replaces slow, error-prone manual device provisioning - New hires receive an email with an enrollment link, set up MFA via YubiKey or Google Authenticator, and immediately get their WireGuard config without an IT ticket.
- DevOps teams managing microservices across multiple cloud providers - Teams use DefGuard’s multi-location gateways and ACLs to segment access between staging, production, and internal services while keeping audit trails and centralized user management.
Under The Hood
Defguard is a comprehensive secure access management platform designed for modern infrastructure, combining identity and access control with WireGuard-based networking. It provides enterprise-grade security features through a modular architecture that supports multiple directory sync providers and robust authentication mechanisms.
Architecture
The system adopts a monolithic yet modular structure, separating backend and frontend components with clear layers of concern.
- The backend is organized into a core crate and supporting modules, enabling layered architecture with distinct responsibilities such as authentication and database interaction.
- The frontend is built using React and TypeScript, following a component-based organization that enhances maintainability and scalability.
- Design patterns like centralized error handling and modular configuration management support a cohesive system design.
- The frontend talks to the backend only through its HTTP API, with client-side state held in dedicated stores, which keeps the two sides decoupled while still integrated.
Tech Stack
The project leverages a hybrid tech stack that combines Rust for backend services and TypeScript/React for the frontend, supported by modern development tools.
- The primary backend is built in Rust, while the frontend uses TypeScript and React with a rich ecosystem of libraries like Zustand and TanStack Query.
- Key frontend dependencies include Lodash, Axios, and React Hook Form, while the backend integrates with various Rust crates for security and networking.
- Development workflows are supported by Vite, Biome, and Prettier for builds and formatting, with Docker enabling containerized deployments.
- Testing is handled through Playwright for end-to-end validation and Vitest for unit testing, ensuring broad coverage across the application.
Code Quality
The codebase reflects a mixed quality with strengths in test coverage and error handling, though some areas show signs of technical debt.
- Extensive end-to-end tests using Playwright cover critical user flows and authentication scenarios, ensuring reliability.
- Error handling is consistently implemented across Rust modules, particularly in LDAP integration and other external service interactions.
- Code style and structure follow established conventions, with modular organization promoting code clarity and reusability.
- Indicators of technical debt include duplicated logic and incomplete test coverage in some areas.
What Makes It Unique
Defguard distinguishes itself through its integration of secure networking and identity management in a single platform, tailored for enterprise environments.
- A modular monorepo design enables flexible deployment models with clear separation between core and enterprise features.
- Native support for multiple directory providers (LDAP, Google, Okta, Microsoft) offers unified authentication and user management capabilities.
- Built-in activity logging, with the option to stream those events to external systems, supports auditing and compliance readiness.
- Strong emphasis on multi-factor authentication (WebAuthn, YubiKey, TOTP), combined with OAuth2/OpenID Connect federation, gives a robust security posture.