Defguard is an open-source Zero-Trust access management platform that delivers true multi-factor authentication (MFA) at the WireGuard® VPN protocol level, not just at the web interface. Designed for IT leaders and security teams, it solves the critical gap in traditional VPNs by enforcing MFA during the actual connection handshake, preventing bypasses and meeting compliance standards like NIS2 and ISO 27001. Built in Rust for performance and security, it integrates with existing identity systems like Google, Microsoft Entra ID, Okta, and Active Directory while providing full control over deployment and data sovereignty.
The platform combines a WireGuard® server, desktop and mobile clients, and a unified control plane with ACLs, forward auth, SSH/GPG key management, and real-time configuration sync. It supports Kubernetes, Docker Compose, and standalone deployments, and includes enterprise features like high-availability gateways, SIEM integration, and ISO 27001 certification. All components are open, auditable, and free from third-party metadata leaks.
What You Get
- WireGuard® Protocol-Level MFA - Enforces multi-factor authentication (TOTP, WebAuthn/FIDO2, email tokens) directly during the WireGuard® handshake, preventing bypasses at the application layer.
- Automatic Real-Time Client Sync - Dynamically pushes updated VPN configurations, routes, and device policies to desktop and mobile clients without manual reconfiguration.
- OpenID Connect SSO Integration - Supports Google, Microsoft Entra ID, Okta, JumpCloud, Keycloak, and any standards-compliant OpenID Provider for centralized identity management.
- Two-Way LDAP/Active Directory Sync - Synchronizes user accounts and groups bidirectionally between Defguard and on-premises or cloud-based LDAP/AD directories.
- YubiKey Hardware Key Provisioning - Enables one-click enrollment and management of YubiKey FIDO2 security keys for users across the organization.
- ACLs and Firewall Management - Defines granular access control lists for Linux, FreeBSD, OPNsense, and pfSense gateways to restrict network traffic by user, group, or device.
- Forward Auth for Reverse Proxies - Integrates with Traefik and Caddy to enforce authentication before traffic reaches internal web applications.
- SSH and GPG Key Management - Allows users to upload and manage public SSH and GPG keys for secure server access directly from their Defguard profile.
- Remote User Enrollment & Onboarding - Enables secure, self-service device setup over the internet with guided flows, custom messages, and biometric authentication.
- Enterprise Gateways & High Availability - Deploys multiple WireGuard® gateways across locations with failover support for mission-critical networks.
- Desktop & Mobile Clients with Live Monitoring - Official clients provide real-time network charts, live logs, dark/light themes, and support for importing any WireGuard® tunnel.
Common Use Cases
- Securing remote workforce access to internal services - A global company uses Defguard to enforce MFA at the WireGuard® level for employees accessing internal apps, databases, and file servers, eliminating credential stuffing risks.
- Compliance-driven VPN deployment for regulated industries - A financial institution deploys Defguard to meet NIS2 and ISO 27001 requirements by implementing protocol-level MFA and full audit logging for remote access.
- Managing hybrid cloud and on-premises networks with SSO - An enterprise with Active Directory and cloud apps uses Defguard to unify user access across WireGuard® VPNs and internal web services via OpenID Connect.
- IT teams managing hundreds of remote devices - A managed service provider uses Defguard’s real-time client sync and remote enrollment to onboard and update thousands of customer devices without manual configuration.
Under The Hood
Architecture
- Modular Rust monorepo with clearly defined crates for business logic, HTTP API, gRPC contracts, and event-driven workflows, enforcing strict layering and separation of concerns
- gRPC-first design using protobuf-defined services to decouple internal systems from HTTP clients, enabling polyglot interoperability and clean service boundaries
- Constructor-based dependency injection throughout service layers and HTTP handlers, avoiding global state and promoting testability
- Event-driven architecture via a dedicated event router that decouples authentication, provisioning, and logging through domain events
- Multi-container deployment with isolated services for core functionality, network gateway, and observability, reinforcing bounded contexts and process isolation
Tech Stack
- Rust backend leveraging Axum for HTTP routing, Tonic for gRPC, and SQLx for type-safe PostgreSQL interactions
- PostgreSQL with schema migrations and offline query validation to ensure database correctness at compile time
- Protobuf for service contracts, compiled via cross-platform build scripts to support multi-architecture deployments
- Docker-based infrastructure with multi-stage builds combining Node.js for frontend assets and Rust toolchain for binary generation
- Comprehensive observability stack with log aggregation and pipeline processing for operational visibility
- CI/CD automation with pre-commit hooks, security auditing, and cross-platform container builds
Code Quality
- Extensive test coverage across unit, integration, and end-to-end layers with clear feature-based organization
- Robust error handling through structured HTTP responses and framework-level propagation, avoiding runtime exceptions
- Consistent, domain-driven naming conventions across Rust and TypeScript codebases
- Strong type safety enforced via Rust’s type system and TypeScript interfaces, with explicit serialization and validation
- Clear separation of concerns with modular test files and dedicated E2E suites for critical authentication flows
What Makes It Unique
- Seamless integration of WireGuard® with role-based access control at the network layer, enabling dynamic, policy-driven device authentication without external identity providers
- Self-service enrollment portal with adaptive UI that dynamically restructures based on user role and enterprise context
- Granular, attribute-based access grants that auto-provision network configurations from user metadata, eliminating manual device management
- Native WebUI using CSS-in-SCSS with semantic grid and media queries to create role-aware interfaces without JavaScript-driven layout
- Resource-centric API design with consistent payloads that enable automated client generation and reduce integration friction
- Enterprise access patterns implemented as declarative configuration, allowing audit trails and policy enforcement to emerge directly from resource state