DefGuard

Self-hosted secure remote access that unifies WireGuard VPN, identity management, and connection-level MFA in one open-source platform.

2.8Kstars
106forks
Custom / Unknown

Defguard is a self-hosted secure remote access platform that brings WireGuard VPN, identity and access management, multi-factor authentication, and network access control together in a single deployable solution. Unlike traditional VPNs that bolt on MFA as an afterthought at the web interface, Defguard enforces authentication at the WireGuard connection handshake itself — meaning a stolen credential alone cannot establish a tunnel.

Built in Rust for performance and memory safety, the platform is organized around three discrete components: a Core that manages identity, authentication, and policy; an Edge proxy that provides a hardened public-facing entry point; and a Gateway that enforces network access rules on protected infrastructure. This separation means the management plane never needs direct internet exposure, substantially reducing the attack surface.

The platform integrates natively with existing identity infrastructure — Google, Microsoft Entra ID, Okta, JumpCloud, Keycloak, and any OIDC-compliant provider — while also offering its own built-in OIDC server for SSO across internal applications. LDAP and Active Directory synchronization keeps user accounts and group memberships in sync bidirectionally. YubiKey FIDO2 provisioning, SSH and GPG key management, and a self-service enrollment portal round out the identity surface.

Defguard is designed for organizations that need the auditability and control of self-hosting without accepting weaker security guarantees. It publishes SBOMs, penetration test reports, and architecture decision records, and holds ISO 27001 certification for the enterprise tier.

What You Get

  • WireGuard VPN with Connection-Level MFA - Enforces TOTP, WebAuthn/FIDO2, email tokens, or biometric authentication directly during the WireGuard handshake, preventing credential-only access to tunnels.
  • Built-in OIDC Provider and SSO - Ships an internal OpenID Connect server so internal applications can use Defguard as their identity provider, alongside support for external OIDC providers like Google, Microsoft Entra ID, Okta, and Keycloak.
  • LDAP and Active Directory Sync - Bidirectionally synchronizes user accounts and group memberships with on-premises or cloud-based LDAP and AD directories, keeping access policies in sync automatically.
  • Per-Location Firewall Rules - Defines allow/deny access control rules per VPN location by user or group, applied to Linux, FreeBSD, OPNsense, and PFSense gateways in real time without manual firewall edits.
  • YubiKey FIDO2 Hardware Key Provisioning - Enables administrators to enroll and manage YubiKey security keys for users organization-wide from the management interface.
  • SSH and GPG Key Management - Lets users upload and manage their public SSH and GPG keys from their Defguard profile, centralizing server access credential management.
  • Self-Service Remote Enrollment - Provides a guided, internet-accessible enrollment flow so new users can set up their VPN devices and MFA without administrator intervention, including biometric authentication via the mobile app.
  • Desktop and Mobile Clients - Official clients for Linux, macOS, Windows, Android, and iOS support MFA, multi-instance and multi-location connections, real-time connection statistics, and QR-code-based onboarding.
  • Forward Auth for Reverse Proxies - Integrates with Traefik and Caddy to enforce Defguard authentication before requests reach internal web applications, extending access control beyond VPN tunnels.
  • Activity Log and SIEM Streaming - Provides a searchable audit log of all access events with real-time streaming to external SIEM systems in the Enterprise tier.
  • High-Availability Gateway Support - Deploys multiple WireGuard gateways across locations with failover for mission-critical network access scenarios.

Common Use Cases

  • Replacing a corporate VPN with auditable MFA enforcement - A security team deploys Defguard to replace a legacy VPN that only checks credentials, ensuring every remote connection requires a second factor at the protocol level before a tunnel is established.
  • Unifying SSO across internal tools and VPN - An engineering organization uses Defguard as both the WireGuard server and the OIDC identity provider, so developers authenticate once to get VPN access and SSO into internal dashboards, wikis, and CI systems.
  • Compliance-driven remote access for regulated industries - A healthcare or financial services company deploys Defguard to meet NIS2 or ISO 27001 requirements, leveraging connection-level MFA, full audit logging, and published penetration test reports as compliance evidence.
  • Onboarding distributed teams without IT overhead - A remote-first company uses Defguard’s self-service enrollment portal so new hires can configure their VPN devices and register their MFA method without requiring a helpdesk ticket or administrator involvement.
  • Securing Kubernetes and internal APIs with forward auth - A platform team fronts internal services with Caddy or Traefik and Defguard forward auth, ensuring even services not natively OIDC-aware require authenticated VPN sessions before any request reaches them.

Under The Hood

Architecture Defguard is structured as a Rust workspace of discrete, single-responsibility crates: the core manages identity, HTTP API, and policy; an event router acts as a thin central hub receiving domain events via MPSC channels and dispatching them to a gateway manager, session manager, and event logger without performing processing itself; a proxy manager handles the public-facing entry point separately; and a session manager tracks VPN client lifecycle independently. Dependency direction is strictly inward — no inner crate has knowledge of outer orchestration — and the main binary wires everything together without leaking domain logic into startup code. This decomposition means each service component can evolve, be tested, and potentially be deployed independently, while the event-driven integration boundary prevents tight coupling between authentication flows, network provisioning, and audit logging.

Tech Stack The backend is Rust on the Tokio async runtime using Axum 0.8 for HTTP routing, Tonic 0.14 for gRPC with Protobuf-defined service contracts, and SQLx 0.8 for compile-time-validated PostgreSQL queries backed by an extensive migration history. The frontend is React 19 with TypeScript using TanStack Router for type-safe file-based routing, TanStack Query for server state management, Zustand for local state, Zod v4 for schema validation, and Recharts for real-time VPN statistics visualization. Styling uses SCSS with Sass. The build system combines Vite 8 for the frontend and multi-stage Docker builds that assemble the frontend assets and Rust binary in separate stages. CI runs Playwright E2E tests across multiple configuration profiles, Vitest for frontend unit tests, cargo-deny for supply-chain and license auditing, and Biome for code formatting.

Code Quality Test coverage spans multiple layers: unit tests are present in individual Rust crates including certificate management, event logging, and static IP allocation; integration tests cover the proxy manager and setup wizard flows; the frontend has Vitest unit tests for validators, license logic, and utilities; and a comprehensive Playwright E2E suite runs against live instances with dedicated configs for auto-adoption and migration scenarios. Error handling uses thiserror-derived typed errors per crate with anyhow for application-level propagation, ensuring errors carry context without being swallowed. Compile-time SQL query validation via SQLx catches schema mismatches before deployment. The deny.toml enforces supply-chain and license policies across all dependencies, and CI runs security audits on every push.

What Makes It Unique The defining technical choice is enforcing MFA at the WireGuard handshake rather than at an overlying application layer — the gateway validates authentication state as part of connection negotiation, so a stolen WireGuard private key and server endpoint alone cannot establish a tunnel without a valid second factor. The dual-licensing model is unusual: enterprise features live in a dedicated directory whose source code is openly readable but licensed under a paid proprietary license, making the security-relevant implementation visible for audit without being freely redistributable. The three-component architecture (Core, Edge, Gateway) is designed so the management plane never needs direct internet exposure — the Edge component provides a hardened entry point and handles inbound public traffic, and the Gateway communicates back to Core over an authenticated channel, substantially shrinking the exposed attack surface compared to monolithic VPN servers.

Self-Hosting

Defguard uses a dual-licensing model. The core codebase, covering VPN management, identity, MFA, and most integrations, is licensed under the GNU Affero General Public License v3 (AGPL-3.0). This means you can use, modify, and self-host it freely, including for commercial purposes, but if you distribute modified versions or run it as a network service for others, you must release your modifications under the same license. The enterprise feature directory is covered by a separate proprietary license that allows use by paying customers but prohibits redistribution, sublicensing, or building derivative products. Notably, the enterprise source code is openly readable for security auditing, which is an unusual and positive transparency commitment.

Running Defguard yourself means operating three distinct components: the Core, the Edge proxy, and one or more Gateway instances deployed at each network location. You are responsible for provisioning PostgreSQL, keeping each component updated, managing TLS certificates (the platform includes a built-in certificate authority to help), and handling high-availability at the infrastructure level if you need it. The platform supports Docker Compose for single-node deployments and has documentation for multi-node and Kubernetes configurations, but you own backup, disaster recovery, scaling under load, and responding to security advisories on the underlying operating system and database.

The paid Enterprise tier adds SIEM streaming for real-time audit log forwarding, advanced ACL and destination management, and formal support with SLAs from the defguard team. If you are self-hosting the open-source tier, you rely on GitHub issues, community discussions, and the publicly available documentation. The defguard team also offers managed deployment assistance and commercial support contracts, so the gap between self-hosting and a fully managed solution is bridgeable, but it requires intentional effort to set up and maintain the operational infrastructure around the application itself.

Join founders buildingwith open source

Opinionated takes, migration guides, cost-saving tips, and insights from the open source ecosystem.

Subscribe on Substack

No spam. Unsubscribe anytime.

Join 750+ subscribers
No spam. Unsubscribe anytime.

Search