defguard
Enterprise-grade open-source VPN solution with multi-factor authentication for WireGuard connections.
What is defguard?
Defguard is an open-source, enterprise-grade VPN and access management platform that provides multi-factor authentication for WireGuard connections. It integrates identity management, SSO, and comprehensive access controls into a single security solution, enabling organizations to implement Zero-Trust principles for remote access.
System administrators, DevOps engineers, and security teams in organizations needing secure, self-hosted VPN solutions with advanced authentication and access management capabilities.
Developers choose Defguard because it is the only open-source solution offering true MFA for WireGuard VPNs, combines VPN and identity management in one platform, and is built with Rust for security and performance, all while being fully self-hostable and transparent.
Overview
Zero-Trust access management with true WireGuard® 2FA/MFA
Use Cases
Best For
- Implementing Zero-Trust network access with WireGuard VPN
- Organizations requiring MFA/2FA for VPN connections
- Self-hosting an enterprise-grade VPN solution
- Integrating VPN access with existing SSO providers like Active Directory or Okta
- Managing complex VPN networks with multiple locations and gateways
- Teams needing secure remote user enrollment and onboarding
Not Ideal For
- Organizations requiring VPN protocols other than WireGuard, such as OpenVPN or IPSec for legacy compliance
- Small teams or individuals lacking dedicated DevOps resources for self-hosted deployment and ongoing maintenance
- Projects needing out-of-the-box, fully-featured mobile VPN clients, as Defguard's primary focus is desktop
- Environments where cloud-managed solutions are preferred over self-hosted infrastructure due to operational overhead
Pros & Cons
Pros
It is the only solution offering true multi-factor authentication for WireGuard VPN connections, supporting TOTP, biometrics via WebAuthn, and email tokens—not just for application access, as highlighted in the README.
Features built-in OpenID Connect SSO with support for external providers like Google, Microsoft, and Active Directory/LDAP, enabling seamless identity management and cost savings, per the documentation.
Provides automatic and real-time synchronization of desktop client settings across all VPN locations and gateways, ensuring consistent configuration without manual updates.
Designed for high availability with support for multiple locations, gateways, and Kubernetes deployment, making it scalable and robust for large organizations.
Built with Rust for safety and performance, and offers public penetration test reports and daily SBOM CVE scans, ensuring verifiable and inspectable security practices.
Cons
Requires Docker, Docker Compose, or Kubernetes for installation, which can be daunting for teams without infrastructure expertise, despite the one-line install script.
Limited to WireGuard, so it's not suitable for environments that rely on other VPN protocols like OpenVPN or IPSec due to compatibility or regulatory requirements.
Some advanced features are only available in the enterprise version under a separate license, as noted in the dual licensing model and enterprise-only features section.
The README emphasizes the desktop client, and while it may support mobile via WireGuard configs, native mobile apps are not prominently featured, potentially limiting on-the-go access.
Frequently Asked Questions
Related Projects
clash-verge-revA modern GUI client based on Tauri, designed to run in Windows, macOS and Linux for tailored proxy experience
denoA modern runtime for JavaScript and TypeScript.
AlacrittyA cross-platform, OpenGL terminal emulator.
TypstA markup-based typesetting system that is powerful and easy to learn.
Found a gem we're missing?
Open-Awesome is built by the community, for the community. Submit a project, suggest an awesome list, or help improve the catalog on GitHub.