Features overview
Defguard combines secure remote access, modern identity management, and powerful integrations - all in one open-source platform. Below you’ll find an overview of its main capabilities, designed for both administrators and end users.
🌐 Remote Access with WireGuard® VPN + 2FA/MFA
Secure, high-performance VPN built on WireGuard® protocol, enhanced with real multi-factor authentication.
Multi-Factor Authentication using our desktop client
Multiple VPN Locations (networks/sites) - define access for all users or selected admin groups
Multiple Gateways per VPN Location with high availability/failover
Import your existing WireGuard configuration easily with a guided wizard
Self-service device setup - users can add their devices on their own
Automatic IP allocation for connected devices
Kernel (Linux, FreeBSD/OPNSense/PFSense) & userspace WireGuard support
Dashboard & statistics for admins - track users and connections
💻 Desktop, 📱 Mobile & 🧰 CLI Clients
Defguard provides modern, easy-to-use clients for every platform - giving users secure, MFA-protected VPN access wherever they work.
Desktop Client - available for Windows, macOS, and Linux
Enables direct VPN connection using MFA/2FA
One-click enrollment via secure deep links received from the administrator
CLI Client - lightweight and script-friendly tool for Linux
Provides full VPN control via terminal
Ideal for automation, servers, or advanced users preferring CLI workflows
🔑 Multi-Factor/2FA Authentication
Add another layer of protection to user accounts.
Time-based One-Time Password (TOTP) - compatible with Google Authenticator, Authy, etc.
WebAuthn / FIDO2 - hardware keys, Face ID, Touch ID, and other authenticators
Email tokens as an additional authentication method
Biometric verification via the mobile app - use your device’s built-in Face ID or fingerprint sensor to confirm login or VPN access
👤 Identity Management
Manage your users and their access in one place.
OpenID Connect based SSO
Simple, modern UI for managing users
User self-service - manage data, revoke app access, reset MFA, control WireGuard devices
🧭 Account Lifecycle Management
Automated, secure, and user-friendly onboarding.
Secure remote (over the Internet) user enrollment
Self-service password reset
🧱 Access Control List
Granular, instant control over VPN access.
Allow or deny access based on users or groups
Changes are applied in real time
🔐 OpenID Connect
Defguard acts as your internal OIDC provider - giving you full control over identity and SSO.
Defguard is an internal OIDC provider for Single Sign-On
Supports external OpenID providers for authentication
🧾 Activity & Audit Logs
Monitor and understand what’s happening across your system with detailed, searchable logs.
User event logging with complete metadata
Advanced filtering by user, module, event type, or time range
Role-based visibility - users only see their own events
Logs grouped by module (Defguard, enrollment, VPN)
Real-time log streaming to SIEM tools (Enterprise feature)
📬 Notifications
Stay in the loop with real-time notifications.
Email notifications via SMTP
Gateway disconnect/reconnect alerts
New version notifications
🛡️ YubiKey Provisioning
Easily create and populate the SSH and GPG/OpenPGP keys on a YubiKey hardware key.
YubiKey hardware keys provisioning for users with one click
🔗 Integrations
Easily connect Defguard with your existing systems.
⚙️ Built with Rust
Built in Rust - delivering portability, security, and speed from the ground up.
Last updated