About Defguard
What is Defguard?
Defguard is an enterprise-ready platform built on top of WireGuard®, designed to make private networking simple, scalable, and secure.
It integrates identity management, policy enforcement, and secure access provisioning into a single, cohesive system - whether you deploy it in your own infrastructure or in the cloud.
Defguard helps organizations:
Manage VPN access for distributed teams.
Integrate identity sources such as LDAP, Active Directory, or external OIDC providers.
Enforce multi-factor authentication (MFA).
Automate device enrollment.
Simplify network segmentation and access control using policies.
For a detailed list of features go to the Features overview section.
Why choose Defguard?
Defguard was built with security, transparency, and control at its core - see our Secure by design and Architecture documentation for more.
Here’s why organizations choose it over traditional VPN management or proprietary systems:
🏗️ Self-Hosted and Privacy-Focused
Defguard can be deployed on your own infrastructure, giving you full ownership of data and keys.
No external cloud relay, no hidden telemetry - your traffic and user data never leave your environment.
🔒 Zero Trust by Design
Authentication and authorization with MFA happen continuously, not just at login.
Access decisions are policy-driven and identity-based, reducing lateral movement risks and insider threats.
🔑 True MFA (Multi-Factor Authentication) for VPN Access
Most applications provide MFA only when opening or logging into the app - not during the VPN connection itself.
Defguard takes a different approach.
Thanks to its internal Identity Provider (IdP), Defguard enforces real, connection-level MFA, ensuring that multi-factor authentication is applied as part of the VPN handshake - not just the UI login step.
Even when using external OIDC providers (Google, Microsoft, or a custom one supported by Defguard), Defguard still applies its internal IdP-based MFA for actual VPN session authentication.
This design delivers true, end-to-end verification that protects both users and infrastructure from credential theft or token replay attacks.
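To make the distinction above concrete, here is a conceptual model, written for this page and not taken from Defguard's code base, of what "connection-level" MFA means for a WireGuard gateway: a device's public key is only installed on the gateway (so the WireGuard handshake can succeed) while the identity provider holds a fresh, MFA-verified session for that device, and it is removed again when that session lapses. A password-only UI login does not unlock the tunnel. Everything here is constructed: the class names, the placeholder keys, the timestamps and the TTL are assumptions for illustration, not Defguard's protocol or API.

```python
"""Conceptual model of connection-level MFA for a VPN gateway (added example,
not Defguard's implementation). The gateway's peer table stands in for the
WireGuard interface's peer list; the IdP decides whether a device currently
holds an MFA-verified session. All keys, names and times are constructed."""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    device_pubkey: str
    mfa_verified: bool
    expires_at: int  # constructed unix-style timestamp


class IdentityProvider:
    """Toy IdP: records logins and answers 'is this device MFA-verified right now?'."""

    def __init__(self):
        self.sessions = {}

    def login(self, user, device_pubkey, now, mfa_ok, ttl=3600):
        # mfa_ok=False models a first-factor-only (UI) login.
        self.sessions[device_pubkey] = Session(user, device_pubkey, mfa_ok, now + ttl)

    def session_valid(self, device_pubkey, now):
        s = self.sessions.get(device_pubkey)
        return s is not None and s.mfa_verified and now < s.expires_at


class Gateway:
    """Toy gateway: a peer may only handshake while it is in `peers`."""

    def __init__(self, idp):
        self.idp = idp
        self.peers = set()
        self.audit = []  # (decision, device_pubkey, time) for detection/review

    def request_connect(self, device_pubkey, now):
        # Access decision is tied to the VPN session, not to a past UI login.
        if self.idp.session_valid(device_pubkey, now):
            self.peers.add(device_pubkey)
            self.audit.append(("allow", device_pubkey, now))
            return True
        self.audit.append(("deny", device_pubkey, now))
        return False

    def reconcile(self, now):
        """Periodic sync with the IdP: drop peers whose MFA session has expired."""
        for key in list(self.peers):
            if not self.idp.session_valid(key, now):
                self.peers.discard(key)
                self.audit.append(("revoke", key, now))
        return set(self.peers)


def demo():
    """Runs the three cases the page contrasts; returns (denied, allowed, peers_after_expiry)."""
    idp = IdentityProvider()
    gw = Gateway(idp)
    key = "PUBKEY_ALICE_CONSTRUCTED"  # placeholder, not a real WireGuard key
    # 1. Password-only login: a UI session exists, but MFA never completed.
    idp.login("alice", key, now=1000, mfa_ok=False)
    denied = gw.request_connect(key, now=1001)
    # 2. Full MFA login: the same device may now complete the handshake.
    idp.login("alice", key, now=1002, mfa_ok=True, ttl=600)
    allowed = gw.request_connect(key, now=1003)
    # 3. After the session TTL the peer is revoked without any new action by the user.
    remaining = gw.reconcile(now=1002 + 601)
    return denied, allowed, remaining


if __name__ == "__main__":
    print(demo())  # (False, True, set())
```

The point of the model is the `reconcile` step: because the gateway re-checks the session rather than trusting the original login, a stolen password or a replayed UI token is not enough to keep a tunnel open, and every allow, deny and revoke decision lands in an audit trail that a SOC can monitor.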
⚙️ Open, Extensible, and Interoperable
Defguard integrates cleanly with your existing identity stack - LDAP, AD, or OIDC - without forcing vendor lock-in.
Its webhooks make it easy to extend or automate within DevOps workflows.
🧭 Simple for Users, Powerful for Admins
End users enjoy one-click VPN access via the Defguard apps, while admins gain granular control through a modern web interface.
🧩 Modular and Scalable
Each component (Core, Gateway, Proxy) can be deployed independently, allowing flexible scaling - from a single office setup to multi-region enterprise deployments.
🧱 Security Built into the Development Process
Defguard follows modern software supply-chain and security best practices:
Signed container images and binaries.
Publishing SBOMs.
Scanning for and reacting to vulnerabilities on a daily basis.
Regular penetration testing.
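The "Publishing SBOMs" and "Scanning for ... vulnerabilities on a daily basis" items above describe the producer side; the consumer side is matching the published SBOM against an advisory feed. The following is an added example of that check, not Defguard's scanner or its real SBOM: it parses a small CycloneDX-style document (the format is real, the components are constructed), compares each package URL against constructed advisories with a half-open affected range `[introduced, fixed)`, and reports what needs upgrading. The CVE identifiers are deliberately invalid placeholders.

```python
"""Consumer-side SBOM vulnerability match (added example, not Defguard's tooling).
The SBOM fragment and the advisory feed are constructed inline; the
CVE-0000-* identifiers are placeholders, not real CVEs."""
import json
import re

# Constructed CycloneDX-style SBOM: real format, made-up components.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-tls",  "version": "0.21.3",
     "purl": "pkg:cargo/example-tls@0.21.3"},
    {"type": "library", "name": "example-http", "version": "1.2.0",
     "purl": "pkg:cargo/example-http@1.2.0"},
    {"type": "library", "name": "example-json", "version": "3.0.1",
     "purl": "pkg:cargo/example-json@3.0.1"}
  ]
}
"""

# Constructed advisory feed; affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "CVE-0000-00001", "purl_type": "cargo", "name": "example-tls",
     "introduced": "0.20.0", "fixed": "0.21.5", "severity": "high"},
    {"id": "CVE-0000-00002", "purl_type": "cargo", "name": "example-http",
     "introduced": "1.3.0", "fixed": "1.3.2", "severity": "medium"},
    {"id": "CVE-0000-00003", "purl_type": "cargo", "name": "example-json",
     "introduced": "0.0.0", "fixed": "3.0.2", "severity": "low"},
]

# Minimal purl shape: pkg:<type>/<name>@<version> (no namespace/qualifiers here).
PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?P<name>[^@]+)@(?P<version>.+)$")


def parse_version(v):
    """Dotted numeric versions only; pre-release tags are out of scope for this model."""
    return tuple(int(p) for p in v.split("."))


def parse_purl(purl):
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"unsupported purl: {purl}")
    return m.group("type"), m.group("name"), m.group("version")


def load_components(sbom_json):
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return [parse_purl(c["purl"]) for c in sbom["components"]]


def is_affected(version, advisory):
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def scan(sbom_json, advisories):
    """Returns findings sorted by advisory id: one entry per (component, advisory) hit."""
    findings = []
    for ptype, name, version in load_components(sbom_json):
        for adv in advisories:
            if adv["purl_type"] == ptype and adv["name"] == name and is_affected(version, adv):
                findings.append({"id": adv["id"], "component": f"{name}@{version}",
                                 "severity": adv["severity"], "fixed": adv["fixed"]})
    return sorted(findings, key=lambda f: f["id"])


if __name__ == "__main__":
    for f in scan(SBOM_JSON, ADVISORIES):
        print(f"{f['id']} {f['severity']:<6} {f['component']} -> upgrade to {f['fixed']}")
```

Run daily against the SBOM shipped with a release, a check like this turns "we publish SBOMs" into something a consumer can act on: the half-open range means the first fixed version is correctly treated as clean, and the version comparison is numeric rather than lexical so `0.21.3` sorts below `0.21.10`.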
🌱 Open Source and Transparent by Design
Defguard is open source - you can inspect, audit, and contribute to the code that powers your infrastructure.
We believe transparency is a cornerstone of security and trust.
Our approach goes beyond code:
Open organisation: we share our development roadmap, security practices, and architecture decisions publicly.
Open processes: our builds, signing, and release workflows are verifiable end-to-end.
Open security scans: we publish penetration test reports and daily SBOM CVE scan reports.
Community-driven development: we welcome feedback, issues, and contributions from users and integrators.
No black boxes: every component, from Core to Gateway, can be deployed, configured, and verified independently.
Defguard’s openness ensures trust through verifiability, not promises — aligning with the principles of modern, transparent cybersecurity.
How is Defguard built?
Defguard consists of several modular services that can be deployed together or separately, depending on your architecture:
Core – the main service responsible for user management, authentication, configuration storage, and integrations.
VPN Gateway – provides the VPN endpoint for clients; runs WireGuard and synchronizes configuration with Core.
Public Proxy – an optional component that handles communication between the Core and external services or clients in restricted environments.
Desktop and Mobile Apps – client applications for macOS, Windows, Linux, Android, and iOS, allowing users to connect easily and securely.
This layered architecture, with a strict division of responsibilities between components, is designed for maximum security and has been verified by multiple in-depth penetration tests.

For the reasoning behind this division, please refer to the Architecture documentation.