OVA

Defguard provides OVA images that can be imported into VMware, Proxmox, or any other solution that supports the standard OVA format. The image is based on Ubuntu 24 and supports configuration via cloud-init. It contains the full Defguard stack (Defguard Core, Edge, Gateway), a database, and a reverse proxy (NPM).

The image is available for download here: https://defguard-downloads.s3.eu-central-1.amazonaws.com/defguard-alpha2.ova

Importing the image

After importing the image, make sure to:

  1. Attach an appropriate network interface so the virtual machine can access your network.

  2. If you would like to change the default user/password, you can do so with cloud-init. Otherwise, the default user ubuntu with password ubuntu will be created.

Setting up Defguard

Once booted, the virtual machine will have all Defguard components pre-configured. To complete the setup, simply visit the Defguard Core dashboard: http://<VM_IP_OR_DOMAIN>:8000. Follow the on-screen wizard to finalize your configuration.

For an example setup walkthrough, see this guide.

If you would like to set up a reverse proxy beforehand (which enables automated SSL certificates with Let's Encrypt), go to this section for more details.

Accessing the VM

You can access the VM using the following default credentials (requires changing after first login):

Login: ubuntu
Password: ubuntu

Verifying the running Defguard stack

When the machine boots for the first time, the whole Defguard stack is launched using Docker Compose. All Defguard files (Docker Compose, environment variables) can be found under the /opt/defguard/ directory.

To verify that Defguard is running, use the following command inside the VM:

Here is the breakdown of accessible services deployed on the VM:

| Name | Port | Type |
| --- | --- | --- |
| Core | 8000 | HTTP (web dashboard) |
| Edge | 8080 | HTTP (enrollment portal) |
| Gateway | 51820 | UDP (VPN port) |
| Nginx Proxy Manager | 80, 443, 81 | HTTP(S) and the management dashboard on port 81 |

Setting up a reverse proxy

Setting up a reverse proxy will require you to prepare two domains: one for Defguard Core (internal) and one for Defguard Edge (public).

To configure the reverse proxy, register an account in the NPM dashboard, accessible via http://<VM_IP_OR_DOMAIN>:81.

After creating your account, go to Proxy Hosts and configure the proxy for Core and Edge:

This will allow you to access Core and Edge via your respective domains, using the standard HTTP/HTTPS ports. We also recommend setting up SSL. Please make sure you don't expose Defguard Core publicly. See Architecture for details.

Cloud-Init options

Selecting what components to run (Proxmox)

As mentioned previously, the VM starts the full stack by default. If you would like to separate the components (which is the recommended way of deploying Defguard), you can use a custom cloud-init configuration to specify which component to run for a given VM instance.

Create the following snippet. The content can be core, edge, or gateway:

In Proxmox, save the snippet to (or your selected snippet directory, if you are using a non-standard one):

Then attach it to the VM on which you want to run the selected Defguard component:

Next, boot the VM. Now, only the selected component should run.

Here is the full breakdown of what runs for each profile:

| Profile | What runs |
| --- | --- |
| core | Core, database, NPM |
| edge | Edge, NPM |
| gateway | Gateway |

Using a different solution than Proxmox requires creating a custom cloud-init configuration that writes one of the profiles above to the /opt/defguard/active-profiles file.
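
To check that a VM exposes only what its profile should, the following added example (not part of Defguard's documentation or code) compares the output of `ss -H -tuln` with the port and profile tables on this page. The `full` profile name, the treatment of the NPM dashboard on port 81 as internal-only, and the sample socket list are assumptions of this example.

```python
# Added example, not Defguard's code: audit `ss -H -tuln` output against
# the port and profile tables on this page.
SERVICES = {  # (proto, port) -> component, from the services table
    ("tcp", 8000): "Core", ("tcp", 8080): "Edge", ("udp", 51820): "Gateway",
    ("tcp", 80): "NPM", ("tcp", 443): "NPM", ("tcp", 81): "NPM",
}
PROFILES = {  # profile -> components with a listed port (database has none)
    "core": {"Core", "NPM"}, "edge": {"Edge", "NPM"}, "gateway": {"Gateway"},
}
PROFILES["full"] = set(SERVICES.values())  # hypothetical name for the default full stack
# The page says Core must not be public; treating the NPM admin UI (81)
# the same way is this example's assumption.
INTERNAL_ONLY = {("tcp", 8000), ("tcp", 81)}
LOOPBACK = ("127.", "[::1]")

def parse_ss(text):
    """Yield (proto, address, port) for each socket line of `ss -H -tuln`."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, _, port = fields[4].rpartition(":")
        if port.isdigit():
            yield fields[0], addr, int(port)

def audit(ss_output, profile):
    """Return sorted findings for Defguard ports that need attention."""
    allowed = PROFILES[profile]
    findings = set()
    for proto, addr, port in parse_ss(ss_output):
        component = SERVICES.get((proto, port))
        if component is None:
            continue  # not a Defguard port from the table (e.g. SSH)
        if component not in allowed:
            findings.add(f"{proto}/{port} {component}: not part of profile '{profile}'")
        elif (proto, port) in INTERNAL_ONLY and not addr.startswith(LOOPBACK):
            findings.add(f"{proto}/{port} {component}: on {addr}, restrict to internal networks")
    return sorted(findings)

# Constructed sample: sockets on a VM that is meant to run only the edge profile.
SAMPLE = """\
tcp   LISTEN 0      4096         0.0.0.0:8080       0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:8000       0.0.0.0:*
tcp   LISTEN 0      4096            [::]:81            [::]:*
udp   UNCONN 0      0          127.0.0.1:51820      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, "edge")))
```

On a real VM, pass the captured output of `ss -H -tuln` and the profile written to /opt/defguard/active-profiles instead of the sample.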
