OVA
Defguard provides OVA images that can be imported into VMware, Proxmox, or any other solution that supports the standard OVA format. The image is based on Ubuntu 24 and supports configuration via cloud-init. It contains the full Defguard stack (Defguard Core, Edge, Gateway), a database, and a reverse proxy (NPM).
The latest image can be downloaded here: https://defguard-downloads.s3.eu-central-1.amazonaws.com/ova/defguard-latest.ova
Importing the image
After importing the image, make sure to:
Attach an appropriate network interface so the virtual machine can access your network.
If you would like to change default user/password you can do so with cloud-init - if not, default user ubuntu with pass ubuntu will be created.
Setting up Defguard
Once booted, the virtual machine will have all Defguard components pre-configured. To complete the setup, simply visit the Defguard Core dashboard: http://<VM_IP_OR_DOMAIN>:8000. Follow the on-screen wizard to finalize your configuration.
For example setup walkthrough see this guide.
If you would like to setup a reverse-proxy beforhand (which enables automated SSL Certificates with Let's Encrypt), go to this section for more details.
Accessing the VM
You can access the VM using the following default credentials (requires changing after first login):
Login
ubuntu
Password
ubuntu
Verifying the running Defguard stack
When booting the machine for the first time, the whole Defguard stack will be launched using Docker Compose. All Defguard files (Docker compose, environment variables) can be found under the /opt/stacks/defguard/ directory.
To verify that Defguard is running, use the following command inside the VM:
Here is the breakdown of accessible services deployed on the VM:
Core
8000
HTTP (web dashboard)
Edge
8080
HTTP (enrollment portal)
Gateway
51820
UDP (VPN port)
Nginx Proxy Manager
80, 443, 81
HTTP(S) and the management dashboard on port 81
Getting logs
You can access all components logs by remote access via SSH and in the Dockage UI.
Accessing logs via SSH
To access logs for all components access the VM via SSH (see above) and:
Accessing logs via Dockage
Enable Dockage (see chapter below).
Choose "defguard" in the left menu.
Go to the UI to the "Terminal" section:
Setting up a reverse proxy
Defguard has a built in SSL termination and can automatically obtain certificates from https://letsencrypt.org/ (or issue own certificates from our CA) - but deploying a Reverse Proxy is always recommended.
Setting up a reverse proxy will require you to prepare two domains: one for Defguard Core (internal), one for Defguard Edge (public)
To configure the reverse proxy, register an account in the NPM dashboard, accessible via http://<VM_IP_OR_DOMAIN>:81.
After creating your account, go to Proxy Hosts and configure the proxy for Core and Edge:
This will allow you to access Core and Edge via your respective domains, using the standard HTTP/HTTPS ports. We also recommend setting up SSL. Please make sure you don't expose Defguard Core publicly. See Architecture for details.
Managing and updating containers
By default the docker compose config included by the OVA uses a floating Docker image tag pinned to the latest stable major version, for example 2.
This means that updating the containers like described below will fetch the latest release matching this major version, for example 2.1.2, 2.3.1 or whatever is the latest release at the given time.
If you'd like to explicitly control the component versions see the instructions below.
Containers can be updated using the following commands in the /opt/stacks/defguard directory:
This can also be achieved without accessing the VM using the Dockge dashboard, refer to this section for more information.
Using specific image tags
If you'd like to manually set the specific Docker image tags used by each component you can edit the .env file found in /opt/stacks/defguard and update the following environment variables:
Then use the same docker compose command as above to update the running containers.
Cloud-Init options
Selecting what components to run (Proxmox)
As mentioned previously, the VM starts the full stack by default. If you would like to separate the components (which is the recommended way of deploying Defguard), you can use custom cloud-init configuration to specify which component to run for a given VM instance.
Create the following snippet. The content can be core, edge, or gateway:
In Proxmox, save the snippet to (or your selected snippet directory, if you are using a non-standard one):
Then attach it to the VM on which you want to run the selected Defguard component:
Next, boot the VM. Now, only the selected component should run.
Here is the full breakdown of what runs for each profile:
core
Core, database, NPM
edge
Edge, NPM
gateway
Gateway
Using different solution that Proxmox will require creating a custom cloud-init that will write one of the profiles above to the /opt/defguard/active-profiles file.
Dockge
You can additionally enable Dockge to easily manage and update all Defguard containers. To do so, add the following to your cloud-init snippet (this was explained more in-depth in the Selecting what components to run (Proxmox) section):
After the virtual machine starts, Dockge dashboard should be available at http://<VM_IP_OR_DOMAIN>:5001 . Access it in order to create a Dockge admin account.
Updating containers with Dockge
If you've enabled Dockge you can use it to update the running containers by opening the dashboard, selecting the defguard stack and clicking Update:
To set a specific Docker image tag you can instead click the Edit button, then scroll down to the .env section and edit the highlighted environment variables:
Once the variables are set you can scroll back up and click the Deploy button:
Was this helpful?