One-line install script

Welcome to getting started with Defguard. This section guides you through setting up a simplified Defguard instance so you can get familiar with its features.

The instance deployed by the script serves as a starting point and makes some tradeoffs to enable automated setup. In general, it is not recommended for production. We strongly encourage you to customize it for your infrastructure using more advanced deployment strategies.

To simplify setup and enable automated deployment, we prepared a script that deploys a complete Defguard instance, including an enrollment Edge component and VPN Gateway.

The command will automatically provision all Defguard components and perform an initial configuration. Once complete, a step-by-step wizard will guide you through the remaining setup in your browser.

Use one of the following commands to run the script:

Production Release (most stable)

Pre-release (latest alpha/beta/release candidate)

If you used the installation script before and would like to upgrade to the pre-release version, you can update your .env file. It should be located next to the docker-compose.yml file created by the script:

Running docker compose down and docker compose up -d afterwards should pull the correct images.

Latest development builds

If you used the installation script before and would like to upgrade to the development version, you can update your .env file. It should be located next to the docker-compose.yml file created by the script:

Running docker compose down and docker compose up -d afterwards should pull the correct images.

After the script finishes, open the displayed URL in your browser and continue with the provided instructions.

If you feel uneasy about running a shell script from the internet, inspect the source code first.

The script does the following:

  • Prepares a Docker Compose file

  • Automatically generates an .env file for the compose stack

  • Creates a .volumes directory for persistent storage

  • Automatically adopts all Defguard components (Edge and Gateway)

  • Starts the compose stack

By default, the script enables masquerade on the Gateway container. This allows all traffic coming through the VPN to leave the container and reach any destination accessible from the host system. To disable this behavior, use the relevant configuration option or set up proper ACL/firewall rules.

Prerequisites

The script requires specific tools and a few infrastructure settings.

Tools

  • bash

  • openssl

  • curl

  • sed

  • grep

  • docker - we recommend official Docker Engine packages rather than packages shipped with distributions

  • docker-compose - not required if you use Docker 20.10+ with the docker compose command

Environment setup and securing access

  • A server with a public IP address, if you want Defguard to provision HTTPS certificates with Let's Encrypt

  • A public domain/DNS record for Defguard Edge

  • An internal domain/DNS record for Defguard Core

  • Permission for Docker to bind to host ports 80 and 443. Sometimes this requires setting the net.ipv4.ip_unprivileged_port_start sysctl variable to 80

  • Firewall rules:

    • Allow incoming traffic on the VPN UDP port chosen during the web wizard

    • Allow incoming traffic on one of the following ports:

      • If you chose NOT to provision HTTPS: TCP 8080

      • If you chose to provision HTTPS using self-signed certificates or your own uploaded certificates: TCP 443

      • If you chose to provision HTTPS using Let's Encrypt: TCP 443 and TCP 80 (required for domain validation)
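A preflight check for the tools, the port-binding sysctl and the firewall ports listed above, as an added example that is not part of the Defguard install script. The function names and the HTTPS mode keywords (none, selfsigned, custom, letsencrypt) are assumptions made for this example, not options of the script.

```shell
#!/bin/sh
# Added example: preflight check for the prerequisites listed on this page.
# Function names and mode keywords are hypothetical, not Defguard options.

# Print each tool from the argument list that is not found on PATH.
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
}

# Succeed if either Compose form from the prerequisites is available.
have_compose() {
    docker compose version >/dev/null 2>&1 || command -v docker-compose >/dev/null 2>&1
}

# Map the HTTPS choice to the inbound TCP ports the firewall must allow.
required_tcp_ports() {
    case "$1" in
        none)              echo "8080" ;;
        selfsigned|custom) echo "443" ;;
        letsencrypt)       echo "443 80" ;;   # 80 is needed for domain validation
        *)                 return 2 ;;
    esac
}

# Succeed if this ip_unprivileged_port_start value lets non-root bind port 80.
low_ports_bindable() {
    [ "$1" -le 80 ]
}

# Run every check for the given HTTPS mode; non-zero exit if a tool is missing.
preflight() {
    rc=0
    ports=$(required_tcp_ports "$1") || { echo "unknown HTTPS mode: $1" >&2; return 2; }
    missing=$(missing_tools bash openssl curl sed grep docker)
    [ -z "$missing" ] || { echo "missing tools:" $missing >&2; rc=1; }
    have_compose || { echo "no 'docker compose' or docker-compose found" >&2; rc=1; }
    start=$(sysctl -n net.ipv4.ip_unprivileged_port_start 2>/dev/null) || start=""
    if [ -n "$start" ] && ! low_ports_bindable "$start"; then
        echo "note: unprivileged ports start at $start; a non-root Docker cannot bind 80/443" >&2
    fi
    echo "allow inbound TCP: $ports (plus the VPN UDP port chosen in the wizard)"
    return "$rc"
}

# Run only when an HTTPS mode is given, e.g.: sh preflight.sh letsencrypt
if [ $# -gt 0 ]; then preflight "$1"; fi
```

Opening only the ports printed for the chosen mode keeps TCP 80 and 8080 closed when they are not needed.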

CLI options

Advanced deployment strategies

For more advanced deployment strategies, go to our deployment strategies section.
