defguard
  • Welcome
  • Getting help
  • About
    • About defguard
    • Features overview
  • Getting started
    • One-line install script
  • Admin Features
    • Overview
    • Zero-Trust VPN with 2FA/MFA
      • Create/manage VPN Location
      • Network overview
      • Executing custom gateway commands
      • Multi-Factor Authentication (MFA/2FA)
        • MFA Architecture
      • Remote desktop client configuration
      • DNS and domains
    • Remote user enrollment
      • User onboarding after enrollment
    • SSO (OpenID Connect)
      • Portainer
      • Grafana setup
      • Proxmox
      • Matrix / Synapse
      • Django
      • MinIO
      • Vault
    • SMTP for email notifications
    • YubiKey Provisioning
    • Webhooks
    • Forward auth
    • SSH Authentication
    • Network devices
    • Activity & Audit logs
    • Gateway notifications
    • New version notifications
  • User features
    • Overwiew
    • Desktop Client
    • CLI Client
    • Configuring VPN
      • Defguard Desktop Client
        • Update instance
      • Other WireGuard® Clients
        • Configuring a device for new VPN Location manually
    • Password change / Reset
    • Enrollment & Onboarding
      • With internal Defguard SSO
      • With external SSO (Google/Microsoft/Custom)
    • Setting up 2FA/MFA
  • Enterprise Features
    • Overview
    • Enteprise features
      • Automatic (real time) desktop client configuration & sync
      • External OpenID providers
        • Google
        • Microsoft
        • Zitadel
        • Keycloak
        • JumpCloud
        • Okta
        • Custom
      • External OIDC secure enrollment
      • VPN & Client behavior customization
      • Access Control List
        • ACL Aliases
        • Implementation Details
      • Audit Log Streaming to SIEM systems
        • Supported SIEM systems integrations
          • Vector integration guide
          • Logstash integration guide
      • LDAP and Active Directory integration
        • Configuration
        • Settings table
        • Two-way LDAP and Active Directory synchronization
      • REST API
  • Deployment strategies
    • Prerequisites
    • Standalone package based installation
    • Docker images and tags
    • Docker Compose
    • Kubernetes
    • Terraform
    • High Availability and Failover
    • Upgrading
    • Pre-production and development releases
    • Gateway
      • Running gateway on MikroTik routers
  • Securing gRPC communication
  • OpenID RSA key
  • Health check
  • Configuration
  • Tutorials
    • Step by step setting up a VPN server
      • Adding additional VPN locations
  • In depth
    • Architecture
      • How do VPN statistics work
      • Security concepts
    • Roadmap
    • Release cycle
  • For Developers
    • Contributing
    • Environment setup
      • Translations (core/web)
        • Switching language
        • Adding translations
      • Translations (client)
        • Adding translations
  • Resources
    • Troubleshooting Guide
      • Sending support information
      • Client Windows installer exit codes
      • Client "All traffic" connection issues
      • WebAuthn security keys
Powered by GitBook
On this page
  • What is Defguard?
  • Basic security concept
  • Incorporating IdP and VPN in one solution
  • Pentested!

Was this helpful?

Edit on GitHub
  1. About

About defguard

PreviousGetting helpNextFeatures overview

Last updated 11 days ago

Was this helpful?

What is Defguard?

Defguard is a comprehensive Remote Access Management solution incorporating in one solution:

Our primary focus at defguard is on prioritizing security. Then, we aim to make this challenging topic both useful and as easy to navigate as possible.

Having said that, this security platform is for building secure and privacy-aware organizations, as we put great effort not only on functionality but first and foremost on secure code, architecture and testing (application and security).

Basic security concept

The main architecture concept is that all critical data should be in the internal (Intranet) network and not exposed in the public Internet (contrary to typical and common cloud approach) and only services that need to be exposed to the Internet - should be exposed in a controled (DMZ) network segments:

This approach is vastly different from most (if not all) VPN/IdP solutions, which are a simple or monolithic applications focus on functionalities and most of the time is publicly available in the Internet for any attacker to exploit.

Of course you can deploy defguard in a typical scenario (all services on one server and even all publicly available) - but that should be for you to decide!

Incorporating IdP and VPN in one solution

Incorporating IDM, ALM, VPN has also other advantages:

  2. Your organization may use just one account (login) for access control to all your applications as well as VPN.

  3. It simplifies deployment, maintenance, audits.

Pentested!

True Zero-Trust ,

Identity Management with ,

Account Lifecycle management with .

Defguard is a true Zero-Trust , as each connection requires MFA (and not only when logging in into the client application like other solutions):

Internal IdP with 2FA/MFA enables us to provide - and not like most applications just 2FA when opening the app (and not during the connection process). Even if you use (Google/Microsoft/Custom - which defguard supports), we still use our internal IdP for 2FA/MFA.

More about .

Checked by professional security researchers (see )

WireGuard® VPN with 2FA/Multi-Factor Authentication
SSO based on OpenID Identity Provider
secure remote account onboarding
WireGuard® VPN with 2FA/Multi-Factor Authentication
real VPN 2FA/MFA
external OIDC
defguard's architecture and security can be found here
comprehensive security report
Internet, DMZ & Internal network segments