Features overview

Remote Access with WireGuard® VPN 2FA/MFA:

• Multi-Factor Authentication using our desktop client

• Multiple VPN Locations (networks/sites) - with defined access (all users or only Admin group)

• Multiple Gateways for each VPN Location (high availability/failover) - supported on a cluster of routers/firewalls for Linux, FreeBSD/PFSense/OPNSense

• Import your current WireGuard server configuration (with a wizard!)

• Easy device setup by users themselves (self-service)

• Automatic IP allocation

• Kernel (Linux, FreeBSD/OPNSense/PFSense) & userspace WireGuard support

• Dashboard and statistics overview of connected users/devices for admins

Defguard is not an official WireGuard project, and WireGuard is a registered trademark of Jason A. Donenfeld.

Activity & Audit Logs

• User event logging with detailed metadata

• Advanced filtering and search by user, module, event type and time range

• Role-based visibility - users can see only their events

• Grouped logs by modules (Defguard, enrollment, VPN)

• Real-time log streaming to SIEM tools (Enterprise feature)

OpenID Connect

• Defguard is an internal OIDC provider for Single Sign-On.

• Supports external OpenID providers for user authentication.

Access Control List

• Access rules for VPN locations

• Allow or deny access based on users or groups

• Changes are applied in real time

Identity Management:

• OpenID Connect based SSO

• External OpenID providers for login/account creation (Google/Microsoft/Custom)

• LDAP (tested on OpenLDAP) synchronization

• Nice UI to manage users

• Users self-service (besides typical data management, users can revoke access to granted apps, MFA, WireGuard, etc.)

Multi-Factor/2FA Authentication

• Time-based One-Time Password Algorithm (TOTP - e.g. Google Authenticator)

• WebAuthn / FIDO2 - for hardware key authentication support (e.g. YubiKey, Face ID, Touch ID, ...)

• Email tokens

Account Lifecycle Management:

• Secure remote (over the internet) user enrollment

• User onboarding after enrollment

• Self-service for password reset

Notifications

• Email notifications via SMTP

• Gateway disconnect/reconnect notifications

• New version notifications

YubiKey Provisioning

YubiKey hardware keys provisioning for users with one click

Integrations

Webhooks & REST API

Build with Rust for portability, security, and speed