Features overview

Defguard combines secure remote access, modern identity management, and powerful integrations - all in one open-source platform. Below you’ll find an overview of its main capabilities, designed for both administrators and end users.

🌐 Remote Access with WireGuard® VPN + 2FA/MFA

Secure, high-performance VPN built on WireGuard® protocol, enhanced with real multi-factor authentication.

Multi-Factor Authentication using our desktop client
Multiple VPN Locations (networks/sites) - define access for all users or selected admin groups
Multiple Gateways per VPN Location with high availability/failover
Import your existing WireGuard configuration easily with a guided wizard
Self-service device setup - users can add their devices on their own
Automatic IP allocation for connected devices
Kernel (Linux, FreeBSD/OPNSense/PFSense) & userspace WireGuard support
Dashboard & statistics for admins - track users and connections

💻 Desktop, 📱 Mobile & 🧰 CLI Clients

Defguard provides modern, easy-to-use clients for every platform - giving users secure, MFA-protected VPN access wherever they work.

Desktop Client - available for Windows, macOS, and Linux
- Enables direct VPN connection using MFA/2FA
- One-click enrollment via secure deep links received from the administrator
Mobile Apps - available for Android and iOS
- Connect securely to the Defguard VPN using multi-factor authentication
- Includes an additional biometric factor (Face ID / Touch ID) for MFA confirmation
- Allows fast approval of authentication requests directly from the phone
CLI Client - lightweight and script-friendly tool for Linux
- Provides full VPN control via terminal
- Ideal for automation, servers, or advanced users preferring CLI workflows

🔑 Multi-Factor/2FA Authentication

Add another layer of protection to user accounts.

Time-based One-Time Password (TOTP) - compatible with Google Authenticator, Authy, etc.
WebAuthn / FIDO2 - hardware keys, Face ID, Touch ID, and other authenticators
Email tokens as an additional authentication method
Biometric verification via the mobile app - use your device’s built-in Face ID or fingerprint sensor to confirm login or VPN access

👤 Identity Management

Manage your users and their access in one place.

OpenID Connect based SSO
External OpenID providers for login/account creation (Google/Microsoft/Custom)
LDAP and Active Directory integration
Simple, modern UI for managing users
User self-service - manage data, revoke app access, reset MFA, control WireGuard devices

🧭 Account Lifecycle Management

Automated, secure, and user-friendly onboarding.

Secure remote (over the Internet) user enrollment
User onboarding after enrollment
Self-service password reset

🧱 Access Control List

Granular, instant control over VPN access.

Access rules per VPN location
Allow or deny access based on users or groups
Changes are applied in real time

🔐 OpenID Connect

Defguard acts as your internal OIDC provider - giving you full control over identity and SSO.

Defguard is an internal OIDC provider for Single Sign-On
Supports external OpenID providers for authentication

🧾 Activity & Audit Logs

Monitor and understand what’s happening across your system with detailed, searchable logs.

User event logging with complete metadata
Advanced filtering by user, module, event type, or time range
Role-based visibility - users only see their own events
Logs grouped by module (Defguard, enrollment, VPN)
Real-time log streaming to SIEM tools (Enterprise feature)

📬 Notifications

Stay in the loop with real-time notifications.

🛡️ YubiKey Provisioning

Easily create and populate the SSH and GPG/OpenPGP keys on a YubiKey hardware key.

YubiKey hardware keys provisioning for users with one click

🔗 Integrations

Easily connect Defguard with your existing systems.

Webhooks for automation
REST API for integrations and scripting

⚙️ Built with Rust

Built in Rust - delivering portability, security, and speed from the ground up.

PreviousAbout Defguard NextOne-line install script

Last updated 14 days ago

Was this helpful?