Create/manage VPN Location


Last updated 10 days ago


A VPN location is a VPN network to which users can connect. Every location has a dedicated gateway (or multiple gateways if you deploy a high-availability solution).

Defguard supports multiple locations; for each location to work you need to configure it and deploy a dedicated gateway.

If you are looking for MFA settings, go here.

When creating a new VPN location you can choose if you want to create it from scratch (Manual Configuration) or import your current WireGuard configuration:

VPN Location settings

The next step is configuring the location settings:

Location name

This name is visible both in the UI and in the desktop client of every user. For example, if you name your location Monaco Office, the desktop client will show:

Gateway VPN IP addresses and masks

By providing the VPN IPs/masks you configure both the VPN internal networks and the VPN server IPs. Every gateway will bind to these addresses, and Defguard will also generate and assign IP addresses for devices in this location from these networks.

This field can contain multiple IP addresses (both IPv4 and IPv6), separated by a comma (e.g. 10.10.20.1/24,fc00::abcd:0:1/96).

Examples

  1. 10.11.0.1/8

    1. internal VPN network will be: 10.11.0.0 with netmask 255.0.0.0

    2. VPN gateway internal IP address will be: 10.11.0.1

  2. 192.168.8.1/24,fc00::1/112

    1. internal VPN networks will be: 192.168.8.0 with netmask 255.255.255.0 and fc00::0 with netmask FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:0000

    2. VPN gateway internal IP addresses will be: 192.168.8.1 and fc00::1

Gateway address

This is the public IP address to which the remote peers/users will connect. This IP address is shared in the configuration for the clients, but defguard gateways do not bind to this address.

Defguard gateways bind to all IP addresses and the port defined below.

This is very handy if you are setting up a high-availability active-active solution with multiple gateways: the public IP then needs to be exposed and controlled by load balancers or any other solution that forwards traffic to the gateways.

Gateway port

Defguard gateways bind to this port, and this port is shared in the configuration with every client.

Allowed IPs

Defines the IP ranges a device is allowed to route or communicate with.

It supports multiple networks separated by commas, e.g. 10.11.1.0/0, 192.168.1.0/24

Right now defguard only manages routing of AllowedIPs (it adds the networks defined in AllowedIPs to the routing table).

DNS

This specifies DNS resolvers and search domains. The supported format is a comma-separated list, e.g.:

IP, IP, search.domain.net, second.search.domain.com
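As an added example (not part of the defguard documentation or code base), the following Python script performs the two parsing steps described above: it turns the "Gateway VPN IP addresses and masks" field into the internal network, its netmask and the gateway's own address, exactly as in the worked examples, and splits the DNS field into resolver IPs and search domains. The network address is computed the standard way, by masking off all host bits; the DNS sample values are constructed.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class VpnNetwork:
    gateway_ip: str  # VPN gateway internal IP address
    network: str     # internal VPN network address
    netmask: str     # dotted-decimal for IPv4, eight full hex groups for IPv6


def parse_gateway_addresses(field: str) -> list[VpnNetwork]:
    """Parse the 'Gateway VPN IP addresses and masks' field, a comma-separated
    list of IPv4/IPv6 addresses with prefix length (e.g. '10.10.20.1/24,fc00::1/112'),
    into the internal network, its netmask and the gateway's own address."""
    networks = []
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing comma or a doubled separator
        iface = ipaddress.ip_interface(item)  # raises ValueError on a malformed entry
        net = iface.network  # host bits masked off, so 10.11.0.1/8 yields 10.0.0.0/8
        if iface.version == 6:
            # write the IPv6 mask as eight full groups, e.g. FFFF:...:FFFF:0000
            netmask = net.netmask.exploded.upper()
        else:
            netmask = str(net.netmask)
        networks.append(VpnNetwork(str(iface.ip), str(net.network_address), netmask))
    return networks


def parse_dns(field: str) -> tuple[list[str], list[str]]:
    """Split the DNS field ('IP, IP, search.domain.net, ...') into
    resolver addresses and search domains; anything that is not an IP
    address is treated as a search domain."""
    resolvers, search_domains = [], []
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            resolvers.append(str(ipaddress.ip_address(item)))
        except ValueError:
            search_domains.append(item)
    return resolvers, search_domains


if __name__ == "__main__":
    for net in parse_gateway_addresses("192.168.8.1/24,fc00::1/112"):
        print(net)
    # constructed sample: two resolvers followed by two search domains
    print(parse_dns("10.10.20.1, 10.10.20.2, search.domain.net, second.search.domain.com"))
```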

Allowed groups

Here you can specify which groups (that is, the users assigned to those groups) have access to this VPN Location.

By default (if no group is chosen) all users have access to this location.

By defining a group, assigning users to that group and then selecting that group (or groups) here, you can restrict access to VPN Locations.

Multi-Factor Authentication for a Location

Require MFA for this location

When this setting is enabled, every connection to this location requires Multi-Factor Authentication.

This feature is only supported in the Defguard Desktop Client.

Each connection in the client:

  1. Will require the user to provide either a TOTP token or an Email code.

  2. After authorization, defguard will perform a key exchange and set up a pre-shared session key unique to this connection.

For this feature to work, the user must configure their TOTP settings in the profile; for Email codes, SMTP settings need to be set up and the user must enable Email tokens in their profile.

Keepalive interval

Configurable time interval (in seconds) used to send periodic packets to ensure that the connection remains active. This is particularly useful in environments like NAT (Network Address Translation) or firewalls that may close idle connections.

Peer disconnect threshold

Since Multi-Factor Authentication (MFA) is used to enforce zero-trust security, a peer (user) that remains inactive for a specified time interval (defined in seconds within the settings) will be disconnected. Additionally, the session configuration will be removed from the gateway. This ensures that when the peer reconnects, they must complete the MFA process again.

The minimum value for this setting is 120 (2 minutes).

The recommended value is more than 300.

If you want "All traffic" to work in the desktop client, you also need to configure MASQUERADE/NAT for the VPN interface.