Network devices


Last updated 4 months ago


Network devices are like regular user devices, but they can only be managed by admins and have access to only one network. They are designed to be used with the Defguard CLI client.

Adding a new network device

To add a new network device, open the network device menu from the menu bar on the left.

While in the network device menu, click the "Add new" button. You will be presented with a popup prompting you to select your method of setting up the network device.

  • Defguard Command Line Client - choose it to automatically configure your device with the Defguard CLI client.

  • Manual WireGuard Client - choose it if you don't want to use the Defguard CLI client. You will need to configure your network device manually with a WireGuard config file.

Using the Defguard CLI client

After selecting the first option you will be presented with the initial setup screen.

Here you can specify the following settings:

  • Device name - the name used to identify the device; keep it unique among network devices. This name is displayed in the network device list.

  • Location - the network to which the device should have access.

  • Assigned IP Address - an automatically suggested IP address; you may change it as needed.

  • Description - a description to help you identify the device; it is displayed in the device list.

Using the Manual WireGuard client

The screen here is similar to that of the CLI client configuration, except for the additional public key field.

The fields are as follows:

  • Device name - the name used to identify the device; keep it unique among network devices. This name is displayed in the network device list.

  • Location - the network to which the device should have access.

  • Assigned IP Address - an automatically suggested IP address; you may change it as needed.

  • Description - a description to help you identify the device; it is displayed in the device list.

If you already have a public key for your device, insert it into the public key field. Otherwise, select the option to generate the key pair.

On the next screen you will be presented with the WireGuard configuration file. Copy it, download it, or scan it to import it into your WireGuard client.

Displaying network device configuration and enrollment token

After you've configured your network device, you can display its enrollment token again by using the following menu:

  • Selecting "Generate auth token" will re-generate the enrollment token and will allow you to enroll your CLI client again. Use it if you want to manually pull the newest network configuration for your client.

  • Selecting the "View config" option will display the WireGuard configuration file (without the private key, as Defguard doesn't store it).
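A pre-import check for the manual WireGuard path, where you may supply your own public key and "View config" shows the file without the private key. This is an added example, not Defguard code: it confirms that the private key placed in the config matches the public key registered for the device. The `YOUR_PRIVATE_KEY` placeholder, the addresses, the endpoint and the function names are assumptions, and the sample key is the RFC 7748 test vector.

```python
import base64

P = 2**255 - 19  # Curve25519 field prime

def x25519_public(private: bytes) -> bytes:
    """Derive the public key with the RFC 7748 ladder (base point u = 9).
    Not constant-time: meant for a local check, not for protocol use."""
    k = int.from_bytes(private, "little")
    k = (k & ~7 & ((1 << 255) - 1)) | (1 << 254)  # standard X25519 clamping
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def check_config(config_text: str, registered_pubkey: str) -> list:
    """Return the problems that stop this config from matching the registered device."""
    private_b64, section = None, ""
    for raw in config_text.splitlines():
        key, _, value = (part.strip() for part in raw.partition("="))
        if key.startswith("["):
            section = key
        elif section == "[Interface]" and key == "PrivateKey":
            private_b64 = value
    if private_b64 is None:
        return ["[Interface] has no PrivateKey line"]
    try:
        private = base64.b64decode(private_b64, validate=True)
    except ValueError:
        return ["PrivateKey is not base64 (placeholder still in place?)"]
    if len(private) != 32:
        return ["PrivateKey does not decode to 32 bytes"]
    if base64.b64encode(x25519_public(private)).decode() != registered_pubkey.strip():
        return ["PrivateKey does not match the public key registered for the device"]
    return []

# Constructed sample: RFC 7748 test key pair, never use it on a real device.
SAMPLE_PRIVATE = base64.b64encode(bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")).decode()
SAMPLE_PUBLIC = base64.b64encode(bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")).decode()
SAMPLE_CONFIG = ("[Interface]\nPrivateKey = YOUR_PRIVATE_KEY\nAddress = 10.0.0.2/24\n"
                 "[Peer]\nPublicKey = <gateway public key>\nEndpoint = vpn.example.com:51820\n")
```

An empty list from `check_config` means the private key in the file corresponds to the public key entered in the public key field.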

After you've finished setting those values, proceed to the next step. You will be presented with an enrollment command. Learn more about further steps from the CLI client documentation.
