Deploying your instance


Last updated 4 months ago


defguard comes with four main components:

  • Core service - main web UI and database

  • Proxy service - used to safely expose a subset of public functionalities

  • VPN gateway server - retrieves configuration from core and configures VPN interfaces on the gateway server

  • Provisioning station - client application which can be started on any PC to auto-generate PGP keys for YubiKey

There is one external component required: PostgreSQL database.

Hardware requirements

All defguard components consume very few resources. All of them are written in Rust and are single binaries. The following minimum setup should be more than enough:

Resource        Minimum requirements
CPU             1 GHz
RAM             2 GB (mostly for PostgreSQL)
Disk            2 GB
Architecture    x86_64, ARM64

Quick start

The easiest way to run your own defguard instance is to use Docker and our one-line install script.

Just run the command below in your shell and follow the prompts:

curl --proto '=https' --tlsv1.2 -sSf -L https://raw.githubusercontent.com/DefGuard/deployment/main/docker-compose/setup.sh -O && bash setup.sh

Manual deployment

If you prefer to configure and deploy defguard manually, see the examples below:

Client services

On initial startup a new admin user will be created with a password which can be configured by the DEFGUARD_DEFAULT_ADMIN_PASSWORD environment variable (by default it's pass123). Use those credentials to log in and start exploring the system.
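
The check below is an added example, not part of the defguard project: a pre-deployment guard for the default admin password described above. It assumes Core's environment is kept in a KEY=VALUE file such as .env; the function names and the 12-character minimum are this example's own choices.

```shell
#!/bin/sh
# Added example: refuse to deploy while the initial admin password is the
# documented default. Assumptions: Core's environment is kept in a KEY=VALUE
# file (e.g. .env); the 12-character minimum is this example's own choice.

VAR=DEFGUARD_DEFAULT_ADMIN_PASSWORD

# Print the value assigned to $VAR in file $1. Commented-out lines are
# ignored; if the variable is assigned twice, the last assignment is used
# (an assumption of this example).
admin_password_from() {
    value=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#export }
        case $line in
            "$VAR"=*) value=${line#"$VAR"=} ;;
        esac
    done < "$1"
    case $value in                      # strip one pair of surrounding quotes
        \"*\") value=${value#\"}; value=${value%\"} ;;
        \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    printf '%s' "$value"
}

# Exit status: 0 ok, 1 unset or empty (unset means the default applies),
# 2 explicitly set to pass123, 3 shorter than MIN_LEN (default 12).
check_admin_password() {
    pw=$(admin_password_from "$1")
    if [ -z "$pw" ]; then
        echo "FAIL: $VAR is unset or empty; the default pass123 would apply" >&2
        return 1
    elif [ "$pw" = "pass123" ]; then
        echo "FAIL: $VAR is set to the documented default" >&2
        return 2
    elif [ "${#pw}" -lt "${MIN_LEN:-12}" ]; then
        echo "FAIL: $VAR is shorter than ${MIN_LEN:-12} characters" >&2
        return 3
    fi
    echo "OK: $VAR is set to a non-default value"
}

# Usage: sh check_admin_password.sh path/to/.env
if [ -n "${1:-}" ]; then check_admin_password "$1"; fi
```

Run it against the environment file before the first start of Core, since the admin user is created with this password on initial startup.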

Tips

Updates

All services within the Defguard architecture can be updated independently, although it's recommended to always use the newest version of each service and to update them all together, to avoid situations such as Core expecting a feature that does not exist in Gateway. Check the GitHub repositories for each service to find their newest releases and release notes.

  • Docker - For Docker and Kubernetes based setups, just change the Docker image version for the service you want to update.

  • Packages (DEB, RPM, etc.) - Currently we don't have a package repository, so to update a service installed as a package you have to download the new version from the service's repository.

GitHub Repositories:

  • Defguard Core

  • Defguard Proxy

  • Defguard Gateway

  • Defguard YubiBridge

Backup

Example database backup:

docker exec {container_name} pg_dump -U {user_name} > {backup_file_name}

Core service is the only service which uses persistent data storage, which is the PostgreSQL database. Every SQL migration is applied automatically when the Core server is brought up, and we try our best not to break anything in the process. It's recommended to back up the database, configuration and Settings (SMTP, Branding) before every update in case of an unexpected failure.

Failover/HA/Clustering

For now the Gateway can be deployed on multiple servers/firewalls/routers for failover and HA - even if the connection to the Core is lost, gateways will operate with their local cache/data and the VPN will keep working. The same works the other way around: if a gateway doesn't work or is not available, other Core features like OpenID will keep working.

To learn more about the Quick start script and its available options, please see the documentation.

See our Configuration document to check everything that can be configured before you start, and learn about our Architecture to see how it works.
