
Gateway


Last updated 4 months ago


If you are looking for gateway High Availability, go to this document.

Pre-requirements

Please remember that one gateway corresponds to one VPN location.

You can also deploy multiple gateways for one location for High Availability.

To deploy the gateway, you need to have Defguard core running, know its gRPC URL (that is, the host/IP where core is running and the gRPC port defined in core by the DEFGUARD_GRPC_PORT configuration variable), and have a token.

Also, if core has a custom SSL CA to secure gRPC communication, you need the CA certificate (more here).

The token can be obtained by going to VPN Locations -> Edit location settings (in the top right corner) -> select the desired location. The right panel describes how to deploy the gateway for the location and lists the gateway authentication token.

Package Install

On the release page, find and download the correct software package for your system (currently DEB, RPM and TXZ are available).

  1. Install the package using the relevant system tools.

    Ubuntu/Debian:

    sudo dpkg -i <path_to_deb_package>

    Fedora/Red Hat Linux/SUSE:

    sudo rpm -i <path_to_rpm_package>

    FreeBSD:

    pkg add <path_to_txz_package>

  2. Fill in the default configuration file (/etc/defguard/gateway.toml) with values corresponding to your Defguard installation (token and gRPC endpoint URL).

  3. Enable and start the systemd service.

    sudo systemctl enable defguard-gateway.service
    sudo systemctl start defguard-gateway.service

Docker-compose

To start your gateway using docker-compose:

We prepared a git repository with a docker-compose configuration. Clone it:

    git clone --recursive https://github.com/DefGuard/deployment.git && cd deployment/gateway

  1. Copy and fill in the .env file:

    cp .env.template .env

  2. Finally, run the service with docker-compose:

    docker-compose up

If everything went well, your Gateway should be connected to Defguard and you can start adding new devices to your network.

OPNsense plugin

To start your gateway as an OPNsense plugin:

On the release page, find and download the OPNsense package, which will be named defguard-gateway_VERSION_x86_64-unknown-opnsense.pkg. This package includes the gateway as well as the OPNsense plugin.

  1. Install the package:

    pkg add <path_to_txz_package>

  2. Refresh your OPNsense UI by running the command below:

    opnsense-patch

  3. Go to your OPNsense UI and navigate to VPN -> Defguard Gateway.

  4. Fill in the form with appropriate values, click Save, then Start/Restart.

You can find a detailed description of all fields here.

If everything went well, your Gateway should be connected to Defguard and you can start adding new devices to your network.

Binary Install

Check out the Gateway releases and download a compatible binary from the GitHub page.

  1. Decompress and move to the bin directory:

    tar xzf ./gateway.tar.gz
    sudo chmod +x gateway
    sudo mv gateway /usr/bin/

  2. Start the gateway:

    gateway -g <CORE_GRPC_URL:GRPC_PORT> -t <DEFGUARD_TOKEN>
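
A pre-flight check for step 2 of Package Install, added here as an example (it is not Defguard's own tooling): it audits the gateway configuration file for access beyond its owner, a missing or placeholder token, and a plaintext gRPC URL. The key names token and grpc_url are assumptions; compare them with the file your package installed.

```shell
#!/bin/sh
# Added example: audit a Defguard gateway config before starting the service.
# Assumption: the TOML keys are named `token` and `grpc_url`.

# Print the quoted value of a top-level TOML key (first match only).
toml_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Print one finding per line; return 0 when the file is clean, 1 otherwise.
audit_gateway_config() {
    cfg=$1
    findings=0
    if [ ! -f "$cfg" ]; then
        echo "missing: $cfg"
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$cfg" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "permissions: file accessible to group/other, run chmod 600 $cfg"
        findings=$((findings + 1))
    fi
    token=$(toml_value "$cfg" token)
    case $token in
        "" | "<"*)
            echo "token: empty or still a placeholder"
            findings=$((findings + 1)) ;;
    esac
    url=$(toml_value "$cfg" grpc_url)
    case $url in
        https://*) ;;
        http://*)
            echo "grpc_url: plaintext http, gRPC traffic to core is unencrypted"
            findings=$((findings + 1)) ;;
        *)
            echo "grpc_url: missing or not an http(s) URL"
            findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# Run against a path given on the command line, e.g. /etc/defguard/gateway.toml
if [ $# -gt 0 ]; then
    audit_gateway_config "$1"
fi
```

The same check applies to the .env file used by the Docker-compose deployment only after adapting the key names, since that file is not TOML.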