One-line install script
Last updated
The instance deployed by the script is meant to serve as a starting point and makes some tradeoffs to enable automated setup. Most importantly, it assumes that your Web UI is publicly reachable (so that Caddy can obtain SSL certificates). In general it is not recommended for production, and we strongly encourage you to customize this setup to fit your own infrastructure.
To simplify the setup and enable automated deployment, we prepared a script which deploys a complete defguard instance, including an enrollment proxy and VPN gateway.
Launching this one command starts an interactive configuration and setup that guides you step by step and deploys a full defguard instance based on a Docker Compose setup:
Just copy and paste this command, and secure the setup afterwards:
If you used the install script before and would like to upgrade to the pre-release version, you can update your .env file (it should be located next to the docker-compose.yml file created by the script) like this:
Downgrading to the production release may not be trivial afterwards because of the changes made to the database during the upgrade.
If you used the install script before and would like to upgrade to the development version, you can update your .env file (it should be located next to the docker-compose.yml file created by the script) like this:
Downgrading to the production release may not be trivial afterwards because of the changes made to the database during the upgrade.
Provided you supply all required configuration options, after the script finishes you should have a fully functional defguard instance with an enrollment proxy and a VPN gateway to which WireGuard clients can connect.
Of course, if you feel (rightly) uneasy about running random shell scripts from the internet, feel free to inspect the source code.
The script does the following:
- reads configuration from environment variables, an .env file or user input
- prepares a docker-compose file
- prepares an .env file for the compose stack
- creates a .volumes directory for persistent storage
- generates secret keys and certificates
- sets up an initial VPN location and VPN gateway
- starts the compose stack
In order to work, the script requires the following tools to be available, and also some infrastructure-level settings (listed below) to be pre-configured.
- bash
- openssl
- curl
- sed
- grep
- docker - we recommend the official Docker Engine packages (not the packages shipped with distributions)
- docker-compose - not necessary with newer Docker versions (20.10+), which include the docker compose command
This setup should be deployed on a bare-metal or virtual (VM) server; it will not run in an LXC container. The following must be in place:
- the server has a public IP address
- public DNS records exist for your chosen domain
- Docker is allowed to bind host ports 80 and 443; sometimes this requires setting the net.ipv4.ip_unprivileged_port_start sysctl variable to 80
- IP forwarding is enabled (sysctl -w net.ipv4.ip_forward=1)
- firewall rules:
  - allow incoming traffic on the chosen WireGuard port and on port 443
  - enable MASQUERADE for VPN traffic (for example iptables -t nat -I POSTROUTING 1 -s {vpn_subnet} -o {internet_interface} -j MASQUERADE)
There are several options that can be configured to customize your defguard instance. They can be provided to the script in the following ways:
- by setting environment variables in your shell
- by providing an .env file in the working directory
- by running the script manually and setting CLI options
- by providing user input
- DEFGUARD_DOMAIN - domain for your defguard web UI (e.g. id.example.com)
- DEFGUARD_ENROLLMENT_DOMAIN - (optional) domain for the enrollment service; if not set, the service will not be deployed
- DEFGUARD_USE_HTTPS - (optional) set to any value if you want Caddy to generate SSL certificates and use HTTPS
- DEFGUARD_VPN_NAME - (optional) name of the initial VPN location to create; if not provided, the script will not set up the VPN gateway
- DEFGUARD_VPN_IP - (optional if VPN name not set) gateway address within the VPN network (e.g. 10.0.50.1/24)
- DEFGUARD_VPN_GATEWAY_IP - (optional if VPN name not set) gateway public IP
- DEFGUARD_VPN_GATEWAY_PORT - (optional if VPN name not set) gateway public port
- CORE_IMAGE_TAG - (optional) tag to use for the defguard Docker image
- PROXY_IMAGE_TAG - (optional) tag to use for the defguard-proxy Docker image
- GATEWAY_IMAGE_TAG - (optional) tag to use for the defguard-gateway Docker image
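As an added example (not the project's own install script), the following hypothetical POSIX shell preflight check enforces the tool, sysctl and configuration-option requirements listed above before anything is deployed; the function names and error messages are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical preflight check for the defguard one-line installer (added
# example, not the project's own script). It enforces the prerequisites and
# configuration rules documented on this page before anything is deployed.

# DEFGUARD_DOMAIN is always required; when DEFGUARD_VPN_NAME is set, the
# DEFGUARD_VPN_IP (CIDR), DEFGUARD_VPN_GATEWAY_IP and DEFGUARD_VPN_GATEWAY_PORT
# values become required too. Returns 0 when valid, 1 otherwise.
validate_config() {
  cfg_ok=0
  [ -n "${DEFGUARD_DOMAIN:-}" ] || { echo "DEFGUARD_DOMAIN is required" >&2; cfg_ok=1; }
  if [ -n "${DEFGUARD_VPN_NAME:-}" ]; then
    for cfg_var in DEFGUARD_VPN_IP DEFGUARD_VPN_GATEWAY_IP DEFGUARD_VPN_GATEWAY_PORT; do
      eval "cfg_val=\${$cfg_var:-}"
      [ -n "$cfg_val" ] || { echo "$cfg_var is required with DEFGUARD_VPN_NAME" >&2; cfg_ok=1; }
    done
    case "${DEFGUARD_VPN_IP:-}" in
      "" | */*) ;;  # empty is reported above; otherwise a prefix length is needed (10.0.50.1/24)
      *) echo "DEFGUARD_VPN_IP must be in CIDR notation" >&2; cfg_ok=1 ;;
    esac
  fi
  return $cfg_ok
}

# Kernel settings the page calls out: IP forwarding on, and (when Docker cannot
# bind 80/443 otherwise) ip_unprivileged_port_start at or below 80. Values are
# passed as arguments so the logic can be exercised without reading /proc.
check_sysctl_values() {
  [ "$1" = "1" ] || { echo "net.ipv4.ip_forward must be 1" >&2; return 1; }
  [ "$2" -le 80 ] || { echo "net.ipv4.ip_unprivileged_port_start must be <= 80" >&2; return 1; }
}

# Tools the installer needs; docker-compose is only needed without the plugin.
check_tools() {
  for tool in bash openssl curl sed grep docker; do
    command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 1; }
  done
  docker compose version >/dev/null 2>&1 || command -v docker-compose >/dev/null 2>&1 \
    || { echo "need the docker compose plugin or docker-compose" >&2; return 1; }
}

# Live host preflight: real sysctl values from /proc plus the config rules.
host_preflight() {
  check_tools || return 1
  check_sysctl_values "$(cat /proc/sys/net/ipv4/ip_forward)" \
    "$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start)" || return 1
  validate_config
}
```

Run host_preflight on the target server before the installer; a non-zero exit with the printed reason tells you which prerequisite from this page is still missing.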
After the installation, please make sure that only the following ports are open on the server firewall:
- HTTPS port for the proxy (and/or the defguard core, if you want it to be public)
- VPN server port (e.g. the WireGuard port)
DO NOT EXPOSE PUBLICLY the gRPC ports of the core, gateway and proxy, which are:
- 50052
- 50055
Also, this setup only provides encryption of the communication between defguard components; if you additionally want the core/proxy and gateway to have authorization, please set up a custom SSL CA.