
Gateway

Last updated 14 days ago

If you are looking for gateway High Availability, go to this document.

Pre-requirements

Please remember that one gateway corresponds to one VPN location.

You can also deploy multiple gateways for one location for High Availability.

To deploy the gateway, you need a running Defguard core, its gRPC URL (the host/IP where core is running and the gRPC port defined in core by the DEFGUARD_GRPC_PORT configuration variable), and a token.

The token can be obtained by going to VPN Locations -> Edit location settings (in the top right corner) -> Select the desired location. The right panel describes how to deploy the gateway for the location and lists the gateway authentication token.

Package Install

On the release page find and download the correct software package for your system (currently DEB, RPM and TXZ are available).

  1. Install the package using the relevant system tools:

    Ubuntu/Debian:

    sudo dpkg -i <path_to_deb_package>

    Fedora/Red Hat Linux/SUSE:

    sudo rpm -i <path_to_rpm_package>

    FreeBSD:

    pkg add <path_to_txz_package>

  2. Fill in the default configuration file (/etc/defguard/gateway.toml) with values corresponding to your Defguard installation (token and gRPC endpoint URL).

  3. Enable and start the systemd service.

    sudo systemctl enable defguard-gateway.service
    sudo systemctl start defguard-gateway.service

Docker Compose

To start Defguard Gateway using Docker Compose:

  1. We prepared a git repository with Docker Compose configuration, clone it:

    git clone --recursive https://github.com/DefGuard/deployment.git && cd deployment/gateway

  2. Copy and fill in the .env file:

    cp .env.template .env

  3. Finally, run the service with Docker Compose:

    docker compose up

If everything went well, Defguard Gateway should be connected to Defguard Core and you can start adding new devices to your network.

OPNsense plugin

OPNsense® is an open source, feature rich firewall and routing platform, offering cutting-edge network protection.

To start Defguard Gateway as an OPNsense plugin:

  1. On the release page find and download the OPNsense package, which will be named defguard-gateway_VERSION_x86_64-unknown-opnsense.pkg. This package includes both Defguard Gateway and the OPNsense plugin.

  2. Install the package:

    pkg add defguard-gateway_VERSION_x86_64-unknown-opnsense.pkg

  3. Refresh your OPNsense UI by running the command below:

    opnsense-patch

  4. Go to your OPNsense UI and navigate to VPN > Defguard Gateway.

  5. Fill out the form with appropriate values, click Save, and then click Start/Restart. You can find a detailed description of all fields here.

If everything went well, Defguard Gateway should be connected to Defguard Core and you can start adding new devices to your network.

See also: how to configure Defguard in OPNsense

Binary Install

  1. Check out the Gateway releases and download a compatible binary from the GitHub page.

  2. Decompress and move to the bin directory:

    tar xzf ./gateway.tar.gz
    sudo chmod +x gateway
    sudo mv gateway /usr/bin/

  3. Start the gateway:

    gateway -g <CORE_GRPC_URL:GRPC_PORT> -t <DEFGUARD_TOKEN>

Also, if core has a custom SSL CA to secure gRPC communication, you need the CA certificate (more here).
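
A pre-flight check for step 2 of the package install, added here as an example (it is not part of the Defguard documentation or code): it verifies that the config file holding the gateway token is readable by its owner only, that the token placeholder was replaced, and that the gRPC URL uses TLS. The key names `token` and `grpc_url` are assumptions; confirm them against the gateway.toml installed on your system.

```shell
#!/bin/sh
# Added example: pre-flight check for the gateway config before starting the service.
# Assumption: the TOML keys are `token` and `grpc_url`; confirm the names against
# the gateway.toml installed by your package.
# Usage (as root): check_gateway_config /etc/defguard/gateway.toml

# Print the quoted value of a top-level `key = "value"` line (first match).
toml_value() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*"\([^"]*\)".*$/\1/p' "$1" | head -n 1
}

# Print one line per problem; return 0 only when none are found.
check_gateway_config() {
    cfg=$1
    problems=0
    [ -f "$cfg" ] || { echo "config file not found: $cfg"; return 2; }

    # The file stores the gateway authentication token: owner-only access.
    mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
    case $mode in
        *00) ;;
        *) echo "mode $mode is too open: chmod 600 $cfg"; problems=1 ;;
    esac

    # An empty value or an unreplaced <placeholder> cannot authenticate.
    token=$(toml_value "$cfg" token)
    case $token in
        ''|'<'*) echo "token is missing or still a placeholder"; problems=1 ;;
    esac

    # Plain http:// leaves gateway-to-core gRPC traffic unencrypted.
    url=$(toml_value "$cfg" grpc_url)
    case $url in
        https://?*) ;;
        http://?*) echo "grpc_url is plaintext: use https (and the CA cert if custom)"; problems=1 ;;
        *) echo "grpc_url is missing or not a URL"; problems=1 ;;
    esac

    return "$problems"
}
```

Run it before `systemctl start defguard-gateway.service`; a non-zero exit status means at least one of the printed problems needs fixing first.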