Hardware, OS, network and firewall recommendations

Before Defguard can be deployed, please get familiar with the following recommendations.

Server & environment requirements

Defguard can be deployed on multiple servers (physical or virtual) or on a single server (which is not recommended).

Recommended setup:

- Dedicated server or virtual machine for Core (control plane). It belongs in the intranet network segment and must not be exposed to the public Internet in any way. Core needs to be reachable from the local (secure) network and from the VPN (so that Defguard itself is accessed securely). Recommended hardware parameters:
  - CPU: min. 1 CPU/vCPU per location, e.g. if Defguard handles 2 VPN locations, min. 2 CPU/vCPU is recommended
  - RAM: min. 1 GB per location
  - Disk: min. 8 GB or more (statistics are gathered and stored here)
- Dedicated server or virtual machine for Proxy (external, public enrollment service). This server/VM needs to be deployed in the DMZ/public/external systems network segment, as this service will be exposed and must be reachable publicly from the Internet. Recommended hardware parameters:
  - CPU: min. 1 CPU/vCPU per location
  - RAM: min. 1 GB
  - Disk: min. 1 GB
- Dedicated server or virtual machine for Gateway. This server/VM needs to be deployed:
  - in the DMZ/public/external systems network segment, as this service will be exposed and must be reachable publicly from the Internet;
  - with access on its internal network interfaces to all network segments that will be exposed to users through the VPN.
  Recommended hardware parameters:
  - CPU: min. 1 CPU/vCPU per location
  - RAM: min. 1 GB
  - Disk: min. 4 GB (mostly for logs)
Operating system and software requirements

Package based installation

Package based installation requires Debian GNU/Linux min. 13.x or Ubuntu Linux min. 24.04.x.

Docker based installation

Docker deployment requires an official Docker Engine installation on the system (not the distribution's own Docker packages).
Network IP & DNS setup

Gateway server (where the WireGuard VPN tunnels themselves are terminated):
- must have a public IP assigned, on which the WireGuard port will be exposed to the Internet
- must have addresses configured on its internal interfaces for all networks that should be reachable from the VPN
- recommended: a public domain assigned to this IP for the VPN server, e.g. vpn.company.com

Proxy (public web service for enrollment & desktop client configuration):
- must have a public IP assigned, on which the enrollment domain will be configured and the HTTPS server exposed
- must have a public enrollment domain assigned to this IP, e.g. enrollment.company.com (or vpn-config.company.com, etc.)

Core & database server:
- should have internal/private IP addresses, reachable only from the intranet and the VPN
- must have an internal domain name assigned in the local network DNS server, e.g. defguard.company.com
Firewall settings

Gateway
- Open the public port you wish the VPN to run on, e.g. 50555 (WireGuard uses UDP).
- Open, on the firewall, local network access from the Gateway server/VM to the Defguard Core gRPC port - more info here: https://docs.defguard.net/deployment-strategies/configuration#grpc-server-configuration

Proxy
- Open the public port 443 on the server (recommended: also accept port 80 and redirect it to 443).
- Open the gRPC port on the internal network, so that Defguard Core can connect to it - more details here: https://docs.defguard.net/1.5/deployment-strategies/configuration#proxy-service

Core
- Open port 443 for the web interface, reachable only from the local network and the VPN.
- Open a gRPC port for the Gateway server to connect to - more info here: https://docs.defguard.net/deployment-strategies/configuration#grpc-server-configuration
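As an added example that is not part of the Defguard documentation or project: a POSIX shell script that prints a default-drop nftables input ruleset for each of the three roles, following the port rules listed above under Firewall settings and the network placement described under Network IP & DNS setup. Only the WireGuard port 50555 comes from this page; every address range, the Gateway and Core addresses and both gRPC ports are assumptions or placeholders that must be replaced with the values from your own configuration (the linked configuration pages are where the gRPC ports are set). The script refuses to emit a ruleset while a gRPC port is still a placeholder.

```shell
#!/bin/sh
# Added example, not Defguard's own tooling: emit an nftables input ruleset for
# one Defguard role (gateway, proxy or core). Values below are placeholders or
# assumptions; override them via the environment before running.

WG_PORT="${WG_PORT:-50555}"                        # public WireGuard UDP port (example value from the page)
CORE_GRPC_PORT="${CORE_GRPC_PORT:-CHANGE_ME}"      # Core gRPC port (placeholder, see linked docs)
PROXY_GRPC_PORT="${PROXY_GRPC_PORT:-CHANGE_ME}"    # Proxy gRPC port (placeholder, see linked docs)
INTRANET="${INTRANET:-10.0.0.0/8}"                 # assumed intranet range
VPN_NET="${VPN_NET:-10.8.0.0/24}"                  # assumed VPN client range
GATEWAY_INT_IP="${GATEWAY_INT_IP:-10.0.1.10}"      # assumed Gateway internal-interface address
CORE_IP="${CORE_IP:-10.0.2.10}"                    # assumed Core address

# Prologue shared by every role: default-drop input, loopback, replies to our
# own outbound connections, and ICMP for path diagnostics.
ruleset_head() {
  printf 'table inet defguard_%s {\n' "$1"
  printf '  chain input {\n'
  printf '    type filter hook input priority 0; policy drop;\n'
  printf '    iif "lo" accept\n'
  printf '    ct state established,related accept\n'
  printf '    ct state invalid drop\n'
  printf '    ip protocol icmp accept\n'
}

ruleset_tail() {
  printf '  }\n}\n'
}

# gen_ruleset ROLE  -> prints the ruleset on stdout, returns 1 on bad input.
gen_ruleset() {
  role="$1"
  case "$CORE_GRPC_PORT$PROXY_GRPC_PORT" in
    *CHANGE_ME*) echo "set CORE_GRPC_PORT and PROXY_GRPC_PORT first" >&2; return 1 ;;
  esac
  case "$role" in
    gateway)
      ruleset_head gateway
      # Only the WireGuard port is reachable from the Internet. The Gateway
      # connects *out* to Core's gRPC port, so no inbound gRPC rule is needed.
      # Forwarding between the WireGuard interface and the internal segments is
      # a separate chain and is not shown here.
      printf '    udp dport %s accept\n' "$WG_PORT"
      ;;
    proxy)
      ruleset_head proxy
      # Public HTTPS; port 80 only so the web server can redirect to 443.
      printf '    tcp dport { 80, 443 } accept\n'
      # Core connects to the Proxy gRPC port from the internal network only.
      printf '    ip saddr %s tcp dport %s accept\n' "$CORE_IP" "$PROXY_GRPC_PORT"
      ;;
    core)
      ruleset_head core
      # Web UI only from the intranet and the VPN, never from the Internet.
      printf '    ip saddr { %s, %s } tcp dport 443 accept\n' "$INTRANET" "$VPN_NET"
      # Gateway connects to Core gRPC from its internal-interface address.
      printf '    ip saddr %s tcp dport %s accept\n' "$GATEWAY_INT_IP" "$CORE_GRPC_PORT"
      ;;
    *)
      echo "unknown role: $role (use gateway, proxy or core)" >&2
      return 1
      ;;
  esac
  ruleset_tail
}

# Usage:  CORE_GRPC_PORT=... PROXY_GRPC_PORT=... sh thisfile.sh
#         gen_ruleset core | sudo nft -c -f -   # syntax check only
#         gen_ruleset core | sudo nft -f -      # load
```

Because the chain policy is drop, add your own management rule (for example SSH from the intranet) before loading the ruleset on a remote host, and check the output with `nft -c -f -` first. The Core ruleset deliberately has no rule that accepts port 443 from an arbitrary source, which is the property the page's "reachable only from the local network and the VPN" requirement describes.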