All release packages are available in the Defguard repository on GitHub on the releases page. The table below summarises the available options (X.Y.Z stands for a version).
Once the package is downloaded, install it using the package tool appropriate for your operating system.
On Debian/Ubuntu:
On Fedora/Red Hat/SUSE:
On FreeBSD:
You can check whether Defguard Gateway has been installed correctly:
Configuration
The Defguard Gateway configuration file should be located at /etc/defguard/gateway.toml. An example configuration file looks as follows:
Service
The Defguard Gateway package automatically installs its service definition. On Linux, it is in /usr/lib/systemd/system/defguard-gateway.service. On BSD, it is in /usr/local/etc/rc.d/defguard-gateway.
On Linux, the service is run as a dedicated defguard user with appropriate capabilities. The user is created automatically on package installation.
On BSD, the service runs as the root user.
If there are changes to the configuration file, the Defguard Gateway service must be restarted.
On Linux:
On BSD:
Logs
On Linux, logs can be viewed using the journalctl command:
# This is an example config file for Defguard Gateway.
# To use it, fill in the actual values for your deployment below.
# Required: use userspace WireGuard implementation
userspace = false
# Required: how often should interface stat updates be sent to Defguard Core (in seconds)
stats_period = 60
# Required: name of WireGuard interface
ifname = "wg0"
# Optional: write PID to this file
# pidfile = "defguard-gateway.pid"
# Required: enable logging to syslog
use_syslog = false
# Required: which syslog facility to use
syslog_facility = "LOG_USER"
# Required: which socket to use for logging
syslog_socket = "/var/run/log"
# Optional: command that will be run before bringing the interface up
# Example: Allow all traffic through WireGuard interface:
#pre_up = "/path/to/iptables -A INPUT -i wg0 -j ACCEPT"
# Example with multiple commands - add them to a shell script:
#pre_up = "/path/to/shell /path/to/script"
# Optional: command that will be run after bringing the interface up
# Example: Add a default route after WireGuard interface is up:
#post_up = "/path/to/ip route add default via 192.168.1.1 dev wg0"
# Optional: command that will be run before bringing the interface down
# Example: Remove WireGuard-related firewall rules before interface is taken down:
#pre_down = "/path/to/iptables -D INPUT -i wg0 -j ACCEPT"
# Optional: command that will be run after bringing the interface down
# Example: Remove the default route after WireGuard interface is down:
#post_down = "/path/to/ip route del default via 192.168.1.1 dev wg0"
# An HTTP port that exposes the REST gateway health status
# STATUS CODES:
# 200 - Gateway is working and is connected to CORE
# 503 - Gateway works but is not connected to CORE
#health_port = 55003
# Optional: enable automatic masquerading of traffic by the firewall
#masquerade = true
# Optional: set the priority of the Defguard forward chain
#fw_priority = 0
systemctl restart defguard-gateway
/usr/local/etc/rc.d/defguard-gateway restart
journalctl -u defguard-gateway.service | tail -n 50
[2024-07-27T16:37:56Z INFO defguard_gateway::gateway] Starting defguard gateway version 0.7.0 with configuration: Config { token: "***", name: Some("Gateway on server X"), grpc_url: "https://my-server.defguard.net:444/", userspace: false, grpc_ca: None, stats_period: 60, ifname: "wg0", pidfile: None, use_syslog: false, syslog_facility: "LOG_USER", syslog_socket: "/var/run/log", config_path: None, pre_up: None, post_up: None, pre_down: None, post_down: None, health_port: None }
[2024-07-27T16:37:56Z INFO defguard_gateway::gateway] gRPC server connection setup done.
[2024-07-27T16:37:56Z INFO defguard_wireguard_rs::wgapi_linux] Creating interface wg0
[2024-07-27T16:37:56Z INFO defguard_wireguard_rs::wgapi_linux] Configuring interface wg0 with config: InterfaceConfiguration { name: "Szczecin", address: "10.22.33.1/24", port: 50051, peers: [], mtu: None, .. }
[2024-07-27T16:37:56Z WARN netlink_packet_route::link::buffer_tool] Specified IFLA_INET6_STATS NLA attribute holds more(most likely new kernel) data which is unknown to netlink-packet-route crate, expecting 288, got 296
[2024-07-27T16:37:56Z WARN netlink_packet_route::link::buffer_tool] Specified IFLA_INET6_STATS NLA attribute holds more(most likely new kernel) data which is unknown to netlink-packet-route crate, expecting 288, got 296
[2024-07-27T16:37:56Z INFO defguard_gateway::gateway] Reconfigured WireGuard interface Szczecin (address: 10.0.0.1/24)
[2024-07-27T16:37:56Z INFO defguard_gateway::gateway] Stats thread spawned.
[2024-07-27T16:37:56Z INFO defguard_gateway::gateway] Connected to defguard gRPC endpoint: https://my-server.defguard.net:444/
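The startup line in the log above prints the effective configuration, so it can be reviewed straight from the journal. The following Python sketch is an added example, not part of Defguard: it parses that line and reports a few review points. The function names, the sample line, and the choice of findings (token not masked as "***", grpc_url not using https, any interface hook command being set) are assumptions made for this example.

```python
import re

# Constructed sample: the startup line format shown in the log excerpt above,
# with hypothetical values (plain-http URL, a pre_up hook) to trigger findings.
SAMPLE = (
    '[2024-07-27T16:37:56Z INFO defguard_gateway::gateway] Starting defguard gateway '
    'version 0.7.0 with configuration: Config { token: "***", '
    'name: Some("Gateway on server X"), grpc_url: "http://core.example.internal:50055/", '
    'userspace: false, grpc_ca: None, stats_period: 60, ifname: "wg0", pidfile: None, '
    'pre_up: Some("/path/to/shell /path/to/script"), post_up: None, pre_down: None, '
    'post_down: None, health_port: Some(55003) }'
)

# One field of Rust's Debug output: key: "str" | Some("str") | Some(bare) | bare
FIELD = re.compile(r'(\w+): (?:Some\()?(?:"((?:[^"\\]|\\.)*)"|([^\s,)}]+))\)?')

def parse_startup_config(line):
    """Return the Config { ... } fields of a startup log line as a dict, or None."""
    m = re.search(r'with configuration: Config \{ (.*) \}\s*$', line)
    if m is None:
        return None  # not a startup line
    fields = {}
    for key, quoted, bare in FIELD.findall(m.group(1)):
        # Quoted values are kept as strings; a bare None becomes Python None.
        fields[key] = quoted if bare == "" else (None if bare == "None" else bare)
    return fields

HOOKS = ("pre_up", "post_up", "pre_down", "post_down")

def audit(fields):
    """Return review findings (assumed checks) for a parsed startup configuration."""
    findings = []
    if fields.get("token") != "***":
        findings.append("token is not masked in the log")
    if not (fields.get("grpc_url") or "").startswith("https://"):
        findings.append("grpc_url is not https")
    for hook in HOOKS:
        # Hooks are commands executed by the service, so list each one for review.
        if fields.get(hook):
            findings.append(f"{hook} runs a command: {fields[hook]}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_startup_config(SAMPLE)):
        print(finding)
```

To run it against a live system, feed it the lines from the journalctl command shown above instead of SAMPLE.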