# Create/Manage VPN Location

A VPN location is a VPN network to which users can connect. Every location has a [dedicated gateway](https://docs.defguard.net/deployment-strategies/gateway) (or [multiple gateways if you deploy a high-availability solution](https://docs.defguard.net/deployment-strategies/high-availability-and-failover#gateway-high-availability)).

{% hint style="success" %}
Defguard supports **multiple locations**; for each location to work, you need to configure it and deploy a dedicated gateway.
{% endhint %}

{% hint style="info" %}
If you are looking for MFA settings, go [here](#multi-factor-authentication-for-a-location).
{% endhint %}

When creating a new VPN location, you can choose if you want to **create it from scratch (Manual Configuration)** or **import your current WireGuard configuration**:

<figure><img src="https://3466771104-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe86iamwJVSYnIRsyVEAV%2Fuploads%2Fgit-blob-8235e63ad9202f685e6b65bfbd059a9fe41c21fb%2FScreenshot%202024-11-21%20at%2014.19.04.png?alt=media" alt=""><figcaption></figcaption></figure>

## VPN Location settings

The next step is configuring the location settings:

<figure><img src="https://3466771104-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe86iamwJVSYnIRsyVEAV%2Fuploads%2Fgit-blob-ee0039a7c500a8058fefb140c8cf20c18307be94%2FScreenshot%202024-11-21%20at%2014.29.53.png?alt=media" alt=""><figcaption></figcaption></figure>

### Location name

This is the name that will be visible both in the UI and in the desktop client for all users. For example, if you name your location *Monaco Office*, the desktop client will show:

<figure><img src="https://3466771104-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe86iamwJVSYnIRsyVEAV%2Fuploads%2Fgit-blob-495af07b501e4ccf243de245ac439880d1c820f8%2FScreenshot%202024-11-21%20at%2014.37.51.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>

### Gateway VPN IP addresses and masks

By providing the VPN IPs/masks, you are configuring both **the VPN internal networks and the VPN server IPs**. Every gateway will bind to these addresses, and Defguard will also generate and assign IP addresses for devices in this location from these networks.

This field can contain multiple IP addresses (both IPv4 and IPv6), separated by a comma (e.g. `10.10.20.1/24,fc00::abcd:0:1/96`).

{% hint style="info" %}
**Dual-stack VPN networks**

Defguard supports dual-stack VPN networks, allowing simultaneous assignment of both IPv4 and IPv6 addresses to clients. Each VPN network can include multiple IPv4 and IPv6 subnets, and connected clients will automatically receive one address from each defined subnet. This enables seamless communication over both IP versions within a single VPN session.
{% endhint %}

{% hint style="warning" %}
Defguard assigns IP addresses to clients by sequentially scanning each defined subnet and selecting the first available address. If no free address is found in any of the configured networks, the client will not receive an IP assignment. In such cases, you’ll need to adjust the network configuration - such as expanding the address pool by decreasing the netmask - to accommodate additional clients.
{% endhint %}

#### Examples

1. `10.11.0.1/8`
   1. internal VPN network will be: `10.11.0.0` with netmask `255.0.0.0`
   2. VPN gateway internal IP address will be: `10.11.0.1`
2. `192.168.8.1/24,fc00::1/112`
   1. internal VPN networks will be: `192.168.8.0` with netmask `255.255.255.0` and `fc00::0` with netmask `FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:0000`
   2. VPN gateway internal IP addresses will be: `192.168.8.1` and `fc00::1`
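The following script is an added example (not Defguard's own code) that parses the comma-separated *Gateway VPN IP addresses and masks* field from the second example above and models the sequential first-free-address assignment described in the warning, including the exhausted-subnet case. It assumes, as the `ipaddress` module does, that the network and broadcast addresses are never handed out.

```python
import ipaddress

# Constructed sample: the dual-stack example from the list above.
GATEWAY_FIELD = "192.168.8.1/24,fc00::1/112"


def parse_gateway_field(value):
    """Parse the comma-separated field into (gateway_ip, network) pairs.

    Each entry such as '192.168.8.1/24' yields both the gateway address
    (192.168.8.1) and the internal VPN network it implies (192.168.8.0/24).
    """
    pairs = []
    for entry in value.split(","):
        iface = ipaddress.ip_interface(entry.strip())  # IPv4 and IPv6 alike
        pairs.append((iface.ip, iface.network))
    return pairs


def next_free_addresses(value, used):
    """Model of the assignment rule: scan each configured subnet in order and
    take the first address that is neither the gateway nor already in use.

    Returns one address per subnet, or None for a subnet that has no free
    address left (that client would receive no assignment for it).
    Assumption: network/broadcast addresses are unusable (hosts() skips them).
    """
    used_set = {ipaddress.ip_address(u) for u in used}
    assigned = []
    for gateway_ip, network in parse_gateway_field(value):
        free = None
        for host in network.hosts():
            if host != gateway_ip and host not in used_set:
                free = host
                break
        assigned.append(free)
    return assigned


if __name__ == "__main__":
    for gateway_ip, network in parse_gateway_field(GATEWAY_FIELD):
        print(f"network {network.network_address} netmask {network.netmask}, gateway {gateway_ip}")
    print(next_free_addresses(GATEWAY_FIELD, ["192.168.8.2", "192.168.8.3"]))
    # A /30 has two usable hosts; with the gateway and one client present,
    # the next client gets None for that subnet.
    print(next_free_addresses("10.0.0.1/30", ["10.0.0.2"]))
```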

### Gateway address

This is the **public IP address** or **DNS domain** to which remote peers/users will connect. This address **will be shared in the configuration** for the clients, but Defguard gateways do **not bind to this address**.

{% hint style="info" %}
**Defguard gateways bind to all IP addresses and the port defined below.**

This is very handy if you are setting up a **high availability active-active** solution with multiple gateways - then this public IP needs to be exposed and controlled by load-balancers or any other solution that forwards traffic to the gateways.
{% endhint %}

{% hint style="success" %}
A DNS domain is **very useful**, for example, if your setup uses Dynamic DNS (DDNS).
{% endhint %}

### Gateway port

Defguard **gateways bind to this port**, and this port is shared in the configuration with every client.

### Allowed IPs

Defines the IP ranges a device is allowed to route or communicate with.

It supports multiple networks separated by a comma, e.g. `10.11.1.0/0, 192.168.1.0/24`

{% hint style="danger" %}
Right now Defguard only manages the routing of Allowed IPs (adding the networks defined in Allowed IPs to the routing table).

If you want *All Traffic* to work in the desktop client, you also need to configure MASQUERADE/NAT for the VPN interface. [Example of that here.](https://docs.defguard.net/tutorials/step-by-step-setting-up-a-vpn-server#enabling-to-access-internet-through-your-vpn)
{% endhint %}

{% hint style="info" %}
**Allowed IPs with exceptions**

If you use broad *Allowed IPs* (for example `0.0.0.0/0`) and want to exclude specific networks, note that WireGuard does not support explicit exclusions. Instead, the allowed range must be split into multiple CIDR blocks that cover everything except the excluded subnets.

To simplify this, you can use an **Allowed IPs calculator** to generate the correct set of CIDR blocks for your intended traffic routing.
{% endhint %}
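Added example (not Defguard's code, and not the Allowed IPs calculator mentioned above): computing the CIDR blocks that cover a broad range such as `0.0.0.0/0` minus the subnets you want to keep off the tunnel, in the comma-separated form the *Allowed IPs* field accepts. The excluded LAN in the sample is constructed.

```python
import ipaddress


def allowed_ips_excluding(allowed, excluded):
    """Return CIDR blocks covering `allowed` minus every network in `excluded`.

    WireGuard has no exclusion syntax, so the hole must be expressed as the
    set of blocks around it. Works for IPv4 and IPv6; an exclusion of the
    other IP version simply does not apply to a block.
    """
    remaining = [ipaddress.ip_network(allowed, strict=False)]
    for excl in excluded:
        excl_net = ipaddress.ip_network(excl, strict=False)
        kept = []
        for net in remaining:
            if net.version != excl_net.version or not net.overlaps(excl_net):
                kept.append(net)                            # disjoint: keep
            elif net.subnet_of(excl_net):
                continue                                    # fully excluded: drop
            else:
                kept.extend(net.address_exclude(excl_net))  # carve the hole out
        remaining = kept
    return sorted(remaining, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def allowed_ips_field(allowed, excluded):
    """Format the blocks as the comma-separated string for the Allowed IPs field."""
    return ",".join(str(n) for n in allowed_ips_excluding(allowed, excluded))


def is_covered(blocks, ip):
    """True if `ip` falls inside any block, i.e. it would be routed via the VPN."""
    addr = ipaddress.ip_address(ip)
    return any(addr in b for b in blocks)


if __name__ == "__main__":
    # Constructed sample: route all IPv4 traffic except the local 192.168.1.0/24 LAN.
    print(allowed_ips_field("0.0.0.0/0", ["192.168.1.0/24"]))
```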

### DNS

This specifies DNS resolvers and search domains. The supported format is a comma-separated list, e.g.:

`IP, IP, search.domain.net, second.search.domain.com`

### Allowed groups

Here, you can specify **which groups (i.e. the users assigned to those groups) have access to this VPN Location.**

{% hint style="warning" %}
By default (if no group is chosen) **all users will have access to this location.**

By defining a group, assigning users to that group and then selecting that group (or groups) here, you can restrict access to VPN Locations.
{% endhint %}

### Multi-Factor Authentication for a Location

#### Require MFA for this location

Enabling this setting makes this location **require Multi-Factor Authentication** on each connection.

{% hint style="danger" %}
This feature is only supported in the [**Defguard Desktop Client**](https://docs.defguard.net/using-defguard-for-end-users/desktop-client).
{% endhint %}

Each connection in the client:

1. Will require the user to provide either a TOTP token or an email code.
2. After authorizing, Defguard will do a key exchange and set up a pre-shared session key unique to this connection.

{% hint style="warning" %}
For this feature to work, the user must have at least one of these methods set up:

1. their [TOTP settings in the profile](https://docs.defguard.net/using-defguard-for-end-users/setting-up-2fa-mfa#one-time-password) configured
2. [SMTP settings set up](https://docs.defguard.net/features/notifications/setting-up-smtp-for-email-notifications) and Email tokens enabled in their profile.
{% endhint %}

#### Keep alive interval

Configurable time interval (in seconds) used to send periodic packets to ensure that the connection remains active. This is particularly useful in environments like NAT (Network Address Translation) or firewalls that may close idle connections.

#### Client disconnect threshold

Since Multi-Factor Authentication (MFA) is used to enforce zero-trust security, a peer (user) that remains inactive for a specified time interval (defined in seconds within the settings) will be disconnected. Additionally, the session configuration will be removed from the gateway. This ensures that when the peer reconnects, they must complete the MFA process again.

{% hint style="warning" %}
The minimum value for this setting is 120 (2 minutes).

A value above 300 is recommended.
{% endhint %}

#### Multi-Factor Authentication with external OIDC/SSO (Google/Microsoft/Okta/...)

{% hint style="info" %}
This feature is currently [available in pre-release](https://docs.defguard.net/deployment-strategies/pre-production-and-development-releases) version 1.5 - please help us test it!
{% endhint %}

For each location, you can choose whether it should use our internal MFA (configured by each user in their own profile) or, if you have an [external OIDC/SSO configured](https://docs.defguard.net/features/external-openid-providers), external MFA:

<figure><img src="https://3466771104-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe86iamwJVSYnIRsyVEAV%2Fuploads%2Fgit-blob-a6da3d4745d77ea02bc0a12deed50a6f184e1d39%2FScreenshot%202025-07-29%20at%2012.12.18.png?alt=media" alt=""><figcaption></figcaption></figure>

When enabled, the desktop client will require the user to authenticate with the configured external OIDC/SSO provider on **each connection**:

<figure><img src="https://3466771104-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fe86iamwJVSYnIRsyVEAV%2Fuploads%2Fgit-blob-ef8e195b45c07c5e81dabafb63c62f9c916b96cf%2FScreenshot%202025-07-29%20at%2012.20.01.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>
