defguard
  • Introduction
  • User documentation (help)
    • Configuring VPN
      • Defguard Desktop Client
        • Update instance
      • Other WireGuard® Clients
        • Configuring manually a device for a new VPN Location
    • Password change / Reset
    • Enrollment & Onboarding
      • With internal Defguard SSO
      • With external SSO (Google/Microsoft/Custom)
    • Setting up 2FA/MFA
    • Desktop Client
    • CLI Client
  • Admin & features
    • Troubleshooting Guide
      • Sending support information
      • Client Windows installer exit codes
    • Deploying your instance
      • Upgrading
      • One-line install script
      • Standalone package based installation
      • Docker images and tags
      • Docker Compose
      • Kubernetes
      • Gateway
        • Running gateway on MikroTik routers
      • Securing gRPC communication
      • OpenID RSA key
      • Configuration
      • Pre-production and development releases
      • High Availability and Failover
      • Health check
    • Features & configuration
      • Zero-Trust VPN with 2FA/MFA
        • Create/manage VPN Location
        • Network overview
        • Executing custom gateway commands
        • Multi-Factor Authentication (MFA/2FA)
          • MFA Architecture
        • Remote desktop client configuration
        • DNS and domains
      • Remote user enrollment
        • User onboarding after enrollment
      • SSO (OpenID Connect)
        • Portainer
        • Grafana setup
        • Proxmox
        • Matrix / Synapse
        • Django
        • MinIO
        • Vault
      • SMTP for email notifications
      • YubiKey Provisioning
      • Webhooks
      • Forward auth
      • SSH Authentication
      • Network devices
      • Gateway notifications
      • New version notifications
  • Enterprise Features
    • License
    • Enteprise features
      • Automatic (real time) desktop client configuration & sync
      • External OpenID providers
        • Google
        • Microsoft
        • Zitadel
        • Keycloak
        • JumpCloud
        • Okta
        • Custom
      • External OIDC secure enrollment
      • VPN & Client behavior customization
      • REST API
      • Access Control List
      • LDAP and Active Directory integration
        • Configuration
        • Settings table
        • Two-way LDAP and Active Directory synchronization
  • Tutorials
    • Step by step setting up a VPN server
      • Adding additional VPN locations
  • In depth
    • Roadmap
    • Architecture
      • How do VPN statistics work
      • Security concepts
  • For Developers
    • Contributing
    • Environment setup
    • Translations (core/web)
      • Switching language
      • Adding translations
  • Translations (client)
    • Adding translations
  • Contact us
    • Community & Support
Powered by GitBook
On this page
  • Downloading
  • Requirements
  • Installation
  • Usage
  • Debugging and troubleshooting

Was this helpful?

Edit on GitHub
  1. User documentation (help)

CLI Client

PreviousDesktop ClientNextTroubleshooting Guide

Last updated 2 months ago

Was this helpful?

Downloading

Latest release page:

Linux (AMD64)

Deb:

RPM:

Binary:

Linux (ARM64)

Deb:

RPM:

Binary:

Requirements

  • Root access on a given machine

  • Defguard proxy running and accessible from the machine the CLI will be installed on

  • resolvconf and ip commands available

Installation

Installation is straightforward. As a root, install it as any other package of a given type (deb/rpm).

Deb archive

apt install ./dg-linux-x86_64-v1.2.0-dg.deb

RPM

rpm -i ./dg-linux-x86_64-v1.2.0-dg.rpm

Post install

After installing the CLI, you should gain access to the dg command and a new dg service should've been created. You can interact with the client using the dg command alone or use the service to run it in background. You can test if the installation succeeded by trying to print the command's help:

dg --help

Usage

Defguard core setup

After you've configured your network device on Defguard core, you will be presented with the following command:

dg enroll -u <ENROLLMENT_URL> -t <TOKEN>

Enrollment

Execute the command obtained in the previous step to configure defguard CLI on the machine of your choice. The enrollment command will pull all the information required to establish a connection from your Defguard instance (through the Defguard proxy, so make sure it can be accessed) and will save it in a configuration file. Run the enroll command only when you need to retrieve your network configuration and apply it to the CLI Client. If you have access to the enterprise features, the CLI should automatically handle this when running.

Connecting

After completing the enrollment, you can connect to the given network by running the following command as root:

dg

After executing the command you should see a message stating that you have been connected to your network of choice.

Automatic config fetching (polling)

If you have access to the enterprise features, CLI will periodically fetch the latest network config and apply it if it has changed. This is useful because when you edit your network configuration in Defguard core, you won't have to manually re-configure every network device.

Running in the background (service)

systemctl start dg

You can configure the service and set the log verbosity by editing /etc/defguard/dg.conf.

Debugging and troubleshooting

It may be easier to identify a problem by passing one of the following flags, which control the logging verbosity level:

--debug 
--verbose

Those flags can be passed to any command to display more detailed information about the given process.

Common issues and messages

Specified IFLA_INET6_STATS NLA attribute holds more(most likely new kernel) data which is unknown to netlink-packet-route crate

This shouldn't affect anything and can be ignored in most cases.

Defguard CLI works only with , so to use it, you will need to first add a new network device. Refer to the network device documentation to learn more.

Copy the command and proceed with .

After installing the CLI, a systemd service will be automatically setup. The service won't be running at first as the manual is needed beforehand. After you've completed the enrollment, you can start the service, e.g. by doing:

https://github.com/DefGuard/client/releases/tag/v1.2.0
https://github.com/DefGuard/client/releases/download/v1.2.0/dg-linux-x86_64-v1.2.0-dg.deb
https://github.com/DefGuard/client/releases/download/v1.2.0/dg-linux-x86_64-v1.2.0-dg.rpm
https://github.com/DefGuard/client/releases/download/v1.2.0/dg-linux-x86_64-v1.2.0-dg.tar.gz
https://github.com/DefGuard/client/releases/download/v1.2.0/dg-linux-aarch64-v1.2.0-dg.deb
https://github.com/DefGuard/client/releases/download/v1.2.0/dg-linux-aarch64-v1.2.0-dg.rpm
https://github.com/DefGuard/client/releases/download/v1.2.0/dg-linux-aarch64-v1.2.0-dg.tar.gz
network devices
enrollment
enrollment