Architecture


Last updated 1 month ago


By design, defguard core (the main component) is meant to be deployed in your secure network segments (reachable only from an internal network or over VPN), while operations that require public access (such as user onboarding, enrollment and password reset) are performed through a secure proxy.

This approach is vastly different from most (if not all) VPN/IdP solutions, which are simple or monolithic applications focused on functionality (generating configs, managing users, etc.) and are, most of the time, publicly reachable from the Internet by any attacker.

If you want full privacy, defguard exposes publicly only the components designed for that purpose:

  • WireGuard® gateway - to enable VPN access

  • Public Proxy for secure remote processes like:

    • User enrollment and onboarding

    • Desktop Client configuration

C4 component model

Below you can see the Defguard architecture in the C4 model, divided into context, containers and components.

Context

Containers

Components

Basics

Core is a Rust web server exposed as a REST API and a gRPC server with TypeScript and Rust clients. It handles the connections to the database, the LDAP server and the gateway, and it also handles user authorization via LDAP accounts. It is configured using environment variables, which you can find here.

Gateway is a small CLI gRPC client written in Rust which sends network statistics to the Core server and applies network configuration changes on messages from Core. Our frontend is a React app written in TypeScript which handles all API calls via the Web UI. See the detailed gRPC docs here.

Example setup flow

After you create your network in the wizard and run the gateway program, Core will message it with the network data. On receiving that data, Gateway sets up your network using WireGuard commands; you can think of it as a wrapper around the WireGuard commands which also sends network information back through gRPC. Once the network is set up, Gateway starts sending your network stats at the period given as an argument on gateway start, or, if none is provided, at the default of 60 seconds. You can see all of your network statistics, connected users, bandwidth and user devices on the overview page.
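To make the Core → Gateway exchange from the Basics and Example setup flow sections concrete, here is an added illustrative model in Rust. It is not defguard's code and not its real gRPC schema: the message shapes, the command translation and the field names are assumptions, and the commands are returned as strings rather than executed.

```rust
// Added illustrative model of the core -> gateway exchange; not defguard's
// real gRPC schema. Struct and field names below are assumptions.
use std::time::Duration;

pub const DEFAULT_STATS_PERIOD_SECS: u64 = 60;

/// Peer entry as core would send it to the gateway (assumed shape).
pub struct Peer { pub pubkey: String, pub allowed_ips: Vec<String> }

/// Network configuration message from core (assumed shape).
pub struct NetworkConfig { pub name: String, pub address: String, pub port: u16, pub peers: Vec<Peer> }

/// Per-peer counters the gateway reports back to core each period (assumed shape).
#[derive(Debug, PartialEq)]
pub struct PeerStats { pub pubkey: String, pub rx_bytes: u64, pub tx_bytes: u64 }

/// Stats period from the optional CLI argument, falling back to the 60 s default.
pub fn stats_period(arg: Option<u64>) -> Duration {
    Duration::from_secs(arg.unwrap_or(DEFAULT_STATS_PERIOD_SECS))
}

/// A WireGuard public key is 32 bytes base64-encoded: 44 chars ending in '='.
/// Rejecting anything else keeps untrusted input out of the commands built below.
pub fn valid_pubkey(k: &str) -> bool {
    k.len() == 44 && k.ends_with('=')
        && k.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'+' || b == b'/' || b == b'=')
}

/// Translate the config into the ip(8)/wg(8) command lines the gateway would run
/// (returned as strings, not executed). Private-key setup is omitted here.
pub fn wireguard_commands(cfg: &NetworkConfig) -> Result<Vec<String>, String> {
    let mut cmds = vec![
        format!("ip link add {} type wireguard", cfg.name),
        format!("ip address add {} dev {}", cfg.address, cfg.name),
        format!("wg set {} listen-port {}", cfg.name, cfg.port),
    ];
    for p in &cfg.peers {
        if !valid_pubkey(&p.pubkey) { return Err(format!("bad peer key: {}", p.pubkey)); }
        cmds.push(format!("wg set {} peer {} allowed-ips {}", cfg.name, p.pubkey, p.allowed_ips.join(",")));
    }
    cmds.push(format!("ip link set up dev {}", cfg.name));
    Ok(cmds)
}

/// Parse `wg show <iface> transfer` output (pubkey, rx, tx; tab-separated) into the stats message.
pub fn parse_transfer(output: &str) -> Vec<PeerStats> {
    output.lines().filter_map(|l| {
        let mut f = l.split('\t');
        Some(PeerStats { pubkey: f.next()?.to_string(), rx_bytes: f.next()?.trim().parse().ok()?, tx_bytes: f.next()?.trim().parse().ok()? })
    }).collect()
}
```

The key check matters because the gateway builds privileged commands from data it receives over gRPC, which is also why the page recommends securing that channel.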
