defguard
  • Welcome
  • Getting help
  • About
    • About defguard
    • Features overview
  • Getting started
    • One-line install script
  • Admin Features
    • Overview
    • Zero-Trust VPN with 2FA/MFA
      • Create/manage VPN Location
      • Network overview
      • Executing custom gateway commands
      • Multi-Factor Authentication (MFA/2FA)
        • MFA Architecture
      • Remote desktop client configuration
      • DNS and domains
    • Remote user enrollment
      • User onboarding after enrollment
    • SSO (OpenID Connect)
      • Portainer
      • Grafana setup
      • Proxmox
      • Matrix / Synapse
      • Django
      • MinIO
      • Vault
    • SMTP for email notifications
    • YubiKey Provisioning
    • Webhooks
    • Forward auth
    • SSH Authentication
    • Network devices
    • Activity & Audit logs
    • Gateway notifications
    • New version notifications
  • User features
    • Overwiew
    • Desktop Client
    • CLI Client
    • Configuring VPN
      • Defguard Desktop Client
        • Update instance
      • Other WireGuard® Clients
        • Configuring a device for new VPN Location manually
    • Password change / Reset
    • Enrollment & Onboarding
      • With internal Defguard SSO
      • With external SSO (Google/Microsoft/Custom)
    • Setting up 2FA/MFA
  • Enterprise Features
    • Overview
    • Enteprise features
      • Automatic (real time) desktop client configuration & sync
      • External OpenID providers
        • Google
        • Microsoft
        • Zitadel
        • Keycloak
        • JumpCloud
        • Okta
        • Custom
      • External OIDC secure enrollment
      • VPN & Client behavior customization
      • Access Control List
        • ACL Aliases
        • Implementation Details
      • Audit Log Streaming to SIEM systems
        • Supported SIEM systems integrations
          • Vector integration guide
          • Logstash integration guide
      • LDAP and Active Directory integration
        • Configuration
        • Settings table
        • Two-way LDAP and Active Directory synchronization
      • REST API
  • Deployment strategies
    • Prerequisites
    • Standalone package based installation
    • Docker images and tags
    • Docker Compose
    • Kubernetes
    • Terraform
    • High Availability and Failover
    • Upgrading
    • Pre-production and development releases
    • Gateway
      • Running gateway on MikroTik routers
  • Securing gRPC communication
  • OpenID RSA key
  • Health check
  • Configuration
  • Tutorials
    • Step by step setting up a VPN server
      • Adding additional VPN locations
  • In depth
    • Architecture
      • How do VPN statistics work
      • Security concepts
    • Roadmap
    • Release cycle
  • For Developers
    • Contributing
    • Environment setup
      • Translations (core/web)
        • Switching language
        • Adding translations
      • Translations (client)
        • Adding translations
  • Resources
    • Troubleshooting Guide
      • Sending support information
      • Client Windows installer exit codes
      • Client "All traffic" connection issues
      • WebAuthn security keys
Powered by GitBook
On this page
  • Introduction
  • Deploying your VPN server
  • Connecting to your VPN using defguard desktop client
  • Adding new location
  • Enabling to access Internet through your VPN
  • Final thoughts

Was this helpful?

Edit on GitHub
  1. Tutorials

Step by step setting up a VPN server

PreviousConfigurationNextAdding additional VPN locations

Last updated 1 month ago

Was this helpful?

Introduction

This tutorial aims to show how quick and easy is to deploy your VPN server using defguard.

This tutorial is also availabe as a video:

We assume you have:

  • a server with a public IP (and you know what that IP address is and to which interface it's assigned) - in this example it's: 185.33.37.51

  • you have a domain name and know how to assign IP and manage subdomains, in our example:

    • defguard main url will be my-server.defguard.net (and the subdomain is pointed to 185.33.37.51)

    • defguard enrollment service that will enable to easy configure Desktop Clients just with one token is: enroll.defguard.net (this subdomain also points to 185.33.37.51)

  • server is Debian/Ubuntu-based

  • If you have a firewall, we assume you have open ports (if not below we will show you how to enable and secure your server):

    • 443 - in order to expose both defguard & enrollemnt service - but also to automatically issue for these domains SSL Certificates (which the installer script does)

    • 50555 - on this port the WireGuard VPN server will be listning for incoming connections from clients

Deploying your VPN server

Deployment is really easy and will be done automatically if you follow these steps.

There are multiple ways to install defguard tailored to your network & infrastructure - in fact, defguard as a VPN server is one of the few to support secure deployments with network segmentation and secure communication, but for the purpose of this tutorial we will do the easiest setup and install all components on this server using docker & docker-compose. The installation process will also automatically configure and deploy all your services and issue SSL certificates.

To do so just execute by root this simple command and follow the instructions:

curl --proto '=https' --tlsv1.2 -sSf -L https://raw.githubusercontent.com/DefGuard/deployment/main/docker-compose/setup.sh -O && bash setup.sh

In this example we are answering the questions with the following answers:

Enter defguard domain [default: ]: my-server.defguard.net
Enter enrollment domain [default: ]: enroll.defguard.net
Use HTTPS [default: false]: true
Enter VPN location name [default: ]: Example
Enter VPN server address and subnet (e.g. 10.0.60.1/24) [default: ]: 10.22.33.1/24
Enter VPN gateway public IP [default: ]: 185.33.37.51
Enter VPN gateway public port [default: ]: 50555

When finished you should see the following message:

defguard setup finished successfully
If your DNS configuration is correct your defguard instance should be available at:

	Web UI: https://my-server.defguard.net
	Enrollment service: https://enroll.defguard.net

You can log into the UI using the default admin user:

	username: admin
	password: bQ63RSp4o5ZAnIkv

And voila! It was that easy!

When you log in to your instance with user admin and the password that was generated for you, you should see that the VPN gateway is connected:

Connecting to your VPN using defguard desktop client

No go to defguard Web UI (in this example: https://my-server.defguard.net) and go to My Profile and click on Add Device:

Then choose Defguard Client Remote Desktop Activation - which will easly configure your Desktop client:

Defguard will show what URL (which is - as you see - your enrollment service URL) and token to paste to your desktop client:

You can easily copy those with buttons provided in defguard, and paste to your desktop client.

In desktop client click on _+ Add instance _ and provide the URL and token:

After that, the client will ask you to name your device (however you like), after that click finish:

The client will instantly show your defguard instance and the VPN (we named Example):

Also, in defguard you should see in your profle, that the client is configured and visible (for now - no details of IPs, etc - will automaticaly show details when you connect with your client):

Now let's click Connect and see if the VPN works, the best way to do so, is to open a terminal app and ping the VPN server address. Also to see nice statistics, choose in the client menu from Grid view (which is nice if you have multiple VPNs) the option Detailed view:

Now let's test if the VPN network is accessible. To do so, let's ping the VPN gateway internal IP: 10.22.33.1

As an administrator, you will probably be happy to see this - defguard VPN dashboard:

This completes your VPN setup - both server and client.

But if you would like to configure your VPN server to allow accessing Internet through the VPN gateway, please read the chaptare below.

Adding new location

Enabling to access Internet through your VPN

The most common purpose to setup your own VPN is to provide you (and your users - defguard supports multiple users!) anonimity and privacy when accessing public internet.

It's great for every day use (if you want to hide your real IP/location) or for example to encrypt all your traffic when your are in a public location - like beeing on Wi-Fi in a coffee shop, hotels, etc. - since most if not all those places do not provide encrypted Wi-Fi (just open hotspots).

So defguard as a VPN service is one thing, but we need to do few commands on the server, to enable routing all traffic through this server and your VPN. For your convenience those we will explain in detail.

First of all we need a simple and easy way to manage firewall. In order to do so on Debian install UFW (it's automatically installed on Ubuntu):

root@server# apt install ufw

Now let's enable on the firewall rules that provide packet forwarding (from your VPN to the Internet and vice versa).

Edit the /etc/default/ufw file to enable default policies for packet forwarding to ACCEPT

root@server:~# vi /etc/default/ufw
# line 19 : change
DEFAULT_FORWARD_POLICY="ACCEPT"

# reload
root@server:~# ufw reload

Edit the /etc/sysctl.conf file to enable pocket forwarding in the kernel:

root@server:~# vi /etc/sysctl.conf
# line 28 : uncomment
net.ipv4.ip_forward=1

# reload settings
root@server:~# sysctl -p

We know that VPN network is 10.22.33.0/24 now we need to be sure what interface has the public IP (in our case: 185.33.37.51) - let's figure it out with this command:

root@server:~# ip a | grep 185.33.37.51
    inet 185.33.37.51/24 brd 185.33.37.255 scope global ens18

So, our public interface is: ens18

Now just add the following to /etc/ufw/before.rules just before the filter rules:

# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward VPN network traffic through ens18 - Change to match your egress interface
-A POSTROUTING -s 10.22.33.0/24 -o ens18 -j MASQUERADE

# don't delete the 'COMMIT' line or these NAT table rules won't
# be processed
COMMIT

Typical ufw configuration is that INPUT traffic is disabled, so we need to open ports for our WEB and WireGuard gateway:

# allow HTTPS to access defguard
root@server# ufw allow https

# allow WireGuard VPN which is on port 50555 with UDP protocol
root@server# ufw allow 50555/udp

# for the time being, you might also consider to allow SSH management
# until you learn how to allow traffic to SSH from VPN
root@server# ufw allow ssh

On Ubuntu, UFW is enabled by default, but on Debian it has to be enabled manually:

root@server# ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

On Ubuntu, we need to reload the configuration:

root@server# ufw reload

Let's check the UFW configuration, should look like this:

root@server# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
50555/udp                  ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
50555/udp (v6)             ALLOW IN    Anywhere (v6)
22/tcp (v6)                ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)

Testing your configuration with defguard client

Defguard is the only (known to us) WireGuard client that during connection provides a choice to route all your traffic through the VPN. Just (before connecting) choose the option: Allow all traffic and click connect!

This is very usefull, since some of the times you just want to be connected to your VPN to have the server/VPN networks accessible, and sometimes (like in the scenarious mentioned before) you want to hide and encrypt your traffic.

Final thoughts

We put a lot! of effort in development, testing and documentation - to make difficult things like security, VPN easy and good looking. So for now, we kindly ask you to:

  • and spread the word about defguard however you like!

have installed the and (from our experience it's better to use the official Docker Engine then docker shipped with distro packages - but this should also work with distro packages) and have

VPN network will be: 10.22.33.0/24 - but you can assign and use it in this tutorial - we will name it Example

Download the latest client from: and install it - which is (during writing this article) version 0.1.1.

If you would like to have multiple VPN locations -

Now we need to configure firewall , so that the server will "translate/masq" VPN traffic behind its public IP. In order to do that, we need to add rules to MASQUERADE VPN network behind the public interface of the sever.

From version 1.3.0, gateway can automatically apply masquerade to traffic on all interfaces without the need for manual configuration. Refer to for details. If you use this feature, you can skip the following manual masquerade setup step.

In order to check if everything works, let's visit a website - that will show our public IP. If everything went smootly, you should see your VPN server public IP (which in our example is: 185.33.37.51):

star us on GitHub:

Thank you from the whole

official Docker Engine
docker-compose
any private network address
https://github.com/DefGuard/client/releases
please read this tutorial how to add another location in this setup.
NAT
https://ifconfig.co
https://github.com/defguard/defguard
defguard team.
Access Control List
defguard live status of WireGuard VPN gateway
Adding a new device/desktop client in defguard user profile
Defguard supports both it's desktop client and configuring any Wireguard Client
Just by simply providing URL & token your client will be automatically configured
Configuring the client with a new instance
Naming your device
Client after succesfully adding a new instance
Defguard showing the newly configured client in user profile
Nice statistics in defguard client
VPN gateway responding to ping after connecting to VPN
defguard VPN dashboard
Choosing to forward all traffic through VPN
Success! Defguard is AWESOME!