OpenID, WireGuard Provider (with 2FA/MFA), management UIs, easy deployment

defguard

In a nutshell, from a functionality point of view, defguard is an **OpenID Identity Provider (SSO for your apps, with some unique features) and WireGuard VPN Service Provider for building secure private networks (road warrior, mesh/peer-to-peer, site-to-site)**.

More broadly, it is a security platform for building secure and privacy-aware organizations, thanks to its secure architecture.

By design, the defguard core is meant to be deployed in your secure network segments (reachable only from the internal network or over the VPN), while operations that require public access (user onboarding, enrollment, password reset, etc.) are handled through a secure proxy.

Read more about this in our documentation.

Implemented & production tested features:

  • OpenID Connect provider - with unique features:
    • Secure remote (over the internet) user enrollment
    • User onboarding after enrollment
    • LDAP (tested on OpenLDAP) synchronization
    • Forward auth for reverse proxies (tested with Traefik and Caddy)
    • Nice UI to manage users
    • User self-service (besides typical data management, users can revoke access granted to apps, MFA, WireGuard, etc.)
  • WireGuard™ VPN management with:
    • Multiple VPN Locations (networks/sites) - with defined access (all users or only the Admin group)
    • Multiple Gateways for each VPN Location (high availability/failover) - supported on a cluster of routers/firewalls for Linux, FreeBSD/pfSense/OPNsense
    • Import your current WireGuard server configuration (with a wizard!)
    • In development: Desktop Clients!
    • Automatic IP allocation
    • Kernel (Linux, FreeBSD/OPNsense/pfSense) & userspace WireGuard support with our Rust library
    • Dashboard and statistics overview of connected users/devices for admins
    • defguard is not an official WireGuard project, and WireGuard is a registered trademark of Jason A. Donenfeld.
  • Multi-Factor/2FA Authentication:
    • Time-based One-Time Password Algorithm (TOTP - e.g. Google Authenticator)
    • WebAuthn / FIDO2 - for hardware key authentication support (e.g. YubiKey, FaceID, TouchID, ...)
    • Web3 - authentication with crypto software and hardware wallets using MetaMask or the Ledger extension
  • One-click YubiKey hardware key provisioning for users
  • Email/SMTP support for notifications, remote enrollment and onboarding
  • Easy support: debug/support information can be sent with one click
  • Webhooks & REST API
  • Web3 wallet validation
  • Built with Rust for portability, security, and speed
  • UI Library - our beautiful React/TypeScript UI is a collection of React components:
    • A set of custom and beautiful components for the layout
    • Responsive Web Design (supporting mobile phones, tablets, etc.)
    • iOS Web App
  • Checked by professional security researchers (see the comprehensive security report)
  • End-to-end tests

A better-quality version of the video can be downloaded here.

Roadmap

A detailed product roadmap can be found here.

Quick start

The easiest way to run your own defguard instance is to use Docker and our one-line install script.

Run the command below in your shell and follow the prompts:

curl --proto '=https' --tlsv1.2 -sSf -L https://raw.githubusercontent.com/DefGuard/deployment/main/docker-compose/setup.sh -O && bash setup.sh

To learn more about the script and its available options, please see the documentation.

Manual deployment examples

Why?

The story and motivation behind defguard can be found here: https://teonite.com/blog/defguard/

Documentation

See the documentation for more information.

Community and Support

Find us on Matrix: #defguard:teonite.com

Contribution

Please review the Contributing guide for information on how to get started contributing to the project. You might also find our environment setup guide handy.

Legal

WireGuard is a registered trademark of Jason A. Donenfeld.