Skip to content
@DefGuard

defguard

Enterprise Open Source SSO & VPN
README.md

defguard is an SSO & VPN Server based on OpenID and Wireguard VPN with unique secure&private architecture for building secure and privacy-aware organizations.

By design defguard core is meant to be deployed in your secure network segments (available only from an internal network or by VPN) and operations that require public access (like user onboarding, enrollment, password reset, etc.) are done using a secure proxy. By design defguard core is meant to be deployed in your secure network segments (available only from an internal network or by VPN) and operations that require public access (like user onboarding, enrollment, password reset, etc.) are done using a secure proxy.

Read more about this in our documentation.

Implemented & production tested features:

  • OpenID Connect provider - with unique features:
    • Secure remote (over the internet) user enrollment
    • User onboarding after enrollment
    • LDAP (tested on OpenLDAP) synchronization
    • nice UI to manage users
    • Users self-service (besides typical data management, users can revoke access to granted apps, MFA, Wireguard, etc.)
  • Wireguard:tm: VPN management with:
    • multiple VPN Locations (networks/sites) - with defined access (all users or only Admin group)
    • multiple Gateways for each VPN Location (high availability/failover) - supported on a cluster of routers/firewalls for Linux, FreeBSD/PFSense/OPNSense
    • import your current WireGuard server configuration (with a wizard!)
    • in-development: Desktop Clients!
    • automatic IP allocation
    • kernel (Linux, FreeBSD/OPNSense/PFSense) & userspace WireGuard support with our Rust library
    • dashboard and statistics overview of connected users/devices for admins
    • defguard is not an official WireGuard project, and WireGuard is a registered trademark of Jason A. Donenfeld.
  • Multi-Factor/2FA Authentication:
    • Time-based One-Time Password Algorithm (TOTP - e.g. Google Authenticator)
    • WebAuthn / FIDO2 - for hardware key authentication support (eg. YubiKey, FaceID, TouchID, ...)
    • Web3 - authentication with crypto software and hardware wallets using Metamask, Ledger Extension
  • Yubikey hardware keys provisioning for users by one click
  • Email/SMTP support for notifications, remote enrollment and onboarding
  • Easy support with sending debug/support information
  • Webhooks & REST API
  • Web3 wallet validation
  • Build with Rust for portability, security, and speed
  • UI Library - our beautiful React/TypeScript UI is a collection of React components:
    • a set of custom and beautiful components for the layout
    • Responsive Web Design (supporting mobile phones, tablets, etc..)
    • iOS Web App
  • Checked by professional security researchers (see comprehensive security report)
  • End2End tests

Pinned

  1. defguard defguard Public

    Enterprise, fast, secure VPN & SSO platform with hardware keys, 2FA/MFA

    TypeScript 658 18

  2. wireguard-rs wireguard-rs Public

    Rust library providing unified WireGuard interface to native/kernel and userspace implementations

    Rust 110 7

  3. client client Public

    Best WireGuard desktop client with Multi-Factor Authentication

    TypeScript 57 9

  4. avanguard avanguard Public

    OpenID Connect Web3 Identity Provider

    Rust 4 1

  5. gateway gateway Public

    Defguard gateway

    Rust 15 1

  6. deployment deployment Public

    Deployment files for defguard service

    Shell 5 4

Repositories

Showing 10 of 16 repositories
View all repositories

People

This organization has no public members. You must be a member to see who’s a part of this organization.