{"id":13815811,"url":"https://github.com/DefGuard/defguard","last_synced_at":"2025-05-15T09:33:59.305Z","repository":{"id":164699510,"uuid":"554110348","full_name":"DefGuard/defguard","owner":"DefGuard","description":"Zero-Trust access management with true WireGuard® 2FA/MFA","archived":false,"fork":false,"pushed_at":"2025-05-13T15:09:19.000Z","size":15658,"stargazers_count":1986,"open_issues_count":115,"forks_count":67,"subscribers_count":18,"default_branch":"main","last_synced_at":"2025-05-14T09:12:36.110Z","etag":null,"topics":["authentication","forwardauth","keycloak","multifactor-authentication","oauth","oauth-provider","oauth2-server","oidc","oidc-provider","openid","openid-connect","openid-connect-provider","openvpn","pritunl","security","vpn","vpn-server","wireguard","wireguard-ui","yubikey"],"latest_commit_sha":null,"homepage":"https://defguard.net","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DefGuard.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"ko_fi":"defguard","custom":["https://paypal.me/defguard"]}},"created_at":"2022-10-19T09:09:46.000Z","updated_at":"2025-05-14T08:13:53.000Z","dependencies_parsed_at":null,"dependency_job_id":"587f6719-f427-49a4-ab4e-381d54124ce0","html_url":"https://github.com/DefGuard/defguard","commit_stats":null,"previous_names":[],"tags_count":75,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DefGuard%2Fdefguard","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DefGuard%2Fdefguard/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DefGuard%2Fdefguard/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DefGuard%2Fdefguard/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DefGuard","download_url":"https://codeload.github.com/DefGuard/defguard/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254314162,"owners_count":22050177,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","forwardauth","keycloak","multifactor-authentication","oauth","oauth-provider","oauth2-server","oidc","oidc-provider","openid","openid-connect","openid-connect-provider","openvpn","pritunl","security","vpn","vpn-server","wireguard","wireguard-ui","yubikey"],"created_at":"2024-08-04T04:04:06.032Z","updated_at":"2025-05-15T09:33:59.294Z","avatar_url":"https://github.com/DefGuard.png","language":"TypeScript","funding_links":["https://ko-fi.com/defguard","https://paypal.me/defguard"],"categories":["Rust","security","TypeScript","vpn","VPN"],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n \u003cp align=\"center\"\u003e\n  Defguard is a \u003cstrong\u003etrue Zero-Trust WireGuard® VPN with 2FA/Multi-Factor Authentication\u003c/strong\u003e, as each connection requires MFA (and not only when logging in into the client application like other solutions)\n  \u003cimg width=\"1096\" alt=\"zero-trust\" src=\"https://github.com/user-attachments/assets/a3bed030-0d82-4f8c-9687-01cc5780eff7\" /\u003e\n  Our primary focus at defguard is on prioritizing security. Then, we aim to make this challenging topic both useful and as easy to navigate as possible.\n\n[Website](https://defguard.net) | [Getting Started](https://docs.defguard.net/#what-is-defguard) | [Features](https://github.com/defguard/defguard#features) | [Roadmap](https://github.com/orgs/defguard/projects/5) | [Support ❤](https://github.com/defguard/defguard#support)\n\n\u003c/div\u003e\n\n### Defguard provides Comprehensive Access Control (a complete security platform):\n\n- **[WireGuard® VPN with 2FA/MFA](https://docs.defguard.net/admin-and-features/wireguard/multi-factor-authentication-mfa-2fa/architecture)** - not 2FA to \"access application\" like most solutions\n    - The only solution with [automatic and real-time synchronization](https://docs.defguard.net/enterprise/automatic-real-time-desktop-client-configuration) for users' desktop client settings (including all VPNs/locations).\n    - Control users [ability to manage devices and VPN options](https://docs.defguard.net/enterprise/behavior-customization)\n- [Integrated SSO based on OpenID Connect](https://docs.defguard.net/admin-and-features/openid-connect): \n    - significant cost saving, simplifying deployment and maintenance\n    - enabling features unavailable to VPN platforms relying upon 3rd party SSO integration\n- Already using Google/Microsoft or other OpenID Provider? - [external OpenID provider support](https://docs.defguard.net/enterprise/external-openid-providers)\n- Only solution with [secure remote user Enrollment \u0026 Onboarding](https://docs.defguard.net/help/enrollment)\n- Yubico YubiKey Hardware [security key management and provisioning](https://docs.defguard.net/admin-and-features/yubikey-provisioning)\n- Secure and robust architecture, featuring components and micro-services seamlessly deployable in diverse network setups (eg. utilizing network segments like Demilitarized Zones, Intranet with no external access, etc), ensuring a secure environment.\n- Enterprise ready (multiple Locations/Gateways/Kubernetes deployment, etc..)\n- Built on WireGuard® protocol which is faster than IPSec, and significantly faster than OpenVPN\n- Built with Rust for speed and security\n\nSee:\n- [full list of features](https://github.com/defguard/defguard#features)\n- [enterprise only features](https://docs.defguard.net/enterprise/all-enteprise-features)\n\n### Defguard makes it easy to manage complex VPN networks in a secure way\n\n\u003cimg width=\"1564\" alt=\"locations-connections\" src=\"https://github.com/user-attachments/assets/f886750b-1d4e-467e-917d-bc19a86e275c\" /\u003e\n\n#### Video introduction\n\nBear in in mind we are no youtubers - just engineers - here is a video introduction to defguard:\n\n\u003cdiv align=\"center\"\u003e\n \u003cp align=\"center\"\u003e\n  \n[![Introduction to defguard](https://img.youtube.com/vi/4PF7edMGBwk/hqdefault.jpg)](https://www.youtube.com/watch?v=4PF7edMGBwk)\n\n\u003c/p\u003e\n\u003c/div\u003e\n\n### Control plane management (this video is few versions behind... - a lot has changed!)\n\n![](https://defguard.net/images/product/core/hero-image.png)\n\n![](https://github.com/DefGuard/docs/blob/docs/screencasts/defguard.gif?raw=true)\n\nBetter quality video can [be viewed here](https://github.com/DefGuard/docs/raw/docs/screencasts/defguard-screencast.mkv)\n\n### Desktop Client with 2FA / MFA (Multi-Factor Authentication)\n\n#### Light\n\n![defguard desktop client](https://defguard.net/images/product/client/main-screen.png)\n\n#### Dark\n\n![defguard WireGuard MFA](https://github.com/DefGuard/docs/blob/docs/releases/0.9/mfa.png?raw=true)\n\n[Desktop client](https://github.com/DefGuard/client):\n\n- **2FA / Multi-Factor Authentication** with TOTP or email based tokens \u0026 WireGuard PSK\n- [automatic and real-time synchronization](https://docs.defguard.net/enterprise/automatic-real-time-desktop-client-configuration) for users' desktop client settings (including all VPNs/locations).\n- Control users [ability to manage devices and VPN options](https://docs.defguard.net/enterprise/behavior-customization)\n- Defguard instances as well as **any WireGuard tunnel** - just import your tunnels - one client for all WireGuard connections\n- Secure and remote user enrollment - setting up password, automatically configuring the client for all VPN Locations/Networks\n- Onboarding - displaying custom onboarding messages, with templates, links ...\n- Ability to route predefined VPN traffic or all traffic (server needs to have NAT configured - in gateway example)\n- Live \u0026 real-time network charts\n- live VPN logs\n- light/dark theme\n\n## Quick start\n\nThe easiest way to run your own defguard instance is to use Docker and our [one-line install script](https://docs.defguard.net/features/setting-up-your-instance/one-line-install).\nJust run the command below in your shell and follow the prompts:\n\n```bash\ncurl --proto '=https' --tlsv1.2 -sSf -L https://raw.githubusercontent.com/DefGuard/deployment/main/docker-compose/setup.sh -O \u0026\u0026 bash setup.sh\n```\n\nHere is a step-by-step video about this process:\n\n\u003cdiv align=\"center\"\u003e\n \u003cp align=\"center\"\u003e\n  \n[![Quickly deploy defguard](https://img.youtube.com/vi/MqlE6ZTn0bg/hqdefault.jpg)](https://www.youtube.com/watch?v=MqlE6ZTn0bg)\n\n\u003c/p\u003e\n\u003c/div\u003e\n\nTo learn more about the script and available options please see the [documentation](https://docs.defguard.net/features/setting-up-your-instance/one-line-install).\n\n### Setup a VPN server in under 5 minutes !?\n\nJust follow [this tutorial](http://bit.ly/defguard-setup)\n\n## Manual deployment examples\n\n- [Standalone system package based install](https://docs.defguard.net/admin-and-features/setting-up-your-instance/standalone-package-based-installation)\n- Using [Docker Compose](https://docs.defguard.net/features/setting-up-your-instance/docker-compose)\n- Using [Kubernetes](https://docs.defguard.net/features/setting-up-your-instance/kubernetes)\n\n## Roadmap \u0026 Development backlog\n\n[A detailed product roadmap and development status can be found here](https://github.com/orgs/DefGuard/projects/5/views/1)\n\n### ⛑️ Want to help? ⛑️\n\nHere is a [dedicated view for **good first bugs**](https://github.com/orgs/DefGuard/projects/5/views/5)\n\n## Why?\n\nThe story and motivation behind defguard [can be found here: https://teonite.com/blog/defguard/](https://teonite.com/blog/defguard/)\n\n## Features\n\n* Remote Access: [WireGuard® VPN](https://www.wireguard.com/) server with:\n  - [Multi-Factor Authentication](https://docs.defguard.net/help/desktop-client/multi-factor-authentication-mfa-2fa) with TOTP/Email \u0026 Pre-Shared Session Keys\n  - multiple VPN Locations (networks/sites) - with defined access (all users or only Admin group)\n  - multiple [Gateways](https://github.com/DefGuard/gateway) for each VPN Location (**high availability/failover**) - supported on a cluster of routers/firewalls for Linux, FreeBSD/PFSense/OPNSense\n  - **import your current WireGuard® server configuration (with a wizard!)**\n  - **most beautiful [Desktop Client!](https://github.com/defguard/client)** (in our opinion ;-))\n  - automatic IP allocation\n  - [automatic and real-time synchronization](https://docs.defguard.net/enterprise/automatic-real-time-desktop-client-configuration) for users' desktop client settings (including all VPNs/locations).\n  - control users [ability to manage devices and VPN options](https://docs.defguard.net/enterprise/behavior-customization)\n  - kernel (Linux, FreeBSD/OPNSense/PFSense) \u0026 userspace WireGuard® support with [our Rust library](https://github.com/defguard/wireguard-rs)\n  - dashboard and statistics overview of connected users/devices for admins\n  - *defguard is not an official WireGuard® project, and WireGuard is a registered trademark of Jason A. Donenfeld.*\n* Identity \u0026 Account Management:\n  - SSO based on OpenID Connect](https://openid.net/developers/how-connect-works/)\n  - External SSO: [external OpenID provider support](https://docs.defguard.net/enterprise/external-openid-providers)\n  - [Multi-Factor/2FA](https://en.wikipedia.org/wiki/Multi-factor_authentication) Authentication:\n   - [Time-based One-Time Password Algorithm](https://en.wikipedia.org/wiki/Time-based_one-time_password) (TOTP - e.g. Google Authenticator)\n   - WebAuthn / FIDO2 - for hardware key authentication support (eg. YubiKey, FaceID, TouchID, ...)\n   - Email based TOTP\n  - LDAP (tested on [OpenLDAP](https://www.openldap.org/)) synchronization\n  - [forward auth](https://docs.defguard.net/features/forward-auth) for reverse proxies (tested with Traefik and Caddy)\n  - nice UI to manage users\n  - Users **self-service** (besides typical data management, users can revoke access to granted apps, MFA, WireGuard®, etc.)\n* Account Lifecycle Management:\n  - Secure remote (over the Internet) [user enrollment](https://docs.defguard.net/help/remote-user-enrollment) - on public web / Desktop Client\n  - User [onboarding after enrollment](https://docs.defguard.net/help/remote-user-enrollment/user-onboarding-after-enrollment)\n* SSH \u0026 GPG public key management in user profile - with [SSH keys authentication for servers](https://docs.defguard.net/admin-and-features/ssh-authentication)\n* [Yubikey hardware keys](https://www.yubico.com/) provisioning for users by *one click*\n* [Email/SMTP support](https://docs.defguard.net/help/setting-up-smtp-for-email-notifications) for notifications, remote enrollment and onboarding\n* Easy support with [sending debug/support information](https://docs.defguard.net/help/sending-support-info)\n* Webhooks \u0026 REST API\n* Built with [Rust](https://www.rust-lang.org/) for portability, security, and speed\n* [UI Library](https://github.com/defguard/ui) - our beautiful React/TypeScript UI is a collection of React components:\n  - a set of custom and beautiful components for the layout\n  - Responsive Web Design (supporting mobile phones, tablets, etc..)\n  - [iOS Web App](https://www.macrumors.com/how-to/use-web-apps-iphone-ipad/)\n* **Checked by professional security researchers** (see [comprehensive security report](https://defguard.net/pdf/isec-defguard.pdf))\n* End2End tests\n\n## Documentation\n\nSee the [documentation](https://docs.defguard.net/) for more information.\n\n## Community and Support\n\nFind us on Matrix: [#defguard:teonite.com](https://matrix.to/#/#defguard:teonite.com)\n\n## License\n\nThe code in this repository is available under a dual licensing model:\n\n1. Open Source License: The code, except for the contents of the \"src/enterprise\" directory, is licensed under the AGPL license (see file LICENSE.md in this repository). This applies to the open core components of the software.\n2. Enterprise License: All code in this repository (including within the \"src/enterprise\" directory) is licensed under a separate Enterprise License (see file src/enterprise/LICENSE.md).\n\n## Contributions\n\nPlease review the [Contributing guide](https://docs.defguard.net/for-developers/contributing) for information on how to get started contributing to the project. You might also find our [environment setup guide](https://docs.defguard.net/for-developers/dev-env-setup) handy.\n\n# Built and sponsored by\n\n\u003cp align=\"center\"\u003e\n      \u003ca href=\"https://teonite.com/services/rust/\" target=\"_blank\"\u003e\u003cimg src=\"https://drive.google.com/uc?export=view\u0026id=1z0fxSsZztoaeVWxHw2MbPbuOHMe3OsqN\" alt=\"built by teonite\" /\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n# Legal\n\nWireGuard® is [registered trademarks](https://www.wireguard.com/trademark-policy/) of Jason A. Donenfeld.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDefGuard%2Fdefguard","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FDefGuard%2Fdefguard","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDefGuard%2Fdefguard/lists"}