{"id":13353353,"url":"https://github.com/defguard/defguard","last_synced_at":"2026-04-27T23:01:57.562Z","repository":{"id":164699510,"uuid":"554110348","full_name":"DefGuard/defguard","owner":"DefGuard","description":"Zero-Trust access management with true WireGuard® 2FA/MFA","archived":false,"fork":false,"pushed_at":"2026-04-22T12:49:23.000Z","size":30377,"stargazers_count":2677,"open_issues_count":293,"forks_count":93,"subscribers_count":17,"default_branch":"main","last_synced_at":"2026-04-22T13:20:19.628Z","etag":null,"topics":["authentication","forwardauth","keycloak","multifactor-authentication","oauth","oauth-provider","oauth2-server","oidc","oidc-provider","openid","openid-connect","openid-connect-provider","openvpn","pritunl","security","vpn","vpn-server","wireguard","wireguard-ui","yubikey"],"latest_commit_sha":null,"homepage":"https://defguard.net","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DefGuard.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"custom":["https://defguard.net/pricing/"]}},"created_at":"2022-10-19T09:09:46.000Z","updated_at":"2026-04-22T09:37:38.000Z","dependencies_parsed_at":null,"dependency_job_id":"587f6719-f427-49a4-ab4e-381d54124ce0","html_url":"https://github.com/DefGuard/defguard","commit_stats":null,"previous_names":[],"tags_count":116,"template":false,"template_full_name":null,"purl":"pkg:github/DefGuard/defguard","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DefGuard%2Fdefguard","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DefGuard%2Fdefguard/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DefGuard%2Fdefguard/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DefGuard%2Fdefguard/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DefGuard","download_url":"https://codeload.github.com/DefGuard/defguard/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DefGuard%2Fdefguard/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32358509,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-27T20:07:02.737Z","status":"ssl_error","status_checked_at":"2026-04-27T20:07:00.910Z","response_time":128,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","forwardauth","keycloak","multifactor-authentication","oauth","oauth-provider","oauth2-server","oidc","oidc-provider","openid","openid-connect","openid-connect-provider","openvpn","pritunl","security","vpn","vpn-server","wireguard","wireguard-ui","yubikey"],"created_at":"2024-07-29T21:01:38.934Z","updated_at":"2026-04-27T23:01:57.520Z","avatar_url":"https://github.com/DefGuard.png","language":"Rust","funding_links":["https://defguard.net/pricing/"],"categories":["Applications"],"sub_categories":[],"readme":" \u003cp align=\"center\"\u003e\n    \u003cimg src=\"docs/header.png\" alt=\"defguard\"\u003e\n \u003c/p\u003e\n\n\u003cdiv align=\"center\"\u003e\n \u003cp align=\"center\"\u003e\n  Defguard is an enterprise-grade open-source VPN solution built with the highest security standards in mind. It provides the world’s only multi-factor authentication (MFA) for WireGuard VPN connections, using either its built-in SSO (with TOTP, biometrics, etc.) or external SSO providers such as Google, Microsoft, Active Directory/LDAP, Okta, JumpCloud or any other OpenID Connect Provider.\n \u003c/p\u003e\n\n[Website](https://defguard.net) | [Getting Started](https://docs.defguard.net/#what-is-defguard) | [Features](https://github.com/defguard/defguard#features) | [Roadmap](https://github.com/orgs/defguard/projects/5) | [Support ❤](https://github.com/defguard/defguard#support)\n\u003c/div\u003e\n\n### Open, transparent, verifiable and inspectable \n\n- Our security approach: https://defguard.net/security/\n- Our public penetration tests reports: https://defguard.net/pentesting/\n- Daily SBOM CVE scan: https://defguard.net/sbom/ \n- Our detailed roadmap: https://github.com/orgs/DefGuard/projects/5\n- Our Architecture Decision Records: https://app.gitbook.com/o/Z3mGSAbEj9iLdZ7cNFlL/s/kHPDOBrb5X1TB8O3GsjW/~/changes/86/in-depth/architecture-decision-records\n\n### Defguard provides Comprehensive Access Control (a complete security platform):\n\n- **[WireGuard® VPN with 2FA/MFA](https://docs.defguard.net/in-depth/architecture/architecture)** - not 2FA to \"access application\" like most solutions\n    - The only solution with [automatic and real-time synchronization](https://docs.defguard.net/features/remote-user-enrollment/automatic-real-time-desktop-client-configuration) for users' desktop client settings (including all VPNs/locations).\n    - Control users [ability to manage devices and VPN options](https://docs.defguard.net/features/wireguard/behavior-customization)\n- [ACLs/Firewall Management](https://docs.defguard.net/features/access-control-list) for Linux and FreeBSD/OPNSense\n- [Integrated SSO based on OpenID Connect](https://docs.defguard.net/features/openid-connect): \n    - significant cost saving, simplifying deployment and maintenance\n    - enabling features unavailable to VPN platforms relying upon 3rd party SSO integration\n- Already using Google/Microsoft or other OpenID Provider? - [external OpenID provider support](https://docs.defguard.net/features/external-openid-providers)\n- [Two way Active Directory/LDAP synchronization](https://docs.defguard.net/features/ldap-and-active-directory-integration/two-way-ldap-and-active-directory-synchronization)\n- Only solution with [secure remote user Enrollment \u0026 Onboarding](https://docs.defguard.net/using-defguard-for-end-users/enrollment)\n- Yubico YubiKey Hardware [security key management and provisioning](https://docs.defguard.net/features/yubikey-provisioning)\n- Secure and robust architecture, featuring components and micro-services seamlessly deployable in diverse network setups (eg. utilizing network segments like Demilitarized Zones, Intranet with no external access, etc), ensuring a secure environment.\n- Enterprise ready (multiple Locations/Gateways/Kubernetes deployment, etc..)\n- Built on WireGuard® protocol which is faster than IPSec, and significantly faster than OpenVPN\n- Built with Rust for speed and security\n\nSee:\n- [full list of features](https://github.com/defguard/defguard#features)\n- [enterprise only features](https://docs.defguard.net/enterprise/enterprise-features)\n\n### Defguard makes it easy to manage complex VPN networks in a secure way\n\n\u003cimg width=\"1564\" alt=\"locations-connections\" src=\"https://github.com/user-attachments/assets/f886750b-1d4e-467e-917d-bc19a86e275c\" /\u003e\n\n#### Video introduction\n\nBear in in mind we are no youtubers - just engineers - here is a video introduction to defguard:\n\n\u003cdiv align=\"center\"\u003e\n \u003cp align=\"center\"\u003e\n  \n[![Introduction to defguard](https://img.youtube.com/vi/4PF7edMGBwk/hqdefault.jpg)](https://www.youtube.com/watch?v=4PF7edMGBwk)\n\n\u003c/p\u003e\n\u003c/div\u003e\n\n### Control plane management (this video is few versions behind... - a lot has changed!)\n\n![](https://defguard.net/images/product/core/hero-image.png)\n\n![](https://github.com/DefGuard/docs/blob/docs/screencasts/defguard.gif?raw=true)\n\nBetter quality video can [be viewed here](https://github.com/DefGuard/docs/raw/docs/screencasts/defguard-screencast.mkv)\n\n### Desktop Client with 2FA / MFA (Multi-Factor Authentication)\n\n#### Light\n\n![defguard desktop client](https://defguard.net/images/product/client/main-screen.png)\n\n#### Dark\n\n![defguard WireGuard MFA](https://github.com/DefGuard/docs/blob/docs/releases/0.9/mfa.png?raw=true)\n\n[Desktop client](https://github.com/DefGuard/client):\n\n- **2FA / Multi-Factor Authentication** with TOTP or email based tokens \u0026 WireGuard PSK\n- [automatic and real-time synchronization](https://docs.defguard.net/features/remote-user-enrollment/automatic-real-time-desktop-client-configuration) for users' desktop client settings (including all VPNs/locations).\n- Control users [ability to manage devices and VPN options](https://docs.defguard.net/features/wireguard/behavior-customization)\n- Defguard instances as well as **any WireGuard tunnel** - just import your tunnels - one client for all WireGuard connections\n- Secure and remote user enrollment - setting up password, automatically configuring the client for all VPN Locations/Networks\n- Onboarding - displaying custom onboarding messages, with templates, links ...\n- Ability to route predefined VPN traffic or all traffic (server needs to have NAT configured - in gateway example)\n- Live \u0026 real-time network charts\n- live VPN logs\n- light/dark theme\n\n## Quick start\n\nThe easiest way to run your own defguard instance is to use Docker and our [one-line install script](https://docs.defguard.net/getting-started/one-line-install).\nJust run the command below in your shell and follow the prompts:\n\n```bash\ncurl --proto '=https' --tlsv1.2 -sSf -L https://raw.githubusercontent.com/DefGuard/deployment/main/docker-compose/setup.sh -O \u0026\u0026 bash setup.sh\n```\n\nHere is a step-by-step video about this process:\n\n\u003cdiv align=\"center\"\u003e\n \u003cp align=\"center\"\u003e\n  \n[![Quickly deploy defguard](https://img.youtube.com/vi/MqlE6ZTn0bg/hqdefault.jpg)](https://www.youtube.com/watch?v=MqlE6ZTn0bg)\n\n\u003c/p\u003e\n\u003c/div\u003e\n\nTo learn more about the script and available options please see the [documentation](https://docs.defguard.net/getting-started/one-line-install).\n\n### Setup a VPN server in under 5 minutes !?\n\nJust follow [this tutorial](http://bit.ly/defguard-setup)\n\n## Manual deployment examples\n\n- [Standalone system package based install](https://docs.defguard.net/deployment-strategies/standalone-package-based-installation)\n- Using [Docker Compose](https://docs.defguard.net/deployment-strategies/docker-compose)\n- Using [Kubernetes](https://docs.defguard.net/deployment-strategies/kubernetes)\n\n## Roadmap \u0026 Development backlog\n\n[A detailed product roadmap and development status can be found here](https://github.com/orgs/DefGuard/projects/5/views/1)\n\n### ⛑️ Want to help? ⛑️\n\nHere is a [dedicated view for **good first bugs**](https://github.com/orgs/DefGuard/projects/5/views/5)\n\n## Features\n\n* Remote Access: [WireGuard® VPN](https://www.wireguard.com/) server with:\n  - [Multi-Factor Authentication](https://docs.defguard.net/features/wireguard/multi-factor-authentication-mfa-2fa) with TOTP/Email \u0026 Pre-Shared Session Keys\n  - multiple VPN Locations (networks/sites) - with defined access (all users or only Admin group)\n  - multiple [Gateways](https://github.com/DefGuard/gateway) for each VPN Location (**high availability/failover**) - supported on a cluster of routers/firewalls for Linux, FreeBSD/PFSense/OPNSense\n  - **import your current WireGuard® server configuration (with a wizard!)**\n  - **most beautiful [Desktop Client!](https://github.com/defguard/client)** (in our opinion ;-))\n  - automatic IP allocation\n  - [automatic and real-time synchronization](https://docs.defguard.net/features/remote-user-enrollment/automatic-real-time-desktop-client-configuration) for users' desktop client settings (including all VPNs/locations).\n  - control users [ability to manage devices and VPN options](https://docs.defguard.net/features/wireguard/behavior-customization)\n  - kernel (Linux, FreeBSD/OPNSense/PFSense) \u0026 userspace WireGuard® support with [our Rust library](https://github.com/defguard/wireguard-rs)\n  - dashboard and statistics overview of connected users/devices for admins\n  - *defguard is not an official WireGuard® project, and WireGuard is a registered trademark of Jason A. Donenfeld.*\n* Identity \u0026 Account Management:\n  - SSO based on OpenID Connect](https://openid.net/developers/how-connect-works/)\n  - External SSO: [external OpenID provider support](https://docs.defguard.net/features/external-openid-providers)\n  - [Multi-Factor/2FA](https://en.wikipedia.org/wiki/Multi-factor_authentication) Authentication:\n   - [Time-based One-Time Password Algorithm](https://en.wikipedia.org/wiki/Time-based_one-time_password) (TOTP - e.g. Google Authenticator)\n   - WebAuthn / FIDO2 - for hardware key authentication support (eg. YubiKey, FaceID, TouchID, ...)\n   - Email based TOTP\n  - LDAP (tested on [OpenLDAP](https://www.openldap.org/)) synchronization\n  - [forward auth](https://docs.defguard.net/features/forward-auth) for reverse proxies (tested with Traefik and Caddy)\n  - nice UI to manage users\n  - Users **self-service** (besides typical data management, users can revoke access to granted apps, MFA, WireGuard®, etc.)\n* Account Lifecycle Management:\n  - Secure remote (over the Internet) [user enrollment](https://docs.defguard.net/features/remote-user-enrollment) - on public web / Desktop Client\n  - User [onboarding after enrollment](https://docs.defguard.net/features/remote-user-enrollment/user-onboarding-after-enrollment)\n* SSH \u0026 GPG public key management in user profile - with [SSH keys authentication for servers](https://docs.defguard.net/features/ssh-authentication)\n* [Yubikey hardware keys](https://www.yubico.com/) provisioning for users by *one click*\n* [Email/SMTP support](https://docs.defguard.net/features/notifications/setting-up-smtp-for-email-notifications) for notifications, remote enrollment and onboarding\n* Easy support with [sending debug/support information](https://docs.defguard.net/support-1/troubleshooting/sending-support-info)\n* Webhooks \u0026 REST API\n* Built with [Rust](https://www.rust-lang.org/) for portability, security, and speed\n* [UI Library](https://github.com/defguard/ui) - our beautiful React/TypeScript UI is a collection of React components:\n  - a set of custom and beautiful components for the layout\n  - Responsive Web Design (supporting mobile phones, tablets, etc..)\n  - [iOS Web App](https://www.macrumors.com/how-to/use-web-apps-iphone-ipad/)\n* **Checked by professional security researchers** (see [comprehensive security report](https://defguard.net/pdf/isec-defguard.pdf))\n* End2End tests\n\n## Documentation\n\nSee the [documentation](https://docs.defguard.net/) for more information.\n\n## Community and Support\n\nReach out to our community via [GitHub Discussions](https://github.com/DefGuard/defguard/discussions/new/choose)\n\n## License\n\nThe code in this repository is available under a dual licensing model:\n\n1. Open Source License: The code, except for the contents of the \"crates/defguard_core/src/enterprise\" directory, is licensed under the AGPL license (see file LICENSE.md in this repository). This applies to the open core components of the software.\n2. Enterprise License: All code in this repository (including within the \"crates/defguard_core/src/enterprise\" directory) is licensed under a separate Enterprise License (see file crates/defguard_core/src/enterprise/LICENSE.md).\n\n## Contributions\n\nPlease review the [Contributing guide](https://docs.defguard.net/for-developers/contributing) for information on how to get started contributing to the project. You might also find our [environment setup guide](https://docs.defguard.net/for-developers/dev-env-setup) handy.\n\n## Verifiability of releases\n\nWe provide following ways to verify the authenticity and integrity of official releases:\n\n### Docker Image Verification with Cosign\n\nAll official Docker images are signed using [Cosign](https://docs.sigstore.dev/cosign/overview/). To verify a Docker image:\n\n1. [Install](https://github.com/sigstore/cosign?tab=readme-ov-file#installation) cosign CLI\n\n2. Verify the image signature (replace \u003cIMAGE_TAG\u003e with the tag you want to verify):\n   ```bash\n   cosign verify --certificate-identity-regexp=\"https://github.com/DefGuard/defguard\" \\\n     --certificate-oidc-issuer=\"https://token.actions.githubusercontent.com\" \\\n     ghcr.io/defguard/defguard:\u003cIMAGE_TAG\u003e\n   ```\n\n### Release Asset Verification\n\nAll release assets (binaries, packages, etc.) include SHA256 checksums that are automatically generated and published with each GitHub release:\n\n1. Download the release asset and copy its corresponding checksum from the [releases page](https://github.com/DefGuard/defguard/releases)\n\n2. Verify the checksum:\n   ```bash\n   # Linux/macOS\n   echo known_sha256_checksum_of_the_file path/to/file | sha256sum --check\n   ```\n\n# Legal\n\nWireGuard® is [registered trademarks](https://www.wireguard.com/trademark-policy/) of Jason A. Donenfeld.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdefguard%2Fdefguard","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdefguard%2Fdefguard","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdefguard%2Fdefguard/lists"}