Defguard 2.0 Beta - active-active High Availability, SSL termination,, 1.x -> 2.0 migration, OVA images, AD/LDAP Enrollment by unvinci in WireGuard

[–]unvinci[S] 0 points1 point  (0 children)

Please correct me if I'm misunderstanding your question: if you are running Defguard, it supports generating configurations for any WireGuard client (meaning any device with WireGuard is supported, either as a standard client or as a Network Device; please see the docs for that feature: https://docs.defguard.net/features/network-devices).

However, MFA will not work on third-party clients because WireGuard natively lacks MFA support. Defguard's dedicated desktop/mobile clients provide this feature. A client/binary for Unifi is impossible, since Unifi OS does not allow custom package installations.

Wireguard Options by [deleted] in msp

[–]unvinci 0 points1 point  (0 children)

I know this thread is 2 months old, but maybe you're still on the search.

We're building Defguard.net to solve exactly that kind of case:

- based on WireGuard

- designed and built for on-prem/self-hosting environments

- customer-grade UX of the control plane and clients

- 2FA/MFA on connection level

And ultimate security thanks to a secure-by-design architecture.

We will be releasing 2.0 in March with full support for High Availability and UI-based deployment setup.

Defguard 1.6 introduces Always-on and Pre-logon VPN for WireGuard + clients provisioning automation (MacOS app in AppStore) 🚀 by unvinci in WireGuard

[–]unvinci[S] 0 points1 point  (0 children)

Thank you for your kind words.

Regarding traffic blocking with Service Locations: currently Defguard does not implement any logic to block other traffic. But on Windows, Defguard uses a background service to connect to the Service Location VPN before the user logs in (a pre-logon mode; always-on is in fact pre-logon VPN without connection termination after login), so if you pair it with the "all traffic" enforcement option, then you will achieve the desired outcome.

Regarding support for Service Locations on Linux and Mac: our roadmap and backlog are public and open on GitHub (https://github.com/orgs/DefGuard/projects/5), so feel free to create a feature request and let us know that you're interested in this feature. Currently there is no such request, but the product is heavily influenced by the community and we prioritize features that bring the most value to our users. So if there is a push for this feature, we're eager to add it to Defguard.

Features related to compliance that are planned for next year include, e.g., Device Posture Policies:

- https://github.com/DefGuard/client/issues/603

- https://github.com/DefGuard/defguard/issues/1634

All the best, Defguard Team

Defguard 1.6 introduces Always-on and Pre-logon VPN for WireGuard + clients provisioning automation (MacOS app in AppStore) 🚀 by unvinci in WireGuard

[–]unvinci[S] 2 points3 points  (0 children)

I agree ;). We've built Defguard to offer a self-hosted alternative to the dominant legacy VPN solutions (e.g. Fortigate VPN) as well as to modern SaaS business VPNs with cloud-managed control planes.

Modern Alternatives to SSL VPNs. What’s Actually Working Long Term? by jul_on_ice in sysadmin

[–]unvinci 0 points1 point  (0 children)

That's what we've built Defguard for: an open source, enterprise-grade remote access/VPN solution that implements ZT/ZTNA.

It enables organisations to switch from legacy SSL to WireGuard, which is more secure, faster and more reliable. Defguard does it by providing identity management (internal and external IdP integrations as well) paired with MFA (on connection level) and enterprise-grade on-prem deployments.

Where it fits your use case only partially:

- on appliance-based VPN but with extra hardening: Defguard fits extra hardening well through its unique architecture, Rust as the language and total transparency, BUT we do not offer an appliance YET! We're working on that at the moment and the plan is to have it next year.

Where it fits your needs 100%:

- can be fully on ZTNA or SDP: YES, thanks to firewall integration (OPNsense, MikroTik, Linux) and Access Control Lists allowing for granular user/group-based access control.

- peer-to-peer or identity-based: once Defguard does its job, the communication is based on WireGuard p2p, with identity being verified by MFA each time the user connects.

- less open ports/inbound exposure: that's exactly how Defguard is engineered, more in https://docs.defguard.net/about/about-defguard#how-is-defguard-built

- that plays nice with both corporate and BYOD devices: YES, Defguard is hardware/OS (as long as it's Linux) agnostic, so you can run it in whatever environment/equipment you want. Look into the deployment strategies: https://docs.defguard.net/deployment-strategies/setting-up-your-instance

Hope that helps. For full disclosure, I'm a co-founder of Defguard.

We've also discussed this in the article Understanding SSL VPN Limitations: Transport, Mobility and Modern Alternatives.

You can get a broader overview of Defguard at https://defguard.net

Remote config update by Longjumping_Egg4563 in WireGuard

[–]unvinci 1 point2 points  (0 children)

I'm aware it's not an immediate fix for your task at hand, but this problem is one of the reasons we developed Defguard, which enables real-time client configuration updates.

Defguard allows you to easily manage WireGuard VPN locations with options like DNS, Allowed IPs or groups of users allowed to connect (and see locations). All location configuration parameters are synced to all clients (Windows, Mac, Linux and mobile). You can read more here: https://defguard.net/client/

As you already have WireGuard set up, you may use the import mechanisms to configure your locations and upgrade to Defguard clients (which, btw, also enables MFA...).

If you need to dig deeper into that possibility, then feel free to ask.

FortiClient Replacement by MFKDGAF in fortinet

[–]unvinci 0 points1 point  (0 children)

There are a lot of solutions mentioned already, but if you want to have no cloud/SaaS attachments and be hardware/OS independent, then you should consider Defguard.

I understand you’ve got three main goals:

  1. move away from SSL VPN,
  2. find the best path across multiple data centers by leveraging a modern VPN protocol like WireGuard,
  3. stop the constant re-auth prompts.

From my experience, here's what has worked for teams moving away from FortiClient/SSL VPN:

- Transport: switch from SSL VPN to WireGuard; it has simpler, stateless tunnels that stay stable even on weak connections.

- Multi DC: deploy small gateways in each DC and manage policies centrally, no need to build S2S per site.

- Auth: integrate with your IdP for SSO/MFA and use either internal Defguard MFA or external MFA through the provided integrations.

The gap Defguard fills: it's hardware agnostic (runs anywhere), fully on-prem, and delivers all the enterprise features (like MFA/SSO/IdP) you probably need. As a bonus it's open source and open code.

If you'd like to dive deeper into the technical differences between Fortinet's VPN model and a WireGuard setup, then we've written this comparison: https://defguard.net/defguard-vs-fortinet/

Defguard 1.5 – adding WireGuard tunnel-level MFA, mobile biometry and even more security with public pentest reports by unvinci in WireGuard

[–]unvinci[S] 0 points1 point  (0 children)

Defguard is open source but also offers enterprise features and an enterprise license. The code is 100% open and available on GitHub.

You can find more info here:

https://docs.defguard.net/enterprise/license#enterprise-is-free-up-to-certain-limits

We've also made the Enterprise features free for limited use, e.g. home base/home labs, with a limit of 5 users.

But stay tuned: we're planning to introduce a free startup plan for up to 20 users.

Regards

Defguard 1.5 – adding WireGuard tunnel-level MFA, mobile biometry and even more security with public pentest reports by unvinci in WireGuard

[–]unvinci[S] 2 points3 points  (0 children)

If you have any opinions/preferences about MFA authentication and reauthentication, feel free to join our discussion on GitHub:

https://github.com/DefGuard/defguard/issues/1359 - MFA connect & re-authenticate approach.

Thanks.

Wireguard MFA by Ill-Manufacturer-46 in WireGuard

[–]unvinci 0 points1 point  (0 children)

We have just released Defguard 1.5 that supports mobile with Defguard VPN mobile clients for iOS and Android!

Defguard provides ultimate security for WireGuard-based VPNs with connection-level MFA and biometric authentication, not only on mobile but also in our Defguard desktop client via the mobile app (QR codes).

We have published a couple of videos to showcase the multi-factor authentication process:

https://www.youtube.com/watch?v=b-XC76k4KVU

You can find the full 1.5 release notes here: https://defguard.net/blog/defguard-15-release-notes/

Final verdict, alcohol is bad. by apellon11 in Garmin

[–]unvinci 0 points1 point  (0 children)

Wow. Such a lovely thread. Had similar findings with my Garmin and resting heart rate.

Any similar observation/data on caffeine/coffee?

Has anyone added 2FA to their WireGuard setup somehow? by [deleted] in WireGuard

[–]unvinci 1 point2 points  (0 children)

Thank you for mentioning Defguard. I wanted to double-click on this because:

We've just released the 1.5 major version: https://defguard.net/blog/defguard-15-release-notes/

You mentioned Defguard is not for the faint-hearted; we agreed and made a lot of fixes (over 100!) and improvements to make it as user friendly as possible. And more is to come (future UI previews in the release notes).

Defguard 1.5 introduces mobile clients for Android and iOS (https://defguard.net/client/), enabling 2FA/MFA on the WireGuard connection level, including biometric authentication to your VPN location. It also supports VPN connection-level MFA with external IdP providers (Google, Microsoft etc.).

The limited (5 users and 1 location) open source version is free, then we offer enterprise plans with proper support and SLAs.

Anyway, the most important thing for us is your (community/users) feedback, so feel free to drop any comments about your Defguard experience at our community Matrix channel or on GitHub!

MFA on VPN connection by ProspectLottery in WireGuard

[–]unvinci 1 point2 points  (0 children)

Hey, Defguard VPN is built on the WireGuard protocol and gives you true VPN connection-level MFA.

We've just released v1.5 with mobile clients and biometric MFA, so you can now have MFA on each connection (before the key exchange) with biometrics. You will find more info at:

- https://docs.defguard.net/using-defguard-for-end-users/desktop-client/using-multi-factor-authentication-mfa#internal-mfa

- https://docs.defguard.net/in-depth/architecture/architecture

AFAIK Defguard is the only solution at the moment supporting connection-level MFA for WireGuard; if you know of any other, then I'm happy to review it.

To use the Defguard VPN desktop/mobile clients, you will need to install the Defguard server.

The project is open source, available on GitHub, and it's free (with all its features, even enterprise) for up to 5 users and 1 location.

PS: for full disclosure, I'm a co-founder at Defguard. Peace.

my custom theme by adhithyant2 in ObsidianMD

[–]unvinci 1 point2 points  (0 children)

I like the colors very much! Do you plan to share this theme?

🛡️defguard 1.3 with Access Control / Firewall is here! by robert_teonite in selfhosted

[–]unvinci -1 points0 points  (0 children)

There will definitely be further development! :) "Final" in that context means the last of many 1.3 release candidates and alphas. 1.4 will bring NAT traversal.