Defguard
For authentication & SSO, Defguard is a self-hosted solution that provides an enterprise-grade VPN built on WireGuard.
Enterprise VPN and identity management, honestly reviewed. No vendor copy-paste, just what you actually get when you run it.
TL;DR
- What it is: A self-hosted enterprise VPN platform built on WireGuard® with protocol-level multi-factor authentication — the only open-source solution claiming to do MFA at the actual connection level, not just the login portal [4][6].
- Who it’s for: IT leads, security-conscious founders, and ops teams tired of paying for closed-source VPN appliances (Cisco, Palo Alto, Fortinet) or trusting cloud-only VPN services (Tailscale, Netbird) with their connection metadata [4][6].
- Cost savings: Paid plans start at €129/year; a fully functional free tier covers up to 5 users including enterprise features [5]. Commercial VPN appliances run thousands per year. The self-hosted path means you own the infrastructure.
- Key strength: True WireGuard protocol-level 2FA/MFA — the functionality that Tailscale, Netbird, and Firezone explicitly don’t offer at the connection level [4]. Plus built-in SSO (OpenID Connect), LDAP sync, and a desktop client that auto-syncs config changes in real time [README][2].
- Key weakness: The “open source” label is contested — the codebase mixes AGPLv3 code with a non-FOSS enterprise layer, and the company has acknowledged it doesn’t ship a pure AGPL build [3]. The deployment process is genuinely complex and the team has said v2.0 (not yet released) will finally make it easier [2].
What is Defguard
Defguard is a self-hosted platform that combines three things that enterprise security teams usually buy separately: a WireGuard VPN gateway, an identity and access management system (SSO via OpenID Connect), and an access lifecycle manager. It’s built in Rust, deployed via Docker or Kubernetes, and marketed squarely at organizations that want the control of on-premise infrastructure without the opacity of legacy appliances [4][6].
The project was started around 2008–2009 under the name OMNI by Robert Olejnik, who was handling IT security and infrastructure at Polish software house Teonite. It eventually became Defguard, and in April 2025 Teonite pivoted entirely to focus on it. The company has since raised €1.2M in Pre-Seed funding from Hard2beat, SMOK Ventures, S20 Team, and several angels including security firm ISEC [6].
The core technical claim is specific and verifiable: Defguard implements MFA at the WireGuard protocol level, using PSK (Pre-Shared Key) rotation as the second factor. When a user connects, the WireGuard PSK changes dynamically after successful MFA — TOTP, email token, WebAuthn/FIDO2, or biometric — meaning an attacker who steals VPN credentials still can’t connect without the second factor, because the PSK they captured is already stale [4][README]. This is different from what most “WireGuard + MFA” marketing actually delivers: an MFA gate on the web dashboard that configures WireGuard, with the WireGuard connection itself requiring no additional factor.
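To make that distinction concrete, here is an added Python simulation (not Defguard's code and not a WireGuard implementation): the `Gateway`, `ControlPlane`, `totp`, `gen_psk` and `demo` names are hypothetical, the peer key and TOTP seed are constructed sample values, and the WireGuard handshake is reduced to a constant-time comparison against the PSK currently installed for the peer. It shows why a copied config file carrying the old PSK no longer completes a handshake once a successful second factor has rotated the PSK, and that a failed second factor leaves the installed PSK untouched.

```python
import base64, hashlib, hmac, os, struct

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the usual authenticator-app default."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def gen_psk():
    """32 random bytes, base64-encoded: the same shape `wg genpsk` produces."""
    return base64.b64encode(os.urandom(32)).decode()

class Gateway:
    """Stand-in for the WireGuard gateway's peer table: pubkey -> valid PSK."""
    def __init__(self):
        self.peers = {}

    def handshake(self, pubkey, psk):
        # Real WireGuard mixes the PSK into the Noise IKpsk2 chaining key, so a
        # wrong PSK fails the handshake. Modelled here as a constant-time
        # comparison against the PSK currently installed for this peer.
        current = self.peers.get(pubkey)
        return current is not None and hmac.compare_digest(current, psk)

class ControlPlane:
    """Hypothetical control plane: rotates a peer's PSK only after valid MFA."""
    def __init__(self, gateway):
        self.gateway = gateway
        self.totp_secrets = {}

    def enroll(self, pubkey, totp_secret):
        self.totp_secrets[pubkey] = totp_secret
        self.gateway.peers[pubkey] = gen_psk()  # initial PSK from enrollment

    def mfa_connect(self, pubkey, code, now):
        """Verify the second factor; on success install and return a fresh PSK."""
        secret = self.totp_secrets.get(pubkey)
        if secret is None or not hmac.compare_digest(code, totp(secret, now)):
            return None
        psk = gen_psk()
        self.gateway.peers[pubkey] = psk  # any previously issued PSK is now stale
        return psk

def demo(now=1_700_000_000):
    """Walk through the scenario from the text with constructed sample data."""
    gw = Gateway()
    cp = ControlPlane(gw)
    pub = "CLIENT_PUBKEY_PLACEHOLDER"  # constructed; a real key is base64 X25519
    seed = b"12345678901234567890"     # constructed TOTP seed (RFC 6238 test seed)
    cp.enroll(pub, seed)
    copied_psk = gw.peers[pub]          # a copied config file would carry this PSK
    code = totp(seed, now)
    fresh = cp.mfa_connect(pub, code, now)  # enrolled user completes MFA
    wrong = str((int(code) + 1) % 10 ** 6).zfill(6)
    return {
        "copied_psk_rejected": not gw.handshake(pub, copied_psk),
        "fresh_psk_accepted": gw.handshake(pub, fresh),
        "wrong_code_keeps_psk": cp.mfa_connect(pub, wrong, now) is None
        and gw.handshake(pub, fresh),
    }
```

Every key in the dict `demo()` returns is True: only the PSK issued after a valid second factor completes the handshake.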
As of this review, the GitHub repository sits at 2,651 stars.
Why people choose it over Tailscale, Netbird, and legacy VPN appliances
Versus cloud-managed WireGuard (Tailscale, Netbird, Firezone). Defguard’s own security page [4] names these directly: they don’t implement MFA at the connection level; they implement it to access the control plane. If you value privacy, cloud VPN providers also store your connection metadata — which is the exact thing Defguard is designed to eliminate. The self-hosted architecture means no metadata leaves your infrastructure [4][website]. For European companies specifically, the EU legal exposure angle matters: Defguard is based in Poland, operates under EU law, and holds ISO 27001 certification — a concrete compliance argument when customers or auditors ask [website][6].
Versus legacy hardware appliances. The ITKeyMedia profile [6] articulates the problem these tools create clearly: organizations end up with a patchwork of disconnected systems, orphaned accounts after employees leave, and shadow IT growing under the radar. Legacy vendors like Cisco and Palo Alto build “all-in-one/inline” appliances that are internet-facing — and those SSL VPN portals are exactly where the most CVEs appear [4]. The contrast Defguard draws is architectural: its control plane can live inside an intranet segment with no external exposure; only the proxy (stateless, no user data) and the WireGuard gateway port need to be reachable from outside [4].
Versus rolling your own WireGuard. WireGuard itself is just a kernel module with a config file. It doesn’t have user management, MFA, auto-enrollment, device provisioning, or a UI. Defguard wraps all of that around it without replacing it — you keep WireGuard’s speed (up to 3x faster than OpenVPN) and small attack surface (~4,000 lines of code) and get everything on top [website].
A real-world migration data point from SoftwareAdvice [5]: one IT company with 300–400 employees (predominantly macOS, some Linux and Windows) migrated from FortiGate to Defguard. The review is 5/5 across the board: “Speed, security and UX improved, costs were even lower.” The reviewer specifically called out one-click enrollment via SSO: users click a link, authenticate with their Google account, and the VPN connects — no manual config file distribution.
Features
VPN and network access:
- WireGuard VPN with protocol-level 2FA/MFA using PSK rotation [README][4]
- Multiple VPN locations and gateways with real-time config updates — change groups, routes, or policies and clients sync automatically [README][website]
- ACL/Firewall management for Linux and FreeBSD/OPNSense [README][2]
- Desktop client for macOS, Windows, and Linux with automatic configuration sync [README][2]
- Desktop client rewrites in 2025: Windows uses WireGuardNT; macOS uses native system VPN extensions [2]
Identity and SSO:
- Built-in OpenID Connect SSO — no third-party IdP required [README]
- External OIDC providers: Google, Microsoft, Zitadel, Keycloak, Okta, JumpCloud, Authentik, Authelia, and any OIDC-compliant provider [README][1]
- Two-way Active Directory and LDAP synchronization [README][2]
- YubiKey hardware security key management and provisioning [README]
Authentication methods:
- TOTP (time-based one-time passwords)
- Email tokens
- WebAuthn/FIDO2 hardware keys
- Biometric authentication on mobile and desktop clients [website][5]
Enrollment and onboarding:
- Desktop client zero-touch provisioning — configuration auto-deploys via enrollment link [2][website]
- Mobile apps for iOS and Android with biometric MFA [website]
- QR code configuration for mobile devices [website]
- Secure web enrollment portal [website]
Observability and compliance:
- Activity stream and SIEM integration [2]
- Audit logs [README]
- REST API [README]
- Webhooks [README]
- Published penetration testing reports from ISEC [4]
- Daily SBOM CVE scans with public results [4]
- ISO 27001:2023 certified [website]
Pricing: self-hosted math
Defguard’s tiers:
- Free: Available, covers up to 5 users with enterprise features included (SSO, external OIDC, etc.) [1][5]
- Paid plans: Start at €129/year [5]. Exact per-seat or per-gateway pricing isn’t published on the main website; you contact sales past the free tier.
- Self-hosted community edition: Free to run on your own infrastructure, within the licensing caveats discussed below.
Enterprise license context: In November 2024, version 1.1 released all enterprise features free with usage limits [1]. The Reddit announcement specifically cited “overwhelming response from the homelab/selfhosted community” as the reason. The limits are described as “more than sufficient for home, small business, and student use.”
Versus commercial alternatives:
- Cisco AnyConnect / Secure Client: pricing is not published, but enterprise VPN licensing from Cisco runs thousands of dollars per year at any meaningful scale, consistent with typical enterprise network security pricing.
- Tailscale: free for personal use (up to 3 users), paid plans from $6/user/month ($72/user/year). For a 50-person team that’s $3,600/year minimum.
- Defguard self-hosted: infrastructure costs only (a VPS or on-premise hardware). For a 50-person team, you’re looking at VPS costs plus your ops time — not per-seat licensing.
The math is compelling if you’re already past the threshold where per-seat VPN licensing starts to hurt. The free 5-user tier lets you test thoroughly before committing.
Deployment reality check
This is where Defguard’s own team admits the product has rough edges — and has been explicit about it in public [2]. The 2025 summary and 2026 roadmap post states plainly: “while Defguard performs exceptionally well once deployed, the deployment process itself can be overwhelming.” The stated reason is the secure-by-design multi-component architecture: control plane, proxy, gateway, and optional additional components that need to be configured for your network topology (DMZ segments, intranet-only control plane, etc.) [4].
What you need:
- A Linux server or VPS (Docker Compose for straightforward setups, Helm for Kubernetes)
- A network topology decision: where does the control plane live (intranet), where does the proxy live (DMZ), where does the gateway live
- A domain and reverse proxy for HTTPS
- PostgreSQL and Redis (bundled in docker-compose or external)
- SMTP if you use email-based MFA tokens
What can go sideways:
- The architecture is genuinely secure-by-design, which means more components to configure than a single-binary VPN server. If you’re used to deploying WireGuard with a shell script, this is a meaningful step up in complexity.
- The SoftwareAdvice reviewer [5] flagged rough UX edges specifically around initial enrollment/onboarding in earlier versions — though noted the team rapidly addressed these in subsequent releases.
- Version 2.0 (not yet released as of this writing) promises significantly easier deployment with automated configuration and a redesigned UI [2]. Until that ships, you’re working with the current setup flow.
Time estimate: A technically experienced sysadmin following the documentation: 2–4 hours to a working instance. A non-technical founder: not recommended without a technical partner or deployment help. This is not a one-click install.
Pros and cons
Pros
- Real protocol-level WireGuard MFA. Not marketing fluff — the PSK rotation mechanism is technically distinct from application-layer MFA gates that Tailscale, Netbird, and Firezone use [4]. If your threat model includes stolen VPN credentials, this matters.
- Written in Rust. Memory safety by design, not by convention. The security page [4] details the comparison: Rust prevents null pointer dereferences, buffer overflows, and use-after-free at compile time — meaningful for a security-critical networking component.
- Built-in SSO removes a dependency. Most WireGuard management UIs require you to bring your own IdP. Defguard ships one, which reduces the number of moving parts in your infrastructure [README][6].
- Genuine transparency signals. Published pen test reports from ISEC, daily SBOM CVE scans with public results, public Architecture Decision Records, public roadmap [4]. Rare in the security vendor space.
- ISO 27001:2023 certified — covers organizations in regulated industries where auditors ask for vendor certifications [website].
- EU-based, EU-law governed. A concrete advantage for European companies with data residency requirements [6][website].
- Free tier is genuinely functional. 5 users with enterprise features including external OIDC is more than enough for testing a migration [1][5].
- 20x client growth in 2025 and 2000% revenue increase [2] — signals a product that organizations are actually betting on, not just experimenting with.
Cons
- License is not cleanly open source. The isitreallyfoss.com review [3] documents this clearly: the codebase mixes AGPLv3 with a non-FOSS enterprise license, and the company has confirmed it doesn’t provide a “pure” AGPL build. A project author stated: “Our current priority is to build the most useful and most secure security system — unfortunately, this requires a compromise between open source and enterprise.” [3] The project markets itself as open source, which is technically contestable. If you need a clean FOSS license for compliance or embedding purposes, verify current status before committing.
- Deployment is complex. The team’s own 2026 roadmap post says so directly [2]. Multi-component setup with network topology decisions is not beginner territory.
- v2.0 is the “real” easy deployment release — and it hasn’t shipped yet [2]. You’re deploying the current version, which requires more manual work.
- Limited public reviews. One verified user review on SoftwareAdvice [5], a handful of Reddit threads. The product is young and the review corpus is thin compared to established vendors. You’re making a bet with less third-party validation than alternatives.
- 2,651 stars is modest. Tailscale alternatives like Netbird (12K+ stars) or Headscale (20K+ stars) have larger communities, more tutorials, and more community-contributed troubleshooting.
- Mesh networking and site-to-site VPN not yet available. The 2026 roadmap acknowledges these as promised-but-not-yet-delivered features [2]. If you need site-to-site, check current status before committing.
Who should use this / who shouldn’t
Use Defguard if:
- You’re a security-conscious org that has specifically evaluated WireGuard MFA and found that Tailscale/Netbird don’t deliver it at the connection level — and that distinction matters to your threat model.
- You’re a European company that needs EU-law governance, ISO 27001 certification from your vendor, and zero metadata leaving your infrastructure.
- You’re migrating off a legacy hardware VPN appliance (Fortinet, Cisco) and want a modern replacement that doesn’t require paying per-seat enterprise licensing.
- You have a technical ops person who can handle a multi-component Docker deployment and network topology configuration.
- Your team is 5 people or fewer and you want enterprise VPN features without any licensing cost.
Skip it (and use Tailscale or Netbird) if:
- You need a self-hosted WireGuard mesh in an afternoon. Headscale (the open-source Tailscale control plane) or Netbird are faster to deploy and have larger communities.
- You don’t need protocol-level MFA and the application-layer MFA that Tailscale/Netbird offer is sufficient.
- You need mature site-to-site VPN or mesh networking today, not on the v2.0 roadmap.
Skip it (stay with your current appliance) if:
- Your compliance team requires a vendor with 10+ years of enterprise track record. Defguard got its first paying customers in 2024 [6].
- Nobody on your team has Linux and Docker experience. This is not a managed SaaS.
Skip it if license purity matters:
- If you need a clean FOSS license for embedding, redistribution, or legal/compliance reasons, read the isitreallyfoss.com analysis [3] carefully and verify current license status directly with the team.
Alternatives worth considering
- Headscale — open-source re-implementation of the Tailscale control server. Simpler deployment, large community, no protocol-level MFA. Best for teams that want self-hosted Tailscale without Defguard’s complexity.
- Netbird — WireGuard-based, self-hostable, good UI. No protocol-level MFA, mesh networking supported. More mature community (12K+ stars).
- Firezone — WireGuard VPN management with a web UI. Simpler than Defguard, no built-in SSO or LDAP sync. Good for small teams.
- Pritunl — OpenVPN/WireGuard management platform, longer track record, paid enterprise tier. Closed-source core.
- OpenVPN Access Server — the incumbent open-source enterprise VPN. Slower than WireGuard, larger support ecosystem, well-understood by enterprise IT.
- Tailscale (managed cloud) — easiest onboarding by far, largest ecosystem, no self-hosted control plane option without Headscale. Metadata lives on Tailscale’s infrastructure.
Bottom line
Defguard solves a real problem that the rest of the WireGuard management space mostly sidesteps: MFA that actually happens at the connection level, not at a web portal that hands you a config file. If your security model cares about the difference, Defguard is the only open-source option that delivers it. The Rust codebase, published pen tests, SBOM scans, and ISO certification are evidence of a team that takes security engineering seriously — not a project that bolted a VPN onto a web UI.
The tradeoffs are real and worth naming directly: the license situation is contested (AGPLv3 + non-FOSS enterprise parts, not a clean open-source distribution [3]), the deployment is complex enough that the team’s own 2026 priorities center on fixing it [2], and the community and review corpus are thin for a security-critical piece of infrastructure. The product is young — first paying customers in 2024 — and you’re making a longer-term bet than you would with Netbird or Headscale.
For the right buyer — a 20–200 person organization with a technical ops person, EU data requirements, and a concrete reason to care about VPN-level MFA — the math and the architecture both point here. For everyone else, Headscale or Netbird will get you self-hosted WireGuard faster with less complexity and more community resources to draw on.
Sources
- [1] r/selfhosted — “defguard 1.1 with All Enterprise features free!” (Reddit, posted by robert_teonite). https://www.reddit.com/r/selfhosted/comments/1gvpxte/defguard_11_with_all_enterprise_features_free/
- [2] Robert Olejnik — “2025 Summary & Future Plans for 2026 and beyond” (Defguard blog, January 9, 2026). https://defguard.net/blog/2025-summary-future-plans/
- [3] isitreallyfoss.com — “Defguard: Is it really foss?” (Reviewed 2025-06-17). https://isitreallyfoss.com/projects/defguard/
- [4] Defguard — Security Approach (official security page). https://defguard.net/security
- [5] SoftwareAdvice IE — “Defguard Reviews, Pricing & Demos” (includes user review from January 2026, IT & Services, 201–500 employees). https://www.softwareadvice.ie/software/534604/Defguard
- [6] ITKeyMedia — “Europe’s Future is Self-Hosted: Polish Defguard Redefines Enterprise VPN & IAM and Secures EUR 1.2M”. https://itkey.media/europes-future-is-self-hosted-polish-defguard-redefines-enterprise-vpn-iam-and-secures-eur-1-2m/
Primary sources:
- [README] GitHub repository: https://github.com/defguard/defguard (2,651 stars)
- [website] Official website: https://defguard.net
- Documentation: https://docs.defguard.net