diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 907141d1..0294bb8c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -193,14 +193,15 @@ jobs: fpm_args: "defguard-gateway-${{ env.VERSION }}-x86_64-unknown-freebsd=/usr/local/bin/defguard-gateway freebsd/defguard_gateway=/usr/local/etc/rc.d/defguard_gateway - example-config.toml=/etc/defguard/gateway.toml" + example-config.toml=/etc/defguard/gateway.toml.sample" fpm_opts: "--architecture amd64 --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway-${{ env.VERSION }}_x86_64-unknown-freebsd.pkg --freebsd-osversion '*' - --depends openssl" + --depends openssl + --after-install freebsd/post-install.sh" - name: Build OPNsense package uses: defGuard/fpm-action@ebb2575fbb892876fbdd326bb6d12524fbd7398c # main @@ -208,7 +209,7 @@ jobs: fpm_args: "defguard-gateway-${{ env.VERSION }}-x86_64-unknown-freebsd=/usr/local/bin/defguard-gateway freebsd/defguard_gateway=/usr/local/etc/rc.d/defguard_gateway - example-config.toml=/etc/defguard/gateway.toml + example-config.toml=/etc/defguard/gateway.toml.sample freebsd/defguard-rc.conf=/etc/rc.conf.d/defguard_gateway opnsense/src/etc/=/usr/local/etc/ opnsense/src/opnsense/=/usr/local/opnsense/" @@ -218,7 +219,8 @@ jobs: --version ${{ env.VERSION }} --package defguard-gateway-${{ env.VERSION }}_x86_64-unknown-opnsense.pkg --freebsd-osversion '*' - --depends openssl" + --depends openssl + --after-install freebsd/post-install.sh" - name: Upload Linux x86_64 archive uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 diff --git a/README.md b/README.md index dfca4e14..48f01bfc 100644 --- a/README.md +++ b/README.md @@ -1,55 +1,91 @@ -

- defguard -

+

+ defguard +

-**defguard gateway** is a client service for [defguard](https://github.com/DefGuard/defguard) which can be used to create your own [WireGuard:tm:](https://www.wireguard.com/) VPN servers for secure and private networking. +# Defguard Gateway -To learn more about the system see our [documentation](https://defguard.gitbook.io). +**Defguard Gateway** is a service component of [Defguard](https://github.com/DefGuard/defguard) that enables you to create and manage your own [WireGuard](https://www.wireguard.com/) VPN servers for secure and private networking. -## Quick start +Defguard is a self-hosted secure remote access platform that combines WireGuard VPN, identity and access management, multi-factor authentication, and network access control in a single solution. -If you already have your defguard instance running you can set up a gateway by following our [deployment guide](https://defguard.gitbook.io/defguard/features/setting-up-your-instance/gateway). +Built with a security-first architecture, Defguard helps organizations securely manage access to infrastructure, applications, and private networks while maintaining full control over their environment. -## Documentation +## Why Defguard? + +Modern organizations often rely on multiple disconnected tools to manage identity, VPN access, authentication, and network permissions. Defguard brings these capabilities together into a unified platform designed for security, transparency, and operational simplicity. 
+ +Key principles behind Defguard: + +- ๐Ÿ“– Open-source core (AGPL), open-code Enterprise components +- ๐Ÿ  Fully self-hosted โ€” no external dependencies or data leaving your infrastructure +- ๐Ÿ”’ Security-first: [Zero-Trust VPN](https://docs.defguard.net/features/wireguard) with connection-level MFA, [architecture](https://docs.defguard.net/in-depth/architecture) designed to minimize attack surface +- ๐Ÿ” Transparency: [published SBOMs](https://defguard.net/sbom/), [penetration test reports](https://defguard.net/pentesting/), [architecture decision records](https://docs.defguard.net/in-depth/architecture-decision-records) + +For detailed security information see the [secure-by-design documentation](https://docs.defguard.net/in-depth/secure-by-design). + +## Core Capabilities + +- ๐ŸŒ **WireGuard VPN** โ€” multiple locations with per-location access control, MFA per connection, self-service device setup, kernel and userspace support +- ๐Ÿ‘ฅ **Identity & Access Management** โ€” internal OIDC provider for SSO, external OIDC (Google, Microsoft, custom), LDAP/AD sync, remote enrollment, user self-service +- ๐Ÿ”‘ **Multi-Factor Authentication** โ€” TOTP, WebAuthn/FIDO2, email tokens, biometric via mobile app +- ๐Ÿ›ก๏ธ **Firewall** โ€” allow/deny rules per VPN location by user or group, applied in real time +- ๐Ÿ“‹ **Activity Log** โ€” audit log with filtering and search; real-time SIEM streaming (Enterprise) +- ๐Ÿ”— **Integrations** โ€” webhooks and REST API + +## Clients -See the [documentation](https://docs.defguard.net) for more information. +- ๐Ÿ–ฅ๏ธ **Desktop** (Linux, macOS, Windows) โ€” VPN management with MFA, multi-instance and multi-location support, and real-time connection statistics. [Download](https://defguard.net/download/) +- ๐Ÿ“ฑ **Mobile** (Android, iOS) โ€” VPN management with MFA, QR code onboarding. 
[Android](https://play.google.com/store/apps/details?id=net.defguard.mobile) ยท [iOS](https://apps.apple.com/us/app/defguard-vpn-client/id6748068630) -## Community and Support +## Architecture -Find us on Matrix: [#defguard:teonite.com](https://matrix.to/#/#defguard:teonite.com) +Defguard follows a component-based architecture designed to reduce attack surface and support secure deployments. -## Contribution +

+ architecture +

-Please review the [Contributing guide](https://defguard.gitbook.io/defguard/for-developers/contributing) for information on how to get started contributing to the project. You might also find our [environment setup guide](https://defguard.gitbook.io/defguard/for-developers/dev-env-setup) handy. +Strict division of responsibilities and network segmentation: +- **Core** - central management plane: identity, authentication, authorization, and policy +- **Edge** - public-facing entry point, exposes selected Defguard services [GitHub repo](https://github.com/DefGuard/proxy) +- **Gateway** - WireGuard tunnel manager, routes secure VPN traffic between users and your protected networks [GitHub repo](https://github.com/DefGuard/gateway) + +For details refer to the [architecture documentation](https://docs.defguard.net/in-depth/architecture). + +## Quick Start + +The fastest way to evaluate Defguard is with the [one-line installer](https://docs.defguard.net/getting-started/one-line-install): + +```bash +bash <(curl -sSL https://raw.githubusercontent.com/defguard/deployment/main/docker-compose2.0/setup.sh) +``` + +โš ๏ธ Warning! This installation method is intended for testing, demonstrations, and evaluation purposes only. It is not recommended for production deployments. See the [deployment documentation](https://docs.defguard.net/deployment-strategies/overview) for production deployment guidance, architecture recommendations, and high-availability configurations. + +## Documentation -## Verifiability of releases +Comprehensive documentation is available at: https://docs.defguard.net -We provide following ways to verify the authenticity and integrity of official releases: +## Video guides -### Docker Image Verification with Cosign +Visit out YouTube channel to see our [video guides](https://www.youtube.com/playlist?list=PLVR33X0CUHUcoyLshs9S8VbsGgggouCAW). -All official Docker images are signed using [Cosign](https://docs.sigstore.dev/cosign/overview/). 
To verify a Docker image: +## Community -1. [Install](https://github.com/sigstore/cosign?tab=readme-ov-file#installation) cosign CLI +We want to get as much feedback as possible, so we encourage you to: -2. Verify the image signature (replace with the tag you want to verify): - ```bash - cosign verify --certificate-identity-regexp="https://github.com/DefGuard/gateway" \ - --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ - ghcr.io/defguard/defguard: - ``` +- ๐Ÿ’ฌ open a [GitHub discussion](https://github.com/DefGuard/defguard/discussions/new/choose) +- ๐Ÿชฒ report any missing [features](https://github.com/DefGuard/defguard/issues/new?assignees=&labels=feature&projects=&template=feature_request.md&title=) or [bugs](https://github.com/DefGuard/defguard/issues/new?assignees=&labels=bug&projects=&template=bug_report.md&title=) as issues -### Release Asset Verification +## Contributions -All release assets (binaries, packages, etc.) include SHA256 checksums that are automatically generated and published with each GitHub release: +Please review the [Contributing guide](https://docs.defguard.net/for-developers/contributing) for information on how to get started contributing to the project. You might also find our [environment setup guide](https://docs.defguard.net/for-developers/dev-env-setup) handy. -1. Download the release asset and copy its corresponding checksum from the [releases page](https://github.com/DefGuard/gateway/releases) +## License +The code in this repository is available under a dual licensing model: -2. Verify the checksum: - ```bash - # Linux/macOS - echo known_sha256_checksum_of_the_file path/to/file | sha256sum --check - ``` +- Open Source License: The code, except for the contents of the "src/enterprise" directory, is licensed under the AGPL license (see file LICENSE.md in this repository). This applies to the open core components of the software. 
+- Enterprise License: All code in this repository (including within the "src/enterprise" directory) is licensed under a separate Enterprise License (see file src/enterprise/LICENSE.md). -# Legal -WireGuard is [registered trademarks](https://www.wireguard.com/trademark-policy/) of Jason A. Donenfeld. +## Legal +WireGuardยฎ is [registered trademarks](https://www.wireguard.com/trademark-policy/) of Jason A. Donenfeld. \ No newline at end of file diff --git a/docs/cover-image_smaller-logo.png b/docs/cover-image_smaller-logo.png new file mode 100644 index 00000000..7cf13943 Binary files /dev/null and b/docs/cover-image_smaller-logo.png differ diff --git a/freebsd/post-install.sh b/freebsd/post-install.sh new file mode 100644 index 00000000..863b135b --- /dev/null +++ b/freebsd/post-install.sh @@ -0,0 +1,6 @@ +#!/bin/sh +CONFIG=/etc/defguard/gateway.toml + +if [ ! -f "${CONFIG}" ]; then + cp "${CONFIG}.sample" "${CONFIG}" +fi
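Review bot: in the first release.yml hunk (FreeBSD package, `@@ -193,14 +193,15`), the new `--after-install freebsd/post-install.sh` only does the right thing if the script's hardcoded `/etc/defguard/gateway.toml` stays identical to the destination in `example-config.toml=/etc/defguard/gateway.toml.sample`; the two paths now live in different files with nothing tying them together, so a later edit to either one would silently stop first-install config creation. Either pass the config path into the script or add a comment on both sides pointing at the other, and note that on upgrade the existing `gateway.toml` is deliberately preserved (worth stating in the release notes, since operators previously had their config overwritten by the package file).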
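Review bot: the second release.yml hunk (OPNsense package, `@@ -208,7 +209,7`) repeats the same `example-config.toml=/etc/defguard/gateway.toml.sample` mapping as the FreeBSD block; style point, but consider hoisting the mapping into a job-level `env` value so both packages pick it up from one place and cannot drift. This hunk also shows the package installs `freebsd/defguard-rc.conf=/etc/rc.conf.d/defguard_gateway`; if that file enables the service, the copied sample becomes the live config of a service that may start on boot, so confirm the sample contains no values that would let the gateway come up in an unintended state.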
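Review bot: the third release.yml hunk (`@@ -218,7 +219,8`) attaches `--after-install freebsd/post-install.sh` to the OPNsense package as well, but nothing in the workflow exercises the hook. A smoke-test step that installs the generated `.pkg` in a FreeBSD jail, asserts `/etc/defguard/gateway.toml` exists, reinstalls, and asserts the file was not replaced would cover both packages and catch a regression in the sample-to-config flow before a release ships.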
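Review bot: the README hunk drops the whole "Verifiability of releases" section (the `cosign verify ... ghcr.io/defguard/defguard:` command and the `sha256sum --check` instructions) without pointing readers anywhere else; release signature and checksum verification is the kind of guidance that should stay in the README or at least be replaced by a link to its new home in the docs. Smaller points in the same hunk: "Visit out YouTube channel" should read "Visit our YouTube channel"; "WireGuard® is registered trademarks" should read "is a registered trademark"; the file now ends without a trailing newline; and the Community links, issue templates and the License section's reference to the "src/enterprise" directory all come from the DefGuard/defguard repository, so confirm that gateway bugs are meant to be filed there and that this repository actually has a `src/enterprise` directory before describing its licensing.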
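Review bot: in `freebsd/post-install.sh`, `cp "${CONFIG}.sample" "${CONFIG}"` creates the live config with the sample's mode filtered through the installer's umask, so whatever permissions the package gives the sample are what `gateway.toml` ends up with, and that is the file operators will fill with deployment-specific values. Prefer `install -m 0600 "${CONFIG}.sample" "${CONFIG}"` (or a `chmod 0600` after the copy) so the live config is restrictive by default, and add `set -eu` at the top so a failed copy fails the package install explicitly rather than relying on the `if` statement's exit status propagating.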