diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 907141d1..0294bb8c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -193,14 +193,15 @@ jobs:
fpm_args:
"defguard-gateway-${{ env.VERSION }}-x86_64-unknown-freebsd=/usr/local/bin/defguard-gateway
freebsd/defguard_gateway=/usr/local/etc/rc.d/defguard_gateway
- example-config.toml=/etc/defguard/gateway.toml"
+ example-config.toml=/etc/defguard/gateway.toml.sample"
fpm_opts:
"--architecture amd64
--output-type freebsd
--version ${{ env.VERSION }}
--package defguard-gateway-${{ env.VERSION }}_x86_64-unknown-freebsd.pkg
--freebsd-osversion '*'
- --depends openssl"
+ --depends openssl
+ --after-install freebsd/post-install.sh"
- name: Build OPNsense package
uses: defGuard/fpm-action@ebb2575fbb892876fbdd326bb6d12524fbd7398c # main
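Review bot: The upgrade path needs checking for the switch from `example-config.toml=/etc/defguard/gateway.toml` to `gateway.toml.sample` plus `--after-install freebsd/post-install.sh`. Earlier packages owned /etc/defguard/gateway.toml directly, so an upgrade may remove that file while replacing the old package, before the after-install script runs. In that case the script finds no config and copies the sample in place of what was an operator-edited file. Please test an upgrade from the previous release with a modified gateway.toml, and if the file is lost, preserve it in a before-install step or document the manual backup.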
@@ -208,7 +209,7 @@ jobs:
fpm_args:
"defguard-gateway-${{ env.VERSION }}-x86_64-unknown-freebsd=/usr/local/bin/defguard-gateway
freebsd/defguard_gateway=/usr/local/etc/rc.d/defguard_gateway
- example-config.toml=/etc/defguard/gateway.toml
+ example-config.toml=/etc/defguard/gateway.toml.sample
freebsd/defguard-rc.conf=/etc/rc.conf.d/defguard_gateway
opnsense/src/etc/=/usr/local/etc/
opnsense/src/opnsense/=/usr/local/opnsense/"
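Review bot: After the rename to `example-config.toml=/etc/defguard/gateway.toml.sample`, nothing in this file list provides /etc/defguard/gateway.toml any more, so the OPNsense package depends entirely on the after-install script to create it. The rc.conf.d file and the opnsense/src/ trees shipped next to it are not touched by this patch; please confirm none of them expect the config to exist before the script has run, or write to the same path themselves.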
@@ -218,7 +219,8 @@ jobs:
--version ${{ env.VERSION }}
--package defguard-gateway-${{ env.VERSION }}_x86_64-unknown-opnsense.pkg
--freebsd-osversion '*'
- --depends openssl"
+ --depends openssl
+ --after-install freebsd/post-install.sh"
- name: Upload Linux x86_64 archive
uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1
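Review bot: `--after-install freebsd/post-install.sh` has no removal counterpart, so the gateway.toml it creates is not tracked by the package and stays in /etc/defguard after the package is removed. If keeping operator config is intentional, say so in the release notes; otherwise add a remove script that deletes the file when it is still identical to gateway.toml.sample. The same applies to the FreeBSD package step earlier in this file.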
diff --git a/README.md b/README.md
index dfca4e14..48f01bfc 100644
--- a/README.md
+++ b/README.md
@@ -1,55 +1,91 @@
-
-
-
+
+
+
-**defguard gateway** is a client service for [defguard](https://github.com/DefGuard/defguard) which can be used to create your own [WireGuard:tm:](https://www.wireguard.com/) VPN servers for secure and private networking.
+# Defguard Gateway
-To learn more about the system see our [documentation](https://defguard.gitbook.io).
+**Defguard Gateway** is a service component of [Defguard](https://github.com/DefGuard/defguard) that enables you to create and manage your own [WireGuard](https://www.wireguard.com/) VPN servers for secure and private networking.
-## Quick start
+Defguard is a self-hosted secure remote access platform that combines WireGuard VPN, identity and access management, multi-factor authentication, and network access control in a single solution.
-If you already have your defguard instance running you can set up a gateway by following our [deployment guide](https://defguard.gitbook.io/defguard/features/setting-up-your-instance/gateway).
+Built with a security-first architecture, Defguard helps organizations securely manage access to infrastructure, applications, and private networks while maintaining full control over their environment.
-## Documentation
+## Why Defguard?
+
+Modern organizations often rely on multiple disconnected tools to manage identity, VPN access, authentication, and network permissions. Defguard brings these capabilities together into a unified platform designed for security, transparency, and operational simplicity.
+
+Key principles behind Defguard:
+
+- ๐ Open-source core (AGPL), open-code Enterprise components
+- ๐ Fully self-hosted โ no external dependencies or data leaving your infrastructure
+- ๐ Security-first: [Zero-Trust VPN](https://docs.defguard.net/features/wireguard) with connection-level MFA, [architecture](https://docs.defguard.net/in-depth/architecture) designed to minimize attack surface
+- ๐ Transparency: [published SBOMs](https://defguard.net/sbom/), [penetration test reports](https://defguard.net/pentesting/), [architecture decision records](https://docs.defguard.net/in-depth/architecture-decision-records)
+
+For detailed security information see the [secure-by-design documentation](https://docs.defguard.net/in-depth/secure-by-design).
+
+## Core Capabilities
+
+- ๐ **WireGuard VPN** โ multiple locations with per-location access control, MFA per connection, self-service device setup, kernel and userspace support
+- ๐ฅ **Identity & Access Management** โ internal OIDC provider for SSO, external OIDC (Google, Microsoft, custom), LDAP/AD sync, remote enrollment, user self-service
+- ๐ **Multi-Factor Authentication** โ TOTP, WebAuthn/FIDO2, email tokens, biometric via mobile app
+- ๐ก๏ธ **Firewall** โ allow/deny rules per VPN location by user or group, applied in real time
+- ๐ **Activity Log** โ audit log with filtering and search; real-time SIEM streaming (Enterprise)
+- ๐ **Integrations** โ webhooks and REST API
+
+## Clients
-See the [documentation](https://docs.defguard.net) for more information.
+- ๐ฅ๏ธ **Desktop** (Linux, macOS, Windows) โ VPN management with MFA, multi-instance and multi-location support, and real-time connection statistics. [Download](https://defguard.net/download/)
+- ๐ฑ **Mobile** (Android, iOS) โ VPN management with MFA, QR code onboarding. [Android](https://play.google.com/store/apps/details?id=net.defguard.mobile) ยท [iOS](https://apps.apple.com/us/app/defguard-vpn-client/id6748068630)
-## Community and Support
+## Architecture
-Find us on Matrix: [#defguard:teonite.com](https://matrix.to/#/#defguard:teonite.com)
+Defguard follows a component-based architecture designed to reduce attack surface and support secure deployments.
-## Contribution
+
+
+
-Please review the [Contributing guide](https://defguard.gitbook.io/defguard/for-developers/contributing) for information on how to get started contributing to the project. You might also find our [environment setup guide](https://defguard.gitbook.io/defguard/for-developers/dev-env-setup) handy.
+Strict division of responsibilities and network segmentation:
+- **Core** - central management plane: identity, authentication, authorization, and policy
+- **Edge** - public-facing entry point, exposes selected Defguard services [GitHub repo](https://github.com/DefGuard/proxy)
+- **Gateway** - WireGuard tunnel manager, routes secure VPN traffic between users and your protected networks [GitHub repo](https://github.com/DefGuard/gateway)
+
+For details refer to the [architecture documentation](https://docs.defguard.net/in-depth/architecture).
+
+## Quick Start
+
+The fastest way to evaluate Defguard is with the [one-line installer](https://docs.defguard.net/getting-started/one-line-install):
+
+```bash
+bash <(curl -sSL https://raw.githubusercontent.com/defguard/deployment/main/docker-compose2.0/setup.sh)
+```
+
+โ ๏ธ Warning! This installation method is intended for testing, demonstrations, and evaluation purposes only. It is not recommended for production deployments. See the [deployment documentation](https://docs.defguard.net/deployment-strategies/overview) for production deployment guidance, architecture recommendations, and high-availability configurations.
+
+## Documentation
-## Verifiability of releases
+Comprehensive documentation is available at: https://docs.defguard.net
-We provide following ways to verify the authenticity and integrity of official releases:
+## Video guides
-### Docker Image Verification with Cosign
+Visit out YouTube channel to see our [video guides](https://www.youtube.com/playlist?list=PLVR33X0CUHUcoyLshs9S8VbsGgggouCAW).
-All official Docker images are signed using [Cosign](https://docs.sigstore.dev/cosign/overview/). To verify a Docker image:
+## Community
-1. [Install](https://github.com/sigstore/cosign?tab=readme-ov-file#installation) cosign CLI
+We want to get as much feedback as possible, so we encourage you to:
-2. Verify the image signature (replace with the tag you want to verify):
- ```bash
- cosign verify --certificate-identity-regexp="https://github.com/DefGuard/gateway" \
- --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
- ghcr.io/defguard/defguard:
- ```
+- ๐ฌ open a [GitHub discussion](https://github.com/DefGuard/defguard/discussions/new/choose)
+- ๐ชฒ report any missing [features](https://github.com/DefGuard/defguard/issues/new?assignees=&labels=feature&projects=&template=feature_request.md&title=) or [bugs](https://github.com/DefGuard/defguard/issues/new?assignees=&labels=bug&projects=&template=bug_report.md&title=) as issues
-### Release Asset Verification
+## Contributions
-All release assets (binaries, packages, etc.) include SHA256 checksums that are automatically generated and published with each GitHub release:
+Please review the [Contributing guide](https://docs.defguard.net/for-developers/contributing) for information on how to get started contributing to the project. You might also find our [environment setup guide](https://docs.defguard.net/for-developers/dev-env-setup) handy.
-1. Download the release asset and copy its corresponding checksum from the [releases page](https://github.com/DefGuard/gateway/releases)
+## License
+The code in this repository is available under a dual licensing model:
-2. Verify the checksum:
- ```bash
- # Linux/macOS
- echo known_sha256_checksum_of_the_file path/to/file | sha256sum --check
- ```
+- Open Source License: The code, except for the contents of the "src/enterprise" directory, is licensed under the AGPL license (see file LICENSE.md in this repository). This applies to the open core components of the software.
+- Enterprise License: All code in this repository (including within the "src/enterprise" directory) is licensed under a separate Enterprise License (see file src/enterprise/LICENSE.md).
-# Legal
-WireGuard is [registered trademarks](https://www.wireguard.com/trademark-policy/) of Jason A. Donenfeld.
+## Legal
+WireGuardยฎ is [registered trademarks](https://www.wireguard.com/trademark-policy/) of Jason A. Donenfeld.
\ No newline at end of file
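Review bot: The rewrite drops the whole "Verifiability of releases" section (the `cosign verify` command and the `sha256sum --check` step) with no replacement, which leaves users of the packages built by this same change without a documented way to check a release. Please keep the section or link to where it now lives; the old cosign example pointed at `ghcr.io/defguard/defguard:` while matching the gateway repository identity, so it may be better corrected than removed. Smaller points: the new Quick Start pipes setup.sh from the `main` branch of the deployment repository straight into bash, so consider referencing a tagged revision; "Visit out YouTube channel" should read "our"; "is [registered trademarks]" should be "is a registered trademark"; and the file now ends without a trailing newline.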
diff --git a/docs/cover-image_smaller-logo.png b/docs/cover-image_smaller-logo.png
new file mode 100644
index 00000000..7cf13943
Binary files /dev/null and b/docs/cover-image_smaller-logo.png differ
diff --git a/freebsd/post-install.sh b/freebsd/post-install.sh
new file mode 100644
index 00000000..863b135b
--- /dev/null
+++ b/freebsd/post-install.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+CONFIG=/etc/defguard/gateway.toml
+
+if [ ! -f "${CONFIG}" ]; then
+ cp "${CONFIG}.sample" "${CONFIG}"
+fi
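Review bot: `cp "${CONFIG}.sample" "${CONFIG}"` creates the live config with the sample's permissions, so it ends up as widely readable as the packaged sample. If gateway.toml is expected to hold credentials, create it with an explicit owner and mode (for example with install -m 0600) rather than a plain cp. The script also assumes /etc/defguard/gateway.toml.sample is present; a short error message when the copy fails would make a broken package easier to diagnose.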