// the find
DefGuard/defguard
Zero-Trust access management with true WireGuard® 2FA/MFA
DefGuard is a self-hosted platform that combines WireGuard VPN, an OIDC/OAuth2 provider, MFA, and per-user firewall rules into one system. It fills a real gap: most WireGuard UIs are just config generators, but DefGuard actually enforces MFA at the connection level. Target audience is small-to-medium teams that want to ditch Tailscale or a commercial VPN without stitching together five separate tools.
The component split between Core, Proxy (the internet-facing edge component), and Gateway is architecturally sound: the management plane (Core) never terminates connections from the public internet, which is the right call for a security product. The hundreds of `.sqlx/query-*.json` files are sqlx's offline query cache: every `sqlx::query!` macro is type-checked at build time against the cached column and parameter metadata, so a query that names a column the schema no longer has fails compilation instead of failing at runtime. That is narrower than "no runtime SQL errors": the check covers only the macro-based queries, and it is only as trustworthy as the cache, so a CI job should run `cargo sqlx prepare --check` against a migrated database to catch a stale or hand-edited cache. Published SBOMs and penetration test reports are rare for an open-source security tool and signal that the team takes supply-chain transparency seriously. WireGuard MFA enforced when the tunnel is brought up, not only at portal login, is the standout feature; most WireGuard front-ends gate only the config download, and once the peer is installed the tunnel works with no second factor at all.
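Because the compile-time guarantee above only holds for a cache that matches the source, here is a small integrity check for that cache, added as an example for this writeup rather than code from the DefGuard repo. It assumes the sqlx offline-cache layout: one `query-<hash>.json` per query, where `<hash>` is the hex SHA-256 of the SQL text and is repeated in the file's `hash` field. The two sample entries are constructed, not copied from DefGuard, and `check_cache_dir` is the hypothetical entry point you would point at a checkout's `.sqlx/` directory.

```python
"""Integrity check for a sqlx offline query cache (.sqlx/query-*.json).

Added example, not DefGuard's own code. Assumptions (labelled as such):
each file is named query-<hash>.json, <hash> is the hex SHA-256 of the SQL
text, and the JSON repeats that value in its "hash" field. A mismatch means
the entry was hand-edited or the cache was not regenerated after the query
changed. This does NOT detect schema drift; for that, run
`cargo sqlx prepare --check` against a migrated database in CI.
"""
import hashlib
import json
import os
from typing import Dict, List


def query_hash(sql: str) -> str:
    """Hex SHA-256 of the query text, the value sqlx uses in the file name."""
    return hashlib.sha256(sql.encode("utf-8")).hexdigest()


def check_entry(filename: str, entry: Dict) -> List[str]:
    """Return the problems found in one cache entry (empty list means OK)."""
    problems: List[str] = []
    for key in ("db_name", "query", "describe", "hash"):
        if key not in entry:
            problems.append(f"{filename}: missing field {key!r}")
    if problems:
        return problems
    if entry["hash"] != query_hash(entry["query"]):
        problems.append(
            f"{filename}: 'hash' does not match SHA-256 of 'query' "
            "(stale or edited entry; re-run `cargo sqlx prepare`)"
        )
    if filename != f"query-{entry['hash']}.json":
        problems.append(f"{filename}: file name does not match 'hash' field")
    return problems


def check_cache_dir(path: str) -> List[str]:
    """Check every query-*.json under `path` (hypothetical CLI entry point)."""
    problems: List[str] = []
    for name in sorted(os.listdir(path)):
        if not (name.startswith("query-") and name.endswith(".json")):
            continue
        with open(os.path.join(path, name), encoding="utf-8") as fh:
            try:
                entry = json.load(fh)
            except json.JSONDecodeError as exc:
                problems.append(f"{name}: invalid JSON ({exc})")
                continue
        problems.extend(check_entry(name, entry))
    return problems


# Constructed sample entries in the sqlx cache shape (not from DefGuard).
GOOD_SQL = 'SELECT id, username FROM "user" WHERE id = $1'
GOOD_ENTRY = {
    "db_name": "PostgreSQL",
    "query": GOOD_SQL,
    "describe": {
        "columns": [
            {"ordinal": 0, "name": "id", "type_info": "Int8"},
            {"ordinal": 1, "name": "username", "type_info": "Text"},
        ],
        "parameters": {"Left": ["Int8"]},
        "nullable": [False, False],
    },
    "hash": query_hash(GOOD_SQL),
}
# The same entry after someone edited the SQL in place without re-running
# `cargo sqlx prepare`: the stored hash no longer matches the text.
STALE_ENTRY = dict(GOOD_ENTRY, query=GOOD_SQL + " AND is_active = true")


def demo() -> List[str]:
    """Run the check over both constructed entries and return the findings."""
    name = f"query-{GOOD_ENTRY['hash']}.json"
    return check_entry(name, GOOD_ENTRY) + check_entry(name, STALE_ENTRY)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The hash check catches a cache that was edited by hand or not regenerated after a query changed; it says nothing about whether the cached column types still match the live schema, which is why the `cargo sqlx prepare --check` step in CI is the one that actually backs the compile-time guarantee.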
The quick-start installer is `bash <(curl ...)`, a poor signal for a security-first project to put front and center in the README: it executes whatever the endpoint serves at that moment, with no pinned version and nothing to verify. For an evaluation, download the script to a file, read it, and pin the release you are installing rather than piping it straight into a shell. The split between the AGPL core and the Enterprise license is vague about exactly what sits behind the paywall: real-time SIEM streaming is called out, but the line between community and paid features is not clearly documented in the repo itself, which will bite you during evaluation. The architecture spans at least three separate repos (core, proxy, gateway), so version compatibility across components is your problem; there is no monorepo lock or compatibility matrix, so upgrade all three together and verify the combination in staging before touching production. Onboarding for non-Docker deployments is thin: the docs lean heavily on the Docker Compose path, and bare-metal or systemd deployment is left mostly as an exercise.