Deploying your instance

defguard comes with four main components:

  • Core service - main web UI and database

  • Proxy service - used to safely expose a subset of public functionalities

  • VPN gateway server - retrieves configuration from core and configures VPN interfaces on the gateway server

  • Provisioning station - client application which can be started on any pc to auto generate PGP keys for YubiKey

There is one external component required: PostgreSQL database.

Hardware requirements

All defguard components are very low resource-consuming. All of them are written in Rust and are single binaries. As minimum setup as follows should be more then enough:

ResourceMinimum requirements


1 GHz


2 GB (mostly for PostgreSQL)


2 GB


x86_64, ARM64

Quick start

The easiest way to run your own defguard instance is to use Docker and our one-line install script.

Just run the command below in your shell and follow the prompts:

curl --proto '=https' --tlsv1.2 -sSf -L -O && bash

To learn more about the script and available options please see the documentation.

Manual deployment

If you prefer to configure and deploy defguard manually see the examples below:

Client services

On initial startup a new admin user will be created with a password which can be configured by the DEFGUARD_DEFAULT_ADMIN_PASSWORD environment variable (by default it's pass123). Use those credentials to log in and start exploring the system.


See our Configuration document to check all configurable things before you start. And learn about our Architecture here to see how it works.


All services within the Defguard architecture can be updated independently although it's recommended to always use newest version of services and update them all together to avoid situtations like Core expecting some not existing feature in Gateway. Check the GitHub repositories for each service to find their newest releases and release notes.

  • Docker - For Docker and Kubernetes based setup just change docker image version for service you want to update.

  • Packages(DEB, RPM, etc.) - Currently we don't have any package repository so if you want to update your service installed as package you have to download new version from service repository.

GitHub Repositories:


Core service is the only service which uses persistent data storage which is PostgreSQL database. Every SQL migration is applied automatically while bringing up core server and we try our best not to break anything in the process. It's recommended to do database, configuration and Settings(SMTP, Branding) backup before every update in case of some unexpected failure.

Example database backup:

docker exec {container_name} pg_dump -U {user_name} > {backup_file_name}


For now the Gateway can be deployed on multiple servers/firewall/routers for failover and HA - even if the connection to the Core will be lost, gateways will operate with their local cache/data and the VPN will be working. Same works the other way around if gateway don't work or is not available other features from Core like OpenID will be working.

Last updated