Create your VPN network

Before we start

  • Make sure your Defguard instance is deployed and running

  • Make sure you downloaded our Wireguard Gateway

  • Make sure you know what Wireguard is and have basic understanding of how it works

Network creation wizard

After successful deployment of your Defguard instance first screen you'll see will look like this

Network name and type

Nothing fancy in this step just pick your network name and type

Currently only supported network type is regular but we hope it'll change in a short future

Network configuration

After choosing a name for your network you"ll be on to the next step which is network configuration this is where things might feel a little bit complicated but no worries it be as painless as possible.

Let's briefly discuss all of these weird inputs


It’s the IP address of the network interface that Wireguard sets up for the peer.

The IP address for a WireGuard interface is defined with a network prefix, which tells the local host what other IP addresses are available on the same virtual subnet as the interface. In the above placeholder, this prefix is /24. That indicate to the localhost that other addresses in the same /24 block as the address itself ( to are routable through the interface.

Network port

Port on which Wireguard listens on the gateway

Gateway endpoint

It's IP address of your gateway in Wireguard words Endpoint is the remote peer's "real" IP address and port, outside of the WireGuard VPN. This setting tells the localhost how to connect to the remote peer in order to set up a WireGuard tunnel.

Network port and gateway endpoint port can be different if Wireguard server is behind NAT/Firewall

Optional settings:

Allowed IPs

is the set of IP addresses the localhost should route to the remote peer through the WireGuard tunnel. This setting tells the localhost what goes in a tunnel.


DNS specifies DNS resolver to query when the WireGuard interface is up.

For now defguard (and defguard client) only supports a single DNS server (single IP) and doesn't support DNS search domains.

So dns server should be one IP, like:

What to do after wizard completion?

After completing all steps from above you will be redirected to Network overview page which detect if your gateway is connected or not if your gateway never connected to Defguard you'll see modal looking like this

Wireguard Gateway setup

Wireguard Gateway is a client program which connects to Defguard in order to setup your network and send all information about your network and it's users. You can think about it like waiter which delivers food(data eg. stats, configuration) between client(Defguard server) and server(wireguard server) and takes orders from Defguard server to setup your network.

First run

After creating your network on Defguard you'll see modal pop-up as in picture above with docker run command to start your gateway server but there are other options to start your server.

If you want to use above command make sure you have docker installed.

Second option is downloading source code from this repository and building it using cargo build --release command then you'll find binary file named gateway at target/release directory

Or if you don't want to build it yourself, you can find prebuild binaries here.

Environmental variables / Arguments

If you're using docker image you can pass this value as environmental variables on binary you can pass them as arguments

DEFGUARD_USERSPACE , -u - Use userspace wireguard implementation, useful on systems without native wireguard support

DEFGUARD_GRPC_URL , -g - Defguard server gRPC endpoint URL default is https://localhost:50055

DEFGUARD_STATS_PERIOD ,-p - Defines how often (seconds) should interface statistics be sent to Defguard server

DEFGUARD_TOKEN ,-t - Token received on Defguard after completing network wizard

VPN feature in depth

If you think something above is complicated or unclear you might want to take a look at our in depth Wireguard VPN explanation.

Last updated