Configuration
Here you can find a list of everything that can be configured through environment variables in the Defguard core server, the YubiBridge client and the Gateway client.

Environment variables that are not already set are loaded from `.env` files by the `dotenvy` crate. The default `.env` file can be overridden by creating `.env.local`, which is not tracked by git. You can generate random strings for secrets with e.g.:

```shell
openssl rand -base64 55 | tr -d "=+/" | tr -d '\n' | cut -c1-64
```
- `DEFGUARD_DATABASE_URL`: your database URL, default: `sqlite::memory`
- `DEFGUARD_HTTP_PORT`: core server port, default: `8000`
- `DEFGUARD_AUTH_SECRET`: JWT secret key for encrypting user tokens, default: `DEFGUARD_AUTH_SECRET`
- `DEFGUARD_YUBIBRIDGE_SECRET`: JWT secret key for encrypting YubiBridge tokens, default: `DEFGUARD_YUBIBRIDGE_SECRET`
- `DEFGUARD_GATEWAY_SECRET`: JWT secret key for encrypting Gateway tokens, default: `DEFGUARD_GATEWAY_SECRET`
- `DEFGUARD_SECRET_KEY`: JWT secret key for encrypting private cookies; must be at least 64 characters long
- `DEFGUARD_WG_SERVICE_URL`: WireGuard service instance to connect to, default: `http://wireguard:50051`
- `DEFGUARD_URL`: URL of your server instance, default: `localhost:8000`; needed for the OpenID discovery endpoint to work correctly.
- `DEFGUARD_WEBAUTHN_RP_ID` (optional): relying party ID and relying party origin for WebAuthn, used for MFA. By default it is generated from the base domain of `DEFGUARD_URL` (for example `https://defguard.example.com` is converted to `defguard.example.com`). `DEFGUARD_WEBAUTHN_RP_ID` must be an effective domain of `DEFGUARD_URL` (for example, if hosting at `https://idm.example.com`, `rp_id` must be `idm.example.com`, `example.com` or `com`). Changing `DEFGUARD_WEBAUTHN_RP_ID` will potentially break all your existing WebAuthn credentials.
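As an added example (not part of the Defguard documentation or code base), the following Python helper checks a core server environment against the rules above: secrets left at their documented defaults, the 64-character minimum for `DEFGUARD_SECRET_KEY`, and whether `DEFGUARD_WEBAUTHN_RP_ID` is an effective domain of `DEFGUARD_URL`. It also offers `secrets.token_urlsafe` as an alternative to the openssl one-liner; the function names and the dict of defaults are this example's own assumptions.

```python
import secrets
from urllib.parse import urlsplit

# Defaults quoted on this page; a deployment still using any of them is misconfigured.
# (The dict and function names in this file are this example's own, not Defguard's.)
PLACEHOLDER_SECRETS = {
    "DEFGUARD_AUTH_SECRET": "DEFGUARD_AUTH_SECRET",
    "DEFGUARD_YUBIBRIDGE_SECRET": "DEFGUARD_YUBIBRIDGE_SECRET",
    "DEFGUARD_GATEWAY_SECRET": "DEFGUARD_GATEWAY_SECRET",
    "DEFGUARD_DEFAULT_ADMIN_PASSWORD": "pass123",
}

def generate_secret_key() -> str:
    """Alternative to the openssl one-liner: 48 random bytes as base64url is exactly 64 chars."""
    return secrets.token_urlsafe(48)

def default_rp_id(defguard_url: str) -> str:
    """Base domain of DEFGUARD_URL, which is the default WebAuthn RP ID."""
    # The documented default DEFGUARD_URL is "localhost:8000", with no scheme;
    # urlsplit() only parses the host correctly when a scheme is present.
    if "://" not in defguard_url:
        defguard_url = "http://" + defguard_url
    host = urlsplit(defguard_url).hostname
    if not host:
        raise ValueError(f"no host found in DEFGUARD_URL: {defguard_url!r}")
    return host

def rp_id_is_effective_domain(rp_id: str, defguard_url: str) -> bool:
    """True if rp_id equals the DEFGUARD_URL host or is a dot-separated suffix of it."""
    host = default_rp_id(defguard_url)
    rp_id = rp_id.strip().lower().rstrip(".")
    return rp_id == host or host.endswith("." + rp_id)

def check_core_env(env: dict) -> list:
    """Return a list of problems found in a core server environment (empty means ok)."""
    problems = []
    for name, placeholder in PLACEHOLDER_SECRETS.items():
        # An unset variable falls back to the documented default, so it is flagged too.
        if env.get(name, placeholder) == placeholder:
            problems.append(f"{name} still has its default value")
    if len(env.get("DEFGUARD_SECRET_KEY", "")) < 64:
        problems.append("DEFGUARD_SECRET_KEY must be at least 64 characters long")
    url = env.get("DEFGUARD_URL", "localhost:8000")
    rp_id = env.get("DEFGUARD_WEBAUTHN_RP_ID")
    if rp_id and not rp_id_is_effective_domain(rp_id, url):
        problems.append(f"DEFGUARD_WEBAUTHN_RP_ID {rp_id!r} is not an effective domain of {url!r}")
    return problems
```

Browsers additionally refuse RP IDs that are bare public suffixes such as `com`, so in practice use the host itself or a registrable parent domain.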
- `DEFGUARD_ADMIN_GROUPNAME`: name of the administrator group, default: `admin`
- `DEFGUARD_DEFAULT_ADMIN_PASSWORD`: password for the default `admin` user, default: `pass123`
- `DEFGUARD_COOKIE_INSECURE`: set cookies without the `Secure` flag; use only in dev environments when serving Defguard without HTTPS
- `DEFGUARD_COOKIE_DOMAIN` (optional): set the domain for auth cookies. By default it is the domain from `DEFGUARD_URL`. Must be changed to the base URL if you want to use forward auth.
- `DEFGUARD_DISABLE_STATS_PURGE`: disable periodic cleanup of old WireGuard stats
- `DEFGUARD_STATS_PURGE_FREQUENCY`: how often the cleanup process should be performed, default: `24h`
- `DEFGUARD_STATS_PURGE_THRESHOLD`: age threshold for stats removal, default: `30d`
- `DEFGUARD_ENROLLMENT_URL`: external URL of the enrollment proxy server, default: `http://localhost:8080`
- `DEFGUARD_ENROLLMENT_TOKEN_TIMEOUT`: how long the enrollment token is valid for use, default: `24h`
- `DEFGUARD_ENROLLMENT_SESSION_TIMEOUT`: how long the enrollment session is valid after the user uses the token to start the enrollment process, default: `10m`
- `DEFGUARD_GRPC_PORT`: gRPC server port, default: `50055`
- `DEFGUARD_GRPC_CERT` (optional): path to TLS certificate file
- `DEFGUARD_GRPC_KEY` (optional): path to TLS key file
- `DEFGUARD_GRPC_URL`: external URL of your instance's gRPC server, default: `http://localhost:50055`; used for generating the example VPN gateway startup command in the web UI.
- `DEFGUARD_PROXY_HTTP_PORT`: port the API server will listen on, default: `8080`
- `DEFGUARD_PROXY_UPSTREAM_GRPC_URL`: core server gRPC endpoint URL, default: `http://localhost:50055/`
- `DEFGUARD_PROXY_GRPC_CA` (optional): path to TLS certificate file, required if connecting to the core gRPC service over HTTPS
- `LOG_LEVEL`: log message level, default: `INFO`; available levels: `CRITICAL`, `ERROR`, `WARNING`, `INFO`, `DEBUG`
- `WORKER_ID`: name of your YubiBridge displayed on the Defguard website, default: `YubiBridge`
- `DEFGUARD_TOKEN`: secret worker token to secure gRPC communication, available on the provisioners page
- `SMARTCARD_RETRIES`: number of retries in case provisioning failed, default: `1`
- `JOB_INTERVAL`: defines how often (in seconds) YubiBridge checks Defguard for new jobs, default: `2`
- `SMARTCARD_RETRY_INTERVAL`: defines the number of seconds between attempts to provision the YubiKey again, default: `15`
- `-h`, `--help`: display help message
- `-g <URL>`, `--grpc <URL>`: connect to the gRPC server at the given URL
- `-i <ID>`, `--id <ID>`: worker ID, default: `YubiBridge`
- `-d`, `--debug`: enable debug mode
- `-t <TMPDIR>`, `--tmpdir <TMPDIR>`: GnuPG home directory, default: `tmp`
- `-p <first_name> <last_name> <email>`, `--provision <first_name> <last_name> <email>`: provision a YubiKey with the given data
- `-w <token>`, `--worker-token <token>`: secret worker token to secure gRPC communication, available on the provisioners page
- `-c <command>`, `--command <command>`: run a command after provisioning and pass the created keys as arguments
If you're using the Docker image you can pass these values as environment variables; with the binary you can pass them as arguments.

- `DEFGUARD_USERSPACE`, `-u`: use the userspace WireGuard implementation, useful on systems without native WireGuard support
- `DEFGUARD_GRPC_URL`, `-g <URL>`: Defguard server gRPC endpoint URL, default: `https://localhost:50055`
- `DEFGUARD_STATS_PERIOD`, `-p <SECONDS>`: defines how often (in seconds) interface statistics should be sent to the Defguard server
- `DEFGUARD_TOKEN`, `-t <TOKEN>`: token received from Defguard after completing the network wizard
- `DEFGUARD_GATEWAY_NAME`, `--name <NAME>` (optional): human-readable gateway name that will be displayed in the Defguard web app
- `-s`, `--use-syslog`: enable logging to syslog
- `PRE_UP`, `--pre-up`: command to run before bringing up the interface. If you want to run a shell script, you should pass its path to your shell, for example: `/bin/sh -c /path/to/script`
- `POST_UP`, `--post-up`: command to run after bringing up the interface.
- `PRE_DOWN`, `--pre-down`: command to run before bringing down the interface.
- `POST_DOWN`, `--post-down`: command to run after bringing down the interface.

If logging to syslog, please remember to configure your syslog daemon accordingly, so that a dedicated log file is created or the messages are included in the main system log.
Gateway configuration can also be read from a file by using the `--config` CLI option. Example file contents:

```toml
# This is an example config file for Defguard VPN gateway
# To use it fill in actual values for your deployment below
# Required: secret token generated by Defguard
# NOTE: must replace default with actual value
token = "<your_gateway_token>"
# Required: Defguard server gRPC endpoint URL
# NOTE: must replace default with actual value
grpc_url = "<defguard_grpc_url>"
# Optional: gateway name which will be displayed in Defguard web UI
name = "Gateway on server X"
# Required: use userspace WireGuard implementation (e.g. wireguard-go)
userspace = false
# Optional: path to TLS cert file
# grpc_ca = "cert.pem"
# Required: how often interface stat updates should be sent to Defguard server (in seconds)
stats_period = 60
# Required: name of WireGuard interface
ifname = "wg0"
# Optional: write PID to this file
# pidfile = "defguard-gateway.pid"
# Required: enable logging to syslog
use_syslog = false
# Required: which syslog facility to use
syslog_facility = "LOG_USER"
# Required: which socket to use for logging
syslog_socket = "/var/run/log"
# Optional: command which will be run before bringing interface up
# Example: allow all traffic through WireGuard interface:
#pre_up = "iptables -A INPUT -i wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A OUTPUT -o wg0 -j ACCEPT"
# Optional: command which will be run after bringing interface up
# Example: add a default route after WireGuard interface is up:
#post_up = "ip route add default via 192.168.1.1 dev wg0"
# Optional: command which will be run before bringing interface down
# Example: remove WireGuard-related firewall rules before interface is taken down:
#pre_down = "iptables -D INPUT -i wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D OUTPUT -o wg0 -j ACCEPT"
# Optional: command which will be run after bringing interface down
# Example: remove the default route after WireGuard interface is down:
#post_down = "ip route del default via 192.168.1.1 dev wg0"
```