Comment on page


This is a high-level project roadmap of planned features.
A detailed Roadmap with all functionalities is on GitHub - here is a high level roadmap with major features planed.
For already implemented features go to Changelog (or GitHub release page for more details).

v0.8.0 - Desktop clients ~end of November 2023

Problem: desktop clients (linux/mac/windows)

Right now we require the user to download the configuration and configure their VPN client manually. That needs to be automatic without user interaction/configuration.


Our gateway is already a Wireguard client that automatically based on GRPC configuration from our Core Server configures the gateway to accept user/client connections/peers.
We need to implement a Tauri-based desktop app (for all platforms: win/mac/linux) that will:
  1. 1.
    Allow the user to authenticate with their user/pass and Multi-factor method
  2. 2.
    Automatically add/configure a device
  3. 3.
    Provide a list of locations to which the client can connect
  4. 4.
    Display statistics of the connection

v0.9.0 - groups & ACLs, Site-to-Site Wireguard VPN - ~Jan 2024

Problem: Groups & ACLs

Currently, defguard has only two groups: All users and admins that have limited Access Control:
  • admins can manage defguard/users
  • from v0.6.0 a VPN Location can be configured to allow access restriction based on this two groups


We need to implement a proper group and ACL management functionality, that will allow:
  • fine-grained control over VPN/Location network management
  • fine-grained control of defguard functionalities based on ACLs
  • add a Groups claim to OpenID tokens for any combination of groups/ACLs

Problem: Global MFA

Currently, defguard has MFA configuration per user, there is no way to globally define by admin if MFA is required for users.


Enable global MFA requirement.

Other features planned

  • Site-to-Site Wireguard VPN - a uniqe way to configure a site-to-site VPN setup using defguard gateways with amazing UI and statistics for the s2s tunnel
  • Passkey support
  • Command line client that will have functionalities:
    • Import & creat users in bulk from JSON/CSV
    • Show VPN status for all locations in human-readable way (person-device and not public keys like Wireguard/wg does)
  • Password reset

v1.0.0 - Wireguard mesh, on-demand NAT traversal, SAML SSO ~Feb 2024

Problem: on-demand NAT traversal/mesh networks

Currently deploying defguard requires to a) have a public IP address and b) open a Wireguard VPN port on your firewall server (for our gateway microservice).
A lot of people/companies do not have the luxury of a Public IP or do not want to open any ports on their firewalls/routers.
The most popular service implementing this type of solution is Talescale - the goal of this milestone is to implement an open-source Tailescale and provide relays to ensure client connectivity in adverse network conditions, such as networks with blocked UDP, NAT, etc.


We already have a PoC (proof of concept) of secure peer-to-peer communication without the central gateway. In order to provide this functionality we need first to implement our own desktop clients in order to incorporate this feature.

Other features planned

  • Events history for users and admins (as dedicated module) with ability to end/close selected or all current login sessions
  • SAML SSO - most Old School enterprise systems implement SSO based on SAML v2 - so to provide our users with a full range of features this should be implemented.
  • Prometheus exporter - all activities handled by defguard will be exported to Prometheus so that you can create custom analytics and dashboards in your favorite tool from the Prometheus ecosystem
  • Secure SSH authentication based on OpenID Connect & Multi-Factor Authentication with Defguard

Further functionalities planned

  • 2FA/MFA functionality with phone/SMS codes
  • Password reset secured by MFA (SMS/TOTP/Webauthn/...)
  • Mobile clients
  • Simple DNS provider