Roadmap
This is a high-level project roadmap of planned features.
A detailed roadmap with all functionalities is on GitHub; below is a high-level roadmap of the major features planned.
Right now we require the user to download the configuration and configure their VPN client manually. This needs to become automatic, without any user interaction or manual configuration.
Our gateway is already a WireGuard client that, based on gRPC configuration received from our Core Server, automatically configures itself to accept user/client connections (peers).
1. Allow the user to authenticate with their username/password and a multi-factor method
2. Automatically add and configure a device
3. Provide a list of locations to which the client can connect
4. Display statistics of the connection
Currently, defguard has only two groups, all users and admins, with limited access control:
- admins can manage defguard and its users
We need to implement proper group and ACL management functionality that will allow:
- fine-grained control over VPN/location network management
- fine-grained control of defguard functionalities based on ACLs
- adding a groups claim to OpenID tokens for any combination of groups/ACLs
Currently, defguard has MFA configuration per user; there is no way for an admin to globally require MFA for all users.
Enable a global MFA requirement.
- Site-to-site WireGuard VPN: a unique way to configure a site-to-site VPN setup using defguard gateways, with an excellent UI and statistics for the site-to-site tunnel
- Passkey support
- Command-line client with the following functionalities:
  - Import and create users in bulk from JSON/CSV
  - Show VPN status for all locations in a human-readable way (person and device, not public keys as WireGuard's `wg` does)
  - Password reset
Currently, deploying defguard requires a) a public IP address and b) opening a WireGuard VPN port on your firewall server (for our gateway microservice).
Many people and companies do not have the luxury of a public IP, or do not want to open any ports on their firewalls/routers.
The most popular service implementing this type of solution is Tailscale. The goal of this milestone is to implement an open-source equivalent of Tailscale and provide relays to ensure client connectivity in adverse network conditions, such as networks with blocked UDP, NAT, etc.
We already have a PoC (proof of concept) of secure peer-to-peer communication without the central gateway. To provide this functionality, we first need to implement our own desktop clients so that this feature can be incorporated into them.
- Event history for users and admins (as a dedicated module), with the ability to end/close selected or all current login sessions
- SAML SSO: most old-school enterprise systems implement SSO based on SAML v2, so to provide our users with a full range of features this should be implemented
- Prometheus exporter: all activities handled by defguard will be exported to Prometheus, so that you can create custom analytics and dashboards in your favorite tool from the Prometheus ecosystem
- Secure SSH authentication based on OpenID Connect and multi-factor authentication with defguard
- 2FA/MFA functionality with phone/SMS codes
- Password reset secured by MFA (SMS/TOTP/WebAuthn/...)
- Mobile clients
- Simple DNS provider