This is a high-level project roadmap of planned features.
Right now the user has to download the WireGuard configuration and set up their VPN client manually. This should happen automatically, without any user interaction or configuration. The desktop client should:
1. Allow the user to authenticate with their username/password and a multi-factor method
2. Automatically add and configure a device
3. Provide a list of locations to which the client can connect
4. Display statistics for the connection
Currently, defguard has only two groups, all users and admins, which gives very limited access control.
We need to implement proper group and ACL management functionality that will allow:
- fine-grained control over VPN/location network management
- fine-grained control of defguard functionality based on ACLs
- adding a groups claim to OpenID Connect tokens for any combination of groups/ACLs
Currently, MFA is configured per user; there is no way for an admin to require MFA globally for all users.
Enable a global MFA requirement.
- Site-to-site WireGuard VPN - a unique way to configure a site-to-site VPN between defguard gateways, with a UI and statistics for the site-to-site tunnel
- Passkey support
- Command-line client with the following functionality:
- Import and create users in bulk from JSON/CSV
- Show VPN status for all locations in a human-readable way (person and device rather than public keys, as `wg` does)
- Password reset
Currently, deploying defguard requires a) a public IP address and b) an open WireGuard UDP port on your firewall (for the gateway microservice).
A lot of people and companies do not have the luxury of a public IP, or do not want to open any ports on their firewalls/routers.
The most popular service implementing this type of solution is Tailscale. The goal of this milestone is to implement an open-source alternative to Tailscale and to provide relays that ensure client connectivity in adverse network conditions, such as networks with blocked UDP, NAT, etc.
We already have a PoC (proof of concept) of secure peer-to-peer communication without a central gateway. To provide this functionality we first need to implement our own desktop clients, so that this feature can be built into them.
- Event history for users and admins (as a dedicated module), with the ability to end selected or all current login sessions
- SAML SSO - most old-school enterprise systems implement SSO based on SAML 2.0, so to provide our users with the full range of features this should be implemented
- Prometheus exporter - all activity handled by defguard will be exported to Prometheus, so that you can build custom analytics and dashboards in your favorite tool from the Prometheus ecosystem
- Secure SSH authentication based on OpenID Connect and multi-factor authentication with defguard
- 2FA/MFA with phone/SMS codes
- Password reset secured by MFA (SMS/TOTP/WebAuthn/...)
- Mobile clients
- Simple DNS provider