diff --git a/README.md b/README.md index 49d52c8..20b2b68 100644 --- a/README.md +++ b/README.md @@ -1,81 +1,91 @@ -

- defguard -

+

+ defguard +

-This service is meant to serve as a proxy for a subset of functionalities of [defguard](https://github.com/DefGuard/defguard) core which require public access. -It provides a public REST API and communicates with core over [gRPC](https://github.com/DefGuard/proto). +# Defguard Edge (formerly Proxy) -To learn more about the system see our [documentation](https://defguard.gitbook.io). +**Defguard Edge** serves as a proxy for a subset of functionalities provided by [Defguard](https://github.com/DefGuard/defguard) which require public access. It exposes a public REST API and communicates with Defguard over [gRPC](https://github.com/DefGuard/proto). -## Quick start +Defguard is a self-hosted secure remote access platform that combines WireGuard VPN, identity and access management, multi-factor authentication, and network access control in a single solution. -If you already have your defguard instance running you can set up a proxy by following our [deployment guide](https://defguard.gitbook.io/defguard/features/setting-up-your-instance/docker-compose). +Built with a security-first architecture, Defguard helps organizations securely manage access to infrastructure, applications, and private networks while maintaining full control over their environment. -## Documentation +## Why Defguard? -See the [documentation](https://defguard.gitbook.io) for more information. +Modern organizations often rely on multiple disconnected tools to manage identity, VPN access, authentication, and network permissions. Defguard brings these capabilities together into a unified platform designed for security, transparency, and operational simplicity. 
-## Community and Support +Key principles behind Defguard: -Find us on Matrix: [#defguard:teonite.com](https://matrix.to/#/#defguard:teonite.com) +- ๐Ÿ“– Open-source core (AGPL), open-code Enterprise components +- ๐Ÿ  Fully self-hosted โ€” no external dependencies or data leaving your infrastructure +- ๐Ÿ”’ Security-first: [Zero-Trust VPN](https://docs.defguard.net/features/wireguard) with connection-level MFA, [architecture](https://docs.defguard.net/in-depth/architecture) designed to minimize attack surface +- ๐Ÿ” Transparency: [published SBOMs](https://defguard.net/sbom/), [penetration test reports](https://defguard.net/pentesting/), [architecture decision records](https://docs.defguard.net/in-depth/architecture-decision-records) -## Contribution +For detailed security information see the [secure-by-design documentation](https://docs.defguard.net/in-depth/secure-by-design). -Please review the [Contributing guide](https://defguard.gitbook.io/defguard/for-developers/contributing) for information on how to get started contributing to the project. You might also find our [environment setup guide](https://defguard.gitbook.io/defguard/for-developers/dev-env-setup) handy. 
+## Core Capabilities -## Development +- ๐ŸŒ **WireGuard VPN** โ€” multiple locations with per-location access control, MFA per connection, self-service device setup, kernel and userspace support +- ๐Ÿ‘ฅ **Identity & Access Management** โ€” internal OIDC provider for SSO, external OIDC (Google, Microsoft, custom), LDAP/AD sync, remote enrollment, user self-service +- ๐Ÿ”‘ **Multi-Factor Authentication** โ€” TOTP, WebAuthn/FIDO2, email tokens, biometric via mobile app +- ๐Ÿ›ก๏ธ **Firewall** โ€” allow/deny rules per VPN location by user or group, applied in real time +- ๐Ÿ“‹ **Activity Log** โ€” audit log with filtering and search; real-time SIEM streaming (Enterprise) +- ๐Ÿ”— **Integrations** โ€” webhooks and REST API -Clone repository: +## Clients -```bash -git@github.com:DefGuard/client.git -``` +- ๐Ÿ–ฅ๏ธ **Desktop** (Linux, macOS, Windows) โ€” VPN management with MFA, multi-instance and multi-location support, and real-time connection statistics. [Download](https://defguard.net/download/) +- ๐Ÿ“ฑ **Mobile** (Android, iOS) โ€” VPN management with MFA, QR code onboarding. [Android](https://play.google.com/store/apps/details?id=net.defguard.mobile) ยท [iOS](https://apps.apple.com/us/app/defguard-vpn-client/id6748068630) -Initialize `proto` submodule: +## Architecture -```bash -git submodule update --init --recursive -``` +Defguard follows a component-based architecture designed to reduce attack surface and support secure deployments. -To run API server: +

+ architecture +

-```bash -cargo run -``` +Strict division of responsibilities and network segmentation: +- **Core** โ€” central management plane: identity, authentication, authorization, and policy +- **Edge** โ€” public-facing entry point, exposes selected Defguard services [GitHub repo](https://github.com/DefGuard/proxy) +- **Gateway** - WireGuard tunnel manager, routes secure VPN traffic between users and your protected networks [GitHub repo](https://github.com/DefGuard/gateway) -To run webapp dev server: +For details refer to the [architecture documentation](https://docs.defguard.net/in-depth/architecture). + +## Quick Start + +The fastest way to evaluate Defguard is with the [one-line installer](https://docs.defguard.net/getting-started/one-line-install): ```bash -cd web/ -pnpm install -pnpm run dev +bash <(curl -sSL https://raw.githubusercontent.com/defguard/deployment/main/docker-compose2.0/setup.sh) ``` -## Verifiability of releases +โš ๏ธ Warning! This installation method is intended for testing, demonstrations, and evaluation purposes only. It is not recommended for production deployments. See the [deployment documentation](https://docs.defguard.net/deployment-strategies/overview) for production deployment guidance, architecture recommendations, and high-availability configurations. + +## Documentation + +Comprehensive documentation is available at: https://docs.defguard.net + +## Video guides -We provide following ways to verify the authenticity and integrity of official releases: +Visit out YouTube channel to see our [video guides](https://www.youtube.com/playlist?list=PLVR33X0CUHUcoyLshs9S8VbsGgggouCAW). -### Docker Image Verification with Cosign +## Community -All official Docker images are signed using [Cosign](https://docs.sigstore.dev/cosign/overview/). To verify a Docker image: +We want to get as much feedback as possible, so we encourage you to: -1. 
[Install](https://github.com/sigstore/cosign?tab=readme-ov-file#installation) cosign CLI +- ๐Ÿ’ฌ open a [GitHub discussion](https://github.com/DefGuard/defguard/discussions/new/choose) +- ๐Ÿชฒ report any missing [features](https://github.com/DefGuard/defguard/issues/new?assignees=&labels=feature&projects=&template=feature_request.md&title=) or [bugs](https://github.com/DefGuard/defguard/issues/new?assignees=&labels=bug&projects=&template=bug_report.md&title=) as issues -2. Verify the image signature (replace with the tag you want to verify): - ```bash - cosign verify --certificate-identity-regexp="https://github.com/DefGuard/proxy" \ - --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ - ghcr.io/defguard/defguard: - ``` +## Contributions -### Release Asset Verification +Please review the [Contributing guide](https://docs.defguard.net/for-developers/contributing) for information on how to get started contributing to the project. You might also find our [environment setup guide](https://docs.defguard.net/for-developers/dev-env-setup) handy. -All release assets (binaries, packages, etc.) include SHA256 checksums that are automatically generated and published with each GitHub release: +## License +The code in this repository is available under a dual licensing model: -1. Download the release asset and copy its corresponding checksum from the [releases page](https://github.com/DefGuard/proxy/releases) +- Open Source License: The code, except for the contents of the "src/enterprise" directory, is licensed under the AGPL license (see file LICENSE.md in this repository). This applies to the open core components of the software. +- Enterprise License: All code in this repository (including within the "src/enterprise" directory) is licensed under a separate Enterprise License (see file src/enterprise/LICENSE.md). -2. 
Verify the checksum: - ```bash - # Linux/macOS - echo known_sha256_checksum_of_the_file path/to/file | sha256sum --check - ``` +## Legal +WireGuardยฎ is [registered trademarks](https://www.wireguard.com/trademark-policy/) of Jason A. Donenfeld. \ No newline at end of file diff --git a/docs/cover-image_smaller-logo.png b/docs/cover-image_smaller-logo.png new file mode 100644 index 0000000..83ee1e2 Binary files /dev/null and b/docs/cover-image_smaller-logo.png differ
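
Review bot: The removed "Verifiability of releases" section at the end of the old README (Cosign image verification and the SHA256 checksum steps) has no replacement in the added text, while the new "Quick Start" section introduces `bash <(curl -sSL https://raw.githubusercontent.com/defguard/deployment/main/docker-compose2.0/setup.sh)`, which executes a script fetched from the `main` branch with no integrity check. Suggest keeping the verification section, or linking to where it now lives, so readers still have a documented way to verify images and release assets. The "Development" section (clone, `git submodule update --init --recursive`, `cargo run`, web dev server) is dropped as well; if those steps moved to the environment setup guide, say so under "Contributions". Minor wording in the added lines: "Visit out YouTube channel" should read "Visit our", "is [registered trademarks]" should be "is a registered trademark", and the Gateway bullet uses " - " as its separator where the Core and Edge bullets use a dash character.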