DefGuard/defguard v1.5.0

on GitHub

This is the biggest, most feature packed (and fixes) release we have ever done!
We’ve introduced 11 major features! and nearly 100 bugfixes.

Below you will find a short summary of the most important features. For full release notes, including screenshots and videos showcasing these and other updates, please click here.

📲Long awaited Mobile Clients (supporting External Multi-Factor Authentication and Internal Multi-Factor Authentication) are here!

💫Desktop Client now supports External SSO/IdP MFA

🫆 Our innovation: Multi-Factor Authentication for WireGuard® VPN on Desktop Client using Mobile client’s Biometry!

🤝Being a completely open company, we’ve introduced a number of public processes like the Architecture Decision Records and the public pentesting discoveries and fixes page prepared with our security team (as far as we know, we are the only VPN solution to do so).

🚩We’ve also explained in detail, why most WireGuard®-based solutions claiming to have MFA are highly misleading and potentially harmful to user security.

Migration guide

Before updating please make sure to read the migration guide

What's Changed

Other Changes

• Pass admin device management flag in enrollment start response by @wojcik91 in #1235
• Implement remaining activity-log event types by @j-chmielewski in #1243
• Use configured external OIDC Provider for 2FA in client by @t-aleksander in #1264
• Allow binding to a specific address by @t-aleksander in #1287
• Merge main -> dev post 1.4 release by @wojcik91 in #1292
• Add user SNAT bindings by @wojcik91 in #1273
• Allow admins to disable users' MFA by @wojcik91 in #1281
• Fix auth key delete endpoint by @j-chmielewski in #1299
• Enable Rust 2024 edition by @wojcik91 in #1280
• move migrations directory to workspace root by @wojcik91 in #1249
• fix SNAT API 404 errors by @wojcik91 in #1304
• Register mobile client by @filipslezaklab in #1306
• Add activity log event description by @wojcik91 in #1289
• Add device redesign by @filipslezaklab in #1311
• User groups events by @jakub-tldr in #1307
• Fix add network device modal by @filipslezaklab in #1313
• fix logout when disabled e2e test by @filipslezaklab in #1314
• OpenID external MFA e2e tests by @t-aleksander in #1315
• Fix TS type checking by @filipslezaklab in #1317
• Add location column in activity log by @wojcik91 in #1318
• Fix translation network device modal by @filipslezaklab in #1322
• Add per-location MFA settings by @wojcik91 in #1323
• Add per-location MFA settings pt2 by @wojcik91 in #1330
• Adjust network form MFA config layout by @wojcik91 in #1334
• network edit form fixes by @wojcik91 in #1336
• merge biome rules with proxy by @filipslezaklab in #1338
• update desktop client link style by @filipslezaklab in #1339
• fix VPN client name in MFA events by @wojcik91 in #1346
• Add AMI building to the release pipeline by @t-aleksander in #1343
• fix consent page style on desktop by @filipslezaklab in #1350
• add mobile links by @filipslezaklab in #1352
• fix error propagarion from axios provider by @filipslezaklab in #1355
• change default peer disconnect threshold to 300 by @t-aleksander in #1360
• biometric mfa poc by @filipslezaklab in #1368
• fix workflow permissions by @t-aleksander in #1379
• Change "Gateway address" field in VPN configuration by @moubctez in #1381
• add biometry enabled indicator in profile devices list by @filipslezaklab in #1383
• Avoid HTTP return code: 204 No Content by @moubctez in #1384
• fix overview stats period labels by @wojcik91 in #1393
• add tests for biometric auth by @filipslezaklab in #1392
• enrollment qr in enroll by admin modal by @filipslezaklab in #1397
• fix reserved ip form error not showing by @filipslezaklab in #1398
• sign Docker images using Cosign by @wojcik91 in #1373
• fix buttons clicks by @filipslezaklab in #1401
• fix external MFA select by @wojcik91 in #1408
• squash fixes by @filipslezaklab in #1411
• fix external OpenID status refresh by @wojcik91 in #1416
• Enterprise link is 404 by @SalehBorhani in #1337
• chore: backport security hotfix from main by @wojcik91 in #1421
• Tonic 14 by @moubctez in #1422
• Fix deny.toml by @moubctez in #1425
• Jumpcloud directory synchronization by @t-aleksander in #1426
• Desktop mfa via mobile device by @filipslezaklab in #1429
• Switch to newer Rust by @moubctez in #1431
• Version exchange and logging by @j-chmielewski in #1361
• Use Debian 13 and update depenedencies by @moubctez in #1432
• Drop handling of service reload; switch to std OnceLock by @moubctez in #1434
• Scan images with Trivy by @moubctez in #1435
• implement integration tests for gRPC server by @wojcik91 in #1437
• Speed up e2e by @jakub-tldr in #1439
• Fix available device IP validation by @wojcik91 in #1446
• Register mfa during enrollment by @filipslezaklab in #1436
• validate enrollment token & user device compatibility in instance info endpoint by @wojcik91 in #1447
• End-to-end tests: take 2 by @moubctez in #1448
• E2e fix take 3 by @jakub-tldr in #1450
• Implement network device license limits, always prompt for account selection on openid login by @t-aleksander in #1449
• Fix some providers not respecting OpenID parameters by @t-aleksander in #1458
• Version check by @j-chmielewski in #1441
• Switch AMI base image to debian by @t-aleksander in #1460
• update enrollment configuration response by @filipslezaklab in #1463
• Fix version comparison by @j-chmielewski in #1464
• Fix ldap attribute names case sensitive comparison by @t-aleksander in #1454
• Trim dependencies; update user agent regexes by @moubctez in #1471
• add desktop deep link into add device flow by @filipslezaklab in #1474
• Update tracing_subscriber by @moubctez in #1477
• add desktop deep links in emails by @filipslezaklab in #1476
• Return core version in http headers by @t-aleksander in #1479
• Fix ami building by @t-aleksander in #1481
• Swagger docs by @jakub-tldr in #1485
• Version mismatch report by @moubctez in #1483
• Prevent pre-shared keys from being sent when mfa is disabled by @t-aleksander in #1493
• add outdated components modal by @filipslezaklab in #1494
• Typos fix by @jakub-tldr in #1496
• Remove system header from HTTP by @t-aleksander in #1507
• Disable exaggerate tracing span; Fix proxy version info; Box::pin large futures by @moubctez in #1498
• Fixes pentest issue DG25-3 from 2025-09-02 by @wojcik91 in #1510
• Fixes pentest issue DG25-8: Server-Side Template Injection (SSTI) from 2025-09-02 by @moubctez in #1511
• Fixes pentest issue DG25-19: Clickjacking vulnerability from 2025-09-02 by @t-aleksander in #1514
• Add test for dg25-19 vulnerability by @t-aleksander in #1517
• Fix UUID being nil by @moubctez in #1521
• Fixes pentest issue DG25-9 from 2025-09-02 by @filipslezaklab in #1518
• Fixes pentest issue DG25-27 from 2025-09-02 by @wojcik91 in #1524
• Fixes pentest issue DG25-12 from 2025-09-02 by @wojcik91 in #1527
• add trim to string fields in zod schemas by @filipslezaklab in #1528
• Fixes pentest issue DG25-13 from 2025-09-02 by @wojcik91 in #1530
• fix network device edit form by @filipslezaklab in #1537
• Fixes pentest issue DG25-22 from 2025-09-02 by @t-aleksander in #1535
• Fixes pentest issue DG25-23 from 2025-09-02 by @t-aleksander in #1538
• Version notifications by @j-chmielewski in #1531
• Ignore pre-release in version comparison by @j-chmielewski in #1561
• update apple store link by @filipslezaklab in #1563
• Clear outdated components once they do connect by @j-chmielewski in #1566
• Use location id to identify gateways instead of hostnames by @j-chmielewski in #1570
• Migrate docker builds to AWS by @wojcik91 in #1568
• chore(CI): update node version in release workflow by @wojcik91 in #1575
• chore(CI): use AWS images in Dockerfile by @wojcik91 in #1576

New Contributors

• @jakub-tldr made their first contribution in #1307
• @SalehBorhani made their first contribution in #1337

Full Changelog: v1.4.1...v1.5.0