Defguard is an open-source VPN server built on the WireGuard protocol that implements multi-factor authentication and zero-trust network access principles. The platform enables organizations to deploy and manage multiple isolated VPN instances through a unified interface, with each connection requiring 2FA/MFA verification before establishing WireGuard peer configurations. The system uses session-based, randomly generated WireGuard pre-shared keys and supports authentication through its built-in OpenID Connect identity provider or external SSO providers. User and group synchronization is available with directory services, including two-way sync capabilities with Active Directory and LDAP. Access control is implemented at multiple levels, including user and group-based VPN access rules and low-level ACLs through firewall management using NFTables on Linux and Packet Filter on FreeBSD/OPNSense. The platform provides real-time configuration synchronization to client applications, with immediate updates when VPN settings or access permissions change. Defguard includes comprehensive audit logging with detailed user activity tracking, search and filtering capabilities, and export functionality for SIEM integration. The architecture supports deployment across network segments, including DMZ configurations, with a stateless public proxy component that does not store user or device information. Additional capabilities include YubiKey provisioning for hardware security keys, SSH and GPG key management, forward-auth for legacy systems, and a REST API with webhook support. The platform is written in Rust and offers deployment options including Docker, Kubernetes, Terraform, and system packages.