
Hi, Robert from Defguard here.

Defguard is a *Secure by Design* solution, which means security is as important as (if not more important than) functionality. Lower latency or peer-to-peer communication does not automatically mean better security; often it means a larger attack surface.

Defguard is also *the only solution that enforces MFA on every connection*, aligning with true Zero Trust principles: never trust a user or device by default.

Why Is Peer-to-Peer Not Safer?

Peer-to-peer and mesh solutions can be faster because traffic flows directly between peers, but they almost always expose all components publicly and make it easier to hijack the network or inject unauthorized peers.

So what does Defguard’s Secure-by-Design Architecture mean?

1. Minimal gateway exposure

The Defguard gateway exposes only a WireGuard port. Compromising it would require a Linux kernel or WireGuard zero-day; at that point, no solution is safe.

2. Isolated, stateless proxy

The only Internet-facing "application" component is a stateless proxy, deployed in a separate network segment. It has no access to the gateway, core, or internal resources.

3. Protected control plane

The core (control plane) runs strictly inside the intranet (a local network that should not be exposed anywhere). No user data are exposed to the Internet or to the DMZ/other network segments. Also, the MFA validation process is done in secure network segments (for example, when doing MFA with Desktop + Mobile client biometry/FaceID combined).

Why Is This Different from Mesh Solutions?

Most mesh VPN solutions expose their control and peer-discovery components publicly by design. This significantly increases the risk of compromise and peer injection.

So that's about it.
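As an added illustration of point 1 (not Defguard's shipped configuration or anything from the post), this is what "the gateway exposes only a WireGuard port" looks like as a host firewall on the gateway box. It assumes WireGuard's default 51820/udp, "eth0" as the public interface and "wg0" as the tunnel interface; peer-level access rules are a separate layer and are not modelled here.

```nftables
# Host firewall for a Defguard-style gateway: the only service reachable from the
# public side is the WireGuard UDP port. Example configuration, not Defguard's own.
# Assumptions: WireGuard listens on 51820/udp (the WireGuard default), "eth0" is the
# public interface, "wg0" is the tunnel interface.
flush ruleset

table inet gateway_host {
  chain input {
    type filter hook input priority filter; policy drop;

    ct state invalid drop
    ct state established,related accept
    iif "lo" accept

    # Keep the host diagnosable from outside without opening any TCP service.
    iif "eth0" icmp type { echo-request, destination-unreachable, time-exceeded } accept
    iif "eth0" icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, packet-too-big, time-exceeded, parameter-problem } accept

    # The single exposed service: WireGuard handshakes and tunnel data.
    iif "eth0" udp dport 51820 accept

    # Management (SSH here) is reachable only through the tunnel, never from "eth0".
    iif "wg0" tcp dport 22 accept

    # Everything else on the public side is dropped and logged for detection.
    log prefix "gw-input-drop " drop
  }

  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    # Only traffic that arrived through the tunnel is forwarded; nothing that enters
    # on the public interface is routed anywhere.
    iif "wg0" accept
  }
}
```

`nft -c -f gateway.nft` checks the ruleset without loading it, and `ss -lunp` / `ss -ltnp` on the host should then show nothing but WireGuard bound on the public address.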





So would you say then that it’s perfectly safe to send plaintext traffic between services over Defguard instead of also using mTLS?

I still wish that Defguard had an option where peers only used the public gateway to retrieve their p2p ACLs from the control plane but otherwise traffic flowed directly.



