GITBOOK-108: APT repository defguard

defguard-community · gitbook-bot · commit 387628312b00 · 2025-10-21T08:56:51.000Z
diff --git a/SUMMARY.md b/SUMMARY.md
@@ -75,7 +75,8 @@
 
 * [Overview](deployment-strategies/setting-up-your-instance.md)
 * [Hardware, OS, network and firewall recommendations](deployment-strategies/hardware-os-network-and-firewall-recommendations.md)
-* [Standalone package based installation](deployment-strategies/standalone-package-based-installation.md)
+* [Standalone package based installation](deployment-strategies/standalone-package-based-installation/README.md)
+  * [Defguard APT repository](deployment-strategies/standalone-package-based-installation/defguard-apt-repository.md)
 * [Docker Compose](deployment-strategies/docker-compose.md)
 * [Kubernetes](deployment-strategies/kubernetes.md)
 * [Terraform](deployment-strategies/terraform.md)
diff --git a/deployment-strategies/gateway.md b/deployment-strategies/gateway.md
@@ -44,7 +44,7 @@ Also, if core has a custom SSL CA to secure gRPC communication, [you need the CA
 
 Proceed with deploying your Gateway service using the selected [deployment strategy](setting-up-your-instance.md#choose-your-deployment-strategy):
 
-* [package based](standalone-package-based-installation.md#gateway-1)
+* [package based](standalone-package-based-installation/#gateway-1)
 * [Docker Compose](docker-compose.md#deploying-gateway-service)
 * [Kubernetes](kubernetes.md#vpn-gateway-service)
 * [Terraform](terraform.md#gateway-module)
diff --git a/deployment-strategies/setting-up-your-instance.md b/deployment-strategies/setting-up-your-instance.md
@@ -26,8 +26,6 @@ After obtaining the token, proceed with deploying the Gateway service. During it
 {% stepper %}
 {% step %}
 #### Deploy Defguard Core service.
-
-
 {% endstep %}
 
 {% step %}
@@ -38,21 +36,19 @@ More on that [here](gateway.md).
 
 {% step %}
 #### Deploy Gateway configured with the token.
-
-
 {% endstep %}
 {% endstepper %}
 
 ## Choose your deployment strategy
 
-| Strategy name                                                   | Difficulty                                                       | Production readiness                                                                                            | Purpose                         |
-| --------------------------------------------------------------- | ---------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- | ------------------------------- |
-| [One-line script](../getting-started/one-line-install.md)       | :green\_circle: Easy, single command installation                | :x: Doesn't follow the [recommendations](hardware-os-network-and-firewall-recommendations.md)                   | For testing purposes only       |
-| [Standalone packages](standalone-package-based-installation.md) | :green\_circle: Easy, using apt and dpkg                         | :white\_check\_mark: If you followed the [recommendations](hardware-os-network-and-firewall-recommendations.md) | Small to medium deployment      |
-| [Docker Compose](docker-compose.md)                             | :yellow\_circle: Medium, Docker knowledge required               | :white\_check\_mark: If you followed the [recommendations](hardware-os-network-and-firewall-recommendations.md) | Small to medium deployment      |
-| [Kubernetes](kubernetes.md)                                     | :red\_circle: Advanced, requires a k8s cluster and administrator | :white\_check\_mark: If you followed the [recommendations](hardware-os-network-and-firewall-recommendations.md) | Large or enterprise deployments |
-| [Terraform](terraform.md)                                       | :red\_circle: Advanced, requires an AWS account and knowledge    | :white\_check\_mark:                                                                                            | Large or enterprise deployments |
-| [AMI and AWS CloudFormation](amis-and-aws-cloudformation.md)    | :red\_circle: Advanced, requires an AWS account and knowledge    | :white\_check\_mark:                                                                                            | Large or enterprise deployments |
+| Strategy name                                                 | Difficulty                                                       | Production readiness                                                                                            | Purpose                         |
+| ------------------------------------------------------------- | ---------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- | ------------------------------- |
+| [One-line script](../getting-started/one-line-install.md)     | :green\_circle: Easy, single command installation                | :x: Doesn't follow the [recommendations](hardware-os-network-and-firewall-recommendations.md)                   | For testing purposes only       |
+| [Standalone packages](standalone-package-based-installation/) | :green\_circle: Easy, using apt and dpkg                         | :white\_check\_mark: If you followed the [recommendations](hardware-os-network-and-firewall-recommendations.md) | Small to medium deployment      |
+| [Docker Compose](docker-compose.md)                           | :yellow\_circle: Medium, Docker knowledge required               | :white\_check\_mark: If you followed the [recommendations](hardware-os-network-and-firewall-recommendations.md) | Small to medium deployment      |
+| [Kubernetes](kubernetes.md)                                   | :red\_circle: Advanced, requires a k8s cluster and administrator | :white\_check\_mark: If you followed the [recommendations](hardware-os-network-and-firewall-recommendations.md) | Large or enterprise deployments |
+| [Terraform](terraform.md)                                     | :red\_circle: Advanced, requires an AWS account and knowledge    | :white\_check\_mark:                                                                                            | Large or enterprise deployments |
+| [AMI and AWS CloudFormation](amis-and-aws-cloudformation.md)  | :red\_circle: Advanced, requires an AWS account and knowledge    | :white\_check\_mark:                                                                                            | Large or enterprise deployments |
 
 ## Configure to your needs
 
diff --git a/deployment-strategies/standalone-package-based-installation/README.md b/deployment-strategies/standalone-package-based-installation/README.md
@@ -7,11 +7,11 @@ This guide will walk you through the process of installing and running Defguard
 We will cover system requirements, additional dependencies, installation steps, and examples of configuration files and step by step running all services. In this example we will use NGINX for a web server (proxy) exposing and securing web based services.
 
 {% hint style="info" %}
-Make sure you understand [Defguard's architecture](../in-depth/architecture/), especially the division into the main components: Core, Proxy, Gateway.
+Make sure you understand [Defguard's architecture](../../in-depth/architecture/), especially the division into the main components: Core, Proxy, Gateway.
 {% endhint %}
 
 {% hint style="warning" %}
-This is a simple guide installing all components on a single server. For production make sure your infrastructure is prepared by following our [recommendations](hardware-os-network-and-firewall-recommendations.md).
+This is a simple guide installing all components on a single server. For production make sure your infrastructure is prepared by following our [recommendations](../hardware-os-network-and-firewall-recommendations.md).
 {% endhint %}
 
 ## System Requirements
@@ -25,7 +25,7 @@ Before proceeding with the installation, ensure your system meets the following
 * Administrative (sudo) privileges.
 * A server with a public IP address (and you know what that IP address is and to which interface it's assigned) - in this example we use: 185.33.37.51.
 * You have a domain name and know how to assign IP and manage subdomains, in our example: Defguard main url will be _my-server.defguard.net_ (and the subdomain is pointed to 185.33.37.51).
-* Defguard [enrollment service](https://defguard.gitbook.io/defguard/help/enrollment) (run by proxy) that will enable [remote onboarding, enrollment](https://defguard.gitbook.io/defguard/help/enrollment) and [easy configuration for our Desktop Clients (by adding Defguard instances)](../using-defguard-for-end-users/desktop-client/instance-configuration.md#adding-instance) with instance URL and one simple token - in this tutorial we use: _enroll.defguard.net_ (this subdomain also points to 185.33.37.51).
+* Defguard [enrollment service](https://defguard.gitbook.io/defguard/help/enrollment) (run by proxy) that will enable [remote onboarding, enrollment](https://defguard.gitbook.io/defguard/help/enrollment) and [easy configuration for our Desktop Clients (by adding Defguard instances)](../../using-defguard-for-end-users/desktop-client/instance-configuration.md#adding-instance) with instance URL and one simple token - in this tutorial we use: _enroll.defguard.net_ (this subdomain also points to 185.33.37.51).
 * If you have a **firewall**, we assume you have **open port 443** in order to expose both Defguard and enrollment service, but also to automatically issue for these domains SSL Certificates. Port 444 (used for internal GRPC communication) **should not be exposed public.**
 * System clock is synchronized using Network Time Protocol (NTP). This is important for time-based one-time password (TOTP) codes.
 
@@ -61,6 +61,10 @@ defguard=# exit
 
 ## Installing packages
 
+{% hint style="info" %}
+Defguard also have public APT repository, if you want know how to set it up, follow [this guide](defguard-apt-repository.md).
+{% endhint %}
+
 ### Core
 
 You can find the URL to your package from the releases of the Core component on [GitHub](https://github.com/DefGuard/defguard/releases).
@@ -183,6 +187,8 @@ Example:
 ```
 # on Debian/Ubuntu
 sudo dpkg -i <path_to_package>/defguard-proxy-X.Y.Z-x86_64-unknown-linux-gnu.deb
+# if you added apt repository
+sudo apt install defguard-proxy
 
 # on Fedora/Red Hat Linux/SUSE
 sudo rpm -i <path_to_rpm_package>/defguard-proxy-X.Y.Z-x86_64-unknown-linux-gnu.rpm
@@ -264,9 +270,9 @@ DEFGUARD_DB_PASSWORD="defguard"
 DATABASE_URL="postgresql://defguard:defguard@localhost/defguard"
 ```
 
-**If you have configured your postgres with different names than in** [**PostgreSQL guide**](standalone-package-based-installation.md#postgresql)**, you can change it in DB configuration part. LDAP configuration is not part of this tutorial, you can also commented those lines.**
+**If you have configured your postgres with different names than in** [**PostgreSQL guide**](./#postgresql)**, you can change it in DB configuration part. LDAP configuration is not part of this tutorial, you can also commented those lines.**
 
-**We will back to this configuration to connect Defguard core with proxy in the** [**Run proxy**](standalone-package-based-installation.md#run-proxy) **section. For now `DEFGUARD_PROXY_URL` is commented.**
+**We will back to this configuration to connect Defguard core with proxy in the** [**Run proxy**](./#run-proxy) **section. For now `DEFGUARD_PROXY_URL` is commented.**
 
 After changes, you can simply enable and start your Defguard core service:
 
@@ -302,7 +308,7 @@ To run gateway, we should do two things:
 
 #### Setup location for gateway
 
-Follow [this guide](gateway.md) for setting up the location in Defguard Core web interface. You should leave the guide with a token for your new Gateway instance and use it in the following configuration.
+Follow [this guide](../gateway.md) for setting up the location in Defguard Core web interface. You should leave the guide with a token for your new Gateway instance and use it in the following configuration.
 
 #### Create config file
 
@@ -403,7 +409,7 @@ On the other side, core service should print those informations:
 
 ### Proxy
 
-To run proxy service (for [remote onboarding & enrollment](../using-defguard-for-end-users/enrollment/)), we can do it by:
+To run proxy service (for [remote onboarding & enrollment](../../using-defguard-for-end-users/enrollment/)), we can do it by:
 
 ```
 # on systems with systemd (like Debian, Ubuntu, Fedora/Red Hat Linux/SUSE)
@@ -430,7 +436,7 @@ Check the logs afterwards. Should look like this:
 
 The reverse proxy acts as an intermediary between users and Defguard services, handling HTTPS requests, routing internal gRPC communication, and ensuring encrypted connections between all components.
 
-Follow our additional guide on [configuring reverse proxy for for Core and Proxy service](reverse-proxy-configuration-using-nginx.md). After having the reverse proxy configured and running you can continue with this guide.
+Follow our additional guide on [configuring reverse proxy for for Core and Proxy service](../reverse-proxy-configuration-using-nginx.md). After having the reverse proxy configured and running you can continue with this guide.
 
 ### Enabling Proxy service in the Core
 
@@ -504,7 +510,7 @@ systemctl restart defguard.service
 Now you have full working Defguard services 🥳
 {% endhint %}
 
-You can [configure your desktop client using the enrollment](../using-defguard-for-end-users/desktop-client/instance-configuration.md#adding-instance) service and use your VPN.
+You can [configure your desktop client using the enrollment](../../using-defguard-for-end-users/desktop-client/instance-configuration.md#adding-instance) service and use your VPN.
 
 If you would like to use the feature in the desktop client to route **All traffic** through the VPN please configure your firewall to enable Internet access through your VPN - [here you can find exaples how to do it](https://defguard.gitbook.io/defguard/tutorials/step-by-step-setting-up-a-vpn-server#enabling-to-access-internet-through-your-vpn).
 
@@ -523,7 +529,7 @@ After the installation please make sure that **only the following ports are open
 * 50055
 {% endhint %}
 
-Also this setup provides only communication encryption between Defguard components, if you additionally like for core/proxy and gateway to have authorization - [please setup a custom SSL CA](grpc-ssl-communication.md#custom-ssl-ca-and-certificates).
+Also this setup provides only communication encryption between Defguard components, if you additionally like for core/proxy and gateway to have authorization - [please setup a custom SSL CA](../grpc-ssl-communication.md#custom-ssl-ca-and-certificates).
 
 ## Upgrading packages
 
@@ -541,7 +547,7 @@ Also this setup provides only communication encryption between Defguard componen
     # or Proxy package
     pkg delete defguard-proxy
     ```
-2. Install a newer version (as described [above](standalone-package-based-installation.md#installing-packages)).
+2. Install a newer version (as described [above](./#installing-packages)).
 3.  Restart the service.
 
     ```bash
diff --git a/deployment-strategies/standalone-package-based-installation/defguard-apt-repository.md b/deployment-strategies/standalone-package-based-installation/defguard-apt-repository.md
@@ -0,0 +1,64 @@
+# Defguard APT repository
+
+
+
+### Adding Defguard APT repository
+
+To add Defguard APT repository, run following commands in your terminal:
+
+```bash
+sudo apt update 
+sudo apt install -y ca-certificates curl 
+#Add official Defguard public GPG key
+sudo install -m 0755 -d /etc/apt/keyrings
+sudo curl -fsSL https://apt.defguard.net/defguard.asc -o /etc/apt/keyrings/defguard.asc
+sudo chmod a+r /etc/apt/keyrings/defguard
+
+#Add APT repository
+echo \ 
+    "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/defguard.asc] https://apt.defguard.net/ trixie release " | \
+   sudo tee /etc/apt/sources.list.d/defguard.list > /dev/null 
+
+sudo apt update
+```
+
+Afterward running these commands, you can install and update Defguard via APT.&#x20;
+
+After new release, simply use `sudo apt update` to update repository.
+
+### Using pre-release builds
+
+Defguard has two separate components on one APT repository, **release** and **pre-release.** If you want to install packages from pre-release, simply change `release` to `pre-release` in the installation steps described above, or run the following line.
+
+```sh
+echo \ 
+    "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/defguard.asc] https://apt.defguard.net/ trixie pre-release " | \
+   sudo tee /etc/apt/sources.list.d/defguard.list > /dev/null 
+sudo apt update
+```
+
+### Installing packages
+
+Defguard Core:
+
+```sh
+sudo apt install defguard
+```
+
+Defguard Proxy:
+
+```sh
+sudo apt install defguard-proxy
+```
+
+Defguard Gateway:
+
+```sh
+sudo apt install defguard-gateway
+```
+
+Defguard Client:
+
+```sh
+sudo apt install defguard-client
+```
