Guardian is an enterprise-grade zero-trust network and content-security access control system built on the WireGuard protocol and an application-layer gateway.
It is an enterprise zero-trust access platform that combines:
- WireGuard mesh networking
- Application-layer secure gateway
- Identity-aware access control
- Content security inspection
- Enterprise audit & governance
- Secure AI infrastructure access
Unlike traditional VPN solutions, Guardian does not stop at connectivity.
It also provides:
- Secure infrastructure access
- Secure internal application publishing
- Fine-grained security policies
- Content-aware protection
- Full auditability
- Unified identity & security governance
Traditional VPNs only solve network connectivity.
Modern enterprises additionally need:
- SSO + MFA
- Secure Git access
- Kubernetes access governance
- API security
- Content filtering
- Security auditing
- AI infrastructure protection
- Internal application publishing
- Zero trust access policies
```
┌─────────────────────┐
│  Identity Provider  │
│  SSO / OAuth / MFA  │
└──────────┬──────────┘
           │
           ▼
┌─────────────────────────────────┐
│      Guardian Control Plane     │
├─────────────────────────────────┤
│ • Identity & Access Control     │
│ • Policy Engine                 │
│ • Device Management             │
│ • Audit & Compliance            │
│ • Security Analytics            │
│ • Content Security Policies     │
└───────────────┬─────────────────┘
                │
              ┌─┴─────────────────────────────┐
              ▼                                ▼
┌────────────────────────────┐  ┌────────────────────────────┐
│   WireGuard Mesh Network   │  │ Secure Application Gateway │
├────────────────────────────┤  ├────────────────────────────┤
│ • P2P Connectivity         │  │ • Reverse Proxy            │
│ • NAT Traversal            │  │ • SSO Authentication       │
│ • Route Management         │  │ • MFA Enforcement          │
│ • Encrypted Overlay        │  │ • Access Policies          │
│ • Multi-network Support    │  │ • Secure Publishing        │
└─────────────┬──────────────┘  └─────────────┬──────────────┘
              │                               │
              ▼                               ▼
┌────────────────────────┐      ┌──────────────────────────┐
│  Infrastructure Layer  │      │ Content Security Engine  │
├────────────────────────┤      ├──────────────────────────┤
│ • SSH Servers          │      │ • DLP Inspection         │
│ • Kubernetes           │      │ • API Security           │
│ • Databases            │      │ • AI/LLM Protection      │
│ • Cloud VPCs           │      │ • Sensitive Data Scan    │
│ • Internal Services    │      │ • Audit Logging          │
└────────────────────────┘      └──────────────────────────┘
```
Guardian builds an encrypted private mesh network using WireGuard.
Features include:
- Peer-to-peer encrypted connectivity
- NAT traversal
- Multi-platform support
- Route management
- Private DNS
- Site-to-site networking
- Multi-network segmentation
- Kubernetes integration
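The mesh features above map onto plain WireGuard primitives. As an added example (not Guardian's own configuration mechanism, which is driven by its management plane), the Go program below renders a wg-quick configuration for each member of a constructed three-node mesh (two reachable site gateways and one laptop behind NAT) and validates the mesh before rendering. The security point is in `AllowedIPs`: WireGuard's cryptokey routing only accepts packets from a peer whose key is authorized for the packet's source prefix, so keeping each peer's list to its own /32 plus the subnets it really routes is the mesh's least-privilege control. `CheckRoutes` catches the two common mistakes that silently defeat it: overlapping claims between peers and a peer claiming the default route. Node names, IPs, endpoints and keys are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Node is one member of the mesh. Public keys here are constructed placeholders;
// real ones come from `wg genkey | tee private.key | wg pubkey`.
type Node struct {
	Name       string
	Endpoint   string   // reachable host:port; empty for a peer behind NAT
	PublicKey  string
	OverlayIP  string   // this node's address inside the mesh
	SiteRoutes []string // subnets this node forwards for (site-to-site)
}

// Mesh is a constructed example: two site gateways reachable from the internet
// and one developer laptop behind NAT.
var Mesh = []Node{
	{Name: "aws-gw", Endpoint: "gw.aws.example.com:51820", PublicKey: "AWSGW_PUBKEY_PLACEHOLDER=",
		OverlayIP: "10.99.0.1", SiteRoutes: []string{"10.20.0.0/16"}},
	{Name: "office", Endpoint: "203.0.113.10:51820", PublicKey: "OFFICE_PUBKEY_PLACEHOLDER=",
		OverlayIP: "10.99.0.2", SiteRoutes: []string{"192.168.10.0/24"}},
	{Name: "laptop-dev", PublicKey: "LAPTOP_PUBKEY_PLACEHOLDER=", OverlayIP: "10.99.0.3"},
}

// claims lists every prefix a node may send from: its own /32 plus the
// subnets it routes for. This is exactly what the other peers put in AllowedIPs.
func claims(n Node) []string {
	return append([]string{n.OverlayIP + "/32"}, n.SiteRoutes...)
}

// CheckRoutes rejects a mesh in which two peers claim overlapping prefixes
// (WireGuard silently hands the range to whichever peer was configured last)
// or in which any peer claims the default route and could hijack all traffic.
func CheckRoutes(all []Node) error {
	type claim struct {
		owner string
		p     netip.Prefix
	}
	var seen []claim
	for _, n := range all {
		for _, s := range claims(n) {
			p, err := netip.ParsePrefix(s)
			if err != nil {
				return fmt.Errorf("%s: %w", n.Name, err)
			}
			if p.Bits() == 0 {
				return fmt.Errorf("%s claims the default route %s", n.Name, s)
			}
			for _, c := range seen {
				if c.p.Overlaps(p) {
					return fmt.Errorf("%s %s overlaps %s %s", n.Name, s, c.owner, c.p)
				}
			}
			seen = append(seen, claim{n.Name, p})
		}
	}
	return nil
}

// RenderConfig writes the wg-quick configuration for self in a full mesh.
// Each [Peer] gets AllowedIPs limited to that peer's own claims, so a
// compromised peer cannot spoof another node's overlay address or site subnet.
func RenderConfig(self Node, privateKey string, all []Node, listenPort int) string {
	var b strings.Builder
	fmt.Fprintf(&b, "[Interface]\nAddress = %s/32\nPrivateKey = %s\n", self.OverlayIP, privateKey)
	if self.Endpoint != "" {
		fmt.Fprintf(&b, "ListenPort = %d\n", listenPort)
	}
	for _, p := range all {
		if p.Name == self.Name {
			continue
		}
		fmt.Fprintf(&b, "\n[Peer]\n# %s\nPublicKey = %s\n", p.Name, p.PublicKey)
		fmt.Fprintf(&b, "AllowedIPs = %s\n", strings.Join(claims(p), ", "))
		if p.Endpoint != "" {
			fmt.Fprintf(&b, "Endpoint = %s\n", p.Endpoint)
			if self.Endpoint == "" {
				// Behind NAT: keep the mapping open so the reachable peer can send back.
				b.WriteString("PersistentKeepalive = 25\n")
			}
		}
		// Two peers that both lack an endpoint get no Endpoint line: plain wg-quick
		// cannot connect them, which is what a signaling/relay layer is for.
	}
	return b.String()
}

func main() {
	if err := CheckRoutes(Mesh); err != nil {
		panic(err)
	}
	fmt.Print(RenderConfig(Mesh[2], "LAPTOP_PRIVKEY_PLACEHOLDER=", Mesh, 51820))
}
```

Running it prints the laptop's configuration: two `[Peer]` sections, each with `AllowedIPs` scoped to that gateway's /32 and its site subnet, an `Endpoint`, and `PersistentKeepalive = 25` because the laptop itself has no reachable endpoint.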
Guardian securely exposes internal applications through:
- Identity-aware reverse proxy
- SSO integration
- MFA enforcement
- Access policy evaluation
- Secure browser access
- Public/private application publishing
Supported applications:
- GitLab
- Jenkins
- Grafana
- Kibana
- Kubernetes Dashboard
- Internal APIs
- Admin systems
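The gateway described above is, at its core, a reverse proxy that makes an authorization decision before any byte reaches the published application. The Go program below is an added example of that pattern, written for this page and not Guardian's own code: a session cookie is resolved against the SSO session store (an in-memory map stands in for it), a per-application policy requires group membership and, optionally, a completed MFA step, every decision is written to an audit trail, and only an allowed request is forwarded with an asserted `X-Forwarded-User` header (the session cookie is stripped so the backend never sees it). The cookie name, header name, policy fields, users and the `grafana` policy are all assumptions for illustration. `Demo` runs the gateway in front of a fake backend and returns the status code each of three constructed sessions receives. Note the default-closed behaviour: no session, no matching policy, wrong group and missing MFA all deny.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"time"
)

// Identity is what the SSO login established for a session.
type Identity struct {
	User   string
	Groups []string
	MFA    bool // a second factor was completed for this session
}

// AppPolicy says which group may reach one published application and whether MFA is mandatory.
type AppPolicy struct{ App, AllowGroup string; RequireMFA bool }

// Decision is the policy outcome; it is also what gets audited.
type Decision struct{ Allowed bool; Reason string }

// AuditEvent is recorded for every request, allowed or denied.
type AuditEvent struct{ Time time.Time; User, App, Path string; Allowed bool; Reason string }

// Evaluate applies the first policy for app to the identity. No session, no
// matching policy, wrong group and missing MFA all deny: the gateway defaults closed.
func Evaluate(policies []AppPolicy, app string, id Identity) Decision {
	if id.User == "" {
		return Decision{false, "no valid session"}
	}
	for _, p := range policies {
		if p.App != app {
			continue
		}
		inGroup := false
		for _, g := range id.Groups {
			inGroup = inGroup || g == p.AllowGroup
		}
		if !inGroup {
			return Decision{false, "user not in group " + p.AllowGroup}
		}
		if p.RequireMFA && !id.MFA {
			return Decision{false, "mfa required"}
		}
		return Decision{true, "allowed by policy for " + p.App}
	}
	return Decision{false, "no policy for app " + app}
}

// Gateway is an identity-aware reverse proxy: resolve the session cookie against
// the session store, evaluate policy, audit the decision, forward only if allowed.
func Gateway(sessions map[string]Identity, policies []AppPolicy, app string,
	backend *url.URL, audit func(AuditEvent)) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(backend)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var id Identity
		if c, err := r.Cookie("session"); err == nil {
			id = sessions[c.Value] // unknown cookie leaves id empty
		}
		d := Evaluate(policies, app, id)
		audit(AuditEvent{time.Now().UTC(), id.User, app, r.URL.Path, d.Allowed, d.Reason})
		if !d.Allowed {
			http.Error(w, "forbidden: "+d.Reason, http.StatusForbidden)
			return
		}
		r.Header.Del("Cookie") // the backend sees an asserted user, never the session cookie
		r.Header.Set("X-Forwarded-User", id.User)
		proxy.ServeHTTP(w, r)
	})
}

// Demo publishes a fake backend through the gateway and returns the status code
// for three constructed sessions (none, a user without MFA, a user with MFA)
// together with the audit trail.
func Demo() ([]int, []AuditEvent) {
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.Header.Get("X-Forwarded-User"))
	}))
	defer backend.Close()
	target, _ := url.Parse(backend.URL)
	sessions := map[string]Identity{ // constructed sample sessions
		"s-alice": {User: "alice", Groups: []string{"sre"}},
		"s-bob":   {User: "bob", Groups: []string{"sre"}, MFA: true},
	}
	policies := []AppPolicy{{App: "grafana", AllowGroup: "sre", RequireMFA: true}}
	var trail []AuditEvent
	h := Gateway(sessions, policies, "grafana", target, func(e AuditEvent) { trail = append(trail, e) })
	var codes []int
	for _, cookie := range []string{"", "s-alice", "s-bob"} {
		req := httptest.NewRequest("GET", "/dashboard", nil)
		req.Header.Set("Cookie", "session="+cookie)
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		codes = append(codes, rec.Code)
	}
	return codes, trail
}

func main() {
	codes, trail := Demo()
	fmt.Printf("%v %+v\n", codes, trail) // codes: [403 403 200]
}
```

In a real deployment the session map is the SSO/OIDC session store and the policy list comes from the control plane; the shape of the decision and audit record stays the same.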
Guardian adds content-aware security capabilities beyond traditional VPN solutions.
For Git traffic, prevent:
- Secret leakage
- Credential commits
- Sensitive repository cloning
- Unauthorized Git operations
For API traffic, inspect and control:
- Sensitive API requests
- Dangerous payloads
- Internal token leakage
- Data exfiltration attempts
For AI infrastructure, protect:
- Internal prompts
- Enterprise knowledge
- MCP servers
- AI agents
- Vector databases
Supported inspection controls:
- URL filtering
- Header inspection
- Request body inspection
- Response filtering
- DLP policies
- Sensitive keyword detection
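Request body inspection and sensitive keyword detection at the gateway come down to running a rule set over the body before it is forwarded. The Go program below is an added example of that step, written for this page rather than taken from Guardian: `Inspect` scans a body line by line with a small constructed rule set (an AWS access key ID, a PEM private key header, a GitHub token shape, a password assignment), redacts the matched text in the recorded snippet so the audit log does not become a second copy of the secret, and `Verdict` blocks only when a rule marked `Block` fires while log-only rules are just audited. `InspectBody` is the middleware form: it bounds the body size, inspects, audits every hit, and either rejects the request or passes it upstream with the body restored byte for byte. The rule names, patterns, size limit and `SampleBody` are assumptions for illustration; the sample is a constructed text diff carrying the AWS documentation example key.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"regexp"
	"strings"
)

// Rule pairs a detector with the action to take when it fires.
type Rule struct {
	Name    string
	Pattern *regexp.Regexp
	Block   bool // true: reject the request; false: audit only
}

// Rules is a constructed sample policy; the patterns are illustrative
// signatures, not Guardian's own rule set.
var Rules = []Rule{
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`), true},
	{"private-key-block", regexp.MustCompile(`-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----`), true},
	{"github-token", regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`), true},
	{"password-assignment", regexp.MustCompile(`(?i)password\s*[:=]\s*\S+`), false},
}

// Finding is one rule hit. The snippet is redacted so that the audit trail
// itself does not leak the secret.
type Finding struct {
	Rule    string
	Line    int // 1-based line within the body
	Snippet string
}

// Inspect scans a request body line by line against the rules.
func Inspect(body string, rules []Rule) []Finding {
	var out []Finding
	for i, line := range strings.Split(body, "\n") {
		for _, r := range rules {
			if loc := r.Pattern.FindStringIndex(line); loc != nil {
				out = append(out, Finding{r.Name, i + 1, line[:loc[0]] + "[REDACTED]" + line[loc[1]:]})
			}
		}
	}
	return out
}

// Verdict reports whether any finding belongs to a blocking rule.
func Verdict(findings []Finding, rules []Rule) bool {
	block := map[string]bool{}
	for _, r := range rules {
		block[r.Name] = r.Block
	}
	for _, f := range findings {
		if block[f.Rule] {
			return true
		}
	}
	return false
}

// InspectBody is the gateway middleware: read the body (bounded), inspect it,
// audit every hit, then reject the request or pass it upstream with the body restored.
func InspectBody(next http.Handler, rules []Rule, audit func(Finding)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 8<<20)) // 8 MiB cap, an assumption
		if err != nil {
			http.Error(w, "request body too large or unreadable", http.StatusRequestEntityTooLarge)
			return
		}
		findings := Inspect(string(body), rules)
		for _, f := range findings {
			audit(f)
		}
		if Verdict(findings, rules) {
			http.Error(w, "blocked by content security policy", http.StatusForbidden)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body))
		next.ServeHTTP(w, r)
	})
}

// SampleBody is a constructed request body (a text diff) carrying two secrets
// and one password assignment.
const SampleBody = `diff --git a/config.py b/config.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+db_password = "hunter2"
+-----BEGIN RSA PRIVATE KEY-----
+# TODO rotate before release
`

func main() {
	findings := Inspect(SampleBody, Rules)
	for _, f := range findings {
		fmt.Printf("line %d %-20s %s\n", f.Line, f.Rule, f.Snippet)
	}
	fmt.Println("block:", Verdict(findings, Rules)) // block: true
}
```

Line-oriented matching is enough for text payloads such as diffs, JSON and form posts; compressed or packed bodies (a real git push over HTTP is a packfile) have to be decoded before the same rules can be applied.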
Guardian provides enterprise-grade security auditing capabilities.
Track:
- User login activity
- Device access
- SSH sessions
- Application access
- Policy decisions
- Security events
- Content filtering actions
Designed for:
- SOC2
- ISO27001
- Internal governance
- Security operation teams
Every operation becomes:
- Traceable
- Searchable
- Auditable
- Exportable
| Capability | Traditional VPN | Guardian |
|---|---|---|
| WireGuard Networking | Partial | ✅ |
| Zero Trust Access | ❌ | ✅ |
| SSO + MFA | Limited | ✅ |
| Application Gateway | ❌ | ✅ |
| Content Security Policies | ❌ | ✅ |
| Security Auditing | Weak | ✅ |
| AI/LLM Access Security | ❌ | ✅ |
| Enterprise Governance | Weak | ✅ |
| Kubernetes Access Control | Limited | ✅ |
Securely access:
- GitLab
- Kubernetes
- SSH servers
- Databases
- Internal APIs
without exposing infrastructure to the public internet.
Protect:
- LLM gateways
- MCP servers
- AI agents
- Vector databases
- Internal knowledge systems
through identity-aware security policies.
Securely connect:
- AWS
- Azure
- GCP
- Kubernetes clusters
- On-premise datacenters
- Remote developers
through a unified encrypted mesh network.
Guardian clients require elevated privileges to configure networking and WireGuard interfaces.
- Go version 1.25.5+
- Available Guardian Management / Signal endpoints
- Setup Key or existing network access
```
cd guardian
go mod tidy
CGO_ENABLED=0 go build -o guardian ./client
```
Guardian requires root / Administrator privileges.
Install and start the Guardian service, then bring the client up:
```
sudo ./guardian service install
sudo ./guardian service start
sudo ./guardian up --log-level debug --log-file console
```
Run without the daemon:
```
sudo ./guardian up --foreground-mode --log-level debug --log-file console
```
Shortcut:
```
sudo ./guardian up -F
```
This mode is recommended for:
- Development
- Debugging
- Local testing
Build the UI client:
```
go build -o guardian-ui ./client/ui
```
Run the UI:
```
sudo ./guardian-ui
```
The UI still relies on the Guardian backend service for networking, so install and start the service first:
```
sudo ./guardian service install
sudo ./guardian service start
sudo ./guardian-ui
```
Check whether:
- foreground mode is enabled
- `guardian service` is running
Run with `sudo`, or with Administrator privileges on Windows.
Check:
- Management / Signal endpoint connectivity
- System time synchronization
- Proxy settings