Very Confused ....

[ghbevans]

So on my core server i get the following error..
WARN run_grpc_bidi_stream: defguard_version: message=Missing version header
Feb 16 19:53:52 dfcore defguard[37133]: 2026-02-16T19:53:52.098104Z ERROR run_grpc_bidi_stream: defguard_core::version: message=Proxy version 0.0.0 is not supported. Minimal supported proxy version is 1.6.0.

But on the defguard-proxy server i an using 1.6.2
defguard-proxy -V
defguard-proxy 1.6.2

I have the following
Proxy server running Caddy and Defguard-proxy
Core running Defguard Core
Gateway running Gateway
(I think this is correct way it should be deployed !!)

[jakub-tldr]

Hi @ghbevans,

Can you please share more details about your configuration?

Is there any reverse proxy between Core and Proxy which could delete or modify request headers? If it's possible, please share your configuration.

[ghbevans]

DG-gateway config*
*gateway server - ubuntu 24 - ip 192.168.1.20

less gateway.toml
*## Required: secret token generated by defguard
*## NOTE: must replace default with actual value
token = "Token_From_Core"
*# Required: defguard server gRPC endpoint URL
*# NOTE: must replace default with actual value
grpc_url = "https://defguard.***********.net:50055"
*# Optional: gateway name which will be displayed in defguard web UI
name = "Home"
*# Required: use userspace WireGuard implementation (e.g. wireguard-go)
userspace = false
*# Optional: path to TLS cert file
*# grpc_ca = cert.pem
*# Required: how often should interface stat updates be sent to defguard server (in seconds)
stats_period = 60
*# Required: name of WireGuard interface
ifname = "wg0"
*# Optional: write PID to this file
*# pidfile = defguard-gateway.pid
*# Required: enable logging to syslog
use_syslog = false
*# Required: which syslog facility to use
syslog_facility = "LOG_USER"
*# Required: which socket to use for logging
syslog_socket = "/var/run/log"

*# Optional: Command which will be run before bringing interface up
*# Example: Allow all traffic through WireGuard interface:
*#pre_up = "/path/to/iptables -A INPUT -i wg0 -j ACCEPT
*# example with multiple commands - add them to a shell script
*#pre_up = "/path/to/shell /path/to/script"

*# Optional: Command which will be run after bringing interface up
*# Example: Add a default route after WireGuard interface is up:
*#post_up = "/path/to/ip route add default via 192.168.1.1 dev wg0"

*# Optional: Command which will be run before bringing interface down
*# Example: Remove WireGuard-related firewall rules before interface is taken down:
*#pre_down = "/path/to/iptables -D INPUT -i wg0 -j ACCEPT"

*# Optional: Command which will be run after bringing interface down
**# Example: Remove the default route after WireGuard interface is down:
*#post_down = "/pat/to/ip route del default via 192.168.1.1 dev wg0"

*# A HTTP port that will expose the REST HTTP gateway health status
*# STATUS CODES:
*# 200 - Gateway is working and is connected to CORE
*# 503 - gateway works but is not connected to CORE
*#health_port = 55003

*# Optional: Enable automatic masquerading of traffic by the firewall
*#masquerade = true

*# Optional: Set the priority of the Defguard forward chain
*#fw_priority = 0

DG-proxy config*
*Proxy server - ubuntu 24 - ip 192.168.1.228

/etc/defguard/proxy.toml
[server]
port = 9090
url = "https://defguard.**********.net"
auth_secret = "auth secret"
yubibridge_secret = "yubi secret"

[backend.dashboard]
url = "http://192.168.25.81:8000"
health = "/api/v1/info"

[backend.enrollment]
url = "http://192.168.25.228:8080"
health = "/"

[logging]
level = "info"
file = "/var/log/defguard-proxy.log"

**** Caddyfile Config ****

https://defguard.**************.net {

# Enrollment FIRST
handle_path /enroll* {
    reverse_proxy 192.168.25.228:8080 {
        header_up X-Forwarded-Host {host}
        header_up X-Forwarded-Proto {scheme}
        header_up X-Forwarded-For {remote_host}
    }
}
# Everything else → Core / Proxy
handle {
    reverse_proxy 192.168.25.81:8000 {
        header_up X-Forwarded-Host {host}
        header_up X-Forwarded-Proto {scheme}
        header_up X-Forwarded-For {remote_host}
    }
}

}

********Core server - Ubuntu 24 - 192.168.25.81 *******

Core configuration

*#
*# Generate secrets
*#
DEFGUARD_AUTH_SECRET=DFAuth Secret
DEFGUARD_GATEWAY_SECRET=DFGateway Secret
DEFGUARD_YUBIBRIDGE_SECRET=DFYubi Secret
DEFGUARD_SECRET_KEY=DFSecret Key

*# Define the URL under which Defguard is running:
*#DEFGUARD_URL=https://defguard.***************.net
*#HOST=0.0.0.0
*#PORT=8000
DEFGUARD_URL=https://defguard.***********.net
DEFGUARD_ENROLLMENT_URL=https://defguard.**********.net/enroll

*# How long auth session lives in seconds
DEFGUARD_AUTH_SESSION_LIFETIME=604800

*# Optional. Generated based on DEFGUARD_URL if not provided.
*# DEFGUARD_WEBAUTHN_RP_ID=localhost

DEFGUARD_ADMIN_GROUPNAME=admin
DEFGUARD_DEFAULT_ADMIN_PASSWORD=pass123

*# This will be displayed in the network settings when editing/adding a new location:
DEFGUARD_GRPC_URL=https://core.local:50055

Proxy configuration

*# Proxy is optional - if you would like to use the remote enrollment
*# and onboarding service, as well as easy desktop client configuration
*# proxy must be enabled.
*# For now we leave it uncofigured, will configure it in next step.
DEFGUARD_PROXY_URL=https://defguard.thegollum.net/enroll

LDAP configuration

*# DEFGUARD_LDAP_URL=ldap://localhost:389
*# DEFGUARD_LDAP_SERVICE_PASSWORD=adminpassword
*# DEFGUARD_LDAP_USER_SEARCH_BASE="ou=users,dc=example,dc=org"
*# DEFGUARD_LDAP_GROUP_SEARCH_BASE="ou=groups,dc=example,dc=org"
*# DEFGUARD_LDAP_DEVICE_SEARCH_BASE="ou=devices,dc=example,dc=org"

DB configuration

DEFGUARD_DB_HOST="localhost"
DEFGUARD_DB_PORT=5432
DEFGUARD_DB_NAME="defguard"
DEFGUARD_DB_USER="defguard"
DEFGUARD_DB_PASSWORD="DB Password"
*# for SQLX CLI
DATABASE_URL="postgresql://defguard:defguard@localhost/defguard"

********** Firewall port 80 + 443 FWD to Proxy 192168.25.228 ******
Hairpin NAT setup for internal BUT testing from external IP
Have not setup Port FWD for WG port as I can't get past enrollment (Screen is blank and error net::ERR_ABORTED 404 (Not Found)

[jakub-tldr]

Hello @ghbevans,

It looks like the issue comes from the DEFGUARD_PROXY_URL configuration in your Core .env file.

Currently, you have it set to:
DEFGUARD_PROXY_URL=https://defguard.thegollum.net/enroll

However, the communication between Core and Proxy relies on gRPC. This variable must point to the internal gRPC endpoint of your Proxy service, not your public domain or public reverse proxy URL.

You should use the internal IP address (or Docker service name / local hostname) of the Proxy server along with its gRPC port. By default, the Proxy runs its gRPC service on port 50051.

For example, based on the IP from your config, it should look something like this:
DEFGUARD_PROXY_URL=http://192.168.25.228:50051

(Just make sure to replace the IP with the correct internal address of your Proxy container/VM if it's different).

As a best practice, it is highly recommended to secure this internal gRPC communication. You can find a detailed guide on how to set up SSL/TLS for gRPC in our documentation here:
https://docs.defguard.net/deployment-strategies/grpc-ssl-communication

Let me know if this resolves the issue for you!

[ghbevans]

Hi, I made the changes and I see bidirectional comms BUT i still get a 404 error when I go to the enroll screen (And its blank ) Thanks On Monday, February 23, 2026 at 04:13:03 a.m. EST, jakub-tldr ***@***.***> wrote: Hello @ghbevans, It looks like the issue comes from the DEFGUARD_PROXY_URL configuration in your Core .env file. Currently, you have it set to: DEFGUARD_PROXY_URL=https://defguard.thegollum.net/enroll However, the communication between Core and Proxy relies on gRPC. This variable must point to the internal gRPC endpoint of your Proxy service, not your public domain or public reverse proxy URL. You should use the internal IP address (or Docker service name / local hostname) of the Proxy server along with its gRPC port. By default, the Proxy runs its gRPC service on port 50051. For example, based on the IP from your config, it should look something like this: DEFGUARD_PROXY_URL=http://192.168.25.228:50051 (Just make sure to replace the IP with the correct internal address of your Proxy container/VM if it's different). As a best practice, it is highly recommended to secure this internal gRPC communication. You can find a detailed guide on how to set up SSL/TLS for gRPC in our documentation here: https://docs.defguard.net/deployment-strategies/grpc-ssl-communication Let me know if this resolves the issue for you! — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.Message ID: ***@***.***>