DefGuard · j-chmielewski · Nov 20, 2025 · Nov 17, 2025 · Nov 17, 2025 · Nov 18, 2025
diff --git a/.sqlx/query-160d23b882d0465fbc8c5453b7dba68521649ba86985d45049487ae50d7dfde8.json b/.sqlx/query-160d23b882d0465fbc8c5453b7dba68521649ba86985d45049487ae50d7dfde8.json
diff --git a/.sqlx/query-283e1c3d082f1388fc2b806bdcab715db1c1df67da573b0f132fea265e42b416.json b/.sqlx/query-283e1c3d082f1388fc2b806bdcab715db1c1df67da573b0f132fea265e42b416.json
diff --git a/.sqlx/query-a644507ebcfb9ef04883ad8b07bb3dbb0fc747ae0843baa001e47ea328e49c25.json b/.sqlx/query-a644507ebcfb9ef04883ad8b07bb3dbb0fc747ae0843baa001e47ea328e49c25.json
diff --git a/.sqlx/query-ccd62ea7526078c9db47812e7f6a5e7829eae217ad9f7f3b0b03aa02f8808dc2.json b/.sqlx/query-ccd62ea7526078c9db47812e7f6a5e7829eae217ad9f7f3b0b03aa02f8808dc2.json
diff --git a/crates/defguard_core/src/enterprise/db/models/enterprise_settings.rs b/crates/defguard_core/src/enterprise/db/models/enterprise_settings.rs
@@ -1,16 +1,16 @@
-use sqlx::{PgExecutor, query, query_as};
+use sqlx::{PgExecutor, Type, query, query_as};
 use struct_patch::Patch;
 
 use crate::enterprise::is_enterprise_enabled;
 
 #[derive(Debug, Deserialize, Patch, Serialize)]
 #[patch(attribute(derive(Deserialize, Serialize)))]
 pub struct EnterpriseSettings {
-    // If true, only admins can manage devices
+    /// If true, only admins can manage devices
     pub admin_device_management: bool,
-    // If true, the option to route all traffic through the vpn is disabled in the client
-    pub disable_all_traffic: bool,
-    // If true, manual WireGuard setup is disabled
+    /// Describes allowed routing options for clients connecting to the instance.
+    pub client_traffic_policy: ClientTrafficPolicy,
+    /// If true, manual WireGuard setup is disabled
     pub only_client_activation: bool,
 }
 
@@ -20,8 +20,8 @@ impl Default for EnterpriseSettings {
     fn default() -> Self {
         Self {
             admin_device_management: false,
-            disable_all_traffic: false,
             only_client_activation: false,
+            client_traffic_policy: ClientTrafficPolicy::default(),
         }
     }
 }
@@ -39,7 +39,8 @@ impl EnterpriseSettings {
             let settings = query_as!(
                 Self,
                 "SELECT admin_device_management, \
-                disable_all_traffic, only_client_activation \
+				client_traffic_policy \"client_traffic_policy: ClientTrafficPolicy\", \
+				only_client_activation \
                 FROM \"enterprisesettings\" WHERE id = 1",
             )
             .fetch_optional(executor)
@@ -57,11 +58,11 @@ impl EnterpriseSettings {
         query!(
             "UPDATE \"enterprisesettings\" SET \
             admin_device_management = $1, \
-            disable_all_traffic = $2, \
+			client_traffic_policy = $2, \
             only_client_activation = $3 \
             WHERE id = 1",
             self.admin_device_management,
-            self.disable_all_traffic,
+            self.client_traffic_policy as ClientTrafficPolicy,
             self.only_client_activation,
         )
         .execute(executor)
@@ -70,3 +71,17 @@ impl EnterpriseSettings {
         Ok(())
     }
 }
+
+/// Describes allowed traffic options for clients connecting to the instance.
+#[derive(Clone, Deserialize, Serialize, PartialEq, Eq, Type, Debug, Default, Copy)]
+#[sqlx(type_name = "client_traffic_policy", rename_all = "snake_case")]
+#[serde(rename_all = "snake_case")]
+pub enum ClientTrafficPolicy {
+    /// No restrictions
+    #[default]
+    None,
+    /// Clients are not allowed to route all traffic through the VPN.
+    DisableAllTraffic,
+    /// Clients are forced to route all traffic through the VPN.
+    ForceAllTraffic,
+}
diff --git a/crates/defguard_core/src/grpc/mod.rs b/crates/defguard_core/src/grpc/mod.rs
@@ -50,7 +50,10 @@ use crate::{
         models::enrollment::{ENROLLMENT_TOKEN_TYPE, Token},
     },
     enterprise::{
-        db::models::{enterprise_settings::EnterpriseSettings, openid_provider::OpenIdProvider},
+        db::models::{
+            enterprise_settings::{ClientTrafficPolicy, EnterpriseSettings},
+            openid_provider::OpenIdProvider,
+        },
         directory_sync::sync_user_groups_if_configured,
         grpc::polling::PollingServer,
         handlers::openid_login::{
@@ -806,7 +809,7 @@ pub struct InstanceInfo {
     url: Url,
     proxy_url: Url,
     username: String,
-    disable_all_traffic: bool,
+    client_traffic_policy: ClientTrafficPolicy,
     enterprise_enabled: bool,
     openid_display_name: Option<String>,
 }
@@ -829,7 +832,7 @@ impl InstanceInfo {
             url: config.url.clone(),
             proxy_url: config.enrollment_url.clone(),
             username: username.into(),
-            disable_all_traffic: enterprise_settings.disable_all_traffic,
+            client_traffic_policy: enterprise_settings.client_traffic_policy,
             enterprise_enabled: is_enterprise_enabled(),
             openid_display_name,
         }
@@ -844,7 +847,11 @@ impl From<InstanceInfo> for defguard_proto::proxy::InstanceInfo {
             url: instance.url.to_string(),
             proxy_url: instance.proxy_url.to_string(),
             username: instance.username,
-            disable_all_traffic: instance.disable_all_traffic,
+            // Ensure backwards compatibility.
+            #[allow(deprecated)]
+            disable_all_traffic: instance.client_traffic_policy
+                == ClientTrafficPolicy::DisableAllTraffic,
+            client_traffic_policy: Some(instance.client_traffic_policy as i32),
             enterprise_enabled: instance.enterprise_enabled,
             openid_display_name: instance.openid_display_name,
         }

diff --git a/crates/defguard_core/tests/integration/api/enterprise_settings.rs b/crates/defguard_core/tests/integration/api/enterprise_settings.rs
@@ -1,6 +1,6 @@
 use defguard_core::{
     enterprise::{
-        db::models::enterprise_settings::EnterpriseSettings,
+        db::models::enterprise_settings::{ClientTrafficPolicy, EnterpriseSettings},
         license::{get_cached_license, set_cached_license},
     },
     handlers::Auth,
@@ -33,7 +33,7 @@ async fn test_only_enterprise_can_modify_enterpise_settings(
     // try to patch enterprise settings
     let settings = EnterpriseSettings {
         admin_device_management: false,
-        disable_all_traffic: false,
+        client_traffic_policy: ClientTrafficPolicy::None,
         only_client_activation: false,
     };
 
@@ -81,7 +81,7 @@ async fn test_admin_devices_management_is_enforced(_: PgPoolOptions, options: Pg
     // setup admin devices management
     let settings = EnterpriseSettings {
         admin_device_management: true,
-        disable_all_traffic: false,
+        client_traffic_policy: ClientTrafficPolicy::None,
         only_client_activation: false,
     };
     let response = client
@@ -177,7 +177,7 @@ async fn test_regular_user_device_management(_: PgPoolOptions, options: PgConnec
     // setup admin devices management
     let settings = EnterpriseSettings {
         admin_device_management: false,
-        disable_all_traffic: false,
+        client_traffic_policy: ClientTrafficPolicy::None,
         only_client_activation: false,
     };
     let response = client
@@ -265,7 +265,7 @@ async fn dg25_12_test_enforce_client_activation_only(_: PgPoolOptions, options:
     // disable manual device management
     let settings = EnterpriseSettings {
         admin_device_management: false,
-        disable_all_traffic: false,
+        client_traffic_policy: ClientTrafficPolicy::None,
         only_client_activation: true,
     };
     let response = client
@@ -346,7 +346,7 @@ async fn dg25_13_test_disable_device_config(_: PgPoolOptions, options: PgConnect
     // disable manual device management
     let settings = EnterpriseSettings {
         admin_device_management: false,
-        disable_all_traffic: false,
+        client_traffic_policy: ClientTrafficPolicy::None,
         only_client_activation: true,
     };
     let response = client

diff --git a/migrations/20251119122424_client_traffic_policy.down.sql b/migrations/20251119122424_client_traffic_policy.down.sql
@@ -0,0 +1,13 @@
+-- restore boolean `mfa_enabled` column
+ALTER TABLE enterprisesettings ADD COLUMN "disable_all_traffic" BOOLEAN NOT NULL DEFAULT false;
+
+-- populate based on client traffic policy
+UPDATE enterprisesettings
+SET disable_all_traffic = CASE
+    WHEN client_traffic_policy = 'disable_all_traffic'::client_traffic_policy THEN true
+    ELSE false
+END;
+
+-- drop new column and type
+ALTER TABLE enterprisesettings DROP COLUMN "client_traffic_policy";
+DROP TYPE client_traffic_policy;
diff --git a/migrations/20251119122424_client_traffic_policy.up.sql b/migrations/20251119122424_client_traffic_policy.up.sql
@@ -0,0 +1,19 @@
+-- add enum representing client traffic policy
+CREATE TYPE client_traffic_policy AS ENUM (
+    'none',
+    'disable_all_traffic',
+    'force_all_traffic'
+);
+
+-- add column to `enterprisesettings` table
+ALTER TABLE enterprisesettings ADD COLUMN "client_traffic_policy" client_traffic_policy NOT NULL DEFAULT 'none';
+
+-- populate new column based on value in `disable_all_traffic` column
+UPDATE enterprisesettings
+SET client_traffic_policy = CASE
+    WHEN disable_all_traffic = true THEN 'disable_all_traffic'::client_traffic_policy
+    ELSE 'none'::client_traffic_policy
+END;
+
+-- drop the `disable_all_traffic` column since it's no longer needed
+ALTER TABLE enterprisesettings DROP COLUMN "disable_all_traffic";
diff --git a/proto b/proto
diff --git a/web/src/i18n/en/index.ts b/web/src/i18n/en/index.ts
@@ -1708,16 +1708,29 @@ Licensing information: [https://docs.defguard.net/enterprise/license](https://do
           helper:
             "When this option is enabled, only users in the Admin group can manage devices in user profile (it's disabled for all other users)",
         },
-        disableAllTraffic: {
-          label: 'Disable the option to route all traffic through VPN',
-          helper:
-            'When this option is enabled, users will not be able to route all traffic through the VPN using the defguard client.',
-        },
         manualConfig: {
           label: "Disable users' ability to manually configure WireGuard client",
           helper:
             "When this option is enabled, users won't be able to view or download configuration for the manual WireGuard client setup. Only the Defguard desktop client configuration will be available.",
         },
+        clientTrafficPolicy: {
+          header: 'Client traffic policy',
+          none: {
+            label: 'None',
+            helper:
+              'When this option is enabled, users will be able to select all routing options.',
+          },
+          disableAllTraffic: {
+            label: 'Disable the option to route all traffic through VPN',
+            helper:
+              'When this option is enabled, users will not be able to route all traffic through the VPN.',
+          },
+          forceAllTraffic: {
+            label: 'Force the clients to route all traffic through VPN',
+            helper:
+              'When this option is enabled, the users will always route all traffic through the VPN.',
+          },
+        },
       },
     },
     gatewayNotifications: {