mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 18:18:55 +00:00
To support resolving SRV and TXT records for DNS-resources, we host a DNS server on UDP/53535 and TCP/53535 on the IPv4 and IPv6 IP of the Gateway's TUN device. This will later be used by connlib to send DNS queries of particular types (concretely SRV and TXT) to the Gateway itself. With this PR, this DNS server is already functional and reachable but it will answer all queries with SERVFAIL. Actual handling of these queries is left to a future PR.

We listen on port 53535 because:

- Port 53 may be taken by another DNS server running on the customer's machine where they deploy the Gateway
- Port 5353 is the standard port for mDNS
- I could not find anything on the Internet about it being used by a specific application

In theory, we could also bind to a random port but then we'd have to communicate this port somehow to the client. This could be done using a control protocol message but it just makes things more complicated. For example, there would be additional buffering needed on the Client side for the time period where we've established a connection to the Gateway already but haven't received the control protocol message yet, at which port the Gateway is hosting the DNS server.

If one knows the Gateway's IP (and has a connection to it already), this DNS server will be usable by users with standard DNS tools such as `dig`:

```sh
dig @100.76.212.99 -p 53535 example.com
```

Related: #8221
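The placeholder behaviour described above (a listener that echoes the question and answers SERVFAIL) as an added example; this is not Firezone's code, and it binds loopback instead of the TUN device's addresses, which is an assumption for running it stand-alone.

```rust
// Added example, not part of the Firezone repository: a minimal UDP DNS
// responder on 53535 that answers every query with RCODE 2 (SERVFAIL).
use std::net::UdpSocket;

/// Return the offset just past the question section, or None if truncated.
fn question_end(msg: &[u8], qdcount: u16) -> Option<usize> {
    let mut pos = 12; // DNS header is 12 bytes
    for _ in 0..qdcount {
        loop {
            let len = *msg.get(pos)? as usize;
            if len == 0 { pos += 1; break; }               // root label
            if len & 0xC0 == 0xC0 { pos += 2; break; }     // compression pointer
            pos += 1 + len;
        }
        pos += 4; // QTYPE + QCLASS
        if pos > msg.len() { return None; }
    }
    Some(pos)
}

/// Build a SERVFAIL response: same ID, QR=1, RA=1, RCODE=2, question echoed,
/// all other sections (including any EDNS OPT record) dropped.
pub fn servfail_response(query: &[u8]) -> Option<Vec<u8>> {
    if query.len() < 12 { return None; }
    let qdcount = u16::from_be_bytes([query[4], query[5]]);
    let end = question_end(query, qdcount)?;
    let mut resp = query[..end].to_vec();
    resp[2] = 0x80 | (query[2] & 0x79); // QR=1, keep Opcode and RD, clear AA/TC
    resp[3] = 0x80 | 0x02;              // RA=1, Z=0, RCODE=SERVFAIL
    for b in &mut resp[6..12] { *b = 0; } // ANCOUNT, NSCOUNT, ARCOUNT = 0
    Some(resp)
}

fn main() -> std::io::Result<()> {
    // Assumption: loopback for the demo; the Gateway uses its TUN addresses.
    let sock = UdpSocket::bind("127.0.0.1:53535")?;
    let mut buf = [0u8; 512];
    loop {
        let (n, peer) = sock.recv_from(&mut buf)?;
        if let Some(resp) = servfail_response(&buf[..n]) {
            sock.send_to(&resp, peer)?;
        }
    }
}
```

Run it and query it with `dig @127.0.0.1 -p 53535 example.com`; dig reports `status: SERVFAIL` with the question section intact.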
gateway
This crate houses the Firezone gateway.
Building
You can build the gateway using:

```sh
cargo build --release --bin firezone-gateway
```

You should then find a binary in `target/release/firezone-gateway`.
Running
The Firezone Gateway supports Linux only. To run the Gateway binary on your Linux host:
- Generate a new Gateway token from the "Gateways" section of the admin portal and save it in your secrets manager.
- Ensure the `FIREZONE_TOKEN=<gateway_token>` environment variable is set securely in your Gateway's shell environment. The Gateway requires this variable at startup.
- Set `FIREZONE_ID` to a unique string to identify this gateway in the portal, e.g. `export FIREZONE_ID=$(uuidgen)`. The Gateway requires this variable at startup.
- Now, you can start the Gateway with:

```sh
firezone-gateway
```

If you're running as a non-root user, you'll need the `CAP_NET_ADMIN` capability to open `/dev/net/tun`. You can add this to the gateway binary with:

```sh
sudo setcap 'cap_net_admin+eip' /path/to/firezone-gateway
```
Ports
The gateway requires no open ports. Connections automatically traverse NAT with STUN/TURN via the relay.