FireZone is a simple WireGuard-based VPN server and firewall for Linux designed to be secure, easy to manage, and quick to set up.
What is Firezone?
Firezone can be set up in minutes to manage your WireGuard VPN through a simple web interface.
Features
- Fast: 3-4 times faster than OpenVPN.
- Firewall built in: Uses nftables to block unwanted egress traffic.
- No dependencies: All dependencies are bundled thanks to Chef Omnibus.
- Secure: Runs unprivileged. HTTPS enforced. Encrypted cookies.
Deploying and Configuring
Requirements
FireZone currently supports the following operating systems:
| Name | Status |
|---|---|
| CentOS 7 | Fully-supported |
| CentOS 8 | Fully-supported |
| Ubuntu 18.04 | Fully-supported |
| Ubuntu 20.04 | Fully-supported |
| Debian 10 | Fully-supported |
| Debian 11 | Fully-supported |
| Fedora 33 | Fully-supported |
| Fedora 34 | Fully-supported |
| macOS | Unsupported at this time |
| Windows | Unsupported at this time |
If your distro isn't listed here please open an issue and we'll look into adding it.
FireZone requires a valid SSL certificate and a matching DNS record to run in production. We recommend using Let's Encrypt to generate a free SSL cert for your domain.
Installation Instructions
- Download the relevant package for your distribution from the releases page.
- Install with `sudo rpm -i firezone-<version>.rpm` or `sudo dpkg -i firezone-<version>.deb` depending on your distribution. This will unpack the application and set up necessary directory structure.
- Bootstrap the application with `sudo firezone-ctl reconfigure`. This will initialize config files, set up needed services and generate the default configuration.
- Edit the default configuration at `/etc/firezone/firezone.rb`. You'll want to make sure `default['firezone']['fqdn']`, `default['firezone']['url_host']`, `default['firezone']['ssl']['certificate']`, and `default['firezone']['ssl']['certificate_key']` are set properly.
- Reconfigure the application to pick up the new changes: `sudo firezone-ctl reconfigure`.
- Finally, create an admin user with `sudo firezone-ctl create_admin`. Check the console for the login credentials.
- Now you should be able to log into the web UI at `https://<your-server-fqdn>`.
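A pre-flight check for the settings edited above, as an added example that is not part of the Firezone project: it evaluates firezone.rb-style attribute text, then confirms that the certificate matches its private key, is currently valid, and covers the configured FQDN. Assumptions: the file contains only `default[...] = value` assignments, the key path lives in `['ssl']['certificate_key']`, and the helper names and the host `vpn.example.test` are made up for illustration.

```ruby
require 'openssl'

# Evaluates firezone.rb-style text as Ruby against a stub `default`; use only on a trusted file.
def load_attrs(source)
  attrs = Hash.new { |h, k| h[k] = Hash.new(&h.default_proc) }
  ctx = Object.new
  ctx.define_singleton_method(:default) { attrs }
  ctx.instance_eval(source)
  attrs['firezone']
end

# Returns a list of problems (empty = all checks passed); the PEMs are the configured files' contents.
def preflight(fz, cert_pem, key_pem, now = Time.now)
  settings = { 'fqdn' => fz['fqdn'], 'url_host' => fz['url_host'],
               'ssl.certificate' => fz['ssl']['certificate'],
               'ssl.certificate_key' => fz['ssl']['certificate_key'] } # assumed name
  problems = settings.reject { |_, v| v.is_a?(String) && !v.empty? }
                     .keys.map { |name| "#{name} is not set" }
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key = OpenSSL::PKey.read(key_pem)
  problems << 'key does not match certificate' unless cert.check_private_key(key)
  problems << 'certificate not currently valid' unless now.between?(cert.not_before, cert.not_after)
  if fz['fqdn'].is_a?(String) && !OpenSSL::SSL.verify_certificate_identity(cert, fz['fqdn'])
    problems << "certificate does not cover #{fz['fqdn']}"
  end
  problems
end

# Constructed sample: throwaway self-signed certificate and key for `cn`.
def sample_cert(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert.to_pem, key.to_pem]
end

# Constructed config text in the shape of /etc/firezone/firezone.rb.
SAMPLE_CONFIG = <<~RUBY
  default['firezone']['fqdn'] = 'vpn.example.test'
  default['firezone']['url_host'] = 'vpn.example.test'
  default['firezone']['ssl']['certificate'] = '/etc/ssl/vpn.example.test.crt'
  default['firezone']['ssl']['certificate_key'] = '/etc/ssl/vpn.example.test.key'
RUBY
puts preflight(load_attrs(SAMPLE_CONFIG), *sample_cert('vpn.example.test')).inspect
```

Against a real install, pass `File.read` of the real config and of the two configured paths; a self-signed sample passes here because the check covers key match, validity window and hostname, not the trust chain.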
Using Firezone
Your FireZone installation can be managed via the firezone-ctl command, as shown below. Most subcommands require prefixing with sudo.
```
root@demo:~# firezone-ctl
I don't know that command.
omnibus-ctl: command (subcommand)
  create_admin
    Create an Admin user
General Commands:
  cleanse
    Delete *all* firezone data, and start from scratch.
  help
    Print this help message.
  reconfigure
    Reconfigure the application.
  show-config
    Show the configuration that would be generated by reconfigure.
  uninstall
    Kill all processes and uninstall the process supervisor (data will be preserved).
  version
    Display current version of Firezone
Service Management Commands:
  graceful-kill
    Attempt a graceful stop, then SIGKILL the entire process group.
  hup
    Send the services a HUP.
  int
    Send the services an INT.
  kill
    Send the services a KILL.
  once
    Start the services if they are down. Do not restart them if they stop.
  restart
    Stop the services if they are running, then start them again.
  service-list
    List all the services (enabled services appear with a *.)
  start
    Start services if they are down, and restart them if they stop.
  status
    Show the status of all the services.
  stop
    Stop the services, and do not restart them.
  tail
    Watch the service logs of all enabled services.
  term
    Send the services a TERM.
  usr1
    Send the services a USR1.
  usr2
    Send the services a USR2.
```
Architecture
FireZone is written in the Elixir programming language and composed as an Umbrella project consisting of three independent applications:
- apps/fz_http: The Web Application
- apps/fz_wall: Firewall Management Process
- apps/fz_vpn: WireGuard™ Management Process
For now, FireZone assumes these apps are all running on the same host.
Chef Omnibus is used to bundle all FireZone dependencies into a single distributable Linux package.
Getting Support
For help, feedback or contributions please join our Slack group. We're actively working to improve Firezone, and the Slack group is the best way to coordinate our efforts.
Developing and Contributing
- See CONTRIBUTING.md.
- Report issues and bugs in this GitHub project.
License
WireGuard™ is a registered trademark of Jason A. Donenfeld.


