firezone

mirror of https://github.com/outbackdingo/firezone.git synced 2026-01-27 18:18:55 +00:00

Go to file

Thomas Eizinger 55eaa7cdc7 test(connlib): establish real TCP connections in proptests (#9814 )

With this patch, we sample a list of DNS resources on each test run and
create a "TCP service" for each of their addresses. Using this list of
resources, we then change the `SendTcpPayload` transition to
`ConnectTcp` and establish TCP connections using `smoltcp` to these
services.

For now, we don't send any data on these connections but we do set the
keep-alive interval to 5s, meaning `smoltcp` itself will keep these
connections alive. We also set the timeout to 30s and after each
transition in a test-run, we assert that all TCP sockets are still in
their expected state:

- `ESTABLISHED` for most of them.
- `CLOSED` for all sockets where we ended up sampling an IPv4 address
but the DNS resource only supports IPv6 addresses (or vice-versa). In
these cases, we use the ICMP error to sent by the Gateway to assert that
the socket is `CLOSED`. Unfortunately, `smoltcp` currently does not
handle ICMP messages for its sockets, so we have to call `abort`
ourselves.

Overall, this should assert that regardless of whether we roam networks,
switch relays or do other kind of stuff with the underlying connection,
the tunneled TCP connection stays alive.

In order to make this work, I had to tweak the timeouts when we are
on-demand refreshing allocations. This only happens in one particular
case: When we are being given new relays by the portal, we refresh all
_other_ relays to make sure they are still present. In other words, all
relays that we didn't remove and didn't just add but still had in-memory
are refreshed. This is important for cases where we are
network-partitioned from the portal whilst relays are deployed or reset
their state otherwise. Instead of the previous 8s max elapsed time of
the exponential backoff like we have it for other requests, we now only
use a single message with a 1s timeout there. With the increased ICE
timeout of 15s, a TCP connection with a 30s timeout would otherwise not
survive such an event. This is because it takes the above mentioned 8s
for us to remove a non-functioning relay, all whilst trying to establish
a new connection (which also incurs its own ICE timeout then).

With the reduced timeout on the on-demand refresh of 1s, we detect the
disappeared relay much quicker and can immediately establish a new
connection via one of the new ones. As always with reduced timeouts,
this can create false-positives if the relay doesn't reply within 1s for
some reason.

Resolves: #9531

2025-07-11 15:10:22 +00:00

.github

test(connlib): establish real TCP connections in proptests (#9814 )

2025-07-11 15:10:22 +00:00

docs

chore: move terraform/ to private repo (#9421 )

2025-06-05 19:24:06 +00:00

elixir

fix(portal): reply to all wal keepalives with ack (#9828 )

2025-07-11 14:32:56 +00:00

kotlin/android

build(deps): bump com.google.firebase:firebase-bom from 33.15.0 to 33.16.0 in /kotlin/android (#9756 )

2025-07-01 15:09:32 +00:00

rust

test(connlib): establish real TCP connections in proptests (#9814 )

2025-07-11 15:10:22 +00:00

scripts

chore: publish gui-client 1.5.5 (#9811 )

2025-07-09 12:44:38 +00:00

swift/apple

feat(apple): use .zip for logs (#9536 )

2025-06-23 22:25:57 +00:00

website

feat(gateway): respond with ICMP error for filtered packets (#9816 )

2025-07-11 13:54:41 +00:00

.dockerignore

chore: move terraform/ to private repo (#9421 )

2025-06-05 19:24:06 +00:00

.gitattributes

chore: set same eol for all platforms (#4316 )

2024-03-25 23:05:23 +00:00

.gitignore

chore: add nix scripts (#3771 )

2024-02-27 23:56:46 +00:00

.prettierignore

ci: properly ignore generated TS directory (#9383 )

2025-06-04 05:49:05 +00:00

.prettierrc.json

docs: update Apple docs for standalone guidance (#7589 )

2024-12-29 21:36:30 +00:00

.tool-versions

chore(portal): bump elixir 1.18.4, otp 27.3.4.1 (#9673 )

2025-06-25 18:39:20 +00:00

docker-compose.yml

refactor(portal): remove flow_activities (#9693 )

2025-06-27 20:40:25 +00:00

LICENSE

Update LICENSE to include component license clarification for subcomponents (#1806 )

2023-07-20 21:14:38 +00:00

docs/README.md

A modern alternative to legacy VPNs.

Overview

Firezone is an open source platform to securely manage remote access for any-sized organization. Unlike most VPNs, Firezone takes a granular, least-privileged approach to access management with group-based policies that control access to individual applications, entire subnets, and everything in between.

Features

Firezone is:

Fast: Built on WireGuard® to be 3-4 times faster than OpenVPN.
Scalable: Deploy two or more gateways for automatic load balancing and failover.
Private: Peer-to-peer, end-to-end encrypted tunnels prevent packets from routing through our infrastructure.
Secure: Zero attack surface thanks to Firezone's holepunching tech which establishes tunnels on-the-fly at the time of access.
Open: Our entire product is open-source, allowing anyone to audit the codebase.
Flexible: Authenticate users via email, Google Workspace, Okta, Entra ID, or OIDC and sync users and groups automatically.
Simple: Deploy gateways and configure access in minutes with a snappy admin UI.

Firezone is not:

A tool for creating bi-directional mesh networks
A full-featured router or firewall
An IPSec or OpenVPN server

Contents of this repository

This is a monorepo containing the full Firezone product, marketing website, and product documentation, organized as follows:

elixir: Control plane and internal Elixir libraries:
- elixir/apps/web: Admin UI
- elixir/apps/api: API for Clients, Relays and Gateways.
rust/: Data plane and internal Rust libraries:
- rust/gateway: Gateway - Tunnel server based on WireGuard and deployed to your infrastructure.
- rust/relay: Relay - STUN/TURN server to facilitate holepunching.
- rust/headless-client: Cross-platform CLI client.
- rust/gui-client: Cross-platform GUI client.
swift/: macOS / iOS clients.
kotlin/: Android / ChromeOS clients.
website/: Marketing website and product documentation.

Quickstart

The quickest way to get started with Firezone is to sign up for an account at https://app.firezone.dev/sign_up.

Once you've signed up, follow the instructions in the welcome email to get started.

Frequently asked questions (FAQ)

Can I self-host Firezone?

Our license won't stop you from self-hosting the entire Firezone product top to bottom, but our internal APIs are changing rapidly so we can't meaningfully support self-hosting Firezone in production at this time.

If you're feeling especially adventurous and want to self-host Firezone for educational or hobby purposes, follow the instructions to spin up a local development environment in CONTRIBUTING.md.

The latest published clients (on App Stores and on releases) are only guaranteed to work with the managed version of Firezone and may not work with a self-hosted portal built from this repository. This is because Apple and Google can sometimes delay updates to their app stores, and so the latest published version may not be compatible with the tip of main from this repository.

Therefore, if you're experimenting with self-hosting Firezone, you will probably want to use clients you build and distribute yourself as well.

See the READMEs in the following directories for more information on building each client:

macOS / iOS: swift/apple
Android / ChromeOS: kotlin/android
Windows / Linux: rust/gui-client

How long will 0.7 be supported until?

Firezone 0.7 is currently end-of-life and has stopped receiving updates as of January 31st, 2024. It will continue to be available indefinitely from the legacy branch of this repo under the Apache 2.0 license.

How much does it cost?

We offer flexible per-seat monthly and annual plans for the cloud-managed version of Firezone, with optional invoicing for larger organizations. See our pricing page for more details.

Those experimenting with self-hosting can use Firezone for free without feature or seat limitations, but we can't provide support for self-hosted installations at this time.

Documentation

Additional documentation on general usage, troubleshooting, and configuration can be found at https://www.firezone.dev/kb.

Get Help

If you're looking for help installing, configuring, or using Firezone, check our community support options:

Discussion Forums: Ask questions, report bugs, and suggest features.
Join our Discord Server: Join live discussions, meet other users, and chat with the Firezone team.
Open a PR: Contribute a bugfix or make a contribution to Firezone.

If you need help deploying or maintaining Firezone for your business, consider contacting our sales team to speak with a Firezone expert.

See all support options on our main support page.

Star History

Developing and Contributing

See CONTRIBUTING.md.

Security

See SECURITY.md.

License

Portions of this software are licensed as follows:

All content residing under the "elixir/" directory of this repository, if that directory exists, is licensed under the "Elastic License 2.0" license defined in "elixir/LICENSE".
All third party components incorporated into the Firezone Software are licensed under the original license provided by the owner of the applicable component.
Content outside of the above mentioned directories or restrictions above is available under the "Apache 2.0 License" license as defined in "LICENSE".

WireGuard® is a registered trademark of Jason A. Donenfeld.

Languages

Elixir 57.1%

Rust 29.2%

TypeScript 5.9%

Swift 3.3%

Kotlin 1.8%

Other 2.5%