mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 10:18:54 +00:00
82d097baa0
Bumps [domain](https://github.com/nlnetlabs/domain) from 0.10.4 to 0.11.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/nlnetlabs/domain/releases">domain's releases</a>.</em></p> <blockquote> <h2>Release 0.11.0</h2> <p>Breaking changes</p> <ul> <li>FIX: Use base 16 per RFC 4034 for the DS digest, not base 64. (<a href="https://redirect.github.com/nlnetlabs/domain/issues/423">#423</a>)</li> <li>FIX: NSEC3 salt strings should only be accepted if within the salt size limit. (<a href="https://redirect.github.com/nlnetlabs/domain/issues/431">#431</a>)</li> <li>Stricter RFC 1035 compliance by default in the <code>Zonefile</code> parser. (<a href="https://redirect.github.com/nlnetlabs/domain/issues/477">#477</a>)</li> <li>Rename {DigestAlg, Nsec3HashAlg, SecAlg, ZonemdAlg} to {DigestAlgorithm, Nsec3HashAlgorithm, SecurityAlgorithm, ZonemdAlgorithm}</li> </ul> <p>New</p> <ul> <li>Added <code>HashCompressor</code>, an unlimited name compressor that uses a hash map rather than a tree. (<a href="https://redirect.github.com/nlnetlabs/domain/issues/396">#396</a>)</li> <li>Changed <code>fmt::Display</code> for <code>HINFO</code> records to a show a quoted string. (<a href="https://redirect.github.com/nlnetlabs/domain/issues/421">#421</a>)</li> <li>Added support for <code>NAPTR</code> record type. (<a href="https://redirect.github.com/nlnetlabs/domain/issues/427">#427</a> by [<a href="https://github.com/weilence"><code>@weilence</code></a>])</li> <li>Added initial fuzz testing support for some types via a new <code>arbitrary</code> feature (not enabled by default). (<a href="https://redirect.github.com/nlnetlabs/domain/issues/441">#441</a>)</li> <li>Added <code>StubResolver::add_connection()</code> to allow adding a connection to the running resolver. In combination with <code>ResolvConf::new()</code> this can also be used to control the connections made when testing code that uses the stub resolver. (<a href="https://redirect.github.com/nlnetlabs/domain/issues/440">#440</a>)</li> <li>Added <code>ZonefileFmt</code> trait for printing records as zonefiles. (<a href="https://redirect.github.com/nlnetlabs/domain/issues/379">#379</a>, <a href="https://redirect.github.com/nlnetlabs/domain/issues/446">#446</a>, <a href="https://redirect.github.com/nlnetlabs/domain/issues/463">#463</a>)</li> </ul> <p>Bug fixes</p> <ul> <li>NSEC records should include themselves in the generated bitmap. (<a href="https://redirect.github.com/nlnetlabs/domain/issues/417">#417</a>)</li> <li>Trailing double quote wrongly preserved when parsing record data. (<a href="https://redirect.github.com/nlnetlabs/domain/issues/470">#470</a>, <a href="https://redirect.github.com/nlnetlabs/domain/issues/472">#472</a>)</li> <li>Don't error with unexpected end of entry for RFC 3597 RDATA of length zero. (<a href="https://redirect.github.com/nlnetlabs/domain/issues/475">#475</a>)</li> </ul> <p>Unstable features</p> <ul> <li> <p>New unstable feature <code>unstable-crypto</code> that enable cryptography support for features that do not rely on secret keys. This feature needs either or both of the features <code>ring</code> and <code>openssl</code> (<a href="https://redirect.github.com/nlnetlabs/domain/issues/416">#416</a>)</p> </li> <li> <p>New unstable feature <code>unstable-crypto-sign</code> that enable cryptography support including features that rely on secret keys. This feature needs either or both of the features <code>ring</code> and <code>openssl</code> (<a href="https://redirect.github.com/nlnetlabs/domain/issues/416">#416</a>)</p> </li> <li> <p>New unstable feature <code>unstable-client-cache</code> that enable the client transport cache. The reason is that the client cache uses the <code>moka</code> crate.</p> </li> <li> <p>New unstable feature <code>unstable-new</code> that introduces a new API for all of domain (currently only with <code>base</code>, <code>rdata</code>, and <code>edns</code> modules). Also see the [associated blog post][new-base-post].</p> </li> <li> <p><code>unstable-server-transport</code></p> <ul> <li>The trait <code>SingleService</code> which is a simplified service trait for requests that should generate a single response (<a href="https://redirect.github.com/nlnetlabs/domain/issues/353">#353</a>).</li> <li>The trait <code>ComposeReply</code> and an implementation of the trait (<code>ReplyMessage</code>) to assist in capturing EDNS(0) options that should be included in a response message (<a href="https://redirect.github.com/nlnetlabs/domain/issues/353">#353</a>).</li> <li>Adapters to implement <code>Service</code> for <code>SingleService</code> and to implement <code>SingleService</code> for <code>SendRequest</code> (<a href="https://redirect.github.com/nlnetlabs/domain/issues/353">#353</a>).</li> <li>Conversion of a <code>Request</code> to a <code>RequestMessage</code> (<a href="https://redirect.github.com/nlnetlabs/domain/issues/353">#353</a>).</li> <li>A sample query router, called <code>QnameRouter</code>, that routes requests based on the QNAME field in the request (<a href="https://redirect.github.com/nlnetlabs/domain/issues/353">#353</a>).</li> </ul> </li> <li> <p><code>unstable-client-transport</code></p> <ul> <li>introduce timeout option in multi_stream (<a href="https://redirect.github.com/nlnetlabs/domain/issues/424">#424</a>).</li> <li>improve probing in redundant (<a href="https://redirect.github.com/nlnetlabs/domain/issues/424">#424</a>).</li> <li>restructure configuration for multi_stream and redundant (<a href="https://redirect.github.com/nlnetlabs/domain/issues/424">#424</a>).</li> <li>introduce a load balancer client transport. This transport tries to distribute requests equally over upstream transports (<a href="https://redirect.github.com/nlnetlabs/domain/issues/425">#425</a>).</li> <li>the client cache now has it's own feature <code>unstable-client-cache</code>.</li> </ul> </li> <li> <p><code>unstable-sign</code></p> <ul> <li>add key lifecycle management (<a href="https://redirect.github.com/nlnetlabs/domain/issues/459">#459</a>).</li> <li>add support for adding NSEC3 records when signing.</li> <li>add support for ZONEMD.</li> </ul> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/NLnetLabs/domain/blob/main/Changelog.md">domain's changelog</a>.</em></p> <blockquote> <h2>0.11.0</h2> <p>Released 2025-05-21.</p> <p>Breaking changes</p> <ul> <li>FIX: Use base 16 per RFC 4034 for the DS digest, not base 64. (<a href="https://redirect.github.com/nlnetlabs/domain/issues/423">#423</a>)</li> <li>FIX: NSEC3 salt strings should only be accepted if within the salt size limit. (<a href="https://redirect.github.com/nlnetlabs/domain/issues/431">#431</a>)</li> <li>Stricter RFC 1035 compliance by default in the <code>Zonefile</code> parser. (<a href="https://redirect.github.com/nlnetlabs/domain/issues/477">#477</a>)</li> <li>Rename {DigestAlg, Nsec3HashAlg, SecAlg, ZonemdAlg} to {DigestAlgorithm, Nsec3HashAlgorithm, SecurityAlgorithm, ZonemdAlgorithm}</li> </ul> <p>New</p> <ul> <li>Added <code>HashCompressor</code>, an unlimited name compressor that uses a hash map rather than a tree. (<a href="https://redirect.github.com/nlnetlabs/domain/issues/396">#396</a>)</li> <li>Changed <code>fmt::Display</code> for <code>HINFO</code> records to a show a quoted string. (<a href="https://redirect.github.com/nlnetlabs/domain/issues/421">#421</a>)</li> <li>Added support for <code>NAPTR</code> record type. (<a href="https://redirect.github.com/nlnetlabs/domain/issues/427">#427</a> by [<a href="https://github.com/weilence"><code>@weilence</code></a>])</li> <li>Added initial fuzz testing support for some types via a new <code>arbitrary</code> feature (not enabled by default). (<a href="https://redirect.github.com/nlnetlabs/domain/issues/441">#441</a>)</li> <li>Added <code>StubResolver::add_connection()</code> to allow adding a connection to the running resolver. In combination with <code>ResolvConf::new()</code> this can also be used to control the connections made when testing code that uses the stub resolver. (<a href="https://redirect.github.com/nlnetlabs/domain/issues/440">#440</a>)</li> <li>Added <code>ZonefileFmt</code> trait for printing records as zonefiles. (<a href="https://redirect.github.com/nlnetlabs/domain/issues/379">#379</a>, <a href="https://redirect.github.com/nlnetlabs/domain/issues/446">#446</a>, <a href="https://redirect.github.com/nlnetlabs/domain/issues/463">#463</a>)</li> </ul> <p>Bug fixes</p> <ul> <li>NSEC records should include themselves in the generated bitmap. (<a href="https://redirect.github.com/nlnetlabs/domain/issues/417">#417</a>)</li> <li>Trailing double quote wrongly preserved when parsing record data. (<a href="https://redirect.github.com/nlnetlabs/domain/issues/470">#470</a>, <a href="https://redirect.github.com/nlnetlabs/domain/issues/472">#472</a>)</li> <li>Don't error with unexpected end of entry for RFC 3597 RDATA of length zero. ([475])</li> </ul> <p>Unstable features</p> <ul> <li> <p>New unstable feature <code>unstable-crypto</code> that enable cryptography support for features that do not rely on secret keys. This feature needs either or both of the features <code>ring</code> and <code>openssl</code> (<a href="https://redirect.github.com/nlnetlabs/domain/issues/416">#416</a>)</p> </li> <li> <p>New unstable feature <code>unstable-crypto-sign</code> that enable cryptography support including features that rely on secret keys. This feature needs either or both of the features <code>ring</code> and <code>openssl</code> (<a href="https://redirect.github.com/nlnetlabs/domain/issues/416">#416</a>)</p> </li> <li> <p>New unstable feature <code>unstable-client-cache</code> that enable the client transport cache. The reason is that the client cache uses the <code>moka</code> crate.</p> </li> <li> <p>New unstable feature <code>unstable-new</code> that introduces a new API for all of domain (currently only with <code>base</code>, <code>rdata</code>, and <code>edns</code> modules). Also see the [associated blog post][new-base-post].</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="84152353c9"><code>8415235</code></a> Release 0.11.0 (<a href="https://redirect.github.com/nlnetlabs/domain/issues/533">#533</a>)</li> <li><a href="16d7f364ce"><code>16d7f36</code></a> Revert boxing 'ring::sign::KeyPair' (<a href="https://redirect.github.com/nlnetlabs/domain/issues/532">#532</a>)</li> <li><a href="51a8360649"><code>51a8360</code></a> Bump openssl from 0.10.71 to 0.10.72 (<a href="https://redirect.github.com/nlnetlabs/domain/issues/512">#512</a>)</li> <li><a href="1f9de15431"><code>1f9de15</code></a> Introduce <code>domain::new</code> (<a href="https://redirect.github.com/nlnetlabs/domain/issues/474">#474</a>)</li> <li><a href="72b42a3991"><code>72b42a3</code></a> Adjust for Clippy 1.87 lints (<a href="https://redirect.github.com/nlnetlabs/domain/issues/530">#530</a>)</li> <li><a href="a0bf99c922"><code>a0bf99c</code></a> Merge pull request <a href="https://redirect.github.com/nlnetlabs/domain/issues/515">#515</a> from NLnetLabs/ends-to-edns</li> <li><a href="8e4280af39"><code>8e4280a</code></a> Don't panic on mismatched private and public keys. (<a href="https://redirect.github.com/nlnetlabs/domain/issues/528">#528</a>)</li> <li><a href="473f871036"><code>473f871</code></a> Pass &N instead of N and also remove thereby an unnecessary clone(). (<a href="https://redirect.github.com/nlnetlabs/domain/issues/526">#526</a>)</li> <li><a href="2a390420af"><code>2a39042</code></a> Remove incorrect logic for determining the apex from signing function. (<a href="https://redirect.github.com/nlnetlabs/domain/issues/521">#521</a>)</li> <li><a href="f43d53d010"><code>f43d53d</code></a> Remove no longer needed mut on GenerateNsec3Config and SigningConfig which ha...</li> <li>Additional commits viewable in <a href="https://github.com/nlnetlabs/domain/compare/v0.10.4...v0.11.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
A modern alternative to legacy VPNs.
Overview
Firezone is an open source platform to securely manage remote access for any-sized organization. Unlike most VPNs, Firezone takes a granular, least-privileged approach to access management with group-based policies that control access to individual applications, entire subnets, and everything in between.
Features
Firezone is:
- Fast: Built on WireGuard® to be 3-4 times faster than OpenVPN.
- Scalable: Deploy two or more gateways for automatic load balancing and failover.
- Private: Peer-to-peer, end-to-end encrypted tunnels prevent packets from routing through our infrastructure.
- Secure: Zero attack surface thanks to Firezone's holepunching tech which establishes tunnels on-the-fly at the time of access.
- Open: Our entire product is open-source, allowing anyone to audit the codebase.
- Flexible: Authenticate users via email, Google Workspace, Okta, Entra ID, or OIDC and sync users and groups automatically.
- Simple: Deploy gateways and configure access in minutes with a snappy admin UI.
Firezone is not:
- A tool for creating bi-directional mesh networks
- A full-featured router or firewall
- An IPSec or OpenVPN server
Contents of this repository
This is a monorepo containing the full Firezone product, marketing website, and product documentation, organized as follows:
- elixir: Control plane and internal Elixir libraries:
- elixir/apps/web: Admin UI
- elixir/apps/api: API for Clients, Relays and Gateways.
- rust/: Data plane and internal Rust libraries:
- rust/gateway: Gateway - Tunnel server based on WireGuard and deployed to your infrastructure.
- rust/relay: Relay - STUN/TURN server to facilitate holepunching.
- rust/headless-client: Cross-platform CLI client.
- rust/gui-client: Cross-platform GUI client.
- swift/: macOS / iOS clients.
- kotlin/: Android / ChromeOS clients.
- website/: Marketing website and product documentation.
- terraform/: Terraform files for various example deployments.
- terraform/examples/google-cloud/nat-gateway: Example Terraform configuration for deploying a cluster of Firezone Gateways behind a NAT gateway on GCP with a single egress IP.
- terraform/modules/google-cloud/apps/gateway-region-instance-group: Production-ready Terraform module for deploying regional Firezone Gateways to Google Cloud Compute using Regional Instance Groups.
Quickstart
The quickest way to get started with Firezone is to sign up for an account at https://app.firezone.dev/sign_up.
Once you've signed up, follow the instructions in the welcome email to get started.
Frequently asked questions (FAQ)
Can I self-host Firezone?
Our license won't stop you from self-hosting the entire Firezone product top to bottom, but our internal APIs are changing rapidly so we can't meaningfully support self-hosting Firezone in production at this time.
If you're feeling especially adventurous and want to self-host Firezone for educational or hobby purposes, follow the instructions to spin up a local development environment in CONTRIBUTING.md.
The latest published clients (on App Stores and on
releases) are only guaranteed
to work with the managed version of Firezone and may not work with a self-hosted
portal built from this repository. This is because Apple and Google can
sometimes delay updates to their app stores, and so the latest published version
may not be compatible with the tip of main from this repository.
Therefore, if you're experimenting with self-hosting Firezone, you will probably want to use clients you build and distribute yourself as well.
See the READMEs in the following directories for more information on building each client:
- macOS / iOS: swift/apple
- Android / ChromeOS: kotlin/android
- Windows / Linux: rust/gui-client
How long will 0.7 be supported until?
Firezone 0.7 is currently end-of-life and has stopped receiving updates as of
January 31st, 2024. It will continue to be available indefinitely from the
legacy branch of this repo under the Apache 2.0 license.
How much does it cost?
We offer flexible per-seat monthly and annual plans for the cloud-managed version of Firezone, with optional invoicing for larger organizations. See our pricing page for more details.
Those experimenting with self-hosting can use Firezone for free without feature or seat limitations, but we can't provide support for self-hosted installations at this time.
Documentation
Additional documentation on general usage, troubleshooting, and configuration can be found at https://www.firezone.dev/kb.
Get Help
If you're looking for help installing, configuring, or using Firezone, check our community support options:
- Discussion Forums: Ask questions, report bugs, and suggest features.
- Join our Discord Server: Join live discussions, meet other users, and chat with the Firezone team.
- Open a PR: Contribute a bugfix or make a contribution to Firezone.
If you need help deploying or maintaining Firezone for your business, consider contacting our sales team to speak with a Firezone expert.
See all support options on our main support page.
Star History
Developing and Contributing
See CONTRIBUTING.md.
Security
See SECURITY.md.
License
Portions of this software are licensed as follows:
- All content residing under the "elixir/" directory of this repository, if that directory exists, is licensed under the "Elastic License 2.0" license defined in "elixir/LICENSE".
- All third party components incorporated into the Firezone Software are licensed under the original license provided by the owner of the applicable component.
- Content outside of the above mentioned directories or restrictions above is available under the "Apache 2.0 License" license as defined in "LICENSE".
WireGuard® is a registered trademark of Jason A. Donenfeld.