mirror of https://github.com/outbackdingo/firezone.git synced 2026-01-27 18:18:55 +00:00

Files

Thomas Eizinger a6ffdd2654 feat(snownet): reduce rekey-attempt-time to 15s (#9891 )

From Sentry reports and user-submitted logs, we know that it is possible
for Client and Gateway to de-sync in regards to what each other's public
key is. In such a scenario, ICE will succeed to make a connection but
`boringtun` will fail to handshake a tunnel. By default, `boringtun`
tries for 90s to handshake a session before it gives up and expires it.

In Firezone, the ICE agent takes care of establishing connectivity
whereas `boringtun` itself just encrypts and decrypts packets. As such,
if ICE is working, we know that packets aren't getting lost but instead,
there must be some other issue as to why we cannot establish a session.

To improve the UX in these error cases, we reduce the rekey-attempt-time
to 15s. This roughly matches our ICE timeout. Those 15s count from the
moment we send the first handshake which is just after ICE completes.
Thus we can be sure that after at most 15s, we either have a working
WireGuard session or the connection gets cleaned up.

Related: #9890
Related: #9850

2025-07-17 00:50:31 +00:00

.cargo

fix(rust): use rust-lld linker for MSVC (#9641 )

2025-06-24 01:55:36 +10:00

apple-client-ffi

feat(connlib): add reason argument to reset API (#9878 )

2025-07-15 13:48:33 +00:00

bin-shared

chore(linux): add more error context to TUN device (#9853 )

2025-07-13 05:51:02 +00:00

client-ffi

feat(connlib): add reason argument to reset API (#9878 )

2025-07-15 13:48:33 +00:00

client-shared

test(iperf): install iptables rule inside of container (#9880 )

2025-07-16 10:29:33 +00:00

connlib

feat(snownet): reduce rekey-attempt-time to 15s (#9891 )

2025-07-17 00:50:31 +00:00

gateway

chore: document metrics config switches as private API (#9865 )

2025-07-14 13:53:03 +00:00

gui-client

feat(connlib): add reason argument to reset API (#9878 )

2025-07-15 13:48:33 +00:00

headless-client

feat(connlib): add reason argument to reset API (#9878 )

2025-07-15 13:48:33 +00:00

logging

chore(rust): bump to Rust 1.88 (#9714 )

2025-07-12 06:42:50 +00:00

relay

refactor(relay): simplify auth module (#9873 )

2025-07-15 14:14:51 +00:00

telemetry

feat(snownet): reduce rekey-attempt-time to 15s (#9891 )

2025-07-17 00:50:31 +00:00

tests

chore(gui-smoke-test): wait for tunnel service to boot (#9766 )

2025-07-02 05:16:15 +00:00

tools/uniffi-bindgen

refactor: use UniFFI for Android FFI (#9415 )

2025-06-17 21:48:34 +00:00

.dockerignore

refactor(portal): Don't pin session token to user_agent or remote_ip (#2195 )

2023-09-30 07:40:57 -07:00

.gitignore

Implement basic STUN server (#1603 )

2023-05-10 07:58:32 -07:00

Cargo.lock

feat(snownet): reduce rekey-attempt-time to 15s (#9891 )

2025-07-17 00:50:31 +00:00

Cargo.toml

build(deps): bump rustls from 0.23.28 to 0.23.29 in /rust (#9860 )

2025-07-15 05:27:44 +00:00

clippy.toml

chore(rust): bump to Rust 1.88 (#9714 )

2025-07-12 06:42:50 +00:00

deny.toml

build(deps): bump the tauri group in /rust with 6 updates (#9720 )

2025-06-30 13:25:20 +00:00

docker-init-gateway.sh

fix(gateway): Apply more specific firewall rules on start (#8483 )

2025-03-19 05:32:50 +00:00

docker-init-relay.sh

feat(relay): add ec2 metadata discovery (#6617 )

2024-09-12 12:28:55 -06:00

docker-init.sh

fix(gateway): always masquerade for docker-deployed gateways (#6169 )

2024-08-07 03:00:50 +00:00

Dockerfile

test(iperf): install iptables rule inside of container (#9880 )

2025-07-16 10:29:33 +00:00

Dockerfile.xdp-tools

chore(relay): Add xdp-tools debug Docker image build script (#8591 )

2025-04-03 18:17:23 +00:00

README.md

docs(rust): fix profiling command (#7547 )

2024-12-18 13:01:23 +00:00

rust-toolchain.toml

chore(rust): bump to Rust 1.88 (#9714 )

2025-07-12 06:42:50 +00:00

README.md

Rust development guide

Firezone uses Rust for all data plane components. This directory contains the Linux and Windows clients, and low-level networking implementations related to STUN/TURN.

We target the last stable release of Rust using rust-toolchain.toml. If you are using rustup, that is automatically handled for you. Otherwise, ensure you have the latest stable version of Rust installed.

Reading Client logs

The Client logs are written as JSONL for machine-readability.

To make them more human-friendly, pipe them through jq like this:

cd path/to/logs  # e.g. `$HOME/.cache/dev.firezone.client/data/logs` on Linux
cat *.log | jq -r '"\(.time) \(.severity) \(.message)"'

Resulting in, e.g.

2024-04-01T18:25:47.237661392Z INFO started log
2024-04-01T18:25:47.238193266Z INFO GIT_VERSION = 1.0.0-pre.11-35-gcc0d43531
2024-04-01T18:25:48.295243016Z INFO No token / actor_name on disk, starting in signed-out state
2024-04-01T18:25:48.295360641Z INFO null

Benchmarking on Linux

The recommended way for benchmarking any of the Rust components is Linux' perf utility. For example, to attach to a running application, do:

Ensure the binary you are profiling is compiled with the release profile.
sudo perf record -g --freq 10000 --pid $(pgrep <your-binary>).
Run the speed test or whatever load-inducing task you want to measure.
sudo perf script > profile.perf
Open profiler.firefox.com and load profile.perf

Instead of attaching to a process with --pid, you can also specify the path to executable directly. That is useful if you want to capture perf data for a test or a micro-benchmark.