mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 10:18:54 +00:00
b404f10d87
As a next step in refactoring the tunnel implementation, I am removing the `device_handler` task and instead use a poll-based function to read from the device. Removing the task means there is one less component that accesses the `Tunnel` via shared-memory. The final one after this PR is the `peer_handler`. Once all shared-access is gone, we can stop using `Arc<Tunnel>` and with it, remove all uses of `Mutex` in the tunnel and simply use `&mut self`. To remove the `device_handler`, we introduce a `Device::poll_read` function that we call as the very first thing in the `Tunnel`'s poll-function. At a later point, we want to think about prioritization within the event loop. I'd suggest deferring that until we have removed the locks as handling the guards is a bit finicky at this stage.
gateway
This crate houses the Firezone gateway.
Building
You can build the gateway using: cargo build --release --bin firezone-gateway
You should then find a binary in target/release/firezone-gateway.
Running
The Firezone Gateway supports Linux only. To run the Gateway binary on your Linux host:
- Generate a new Gateway token from the "Gateways" section of the admin portal and save it in your secrets manager.
- Ensure the
FIREZONE_TOKEN=<gateway_token>environment variable is set securely in your Gateway's shell environment. The Gateway requires this variable at startup. - Set
FIREZONE_IDto a unique string to identify this gateway in the portal, e.g.export FIREZONE_ID=$(uuidgen). The Gateway requires this variable at startup. - Now, you can start the Gateway with:
firezone-gateway
If you're running as a non-root user, you'll need the CAP_NET_ADMIN capability
to open /dev/net/tun. You can add this to the gateway binary with:
sudo setcap 'cap_net_admin+eip' /path/to/firezone-gateway
Ports
The gateway requires no open ports. Connections automatically traverse NAT with STUN/TURN via the relay.