Menu
Step-by-step instructions for deploying Hailbytes VPN with Firezone GUI are provided here.
Administer: Setting up the server instance is directly related to this part.
User Guides: Helpful documents that can teach you how to use Firezone and solve typical problems. After the server has been successfully deployed, refer to this section.
Split Tunneling: Use the VPN to only send traffic to specific IP ranges.
Whitelisting: Set a VPN server’s static IP address in order to use whitelisting.
Reverse Tunnels: Create tunnels between several peers using reverse tunnels.
We are pleased to assist you if you need assistance installing, customizing, or utilizing Hailbytes VPN.
Before users can produce or download device configuration files, Firezone can be configured to require authentication. Users may also need to periodically re-authenticate in order to keep their VPN connection active.
Although Firezone’s default login method is local email and password, it can also be integrated with any standardized OpenID Connect (OIDC) identity provider. Users are now able to log into Firezone using their Okta, Google, Azure AD, or private identity provider credentials.
Integrate A Generic OIDC Provider
The configuration parameters needed by Firezone to allow SSO using an OIDC provider are shown in the example below. At /etc/firezone/firezone.rb, you may find the configuration file. Run firezone-ctl reconfigure and firezone-ctl restart to update the application and take effect of changes.
# This is an example using Google and Okta as an SSO identity provider.
# Multiple OIDC configs can be added to the same Firezone instance.
# Firezone can disable a user’s VPN if there’s any error detected trying
# to refresh their access_token. This is verified to work for Google, Okta, and
# Azure SSO and is used to automatically disconnect a user’s VPN if they’re removed
# from the OIDC provider. Leave this disabled if your OIDC provider
# has issues refreshing access tokens as it could unexpectedly interrupt a
# user’s VPN session.
default[‘firezone’][‘authentication’][‘disable_vpn_on_oidc_error’] = false
default[‘firezone’][‘authentication’][‘oidc’] = {
google: {
discovery_document_uri: “https://accounts.google.com/.well-known/openid-configuration”,
client_id: “<GOOGLE_CLIENT_ID>”,
client_secret: “<GOOGLE_CLIENT_SECRET>”,
redirect_uri: “https://instance-id.yourfirezone.com/auth/oidc/google/callback/”,
response_type: “code”,
scope: “openid email profile”,
label: “Google”
},
okta: {
discovery_document_uri: “https://<OKTA_DOMAIN>/.well-known/openid-configuration”,
client_id: “<OKTA_CLIENT_ID>”,
client_secret: “<OKTA_CLIENT_SECRET>”,
redirect_uri: “https://instance-id.yourfirezone.com/auth/oidc/okta/callback/”,
response_type: “code”,
scope: “openid email profile offline_access”,
label: “Okta”
}
}
The following config settings are required for the integration:
For each OIDC provider a corresponding pretty URL is created for redirecting to the configured provider’s sign-in URL. For the example OIDC config above, the URLs are:
Providers we have documentation for:
If your identity provider has a generic OIDC connector and is not listed above, please go to their documentation for information on how to retrieve the necessary configuration settings.
The setting under settings/security can be changed to require periodic re-authentication. This can be used to enforce the requirement that users enter into Firezone on a regular basis in order to continue their VPN session.
The session length can be configured to be between one hour and ninety days. By setting this to Never, you can enable VPN sessions at any time. This is the standard.
A user must terminate their VPN session and log in to the Firezone portal in order to re-authenticate an expired VPN session (URL specified during deployment).
You can re-authenticate your session by following the precise client instructions found here.
Status of VPN Connection
The Users page’s VPN Connection table column displays a user’s connection status. These are the connection statuses:
ENABLED – The connection is enabled.
DISABLED – The connection is disabled by an administrator or OIDC refresh failure.
EXPIRED – The connection is disabled due to authentication expiration or a user has not signed in for the first time.
Through the general OIDC connector, Firezone enables Single Sign-On (SSO) with Google Workspace and Cloud Identity. This guide will show you how to get the configuration parameters listed below, which are necessary for the integration:
1. OAuth Config Screen
If this is the first time you are creating a new OAuth client ID, you will be asked to configure a consent screen.
*Select Internal for user type. This ensures only accounts belonging to users in your Google Workspace Organization can create device configs. DO NOT select External unless you want to enable anyone with a valid Google Account to create device configs.
On the App information screen:
2. Create OAuth Client IDs
This section is based on Google’s own documentation on setting up OAuth 2.0.
Visit the Google Cloud Console Credentials page page, click + Create Credentials and select OAuth client ID.
On the OAuth client ID creation screen:
After creating the OAuth client ID, you will be given a Client ID and Client Secret. These will be used together with the redirect URI in the next step.
Edit /etc/firezone/firezone.rb to include the options below:
# Using Google as the SSO identity provider
default[‘firezone’][‘authentication’][‘oidc’] = {
google: {
discovery_document_uri: “https://accounts.google.com/.well-known/openid-configuration”,
client_id: “<CLIENT_ID>”,
client_secret: “<CLIENT_SECRET>”,
redirect_uri: “https://instance-id.yourfirezone.com/auth/oidc/google/callback/”,
response_type: “code”,
scope: “openid email profile”,
label: “Google”
}
}
Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Google button at the root Firezone URL.
Firezone uses the generic OIDC connector to facilitate Single Sign-On (SSO) with Okta. This tutorial will show you how to get the configuration parameters listed below, which are necessary for the integration:
This section of the guide is based on Okta’s documentation.
In the Admin Console, go to Applications > Applications and click Create App Integration. Set Sign-in method to OICD – OpenID Connect and Application type to Web application.
Configure these settings:
Once settings are saved, you will be given a Client ID, Client Secret, and Okta Domain. These 3 values will be used in Step 2 to configure Firezone.
Edit /etc/firezone/firezone.rb to include the options below. Your discovery_document_url will be /.well-known/openid-configuration appended to the end of your okta_domain.
# Using Okta as the SSO identity provider
default[‘firezone’][‘authentication’][‘oidc’] = {
okta: {
discovery_document_uri: “https://<OKTA_DOMAIN>/.well-known/openid-configuration”,
client_id: “<CLIENT_ID>”,
client_secret: “<CLIENT_SECRET>”,
redirect_uri: “https://instance-id.yourfirezone.com/auth/oidc/okta/callback/”,
response_type: “code”,
scope: “openid email profile offline_access”,
label: “Okta”
}
}
Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Okta button at the root Firezone URL.
The users who can access the Firezone app can be restricted by Okta. Go to your Okta Admin Console’s Firezone App Integration’s Assignments page to accomplish this.
Through the generic OIDC connector, Firezone enables Single Sign-On (SSO) with Azure Active Directory. This manual will show you how to get the configuration parameters listed below, which are necessary for the integration:
This guide is drawn from the Azure Active Directory Docs.
Go to the Azure portal’s Azure Active Directory page. Choose the Manage menu option, select New Registration, then register by providing the information below:
After registering, open the details view of the application and copy the Application (client) ID. This will be the client_id value. Next, open the endpoints menu to retrieve the OpenID Connect metadata document. This will be the discovery_document_uri value.
Create a new client secret by clicking the Certificates & secrets option under the Manage menu. Copy the client secret; the client secret value will be this.
Lastly, select the API permissions link under the Manage menu, click Add a permission, and select Microsoft Graph. Add email, openid, offline_access and profile to the required permissions.
Edit /etc/firezone/firezone.rb to include the options below:
# Using Azure Active Directory as the SSO identity provider
default[‘firezone’][‘authentication’][‘oidc’] = {
azure: {
discovery_document_uri: “https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration”,
client_id: “<CLIENT_ID>”,
client_secret: “<CLIENT_SECRET>”,
redirect_uri: “https://instance-id.yourfirezone.com/auth/oidc/azure/callback/”,
response_type: “code”,
scope: “openid email profile offline_access”,
label: “Azure”
}
}
Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Azure button at the root Firezone URL.
Azure AD enables administrators to limit app access to a specific group of users inside your company. More information on how to do this can be found in Microsoft’s documentation.
Chef Omnibus is used by Firezone to manage tasks including release packaging, process supervision, log management, and more.
Ruby code makes up the primary configuration file, which is located at /etc/firezone/firezone.rb. Restarting sudo firezone-ctl reconfigure after making modifications to this file causes Chef to recognize the changes and apply them to the current operating system.
See the configuration file reference for a complete list of configuration variables and their descriptions.
Your Firezone instance can be managed via the firezone-ctl command, as shown below. Most subcommands require prefixing with sudo.
root@demo:~# firezone-ctl
omnibus-ctl: command (subcommand)
General Commands:
cleanse
Delete *all* firezone data, and start from scratch.
create-or-reset-admin
Resets the password for the admin with email specified by default[‘firezone’][‘admin_email’] or creates a new admin if that email doesn’t exist.
help
Print this help message.
reconfigure
Reconfigure the application.
reset-network
Resets nftables, WireGuard interface, and routing table back to Firezone defaults.
show-config
Show the configuration that would be generated by reconfigure.
teardown-network
Removes WireGuard interface and firezone nftables table.
force-cert-renewal
Force certificate renewal now even if it hasn\’t expired.
stop-cert-renewal
Removes cronjob that renews certificates.
uninstall
Kill all processes and uninstall the process supervisor (data will be preserved).
version
Display current version of Firezone
Service Management Commands:
graceful-kill
Attempt a graceful stop, then SIGKILL the entire process group.
hup
Send the services a HUP.
int
Send the services an INT.
kill
Send the services a KILL.
once
Start the services if they are down. Do not restart them if they stop.
restart
Stop the services if they are running, then start them again.
service-list
List all the services (enabled services appear with a *.)
start
Start services if they are down, and restart them if they stop.
status
Show the status of all the services.
stop
Stop the services, and do not restart them.
tail
Watch the service logs of all enabled services.
term
Send the services a TERM.
usr1
Send the services a USR1.
usr2
Send the services a USR2.
All VPN sessions must be terminated before upgrading Firezone, which also calls for shutting down the Web UI. In the event that something goes wrong during the upgrade, we advise setting aside an hour for maintenance.
To enhance Firezone, take the following actions:
If any problems arise, please let us know by submitting a support ticket.
There are a few breaking changes and configuration modifications in 0.5.0 that must be addressed. Find out more below.
Nginx no longer supports the force SSL and non-SSL port parameters as of version 0.5.0. Because Firezone needs SSL to work, we advise removing the bundle Nginx service by setting default[‘firezone’][‘nginx’][‘enabled’] = false and directing your reverse proxy to the Phoenix app on port 13000 instead (by default).
0.5.0 introduces ACME protocol support for automatically renewing SSL certificates with the bundled Nginx service. To enable,
The possibility to add rules with duplicate destinations is gone in Firezone 0.5.0. Our migration script will automatically recognize these situations during an upgrade to 0.5.0 and only keep the rules whose destination includes the other rule. There is nothing you need to do if this is okay.
Otherwise, before upgrading, we advise changing your ruleset to get rid of these situations.
Firezone 0.5.0 removes support for the old-style Okta and Google SSO configuration in favor of the new, more flexible OIDC-based configuration.
If you have any configuration under the default[‘firezone’][‘authentication’][‘okta’] or default[‘firezone’][‘authentication’][‘google’] keys, you need to migrate these to our OIDC-based configuration using the guide below.
Existing Google OAuth configuration
Remove these lines containing the old Google OAuth configs from your configuration file located at /etc/firezone/firezone.rb
default[‘firezone’][‘authentication’][‘google’][‘enabled’]
default[‘firezone’][‘authentication’][‘google’][‘client_id’]
default[‘firezone’][‘authentication’][‘google’][‘client_secret’]
default[‘firezone’][‘authentication’][‘google’][‘redirect_uri’]
Then, configure Google as an OIDC provider by following the procedures here.
(Provide link instructions)<<<<<<<<<<<<<<<<<
Configure Existing Google OAuth
Remove these lines containing the old Okta OAuth configs from your configuration file located at /etc/firezone/firezone.rb
default[‘firezone’][‘authentication’][‘okta’][‘enabled’]
default[‘firezone’][‘authentication’][‘okta’][‘client_id’]
default[‘firezone’][‘authentication’][‘okta’][‘client_secret’]
Default[‘firezone’][‘authentication’][‘okta’][‘site’]
Then, configure Okta as an OIDC provider by following the procedures here.
Depending on your current setup and version, adhere to the directions below:
If you already have an OIDC integration:
For some OIDC providers, upgrading to >= 0.3.16 necessitates obtaining a refresh token for the offline access scope. By doing this, it is made sure that Firezone updates with the identity provider and that VPN connection is shut off after a user is deleted. Firezone’s earlier iterations lacked this feature. In some instances, users that are deleted from your identity provider may still be connected to a VPN.
It is necessary to include offline access in the scope parameter of your OIDC configuration for OIDC providers that support the offline access scope. Firezone-ctl reconfigure must be executed in order to apply changes to the Firezone configuration file, which is located at /etc/firezone/firezone.rb.
For users who have been authenticated by your OIDC provider, you will see the OIDC Connections heading in the user details page of the web UI if Firezone is able to successfully retrieve the refresh token.
If this does not work, you will need to delete your existing OAuth app and repeat the OIDC setup steps to create a new app integration .
I have an existing OAuth integration
Prior to 0.3.11, Firezone used pre-configured OAuth2 providers.
Follow the instructions here to migrate to OIDC.
I have not integrated an identity provider
No action needed.
You can follow the instructions here to enable SSO through an OIDC provider.
In its place, default[‘firezone’][‘external url’] has replaced the configuration option default[‘firezone’][‘fqdn’].
Set this to the URL of your Firezone online portal that is accessible to the general public. It will default to https:// plus the FQDN of your server if left undefined.
The configuration file is located at /etc/firezone/firezone.rb. See the configuration file reference for a complete list of configuration variables and their descriptions.
Firezone no longer keeps device private keys on the Firezone server as of version 0.3.0.
The Firezone Web UI will not allow you to re-download or see these configurations, but any existing devices should continue to operate as-is.
If you’re upgrading from Firezone 0.1.x, there are a few configuration file changes that must be addressed manually.
To make the necessary modifications to your /etc/firezone/firezone.rb file, run the commands below as root.
cp /etc/firezone/firezone.rb /etc/firezone/firezone.rb.bak
sed -i “s/\[‘enable’\]/\[‘enabled’\]/” /etc/firezone/firezone.rb
echo “default[‘firezone’][‘connectivity_checks’][‘enabled’] = true” >> /etc/firezone/firezone.rb
echo “default[‘firezone’][‘connectivity_checks’][‘interval’] = 3_600” >> /etc/firezone/firezone.rb
firezone-ctl reconfigure
firezone-ctl restart
Checking the Firezone logs is a wise first step for any issues that can occur.
Run sudo firezone-ctl tail to view the Firezone logs.
The majority of connectivity problems with Firezone are brought on by incompatible iptables or nftables rules. You must make sure that any rules you have in effect do not clash with the Firezone rules.
Make sure the FORWARD chain permits packets from your WireGuard clients to the locations you want to let through Firezone if your Internet connectivity deteriorates everytime you activate your WireGuard tunnel.
This may be achieved if you’re using ufw by ensuring that the default routing policy is allow:
ubuntu@fz:~$ sudo ufw default allow routed
Default routed policy changed to ‘allow’
(be sure to update your rules accordingly)
A ufw status for a typical Firezone server might look like this:
ubuntu@fz:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip
To Action From
— —— —-
22/tcp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
51820/udp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
443/tcp (v6) ALLOW IN Anywhere (v6)
51820/udp (v6) ALLOW IN Anywhere (v6)
We advise limiting access to the web interface for extremely sensitive and mission-critical production deployments, as explained below.
Service | Default Port | Listen Address | Description |
Nginx | 80, 443 | all | Public HTTP(S) port for administering Firezone and facilitating authentication. |
Wireguard | 51820 | all | Public WireGuard port used for VPN sessions. (UDP) |
Postgresql | 15432 | 127.0.0.1 | Local-only port used for bundled Postgresql server. |
Phoenix | 13000 | 127.0.0.1 | Local-only port used by upstream elixir app server. |
We advise you to think about restricting access to Firezone’s publicly exposed web UI (by default ports 443/tcp and 80/tcp) and instead use the WireGuard tunnel to manage Firezone for production and public-facing deployments where a single administrator will be in charge of creating and distributing device configurations to end users.
For instance, if an administrator created a device configuration and created a tunnel with the local WireGuard address 10.3.2.2, the following ufw configuration would enable the administrator to access the Firezone web UI on the server’s wg-firezone interface using the default 10.3.2.1 tunnel address:
root@demo:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip
To Action From
— —— —-
22/tcp ALLOW IN Anywhere
51820/udp ALLOW IN Anywhere
Anywhere ALLOW IN 10.3.2.2
22/tcp (v6) ALLOW IN Anywhere (v6)
51820/udp (v6) ALLOW IN Anywhere (v6)
This would leave only 22/tcp exposed for SSH access to manage the server (optional), and 51820/udp exposed in order to establish WireGuard tunnels.
Firezone bundles a Postgresql server and matching psql utility that can be used from the local shell like so:
/opt/firezone/embedded/bin/psql \
-U firezone \
-d firezone \
-h localhost \
-p 15432 \
-c “SQL_STATEMENT”
This can be helpful for debugging purposes.
Common Tasks:
Listing all users:
/opt/firezone/embedded/bin/psql \
-U firezone \
-d firezone \
-h localhost \
-p 15432 \
-c “SELECT * FROM users;”
Listing all devices:
/opt/firezone/embedded/bin/psql \
-U firezone \
-d firezone \
-h localhost \
-p 15432 \
-c “SELECT * FROM devices;”
Change a user role:
Set the role to ‘admin’ or ‘unprivileged’:
/opt/firezone/embedded/bin/psql \
-U firezone \
-d firezone \
-h localhost \
-p 15432 \
-c “UPDATE users SET role = ‘admin’ WHERE email = ‘user@example.com’;”
Backing up the database:
Furthermore, included is the pg dump program, which may be used to take regular backups of the database. Execute the following code to dump a copy of the database in the common SQL query format (replace /path/to/backup.sql with the location where the SQL file should be created):
/opt/firezone/embedded/bin/pg_dump \
-U firezone \
-d firezone \
-h localhost \
-p 15432 > /path/to/backup.sql
After Firezone has been successfully deployed, you must add users to provide them access to your network. The Web UI is used to do this.
By selecting the “Add User” button under /users, you can add a user. You will be required to provide the user with an email address and a password. In order to allow access to users in your organization automatically, Firezone can also interface and sync with an identity provider. More details are available in Authenticate. < Add a link to Authenticate
We advise requesting that users create their own device configurations so that the private key is only visible to them. Users can generate their own device configurations by following the directions on the Client Instructions page. <Add link
All user device configurations can be created by Firezone admins. On the user profile page located at /users, select the “Add Device” option to accomplish this.
[Insert screenshot]
You can email the user the WireGuard configuration file after creating the device profile.
Users and devices are linked. For further details on how to add a user, see Add Users. <Add link
Through the use of the kernel’s netfilter system, Firezone enables egress filtering capabilities to specify DROP or ACCEPT packets. All traffic is normally permitted.
IPv4 and IPv6 CIDRs and IP addresses are supported via the Allowlist and Denylist, respectively. You can choose to scope a rule to a user when adding it, which applies the rule to all of that user’s devices.
Install and configure
To establish a VPN connection using the native WireGuard client, refer to this guide.
The Official WireGuard clients located here are Firezone compatible:
Visit the official WireGuard website at https://www.wireguard.com/install/ for OS systems not mentioned above.
Either your Firezone administrator or yourself can generate the device configuration file using the Firezone portal.
Visit the URL your Firezone administrator has provided to self-generate a device configuration file. Your firm will have a unique URL for this; in this case, it is https://instance-id.yourfirezone.com.
Login to Firezone Okta SSO
[Insert Screenshot]
Import the.conf file into the WireGuard client by opening it. By flipping the Activate switch, you can start a VPN session.
[Insert Screenshot]
Follow the instructions below if your network administrator has mandated recurring authentication to keep your VPN connection active.
You need:
Firezone portal’s URL: Ask your network administrator for the connection.
Your network administrator should be able to offer your login and password. The Firezone site will prompt you to log in using the single sign-on service your employer uses (such as Google or Okta).
[Insert Screenshot]
Go to the Firezone portal’s URL and log in using the credentials your network administrator has provided. If you are already signed in, click the Reauthenticate button before signing back in.
[Insert Screenshot]
[Insert Screenshot]
To import the WireGuard configuration profile using Network Manager CLI on Linux devices, follow these instructions (nmcli).
If the profile has IPv6 support enabled, attempting to import the configuration file using the Network Manager GUI may fail with the following error:
ipv6.method: method “auto” is not supported for WireGuard
It is necessary to install the WireGuard userspace utilities. This will be a package called wireguard or wireguard-tools for Linux distributions.
For Ubuntu/Debian:
sudo apt install wireguard
To use Fedora:
sudo dnf install wireguard-tools
Arch Linux:
sudo pacman -S wireguard-tools
Visit the official WireGuard website at https://www.wireguard.com/install/ for distributions that aren’t mentioned above.
Either your Firezone administrator or self-generation can generate the device configuration file using the Firezone portal.
Visit the URL your Firezone administrator has provided to self-generate a device configuration file. Your firm will have a unique URL for this; in this case, it is https://instance-id.yourfirezone.com.
[Insert Screenshot]
Import the supplied configuration file using nmcli:
sudo nmcli connection import type wireguard file /path/to/configuration.conf
The name of the configuration file will correspond to the WireGuard connection/interface. After import, the connection can be renamed if necessary:
nmcli connection modify [old name] connection.id [new name]
Via the command line, connect to the VPN as follows:
nmcli connection up [vpn name]
To disconnect:
nmcli connection down [vpn name]
The applicable Network Manager applet can also be used to manage the connection if using a GUI.
By selecting “yes” for the autoconnect option, the VPN connection can be configured to connect automatically:
nmcli connection modify [vpn name] connection. <<<<<<<<<<<<<<<<<<<<<<<Doublecheck this
autoconnect yes
To disable the automatic connection set it back to no:
nmcli connection modify [vpn name] connection.
autoconnect no
To activate MFA Go to the Firezone portal’s /user account/register mfa page. Use your authenticator app to scan the QR code after it has been generated, then enter the six-digit code.
Contact your Admin to reset your account’s access information if you misplace your authenticator app.
This tutorial will walk you through the process of setting up WireGuard’s split tunneling feature with Firezone so that only traffic to specific IP ranges is forwarded through the VPN server.
The IP ranges for which the client will route network traffic are set forth in the Allowed IPs field located on the /settings/default page. Only the newly created WireGuard tunnel configurations produced by Firezone will be affected by changes to this field.
[Insert Screenshot]
The default value is 0.0.0.0/0, ::/0, which routes all network traffic from the client to the VPN server.
Examples of values in this field include:
0.0.0.0/0, ::/0 – all network traffic will be routed to the VPN server.
192.0.2.3/32 – only traffic to a single IP address will be routed to the VPN server.
3.5.140.0/22 – only traffic to IPs in the 3.5.140.1 – 3.5.143.254 range will be routed to the VPN server. In this example, the CIDR range for the ap-northeast-2 AWS region was used.
Firezone selects the egress interface associated with the most precise route first when determining where to route a packet.
Users must regenerate the configuration files and add them to their native WireGuard client in order to update existing user devices with the new split tunnel configuration.
For instructions, see add device. <<<<<<<<<<< Add link
This manual will demonstrate how to link two devices using Firezone as a relay. One typical use case is to enable an administrator to access a server, container, or machine that is protected by a NAT or firewall.
This illustration shows a straightforward scenario in which Devices A and B construct a tunnel.
[Insert firezone architectural picture]
Start by creating Device A and Device B by navigating to /users/[user_id]/new_device. In the settings for each device, ensure the following parameters are set to the values listed below. You can set device settings when creating the device config (see Add Devices). If you need to update settings on an existing device, you can do so by generating a new device config.
Note that all devices have a /settings/defaults page where PersistentKeepalive can be configured.
AllowedIPs = 10.3.2.2/32
This is the IP or range of IPs of Device B
PersistentKeepalive = 25
If the device is behind a NAT, this ensures the device is able to keep the tunnel alive and continue to receive packets from the WireGuard interface. Usually a value of 25 is sufficient, but you may need to decrease this value depending on your environment.
AllowedIPs = 10.3.2.3/32
This is the IP or range of IPs of Device A
PersistentKeepalive = 25
This example shows a situation in which Device A can communicate with Devices B through D in both directions. This setup can represent an engineer or administrator accessing numerous resources (servers, containers, or machines) across various networks.
[Architectural Diagram]<<<<<<<<<<<<<<<<<<<<<<<<
Make sure the following settings are made in each device’s settings to the corresponding values. When creating the device configuration, you can specify device settings (see Add Devices). A new device config can be created if settings on an existing device need to be updated.
AllowedIPs = 10.3.2.3/32, 10.3.2.4/32, 10.3.2.5/32
This is the IP of devices B through D. The IPs of Devices B through D must be included in any IP range you choose to set.
PersistentKeepalive = 25
This guarantees that the device can maintain the tunnel and continue to receive packets from the WireGuard interface even if it is protected by a NAT. In most cases, a value of 25 is adequate, however depending on your surroundings, you might need to lower this figure.
To offer a single, static egress IP for all of your team’s traffic to flow out of, Firezone can be utilized as a NAT gateway. These situations involve its frequent use:
Consulting Engagements: Request that your customer whitelist a single static IP address rather than each employee’s unique device IP.
Using a proxy or masking your source IP for security or privacy purposes.
A simple example of limiting access to a self-hosted web application to a single whitelisted static IP running Firezone will be demonstrated in this post. In this illustration, Firezone and the protected resource are in different VPC areas.
This solution is frequently used in place of managing an IP whitelist for numerous end users, which can be time-consuming as the access list expands.
Our objective is to set up a Firezone server on an EC2 instance to redirect VPN traffic to the restricted resource. In this instance, Firezone is serving as a network proxy or NAT gateway to give each connected device a unique public egress IP.
In this case, an EC2 instance named tc2.micro has a Firezone instance installed on it. For information about deploying Firezone, go to the Deployment Guide. In relation to AWS, be sure:
The Firezone EC2 instance’s security group permits outbound traffic to the protected resource’s IP address.
The Firezone instance comes with an elastic IP. Traffic that is forwarded through the Firezone instance to outside destinations will have this as its source IP address. The IP address in question is 52.202.88.54.
[Insert Screenshot]<<<<<<<<<<<<<<<<<<<<<<<<<
A self-hosted web application serves as the protected resource in this case. The web app can only be accessed by requests coming from the IP address 52.202.88.54. Depending on the resource, it can be necessary to permit inbound traffic on various ports and traffic types. This is not covered in this manual.
[Insert screenshot]<<<<<<<<<<<<<<<<<<<<<<<<<
Please tell the third party in charge of the protected resource that traffic from the static IP defined in Step 1 must be permitted (in this case 52.202.88.54).
By default, all user traffic will go through the VPN server and come from the static IP that was configured in Step 1 (in this case 52.202.88.54). However, if split tunneling has been enabled, settings could be necessary to make sure the protected resource’s destination IP is listed among the Allowed IPs.
Shown below is a complete listing of the configuration options available in /etc/firezone/firezone.rb.
option | description | default value |
default[‘firezone’][‘external_url’] | URL used to access the web portal of this Firezone instance. | “https://#{node[‘fqdn’] || node[‘hostname’]}” |
default[‘firezone’][‘config_directory’] | Top-level directory for Firezone configuration. | /etc/firezone’ |
default[‘firezone’][‘install_directory’] | Top-level directory to install Firezone to. | /opt/firezone’ |
default[‘firezone’][‘app_directory’] | Top-level directory to install the Firezone web application. | “#{node[‘firezone’][‘install_directory’]}/embedded/service/firezone” |
default[‘firezone’][‘log_directory’] | Top-level directory for Firezone logs. | /var/log/firezone’ |
default[‘firezone’][‘var_directory’] | Top-level directory for Firezone runtime files. | /var/opt/firezone’ |
default[‘firezone’][‘user’] | Name of unprivileged Linux user most services and files will belong to. | firezone’ |
default[‘firezone’][‘group’] | Name of Linux group most services and files will belong to. | firezone’ |
default[‘firezone’][‘admin_email’] | Email address for initial Firezone user. | “firezone@localhost” |
default[‘firezone’][‘max_devices_per_user’] | Maximum number of devices a user can have. | 10 |
default[‘firezone’][‘allow_unprivileged_device_management’] | Allows non-admin users to create and delete devices. | TRUE |
default[‘firezone’][‘allow_unprivileged_device_configuration’] | Allows non-admin users to modify device configurations. When disabled, prevents unprivileged users from changing all device fields except for name and description. | TRUE |
default[‘firezone’][‘egress_interface’] | Interface name where tunneled traffic will exit. If nil, the default route interface will be used. | nil |
default[‘firezone’][‘fips_enabled’] | Enable or disable OpenSSL FIPs mode. | nil |
default[‘firezone’][‘logging’][‘enabled’] | Enable or disable logging across Firezone. Set to false to disable logging entirely. | TRUE |
default[‘enterprise’][‘name’] | Name used by the Chef ‘enterprise’ cookbook. | firezone’ |
default[‘firezone’][‘install_path’] | Install path used by Chef ‘enterprise’ cookbook. Should be set to the same as the install_directory above. | node[‘firezone’][‘install_directory’] |
default[‘firezone’][‘sysvinit_id’] | An identifier used in /etc/inittab. Must be a unique sequence of 1-4 characters. | SUP’ |
default[‘firezone’][‘authentication’][‘local’][‘enabled’] | Enable or disable local email/password authentication. | TRUE |
default[‘firezone’][‘authentication’][‘auto_create_oidc_users’] | Automatically create users signing in from OIDC for the first time. Disable to allow only existing users to sign in via OIDC. | TRUE |
default[‘firezone’][‘authentication’][‘disable_vpn_on_oidc_error’] | Disable a user’s VPN if an error is detected trying to refresh their OIDC token. | FALSE |
default[‘firezone’][‘authentication’][‘oidc’] | OpenID Connect config, in the format of {“provider” => [config…]} – See OpenIDConnect documentation for config examples. | {} |
default[‘firezone’][‘nginx’][‘enabled’] | Enable or disable the bundled nginx server. | TRUE |
default[‘firezone’][‘nginx’][‘ssl_port’] | HTTPS listen port. | 443 |
default[‘firezone’][‘nginx’][‘directory’] | Directory to store Firezone-related nginx virtual host configuration. | “#{node[‘firezone’][‘var_directory’]}/nginx/etc” |
default[‘firezone’][‘nginx’][‘log_directory’] | Directory to store Firezone-related nginx log files. | “#{node[‘firezone’][‘log_directory’]}/nginx” |
default[‘firezone’][‘nginx’][‘log_rotation’][‘file_maxbytes’] | File size at which to rotate Nginx log files. | 104857600 |
default[‘firezone’][‘nginx’][‘log_rotation’][‘num_to_keep’] | Number of Firezone nginx log files to keep before discarding. | 10 |
default[‘firezone’][‘nginx’][‘log_x_forwarded_for’] | Whether to log Firezone nginx x-forwarded-for header. | TRUE |
default[‘firezone’][‘nginx’][‘hsts_header’][‘enabled’] | TRUE | |
default[‘firezone’][‘nginx’][‘hsts_header’][‘include_subdomains’] | Enable or disable includeSubDomains for the HSTS header. | TRUE |
default[‘firezone’][‘nginx’][‘hsts_header’][‘max_age’] | Max age for the HSTS header. | 31536000 |
default[‘firezone’][‘nginx’][‘redirect_to_canonical’] | Whether to redirect URLs to the canonical FQDN specified above | FALSE |
default[‘firezone’][‘nginx’][‘cache’][‘enabled’] | Enable or disable the Firezone nginx cache. | FALSE |
default[‘firezone’][‘nginx’][‘cache’][‘directory’] | Directory for Firezone nginx cache. | “#{node[‘firezone’][‘var_directory’]}/nginx/cache” |
default[‘firezone’][‘nginx’][‘user’] | Firezone nginx user. | node[‘firezone’][‘user’] |
default[‘firezone’][‘nginx’][‘group’] | Firezone nginx group. | node[‘firezone’][‘group’] |
default[‘firezone’][‘nginx’][‘dir’] | Top-level nginx configuration directory. | node[‘firezone’][‘nginx’][‘directory’] |
default[‘firezone’][‘nginx’][‘log_dir’] | Top-level nginx log directory. | node[‘firezone’][‘nginx’][‘log_directory’] |
default[‘firezone’][‘nginx’][‘pid’] | Location for nginx pid file. | “#{node[‘firezone’][‘nginx’][‘directory’]}/nginx.pid” |
default[‘firezone’][‘nginx’][‘daemon_disable’] | Disable nginx daemon mode so we can monitor it instead. | TRUE |
default[‘firezone’][‘nginx’][‘gzip’] | Turn nginx gzip compression on or off. | on’ |
default[‘firezone’][‘nginx’][‘gzip_static’] | Turn nginx gzip compression on or off for static files. | off’ |
default[‘firezone’][‘nginx’][‘gzip_http_version’] | HTTP version to use for serving static files. | 1.0′ |
default[‘firezone’][‘nginx’][‘gzip_comp_level’] | nginx gzip compression level. | 2′ |
default[‘firezone’][‘nginx’][‘gzip_proxied’] | Enables or disables gzipping of responses for proxied requests depending on the request and response. | any’ |
default[‘firezone’][‘nginx’][‘gzip_vary’] | Enables or disables inserting the “Vary: Accept-Encoding” response header. | off’ |
default[‘firezone’][‘nginx’][‘gzip_buffers’] | Sets the number and size of buffers used to compress a response. If nil, nginx default is used. | nil |
default[‘firezone’][‘nginx’][‘gzip_types’] | MIME types to enable gzip compression for. | [‘text/plain’, ‘text/css’,’application/x-javascript’, ‘text/xml’, ‘application/xml’, ‘application/rss+xml’, ‘application/atom+xml’, ‘text/javascript’, ‘application/javascript’, ‘application/json’] |
default[‘firezone’][‘nginx’][‘gzip_min_length’] | Minimum file length to enable file gzip compression for. | 1000 |
default[‘firezone’][‘nginx’][‘gzip_disable’] | User-agent matcher to disable gzip compression for. | MSIE [1-6]\.’ |
default[‘firezone’][‘nginx’][‘keepalive’] | Activates cache for connection to upstream servers. | on’ |
default[‘firezone’][‘nginx’][‘keepalive_timeout’] | Timeout in seconds for keepalive connection to upstream servers. | 65 |
default[‘firezone’][‘nginx’][‘worker_processes’] | Number of nginx worker processes. | node[‘cpu’] && node[‘cpu’][‘total’] ? node[‘cpu’][‘total’] : 1 |
default[‘firezone’][‘nginx’][‘worker_connections’] | Max number of simultaneous connections that can be opened by a worker process. | 1024 |
default[‘firezone’][‘nginx’][‘worker_rlimit_nofile’] | Changes the limit on the maximum number of open files for worker processes. Uses nginx default if nil. | nil |
default[‘firezone’][‘nginx’][‘multi_accept’] | Whether workers should accept one connection at a time or multiple. | TRUE |
default[‘firezone’][‘nginx’][‘event’] | Specifies the connection processing method to use inside nginx events context. | epoll’ |
default[‘firezone’][‘nginx’][‘server_tokens’] | Enables or disables emitting nginx version on error pages and in the “Server” response header field. | nil |
default[‘firezone’][‘nginx’][‘server_names_hash_bucket_size’] | Sets the bucket size for the server names hash tables. | 64 |
default[‘firezone’][‘nginx’][‘sendfile’] | Enables or disables the use of nginx’s sendfile(). | on’ |
default[‘firezone’][‘nginx’][‘access_log_options’] | Sets nginx access log options. | nil |
default[‘firezone’][‘nginx’][‘error_log_options’] | Sets nginx error log options. | nil |
default[‘firezone’][‘nginx’][‘disable_access_log’] | Disables nginx access log. | FALSE |
default[‘firezone’][‘nginx’][‘types_hash_max_size’] | nginx types hash max size. | 2048 |
default[‘firezone’][‘nginx’][‘types_hash_bucket_size’] | nginx types hash bucket size. | 64 |
default[‘firezone’][‘nginx’][‘proxy_read_timeout’] | nginx proxy read timeout. Set to nil to use nginx default. | nil |
default[‘firezone’][‘nginx’][‘client_body_buffer_size’] | nginx client body buffer size. Set to nil to use nginx default. | nil |
default[‘firezone’][‘nginx’][‘client_max_body_size’] | nginx client max body size. | 250m’ |
default[‘firezone’][‘nginx’][‘default’][‘modules’] | Specify additional nginx modules. | [] |
default[‘firezone’][‘nginx’][‘enable_rate_limiting’] | Enable or disable nginx rate limiting. | TRUE |
default[‘firezone’][‘nginx’][‘rate_limiting_zone_name’] | Nginx rate limiting zone name. | firezone’ |
default[‘firezone’][‘nginx’][‘rate_limiting_backoff’] | Nginx rate limiting backoff. | 10m’ |
default[‘firezone’][‘nginx’][‘rate_limit’] | Nginx rate limit. | 10r/s’ |
default[‘firezone’][‘nginx’][‘ipv6’] | Allow nginx to listen for HTTP requests for IPv6 in addition to IPv4. | TRUE |
default[‘firezone’][‘postgresql’][‘enabled’] | Enable or disable bundled Postgresql. Set to false and fill in the database options below to use your own Postgresql instance. | TRUE |
default[‘firezone’][‘postgresql’][‘username’] | Username for Postgresql. | node[‘firezone’][‘user’] |
default[‘firezone’][‘postgresql’][‘data_directory’] | Postgresql data directory. | “#{node[‘firezone’][‘var_directory’]}/postgresql/13.3/data” |
default[‘firezone’][‘postgresql’][‘log_directory’] | Postgresql log directory. | “#{node[‘firezone’][‘log_directory’]}/postgresql” |
default[‘firezone’][‘postgresql’][‘log_rotation’][‘file_maxbytes’] | Postgresql log file maximum size before it’s rotated. | 104857600 |
default[‘firezone’][‘postgresql’][‘log_rotation’][‘num_to_keep’] | Number of Postgresql log files to keep. | 10 |
default[‘firezone’][‘postgresql’][‘checkpoint_completion_target’] | Postgresql checkpoint completion target. | 0.5 |
default[‘firezone’][‘postgresql’][‘checkpoint_segments’] | Number of Postgresql checkpoint segments. | 3 |
default[‘firezone’][‘postgresql’][‘checkpoint_timeout’] | Postgresql checkpoint timeout. | 5min’ |
default[‘firezone’][‘postgresql’][‘checkpoint_warning’] | Postgresql checkpoint warning time in seconds. | 30s’ |
default[‘firezone’][‘postgresql’][‘effective_cache_size’] | Postgresql effective cache size. | 128MB’ |
default[‘firezone’][‘postgresql’][‘listen_address’] | Postgresql listen address. | 127.0.0.1′ |
default[‘firezone’][‘postgresql’][‘max_connections’] | Postgresql max connections. | 350 |
default[‘firezone’][‘postgresql’][‘md5_auth_cidr_addresses’] | Postgresql CIDRs to allow for md5 auth. | [‘127.0.0.1/32’, ‘::1/128’] |
default[‘firezone’][‘postgresql’][‘port’] | Postgresql listen port. | 15432 |
default[‘firezone’][‘postgresql’][‘shared_buffers’] | Postgresql shared buffers size. | “#{(node[‘memory’][‘total’].to_i / 4) / 1024}MB” |
default[‘firezone’][‘postgresql’][‘shmmax’] | Postgresql shmmax in bytes. | 17179869184 |
default[‘firezone’][‘postgresql’][‘shmall’] | Postgresql shmall in bytes. | 4194304 |
default[‘firezone’][‘postgresql’][‘work_mem’] | Postgresql working memory size. | 8MB’ |
default[‘firezone’][‘database’][‘user’] | Specifies the username Firezone will use to connect to the DB. | node[‘firezone’][‘postgresql’][‘username’] |
default[‘firezone’][‘database’][‘password’] | If using an external DB, specifies the password Firezone will use to connect to the DB. | change_me’ |
default[‘firezone’][‘database’][‘name’] | Database that Firezone will use. Will be created if it doesn’t exist. | firezone’ |
default[‘firezone’][‘database’][‘host’] | Database host that Firezone will connect to. | node[‘firezone’][‘postgresql’][‘listen_address’] |
default[‘firezone’][‘database’][‘port’] | Database port that Firezone will connect to. | node[‘firezone’][‘postgresql’][‘port’] |
default[‘firezone’][‘database’][‘pool’] | Database pool size Firezone will use. | [10, Etc.nprocessors].max |
default[‘firezone’][‘database’][‘ssl’] | Whether to connect to the database over SSL. | FALSE |
default[‘firezone’][‘database’][‘ssl_opts’] | {} | |
default[‘firezone’][‘database’][‘parameters’] | {} | |
default[‘firezone’][‘database’][‘extensions’] | Database extensions to enable. | { ‘plpgsql’ => true, ‘pg_trgm’ => true } |
default[‘firezone’][‘phoenix’][‘enabled’] | Enable or disable the Firezone web application. | TRUE |
default[‘firezone’][‘phoenix’][‘listen_address’] | Firezone web application listen address. This will be the upstream listen address that nginx proxies. | 127.0.0.1′ |
default[‘firezone’][‘phoenix’][‘port’] | Firezone web application listen port. This will be the upstream port that nginx proxies. | 13000 |
default[‘firezone’][‘phoenix’][‘log_directory’] | Firezone web application log directory. | “#{node[‘firezone’][‘log_directory’]}/phoenix” |
default[‘firezone’][‘phoenix’][‘log_rotation’][‘file_maxbytes’] | Firezone web application log file size. | 104857600 |
default[‘firezone’][‘phoenix’][‘log_rotation’][‘num_to_keep’] | Number of Firezone web application log files to keep. | 10 |
default[‘firezone’][‘phoenix’][‘crash_detection’][‘enabled’] | Enable or disable bringing down the Firezone web application when a crash is detected. | TRUE |
default[‘firezone’][‘phoenix’][‘external_trusted_proxies’] | List of trusted reverse proxies formatted as an Array of IPs and/or CIDRs. | [] |
default[‘firezone’][‘phoenix’][‘private_clients’] | List of private network HTTP clients, formatted an Array of IPs and/or CIDRs. | [] |
default[‘firezone’][‘wireguard’][‘enabled’] | Enable or disable bundled WireGuard management. | TRUE |
default[‘firezone’][‘wireguard’][‘log_directory’] | Log directory for bundled WireGuard management. | “#{node[‘firezone’][‘log_directory’]}/wireguard” |
default[‘firezone’][‘wireguard’][‘log_rotation’][‘file_maxbytes’] | WireGuard log file max size. | 104857600 |
default[‘firezone’][‘wireguard’][‘log_rotation’][‘num_to_keep’] | Number of WireGuard log files to keep. | 10 |
default[‘firezone’][‘wireguard’][‘interface_name’] | WireGuard interface name. Changing this parameter may cause a temporary loss in VPN connectivity. | wg-firezone’ |
default[‘firezone’][‘wireguard’][‘port’] | WireGuard listen port. | 51820 |
default[‘firezone’][‘wireguard’][‘mtu’] | WireGuard interface MTU for this server and for device configurations. | 1280 |
default[‘firezone’][‘wireguard’][‘endpoint’] | WireGuard Endpoint to use for generating device configurations. If nil, defaults to the server’s public IP address. | nil |
default[‘firezone’][‘wireguard’][‘dns’] | WireGuard DNS to use for generated device configurations. | 1.1.1.1, 1.0.0.1′ |
default[‘firezone’][‘wireguard’][‘allowed_ips’] | WireGuard AllowedIPs to use for generated device configurations. | 0.0.0.0/0, ::/0′ |
default[‘firezone’][‘wireguard’][‘persistent_keepalive’] | Default PersistentKeepalive setting for generated device configurations. A value of 0 disables. | 0 |
default[‘firezone’][‘wireguard’][‘ipv4’][‘enabled’] | Enable or disable IPv4 for WireGuard network. | TRUE |
default[‘firezone’][‘wireguard’][‘ipv4’][‘masquerade’] | Enable or disable masquerade for packets leaving the IPv4 tunnel. | TRUE |
default[‘firezone’][‘wireguard’][‘ipv4’][‘network’] | WireGuard network IPv4 address pool. | 10.3.2.0/24′ |
default[‘firezone’][‘wireguard’][‘ipv4’][‘address’] | WireGuard interface IPv4 address. Must be within WireGuard address pool. | 10.3.2.1′ |
default[‘firezone’][‘wireguard’][‘ipv6’][‘enabled’] | Enable or disable IPv6 for WireGuard network. | TRUE |
default[‘firezone’][‘wireguard’][‘ipv6’][‘masquerade’] | Enable or disable masquerade for packets leaving the IPv6 tunnel. | TRUE |
default[‘firezone’][‘wireguard’][‘ipv6’][‘network’] | WireGuard network IPv6 address pool. | fd00::3:2:0/120′ |
default[‘firezone’][‘wireguard’][‘ipv6’][‘address’] | WireGuard interface IPv6 address. Must be within IPv6 address pool. | fd00::3:2:1′ |
default[‘firezone’][‘runit’][‘svlogd_bin’] | Runit svlogd bin location. | “#{node[‘firezone’][‘install_directory’]}/embedded/bin/svlogd” |
default[‘firezone’][‘ssl’][‘directory’] | SSL directory for storing generated certs. | /var/opt/firezone/ssl’ |
default[‘firezone’][‘ssl’][’email_address’] | Email address to use for self-signed certs and ACME protocol renewal notices. | you@example.com’ |
default[‘firezone’][‘ssl’][‘acme’][‘enabled’] | Enable ACME for automatic SSL cert provisioning. Disable this to prevent Nginx from listening on port 80. See here for more instructions. | FALSE |
default[‘firezone’][‘ssl’][‘acme’][‘server’] | ACME server to use for certificate issuance/renewal. Can be any valid acme.sh server | letsencrypt |
default[‘firezone’][‘ssl’][‘acme’][‘keylength’] | Specify the key type and length for SSL certificates. See here | ec-256 |
default[‘firezone’][‘ssl’][‘certificate’] | Path to the certificate file for your FQDN. Overrides ACME setting above if specified. If both ACME and this are nil a self-signed cert will be generated. | nil |
default[‘firezone’][‘ssl’][‘certificate_key’] | Path to the certificate file. | nil |
default[‘firezone’][‘ssl’][‘ssl_dhparam’] | nginx ssl dh_param. | nil |
default[‘firezone’][‘ssl’][‘country_name’] | Country name for self-signed cert. | US’ |
default[‘firezone’][‘ssl’][‘state_name’] | State name for self-signed cert. | CA’ |
default[‘firezone’][‘ssl’][‘locality_name’] | Locality name for self-signed cert. | San Francisco’ |
default[‘firezone’][‘ssl’][‘company_name’] | Company name self-signed cert. | My Company’ |
default[‘firezone’][‘ssl’][‘organizational_unit_name’] | Organizational unit name for self-signed cert. | Operations’ |
default[‘firezone’][‘ssl’][‘ciphers’] | SSL ciphers for nginx to use. | ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA’ |
default[‘firezone’][‘ssl’][‘fips_ciphers’] | SSL ciphers for FIPs mode. | FIPS@STRENGTH:!aNULL:!eNULL’ |
default[‘firezone’][‘ssl’][‘protocols’] | TLS protocols to use. | TLSv1 TLSv1.1 TLSv1.2′ |
default[‘firezone’][‘ssl’][‘session_cache’] | SSL session cache. | shared:SSL:4m’ |
default[‘firezone’][‘ssl’][‘session_timeout’] | SSL session timeout. | 5m’ |
default[‘firezone’][‘robots_allow’] | nginx robots allow. | /’ |
default[‘firezone’][‘robots_disallow’] | nginx robots disallow. | nil |
default[‘firezone’][‘outbound_email’][‘from’] | Outbound email from address. | nil |
default[‘firezone’][‘outbound_email’][‘provider’] | Outbound email service provider. | nil |
default[‘firezone’][‘outbound_email’][‘configs’] | Outbound email provider configs. | see omnibus/cookbooks/firezone/attributes/default.rb |
default[‘firezone’][‘telemetry’][‘enabled’] | Enable or disable anonymized product telemetry. | TRUE |
default[‘firezone’][‘connectivity_checks’][‘enabled’] | Enable or disable the Firezone connectivity checks service. | TRUE |
default[‘firezone’][‘connectivity_checks’][‘interval’] | Interval between connectivity checks in seconds. | 3_600 |
________________________________________________________________
Here you’ll find a listing of files and directories related to a typical Firezone installation. These could change depending on changes to your configuration file.
path | description |
/var/opt/firezone | Top-level directory containing data and generated configuration for Firezone bundled services. |
/opt/firezone | Top-level directory containing built libraries, binaries and runtime files needed by Firezone. |
/usr/bin/firezone-ctl | firezone-ctl utility for managing your Firezone installation. |
/etc/systemd/system/firezone-runsvdir-start.service | systemd unit file for starting the Firezone runsvdir supervisor process. |
/etc/firezone | Firezone configuration files. |
__________________________________________________________
This page was empty in docs
_____________________________________________________________
The following nftables firewall template can be used to secure the server running Firezone. The template does make some assumptions; you may need to adjust the rules to suit your use case:
Firezone configures its own nftables rules to permit/reject traffic to destinations configured in the web interface and to handle outbound NAT for client traffic.
Applying the below firewall template on an already running server (not at boot time) will result in the Firezone rules being cleared. This may have security implications.
To work around this restart the phoenix service:
firezone-ctl restart phoenix
#!/usr/sbin/nft -f
## Clear/flush all existing rules
flush ruleset
################################ VARIABLES ################################
## Internet/WAN interface name
define DEV_WAN = eth0
## WireGuard interface name
define DEV_WIREGUARD = wg-firezone
## WireGuard listen port
define WIREGUARD_PORT = 51820
############################## VARIABLES END ##############################
# Main inet family filtering table
table inet filter {
# Rules for forwarded traffic
# This chain is processed before the Firezone forward chain
chain forward {
type filter hook forward priority filter – 5; policy accept
}
# Rules for input traffic
chain input {
type filter hook input priority filter; policy drop
## Permit inbound traffic to loopback interface
iif lo \
accept \
comment “Permit all traffic in from loopback interface”
## Permit established and related connections
ct state established,related \
accept \
comment “Permit established/related connections”
## Permit inbound WireGuard traffic
iif $DEV_WAN udp dport $WIREGUARD_PORT \
counter \
accept \
comment “Permit inbound WireGuard traffic”
## Log and drop new TCP non-SYN packets
tcp flags != syn ct state new \
limit rate 100/minute burst 150 packets \
log prefix “IN – New !SYN: “ \
comment “Rate limit logging for new connections that do not have the SYN TCP flag set”
tcp flags != syn ct state new \
counter \
drop \
comment “Drop new connections that do not have the SYN TCP flag set”
## Log and drop TCP packets with invalid fin/syn flag set
tcp flags & (fin|syn) == (fin|syn) \
limit rate 100/minute burst 150 packets \
log prefix “IN – TCP FIN|SIN: “ \
comment “Rate limit logging for TCP packets with invalid fin/syn flag set”
tcp flags & (fin|syn) == (fin|syn) \
counter \
drop \
comment “Drop TCP packets with invalid fin/syn flag set”
## Log and drop TCP packets with invalid syn/rst flag set
tcp flags & (syn|rst) == (syn|rst) \
limit rate 100/minute burst 150 packets \
log prefix “IN – TCP SYN|RST: “ \
comment “Rate limit logging for TCP packets with invalid syn/rst flag set”
tcp flags & (syn|rst) == (syn|rst) \
counter \
drop \
comment “Drop TCP packets with invalid syn/rst flag set”
## Log and drop invalid TCP flags
tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) \
limit rate 100/minute burst 150 packets \
log prefix “IN – FIN:” \
comment “Rate limit logging for invalid TCP flags (fin|syn|rst|psh|ack|urg) < (fin)”
tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) \
counter \
drop \
comment “Drop TCP packets with flags (fin|syn|rst|psh|ack|urg) < (fin)”
## Log and drop invalid TCP flags
tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) \
limit rate 100/minute burst 150 packets \
log prefix “IN – FIN|PSH|URG:” \
comment “Rate limit logging for invalid TCP flags (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)”
tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) \
counter \
drop \
comment “Drop TCP packets with flags (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)”
## Drop traffic with invalid connection state
ct state invalid \
limit rate 100/minute burst 150 packets \
log flags all prefix “IN – Invalid: “ \
comment “Rate limit logging for traffic with invalid connection state”
ct state invalid \
counter \
drop \
comment “Drop traffic with invalid connection state”
## Permit IPv4 ping/ping responses but rate limit to 2000 PPS
ip protocol icmp icmp type { echo-reply, echo-request } \
limit rate 2000/second \
counter \
accept \
comment “Permit inbound IPv4 echo (ping) limited to 2000 PPS”
## Permit all other inbound IPv4 ICMP
ip protocol icmp \
counter \
accept \
comment “Permit all other IPv4 ICMP”
## Permit IPv6 ping/ping responses but rate limit to 2000 PPS
icmpv6 type { echo-reply, echo-request } \
limit rate 2000/second \
counter \
accept \
comment “Permit inbound IPv6 echo (ping) limited to 2000 PPS”
## Permit all other inbound IPv6 ICMP
meta l4proto { icmpv6 } \
counter \
accept \
comment “Permit all other IPv6 ICMP”
## Permit inbound traceroute UDP ports but limit to 500 PPS
udp dport 33434-33524 \
limit rate 500/second \
counter \
accept \
comment “Permit inbound UDP traceroute limited to 500 PPS”
## Permit inbound SSH
tcp dport ssh ct state new \
counter \
accept \
comment “Permit inbound SSH connections”
## Permit inbound HTTP and HTTPS
tcp dport { http, https } ct state new \
counter \
accept \
comment “Permit inbound HTTP and HTTPS connections”
## Log any unmatched traffic but rate limit logging to a maximum of 60 messages/minute
## The default policy will be applied to unmatched traffic
limit rate 60/minute burst 100 packets \
log prefix “IN – Drop: “ \
comment “Log any unmatched traffic”
## Count the unmatched traffic
counter \
comment “Count any unmatched traffic”
}
# Rules for output traffic
chain output {
type filter hook output priority filter; policy drop
## Permit outbound traffic to loopback interface
oif lo \
accept \
comment “Permit all traffic out to loopback interface”
## Permit established and related connections
ct state established,related \
counter \
accept \
comment “Permit established/related connections”
## Permit outbound WireGuard traffic before dropping connections with bad state
oif $DEV_WAN udp sport $WIREGUARD_PORT \
counter \
accept \
comment “Permit WireGuard outbound traffic”
## Drop traffic with invalid connection state
ct state invalid \
limit rate 100/minute burst 150 packets \
log flags all prefix “OUT – Invalid: “ \
comment “Rate limit logging for traffic with invalid connection state”
ct state invalid \
counter \
drop \
comment “Drop traffic with invalid connection state”
## Permit all other outbound IPv4 ICMP
ip protocol icmp \
counter \
accept \
comment “Permit all IPv4 ICMP types”
## Permit all other outbound IPv6 ICMP
meta l4proto { icmpv6 } \
counter \
accept \
comment “Permit all IPv6 ICMP types”
## Permit outbound traceroute UDP ports but limit to 500 PPS
udp dport 33434-33524 \
limit rate 500/second \
counter \
accept \
comment “Permit outbound UDP traceroute limited to 500 PPS”
## Permit outbound HTTP and HTTPS connections
tcp dport { http, https } ct state new \
counter \
accept \
comment “Permit outbound HTTP and HTTPS connections”
## Permit outbound SMTP submission
tcp dport submission ct state new \
counter \
accept \
comment “Permit outbound SMTP submission”
## Permit outbound DNS requests
udp dport 53 \
counter \
accept \
comment “Permit outbound UDP DNS requests”
tcp dport 53 \
counter \
accept \
comment “Permit outbound TCP DNS requests”
## Permit outbound NTP requests
udp dport 123 \
counter \
accept \
comment “Permit outbound NTP requests”
## Log any unmatched traffic but rate limit logging to a maximum of 60 messages/minute
## The default policy will be applied to unmatched traffic
limit rate 60/minute burst 100 packets \
log prefix “OUT – Drop: “ \
comment “Log any unmatched traffic”
## Count the unmatched traffic
counter \
comment “Count any unmatched traffic”
}
}
# Main NAT filtering table
table inet nat {
# Rules for NAT traffic pre-routing
chain prerouting {
type nat hook prerouting priority dstnat; policy accept
}
# Rules for NAT traffic post-routing
# This table is processed before the Firezone post-routing chain
chain postrouting {
type nat hook postrouting priority srcnat – 5; policy accept
}
}
The firewall should be stored in the relevant location for the Linux distribution that is running. For Debian/Ubuntu this is /etc/nftables.conf and for RHEL this is /etc/sysconfig/nftables.conf.
nftables.service will need to be configured to start on boot (if not already) set:
systemctl enable nftables.service
If making any changes to the firewall template the syntax can be validated by running the check command:
nft -f /path/to/nftables.conf -c
Be sure to validate the firewall works as expected as certain nftables features may not be available depending on the release running on the server.
_______________________________________________________________
This document presents an overview of the telemetry Firezone collects from your self-hosted instance and how to disable it.
Firezone relies on telemetry to prioritize our roadmap and optimize the engineering resources we have to make Firezone better for everyone.
The telemetry we collect aims to answer the following questions:
There are three main places where telemetry is collected in Firezone:
In each of these three contexts, we capture the minimum amount of data necessary to answer the questions in the section above.
Admin emails are collected only if you explicitly opt-in to product updates. Otherwise, personally-identifiable information is never collected.
Firezone stores telemetry in a self-hosted instance of PostHog running in a private Kubernetes cluster, only accessible by the Firezone team. Here is an example of a telemetry event that is sent from your instance of Firezone to our telemetry server:
{
“id”: “0182272d-0b88-0000-d419-7b9a413713f1”,
“timestamp”: “2022-07-22T18:30:39.748000+00:00”,
“event”: “fz_http_started”,
“distinct_id”: “1ec2e794-1c3e-43fc-a78f-1db6d1a37f54”,
“properties”: {
“$geoip_city_name”: “Ashburn”,
“$geoip_continent_code”: “NA”,
“$geoip_continent_name”: “North America”,
“$geoip_country_code”: “US”,
“$geoip_country_name”: “United States”,
“$geoip_latitude”: 39.0469,
“$geoip_longitude”: -77.4903,
“$geoip_postal_code”: “20149”,
“$geoip_subdivision_1_code”: “VA”,
“$geoip_subdivision_1_name”: “Virginia”,
“$geoip_time_zone”: “America/New_York”,
“$ip”: “52.200.241.107”,
“$plugins_deferred”: [],
“$plugins_failed”: [],
“$plugins_succeeded”: [
“GeoIP (3)”
],
“distinct_id”: “1zc2e794-1c3e-43fc-a78f-1db6d1a37f54”,
“fqdn”: “awsdemo.firezone.dev”,
“kernel_version”: “linux 5.13.0”,
“version”: “0.4.6”
},
“elements_chain”: “”
}
NOTE
The Firezone development team relies on product analytics to make Firezone better for everyone. Leaving telemetry enabled is the single most valuable contribution you can make to Firezone’s development. That said, we understand some users have higher privacy or security requirements and would prefer to disable telemetry altogether. If that’s you, keep reading.
Telemetry is enabled by default. To completely disable product telemetry, set the following configuration option to false in /etc/firezone/firezone.rb and run sudo firezone-ctl reconfigure to pick up the changes.
default[‘firezone’][‘telemetry’][‘enabled’] = false
That will completely disable all product telemetry.
Hailbytes
9511 Queens Guard Ct.
Laurel, MD 20723
Phone: (732) 771-9995
Email: info@hailbytes.com
