How to Set Up Hailbytes VPN for Your AWS Environment


In this article, we will go over how to set up HailBytes VPN on your network, a simple and secure VPN and firewall for your network. Further details and specific specifications can be found in our developer documentation linked here.


   1.  Resource Requirements:

  • We recommend starting with 1 vCPU and 1 GB of RAM before scaling up.
  • For Omnibus-based deployments on servers with less than 1 GB of memory, you should turn on swap to avoid the Linux kernel from unexpectedly killing Firezone processes.
  • 1 vCPU should be sufficient to saturate a 1 Gbps link for the VPN.

   2.  Create DNS record:  Firezone requires a proper domain name for production use, e.g. Creating an appropriate DNS record like A, CNAME, or AAAA record will be required.

   3.  Set up SSL: You will need a valid SSL certificate to use Firezone in a production capacity. Firezone supports ACME for automatic provisioning of SSL certificates for Docker and Omnibus-based installations.

   4.  Open firewall ports: Firezone uses ports 51820/udp and 443/tcp for HTTPS and WireGuard traffic respectively. You can change these ports later in the configuration file.

Deploy on Docker (Recommended)

   1.  Prerequisites:

  • Ensure you are on a supported platform with docker-compose version 2 or higher installed.


  • Make sure port forwarding is enabled on the firewall. Defaults require the following ports to be open:

         o   80/tcp (optional): Automatically issuing SSL certificates

         o   443/tcp: Access web UI

         o   51820/udp: VPN traffic listen port

  2.  Install Server Option I: Automatic Installation (Recommended)

  • Run installation script: bash <(curl -fsSL 1889d1a18e090c-0ec2bae288f1e2-26031d51-144000-1889d1a18e11c6c


  • It will ask you a few questions regarding initial configuration before downloading a sample docker-compose.yml file. You will want to configure it with your responses, and print instructions for accessing the Web UI.


  • Firezone default address: $HOME/.firezone.

  2.  Install Server Option II: Manual Installation

  • Download the docker compose template to a local working directory

          – Linux: curl -fsSL -o docker-compose.yml

          – macOS or Windows: curl -fsSL -o docker-compose.yml

  • Generate required secrets: docker run –rm firezone/firezone bin/gen-env > .env


  • Change the DEFAULT_ADMIN_EMAIL and EXTERNAL_URL variables. Modify other secrets as needed.


  • Migrate the database: docker compose run –rm firezone bin/migrate


  • Create an admin account: docker compose run –rm firezone bin/create-or-reset-admin


  • Bring the services up: docker compose up -d


  • You should be able to access the Firezome UI throught the EXTERNAL_URL variable defined above.

   3.  Enable on boot (optional):

  • Ensure Docker is enabled at startup: sudo systemctl enable docker


  • Firezone services should have the restart: always or restart: unless-stopped option specified in the docker-compose.yml file.

   4.  Enable IPv6 Public Routability (optional):

  • Add the following to /etc/docker/daemon.json to enable IPv6 NAT and configure IPv6 forwarding for Docker containers.


  • Enable router notifications on boot for your default egress interface: egress=`ip route show default | grep -oP ‘(?<=dev ).*’ | cut -f1 -d’ ‘ | tr -d ‘\n’` sudo bash -c “echo net.ipv6.conf.${egress}.accept_ra=2 >> /etc/sysctl.conf”


  • Reboot and test by pinging to Google from within docker container: docker run –rm -t busybox ping6 -c 4


  • No need to add any iptables rules to enable IPv6 SNAT/masquerading for tunneled traffic. Firezone will handle this.

   5.  Install client apps

        You can now add users to your network and configure instructions to establish a VPN session.

Post Setup

Congratulations, you have completed the setup! You may want to check our developer documentation for additional configurations, security considerations, and advanced features: