How to Set Up Hailbytes VPN for Your AWS Environment
Introduction
In this article, we will go over how to set up HailBytes VPN on your network, a simple and secure VPN and firewall for your network. Further details and specific specifications can be found in our developer documentation linked here.
Preparation
1. Resource Requirements:
- We recommend starting with 1 vCPU and 1 GB of RAM before scaling up.
- For Omnibus-based deployments on servers with less than 1 GB of memory, you should turn on swap to avoid the Linux kernel from unexpectedly killing Firezone processes.
- 1 vCPU should be sufficient to saturate a 1 Gbps link for the VPN.
2. Create DNS record: Firezone requires a proper domain name for production use, e.g. firezone.company.com. Creating an appropriate DNS record like A, CNAME, or AAAA record will be required.
3. Set up SSL: You will need a valid SSL certificate to use Firezone in a production capacity. Firezone supports ACME for automatic provisioning of SSL certificates for Docker and Omnibus-based installations.
4. Open firewall ports: Firezone uses ports 51820/udp and 443/tcp for HTTPS and WireGuard traffic respectively. You can change these ports later in the configuration file.
Deploy on Docker (Recommended)
1. Prerequisites:
- Ensure you are on a supported platform with docker-compose version 2 or higher installed.
- Make sure port forwarding is enabled on the firewall. Defaults require the following ports to be open:
o 80/tcp (optional): Automatically issuing SSL certificates
o 443/tcp: Access web UI
o 51820/udp: VPN traffic listen port
2. Install Server Option I: Automatic Installation (Recommended)
- Run installation script: bash <(curl -fsSL https://github.com/firezone/firezone/raw/master/scripts/install.sh) 1889d1a18e090c-0ec2bae288f1e2-26031d51-144000-1889d1a18e11c6c
- It will ask you a few questions regarding initial configuration before downloading a sample docker-compose.yml file. You will want to configure it with your responses, and print instructions for accessing the Web UI.
- Firezone default address: $HOME/.firezone.
2. Install Server Option II: Manual Installation
- Download the docker compose template to a local working directory
– Linux: curl -fsSL https://raw.githubusercontent.com/firezone/firezone/master/docker-compose.prod.yml -o docker-compose.yml
– macOS or Windows: curl -fsSL https://raw.githubusercontent.com/firezone/firezone/master/docker-compose.desktop.yml -o docker-compose.yml
- Generate required secrets: docker run –rm firezone/firezone bin/gen-env > .env
- Change the DEFAULT_ADMIN_EMAIL and EXTERNAL_URL variables. Modify other secrets as needed.
- Migrate the database: docker compose run –rm firezone bin/migrate
- Create an admin account: docker compose run –rm firezone bin/create-or-reset-admin
- Bring the services up: docker compose up -d
- You should be able to access the Firezome UI throught the EXTERNAL_URL variable defined above.
3. Enable on boot (optional):
- Ensure Docker is enabled at startup: sudo systemctl enable docker
- Firezone services should have the restart: always or restart: unless-stopped option specified in the docker-compose.yml file.
4. Enable IPv6 Public Routability (optional):
- Add the following to /etc/docker/daemon.json to enable IPv6 NAT and configure IPv6 forwarding for Docker containers.
- Enable router notifications on boot for your default egress interface: egress=`ip route show default 0.0.0.0/0 | grep -oP ‘(?<=dev ).*’ | cut -f1 -d’ ‘ | tr -d ‘n’` sudo bash -c “echo net.ipv6.conf.${egress}.accept_ra=2 >> /etc/sysctl.conf”
- Reboot and test by pinging to Google from within docker container: docker run –rm -t busybox ping6 -c 4 google.com
- No need to add any iptables rules to enable IPv6 SNAT/masquerading for tunneled traffic. Firezone will handle this.
5. Install client apps
You can now add users to your network and configure instructions to establish a VPN session.
Post Setup
Congratulations, you have completed the setup! You may want to check our developer documentation for additional configurations, security considerations, and advanced features: https://www.firezone.dev/docs/