FireZone
Firewall and wireguard VPN server.
Install - Ubuntu 22.04 / Debian 11
$ sudo apt update && sudo apt upgrade
$ curl -1sLf 'https://dl.cloudsmith.io/public/firezone/firezone/setup.deb.sh' | sudo -E bash
$ sudo apt install -y firezone
# Required to get the server working at first boot.
$ sudo firezone-ctl reconfigure
$ sudo firezone-ctl restart
# This will print out a random password for firezone@localhost
$ sudo firezone-ctl create-or-reset-admin
Access the server's public IP - https://ip-of-server
Email: firezone@localhost
Password: randomly generated by script
Docker Install - Fails currently
# Github issue opened - https://github.com/firezone/firezone/issues/1079
# Install Docker and Docker Compose Plugin ( See Docker docs here )
$ bash <(curl -fsSL https://github.com/firezone/firezone/raw/master/scripts/install.sh)
Firewall
# Make sure to add an Egress Rule for your VPN users
> Login > Rules > Set parameters > Add
# Make sure that you allow inbound traffic 51820/udp ( Security Group AWS )
$ sudo ufw disable
$ sudo apt install nftables
$ sudo su -c "curl 'https://raw.githubusercontent.com/decyphertek-io/configs/main/nftables.conf' >> /etc/nftables.conf"
$ sudo systemctl enable nftables
$ sudo systemctl start nftables
$ sudo systemctl status nftables
$ sudo firezone-ctl restart phoenix
Ports and protocols
* Nginx 443/tcp - all Public HTTPS port for administering Firezone and facilitating authentication.
* Nginx 80/tcp - all Public HTTP port used for ACME. Disabled when ACME is disabled.
* WireGuard 51820/udp - all Public WireGuard port used for VPN sessions.
* Postgresql 15432/tcp - 127.0.0.1 Local-only port used for bundled Postgresql server.
* Phoenix 13000/tcp - 127.0.0.1 Local-only port used by upstream elixir app server.
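An added check (not part of the original notes or the Firezone project) that audits a host's listening sockets against the port layout above: the three public ports must be listening, and the bundled Postgresql and Phoenix ports must be bound to 127.0.0.1 only, so a mis-bound local service or an unexpected public listener is flagged. It parses `ss -Hlntu` output; the sample listing is constructed, with Phoenix deliberately bound to 0.0.0.0.

```bash
#!/usr/bin/env bash
# Audit listening sockets against the Firezone layout: 443/tcp, 80/tcp, 51820/udp public;
# 15432/tcp and 13000/tcp on 127.0.0.1 only. Input is `ss -Hlntu` output
# (Netid State Recv-Q Send-Q Local:Port Peer:Port).

# Constructed sample listing (not from a real host) in which Phoenix is mis-bound to 0.0.0.0.
SAMPLE='udp   UNCONN 0 0    0.0.0.0:51820   0.0.0.0:*
tcp   LISTEN 0 511  0.0.0.0:443     0.0.0.0:*
tcp   LISTEN 0 511  0.0.0.0:80      0.0.0.0:*
tcp   LISTEN 0 244  127.0.0.1:15432 0.0.0.0:*
tcp   LISTEN 0 1024 0.0.0.0:13000   0.0.0.0:*'

# audit_ports LISTING: prints one line per finding; exit 0 if the layout matches, 1 otherwise.
audit_ports() {
  printf '%s\n' "$1" | awk '
    BEGIN {
      public["443/tcp"] = 1; public["80/tcp"] = 1; public["51820/udp"] = 1
      local_only["15432/tcp"] = 1; local_only["13000/tcp"] = 1
    }
    NF >= 5 {
      n = split($5, a, ":"); port = a[n]
      if (port !~ /^[0-9]+$/) next          # skip headers / malformed lines
      addr = substr($5, 1, length($5) - length(port) - 1)
      key = port "/" $1
      seen[key] = 1
      # A wildcard bind is reachable on every interface, including the public IP.
      wild = (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
      if (key in local_only && wild) {
        print "EXPOSED " key " bound to " addr " (expected 127.0.0.1)"; bad = 1
      } else if (wild && !(key in public)) {
        print "UNEXPECTED " key " listening on " addr; bad = 1
      }
    }
    END {
      for (k in public)     if (!(k in seen)) { print "MISSING " k " (expected public)"; bad = 1 }
      for (k in local_only) if (!(k in seen)) { print "MISSING " k " (expected on 127.0.0.1)"; bad = 1 }
      exit bad ? 1 : 0
    }'
}

# Stand-alone run against the constructed sample; on a real host use: audit_ports "$(ss -Hlntu)"
audit_ports "$SAMPLE" || echo "Firezone port audit: findings listed above"
```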
Security Configurations:
Note:
For production deployments of Firezone, we recommend you disable local authentication
altogether by setting default['firezone']['authentication']['local']['enabled'] = false
(Omnibus-based deployments) or LOCAL_AUTH_ENABLED=false (Docker-based deployments).
* Please make sure to promote a non-local user as admin first, so you can still log in.
$ sudo vim /etc/firezone/firezone.rb
<OR>
# You can delete the firezone@localhost user as long as you have promoted another user as admin.
# Note that the following command - sudo firezone-ctl create-or-reset-admin - can regenerate a local login.
# To prevent the local admin from being recreated, disable local authentication as stated above.
Adding Users / VPN EX:
Login > Users > add user > set email & password > add device > download config Or get QR code
Client Instructions - https://docs.firezone.dev/user-guides/client-instructions/
Wireguard - https://www.wireguard.com/install/#installation
# Linux Example - Client side
$ sudo apt install wireguard
$ sudo nmcli connection import type wireguard file /path/to/configuration.conf
# Connect
$ nmcli connection up [vpn name]
# disconnect
$ nmcli connection down [vpn name]
# autoconnect
$ nmcli connection modify [vpn name] connection.autoconnect yes
# disable autoconnect
$ nmcli connection modify [vpn name] connection.autoconnect no
# Android Example - Wireguard App
Download - https://play.google.com/store/apps/details?id=com.wireguard.android&gl=US
Create user > add device > make sure to name the tunnel > Scan QR code > Reference tunnel > Login > Confirm by browsing to a "what is my IP" site.
Enable MFA
Login > Account > Add MFA > Scan QR code with MFA APP
Troubleshoot
# Make sure to add an Egress Rule for your VPN users
> Login > Rules > Set parameters > Add
# Make sure that you allow inbound traffic 51820/udp
$ sudo firezone-ctl help
$ sudo firezone-ctl tail
# UFW Firewall - VPN traffic not passing
$ sudo grep 'BLOCK' /var/log/ufw*
# Confirm by temporarily disabling the host firewall
$ sudo ufw disable
# Use nftables instead
$ sudo systemctl status nftables
###CAUTION!!!###
# Please be aware: if you stop your instance and relaunch it, this may require a server reconfiguration and may void VPN connections.
# This is because the public IP changes, and the server configuration and tunnels are directly tied to it.
# Production environments can use an elastic IP and associate a domain name, which avoids this issue.
# To test this, run reconfigure and restart, then create a new tunnel to see if this resolves the issue.
$ sudo firezone-ctl reconfigure
$ sudo firezone-ctl restart
Upgrade
$ sudo firezone-ctl reconfigure
Optional Security:
# Once all VPN tunnels have been configured, you can allow inbound traffic only to port 51820/udp via
# an AWS Security Group or other network-based firewall. If you need SSH or console access, allow it temporarily.
# This secures the VPN server and returns no results when scanning via Nmap.
References
https://www.firezone.dev/
https://docs.firezone.dev/
https://kalilinuxtutorials.com/firezone/
https://docs.firezone.dev/user-guides/client-instructions/