
FireZone

Firewall and WireGuard VPN server.

Install - Ubuntu 22.04 / Debian 11

$ sudo apt update && sudo apt upgrade -y
# The setup script runs as root: it adds the Cloudsmith apt repository and signing key. Fetch and read it first if you want to see exactly what it changes.
$ curl -1sLf 'https://dl.cloudsmith.io/public/firezone/firezone/setup.deb.sh' | sudo -E bash
$ sudo apt install -y firezone
# Required to get the server working at first boot.
$ sudo firezone-ctl reconfigure
$ sudo firezone-ctl restart
# This prints a random password for firezone@localhost. Store it in a password manager; re-running the same command resets it.
$ sudo firezone-ctl create-or-reset-admin
Browse to the server's public IP: https://<ip-of-server> (expect a certificate warning until a trusted certificate is configured)
Email: firezone@localhost
Password: randomly generated by the command above

Docker Install - Fails currently

# Github issue opened - https://github.com/firezone/firezone/issues/1079
# Install Docker and Docker Compose Plugin ( See Docker docs here )
$ bash <(curl -fsSL https://github.com/firezone/firezone/raw/master/scripts/install.sh)

Firewall

# Make sure to add an Egress Rule for your VPN users
> Login > Rules > Set parameters > Add
# Make sure that you allow inbound traffic on 51820/udp (AWS Security Group or equivalent network firewall)
$ sudo ufw disable
$ sudo apt install nftables
# Fetch the ruleset to a temp file, read it before trusting it, dry-run it with nft -c, then install it over the stock config
# (appending it to Debian's default /etc/nftables.conf would leave two rulesets in one file).
$ curl -fsSL 'https://raw.githubusercontent.com/decyphertek-io/configs/main/nftables.conf' -o /tmp/nftables.conf
$ sudo nft -c -f /tmp/nftables.conf
$ sudo install -m 644 /tmp/nftables.conf /etc/nftables.conf
$ sudo systemctl enable nftables
$ sudo systemctl start nftables
$ sudo systemctl status nftables
# Firezone applies its own nftables rules for VPN egress; restart phoenix so they are re-created after your ruleset loads.
$ sudo firezone-ctl restart phoenix
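As an added example (not the page's linked decyphertek config and not Firezone's own rules), here is a minimal nftables ruleset for a Firezone host that admits only the ports listed in the next section. It is wrapped in a shell function so the same text can be dry-run with nft -c before it is installed. Two assumptions are labelled in the code: the WireGuard interface is named wg-firezone (check with ip link), and 22/tcp stays open until you restrict it by source or reach the host over the VPN.

```shell
#!/bin/sh
# Added example, not from the page or the Firezone project: a minimal nftables
# ruleset for a Firezone host. Assumptions: the WireGuard interface is
# "wg-firezone" (verify with `ip link`), and SSH on 22/tcp stays reachable.

gen_firezone_nft() {
  cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
    tcp dport 22 accept comment "ssh: restrict by source or remove once the VPN works"
    tcp dport { 80, 443 } accept comment "nginx: ACME and admin UI"
    udp dport 51820 accept comment "WireGuard"
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "wg-firezone" accept comment "VPN clients to egress; Firezone's own rules refine this per user"
  }
}
EOF
}

# Dry-run the generated ruleset with `nft -c` (needs root and nft installed);
# where that is not possible the check is reported as skipped, not failed.
check_firezone_nft() {
  f=$(mktemp) || return 1
  gen_firezone_nft > "$f"
  if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    if nft -c -f "$f"; then rc=0; else rc=1; fi
  else
    echo "nft not available as root; syntax check skipped" >&2
    rc=0
  fi
  rm -f "$f"
  return $rc
}

# On the host:
#   gen_firezone_nft | sudo tee /etc/nftables.conf >/dev/null
#   sudo nft -c -f /etc/nftables.conf && sudo systemctl restart nftables
#   sudo firezone-ctl restart phoenix
```

The forward chain defaults to drop and only admits traffic arriving from the WireGuard interface plus established return traffic; Firezone's per-user egress rules then narrow that further, and a packet must pass both to be forwarded.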

Ports and protocols

* Nginx       443/tcp   all         Public HTTPS port for administering Firezone and facilitating authentication.
* Nginx        80/tcp   all         Public HTTP port used for ACME. Disabled when ACME is disabled.
* WireGuard 51820/udp   all         Public WireGuard port used for VPN sessions.
* PostgreSQL 15432/tcp  127.0.0.1   Local-only port used by the bundled PostgreSQL server.
* Phoenix    13000/tcp  127.0.0.1   Local-only port used by the upstream Elixir app server.
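An added check, not from the page or the Firezone project: once the firewall is up, confirm that the host exposes only the ports in the list above and that PostgreSQL and Phoenix are bound to loopback. The function below reads ss -H -lntu output on stdin and flags any non-loopback listener whose proto/port is not in the allowlist; the sample ss output is constructed for the example and includes one stray 8080/tcp listener that should be caught.

```shell
#!/bin/sh
# Added example, not from the page or the Firezone project: audit listening
# sockets against the documented Firezone ports. Reads `ss -H -lntu` output on
# stdin; prints each unexpected public listener and exits 1 if any were found.
audit_listeners() {
  allow="${1:-tcp/443 tcp/80 udp/51820 tcp/22}"
  awk -v allow="$allow" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 5 {
      proto = $1; laddr = $5                      # Netid and Local Address:Port
      port = laddr; sub(/.*:/, "", port)          # text after the last colon
      addr = laddr; sub(/:[^:]*$/, "", addr)      # everything before it
      if (addr ~ /^(127\.|\[::1\]$)/) next        # loopback binds are fine
      key = proto "/" port
      if (!(key in ok)) { print key " bound to " addr; bad = 1 }
    }
    END { exit bad }'
}

# Constructed sample of `ss -H -lntu` output: the documented Firezone ports,
# SSH, the local-only PostgreSQL/Phoenix sockets, and one stray 8080/tcp.
SAMPLE_SS='udp   UNCONN 0 0        0.0.0.0:51820      0.0.0.0:*
tcp   LISTEN 0 511      0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0 511      0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0 128    127.0.0.1:15432      0.0.0.0:*
tcp   LISTEN 0 1024   127.0.0.1:13000      0.0.0.0:*
tcp   LISTEN 0 1024       [::1]:13000          [::]:*
tcp   LISTEN 0 128      0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0 128      0.0.0.0:8080       0.0.0.0:*'

# Sample run:   printf '%s\n' "$SAMPLE_SS" | audit_listeners
#               -> prints "tcp/8080 bound to 0.0.0.0" and exits 1
# On the host:  ss -H -lntu | audit_listeners
# After locking the Security Group down to WireGuard only, tighten the
# allowlist to match:  ss -H -lntu | audit_listeners 'udp/51820'
```

Run it from cron or your config-management post-run hook and alert on a non-zero exit; a new listener on a public address is exactly the kind of drift this host should never accumulate.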

Security Configurations:

Note:
For production deployments of Firezone, disable local authentication altogether by setting
default['firezone']['authentication']['local']['enabled'] = false (Omnibus-based deployments)
or LOCAL_AUTH_ENABLED=false (Docker-based deployments).
* Promote a user from an external identity provider (OIDC/SAML) to admin first, so you can still log in afterwards.
$ sudo vim /etc/firezone/firezone.rb
$ sudo firezone-ctl reconfigure
<OR>
# You can delete the firezone@localhost user as long as another user has been promoted to admin.
# Deleting it is not enough on its own: sudo firezone-ctl create-or-reset-admin recreates the local admin at any time.
# Disabling local authentication as above is what actually stops that account from being used to log in.

Adding Users / VPN EX:

Login > Users > Add User > set email & password > Add Device > download the config file or scan the QR code
Client Instructions - https://docs.firezone.dev/user-guides/client-instructions/
Wireguard - https://www.wireguard.com/install/#installation
# Linux Example - Client side
$ sudo apt install wireguard
$ sudo nmcli connection import type wireguard file /path/to/configuration.conf
# Connect
$ nmcli connection up [vpn name]
# disconnect
$ nmcli connection down [vpn name]
# autoconnect
$ nmcli connection modify [vpn name] connection.autoconnect yes
# disable autoconnect
$ nmcli connection modify [vpn name] connection.autoconnect no

# Android Example - WireGuard App
Download - https://play.google.com/store/apps/details?id=com.wireguard.android&gl=US
Create user > Add Device > name the tunnel > scan the QR code in the app > enable the tunnel > confirm by browsing to a "what is my IP" site and checking that it shows the server's address.

Enable MFA

Login > Account > Add MFA > scan the QR code with an authenticator (TOTP) app

TroubleShoot

# Make sure to add an Egress Rule for your VPN users
> Login > Rules > Set parameters > Add
# Make sure that you allow inbound traffic on 51820/udp
$ sudo firezone-ctl help
$ sudo firezone-ctl tail
# UFW firewall - VPN traffic not passing
$ sudo grep 'BLOCK' /var/log/ufw.log
# Confirm by temporarily disabling the host firewall
$ sudo ufw disable
# Use nftables instead
$ sudo systemctl status nftables

###CAUTION!!!###
# If you stop and relaunch the instance, its public IP usually changes (AWS assigns a new one unless an Elastic IP is attached).
# Firezone's configuration and every existing client tunnel are tied to that endpoint address, so clients will fail to
# connect until the server is reconfigured and the tunnels are recreated with the new endpoint.
# Production environments should attach an Elastic IP (or equivalent static address) and point a DNS name at it, so the
# address can change without breaking tunnels.
# To test recovery, run reconfigure and restart, then create a new tunnel and confirm it connects.
$ sudo firezone-ctl reconfigure
$ sudo firezone-ctl restart

Upgrade

# Install the newer package from the Cloudsmith repository added during install, then apply the updated configuration.
$ sudo apt update && sudo apt install -y firezone
$ sudo firezone-ctl reconfigure

Optional Security:

# Once all VPN tunnels have been configured, restrict inbound traffic at the AWS Security Group (or other network firewall)
# to 51820/udp only. If you need SSH or console access, allow it temporarily, or reach it over the VPN. The admin UI on
# 443/tcp is then only reachable the same way, so plan for that before closing it.
# This leaves the server with no open TCP ports: a default Nmap scan reports nothing, and because WireGuard silently drops
# packets that do not come from a configured peer, even a UDP scan of 51820 shows only open|filtered.

References

https://www.firezone.dev/
https://docs.firezone.dev/
https://kalilinuxtutorials.com/firezone/
https://docs.firezone.dev/user-guides/client-instructions/