Firewall and wireguard VPN server.
Install - Ubuntu 22.04 / Debian 11
$ sudo apt update && sudo apt upgrade
$ curl -1sLf 'https://dl.cloudsmith.io/public/firezone/firezone/setup.deb.sh' | sudo -E bash
$ sudo apt install -y firezone
# Required to get the server working at first boot.
$ sudo firezone-ctl reconfigure
$ sudo firezone-ctl restart
# This will print out a random password for firezone@localhost
$ sudo firezone-ctl create-or-reset-admin

Access via the public IP - https://ip-of-server
Email: firezone@localhost
Password: randomly generated by the script
Docker Install - Fails currently
# Github issue opened - https://github.com/firezone/firezone/issues/1079
# Install Docker and the Docker Compose Plugin first (see the Docker docs)
$ bash <(curl -fsSL https://github.com/firezone/firezone/raw/master/scripts/install.sh)
# Make sure to add an Egress Rule for your VPN users > Login > Rules > Set parameters > Add
# Make sure that you allow inbound traffic 51820/udp (Security Group on AWS)
$ sudo ufw disable
$ sudo apt install nftables
# Review the downloaded ruleset before loading it; note that >> appends to any existing /etc/nftables.conf
$ sudo su -c "curl 'https://raw.githubusercontent.com/decyphertek-io/configs/main/nftables.conf' >> /etc/nftables.conf"
$ sudo systemctl enable nftables
$ sudo systemctl start nftables
$ sudo systemctl status nftables
$ sudo firezone-ctl restart phoenix
Ports and protocols
* Nginx 443/tcp - all - Public HTTPS port for administering Firezone and facilitating authentication.
* Nginx 80/tcp - all - Public HTTP port used for ACME. Disabled when ACME is disabled.
* WireGuard 51820/udp - all - Public WireGuard port used for VPN sessions.
* Postgresql 15432/tcp - 127.0.0.1 - Local-only port used for the bundled Postgresql server.
* Phoenix 13000/tcp - 127.0.0.1 - Local-only port used by the upstream Elixir app server.
Note: For production deployments of Firezone, we recommend you disable local authentication altogether by setting default['firezone']['authentication']['local']['enabled'] = false (Omnibus-based deployments) or LOCAL_AUTH_ENABLED=false (Docker-based deployments).
* Please make sure to promote a non-local user as admin first, so you can still log in.
$ sudo vim /etc/firezone/firezone.rb
OR:
# You can delete the firezone@localhost user as long as you promote another user as admin.
# Except that the following command - sudo firezone-ctl create-or-reset-admin - can regenerate a local login.
# This is why, to prevent the local admin from being recreated, you should disable local authentication as stated above.
Adding Users / VPN EX:
Login > Users > Add user > set email & password > Add device > Download config or get QR code
Client Instructions - https://docs.firezone.dev/user-guides/client-instructions/
Wireguard - https://www.wireguard.com/install/#installation
# Linux Example - Client side
$ sudo apt install wireguard
$ sudo nmcli connection import type wireguard file /path/to/configuration.conf
# Connect
$ nmcli connection up [vpn name]
# Disconnect
$ nmcli connection down [vpn name]
# Autoconnect
$ nmcli connection modify [vpn name] connection.autoconnect yes
# Disable autoconnect
$ nmcli connection modify [vpn name] connection.autoconnect no
# Android Example - WireGuard App
Download - https://play.google.com/store/apps/details?id=com.wireguard.android&gl=US
Create user > Add device > make sure to name the tunnel > Scan QR code > Reference tunnel > Login > Confirm by browsing to a "what is my IP" site.
Login > Account > Add MFA > Scan QR code with MFA APP
# Make sure to add an Egress Rule for your VPN users > Login > Rules > Set parameters > Add
# Make sure that you allow inbound traffic 51820/udp
$ sudo firezone-ctl help
$ sudo firezone-ctl tail
# UFW Firewall - VPN traffic not passing
$ sudo less /var/log/ufw* | grep 'BLOCK'
# Confirm by temporarily disabling the host firewall
$ sudo ufw disable
# Use nftables instead
$ sudo systemctl status nftables
###CAUTION!!!###
# Please be aware: if you stop your instance and relaunch it, this may require a server reconfiguration and may void VPN connections.
# This is due to the public IP changing; the server configuration and tunnels are directly tied to that. Please be aware.
# Production environments can use an elastic IP and associate a domain name, which avoids this issue.
# To test this, run reconfigure and restart, then create a new tunnel to see if this resolves the issue.
$ sudo firezone-ctl reconfigure
$ sudo firezone-ctl restart
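The `grep 'BLOCK'` step above tells you that UFW is dropping something, but not whether it is WireGuard traffic or which peers are affected. The script below is an added example (not from the page or the Firezone project) that parses UFW `[UFW BLOCK]` kernel log lines and counts blocked UDP packets to the WireGuard port per source address. The log lines in `sample_ufw_log` are constructed; the function names and the default port of 51820 (the page's WireGuard port) are assumptions.

```shell
#!/bin/sh
# Added example: triage UFW BLOCK entries for WireGuard traffic.
# Usage: ufw_blocked_vpn /var/log/ufw.log [port]
# Output: one line per source, "SRC count", sorted by source.

ufw_blocked_vpn() {
    port="${2:-51820}"   # WireGuard port from the page's port table
    grep 'UFW BLOCK' "$1" | awk -v p="$port" '
        {
            proto = ""; dpt = ""; src = ""
            # Each field is KEY=VALUE; pick out the three we need.
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
                else if (kv[1] == "SRC") src = kv[2]
            }
            # Only count UDP datagrams destined for the WireGuard port.
            if (proto == "UDP" && dpt == p) cnt[src]++
        }
        END { for (s in cnt) printf "%s %d\n", s, cnt[s] }' | sort
}

# Constructed sample log (not real captured data): three blocked WireGuard
# handshakes from two clients, one blocked SSH attempt, one allowed packet.
sample_ufw_log() {
    cat <<'EOF'
Mar  4 10:12:01 vpn kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:aa:bb:cc:02:00:00:dd:ee:ff:08:00 SRC=198.51.100.7 DST=10.0.0.5 LEN=176 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=41234 DPT=51820 LEN=156
Mar  4 10:12:06 vpn kernel: [ 1239.567890] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:aa:bb:cc:02:00:00:dd:ee:ff:08:00 SRC=198.51.100.7 DST=10.0.0.5 LEN=176 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=41234 DPT=51820 LEN=156
Mar  4 10:12:09 vpn kernel: [ 1242.567890] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:aa:bb:cc:02:00:00:dd:ee:ff:08:00 SRC=203.0.113.9 DST=10.0.0.5 LEN=176 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=51820 DPT=51820 LEN=156
Mar  4 10:12:11 vpn kernel: [ 1244.567890] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:aa:bb:cc:02:00:00:dd:ee:ff:08:00 SRC=192.0.2.33 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=55555 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  4 10:12:15 vpn kernel: [ 1248.567890] [UFW ALLOW] IN=eth0 OUT= MAC=02:00:00:aa:bb:cc:02:00:00:dd:ee:ff:08:00 SRC=198.51.100.7 DST=10.0.0.5 LEN=176 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=41234 DPT=51820 LEN=156
EOF
}

# Stand-alone run against the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    sample_ufw_log > "$tmp"
    ufw_blocked_vpn "$tmp"
    rm -f "$tmp"
fi
```

If the output lists your clients' public addresses, the host firewall is the problem and the page's next step (disable UFW and move to nftables) applies; if it lists nothing while clients still cannot connect, look at the network-level firewall (the AWS Security Group) instead.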
# Once all VPN tunnels have been configured, you can restrict inbound traffic to only port 51820/udp via
# the AWS Security Group or another network-based firewall. If you need SSH or console access, allow those temporarily.
# This secures the VPN server: WireGuard does not answer unauthenticated packets, so an Nmap scan returns no open ports.
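The page's nftables step pulls a ready-made `nftables.conf` from the author's repo, and the paragraph above describes the locked-down end state (only 51820/udp reachable from outside). As an added example that is not the page's or Firezone's own ruleset, the shell function below generates a minimal nftables configuration for a Firezone host in either phase: `setup` keeps 80/tcp and 443/tcp open as in the port table above, `locked` exposes only WireGuard and reaches the admin UI through the tunnel. Interface names, the admin CIDR, the SSH port and the function names are assumptions; the ports come from the page.

```shell
#!/bin/sh
# Added example: generate /etc/nftables.conf for a Firezone/WireGuard host.
# Usage: gen_fz_nft <wan-iface> <wg-iface> <admin-cidr> [setup|locked] [ssh-port]
#   gen_fz_nft eth0 wg0 203.0.113.0/24 setup > /etc/nftables.conf
# iifname/oifname are used (not iif/oif) because the wg interface does not
# exist yet when nftables loads at boot; Firezone creates it afterwards.

gen_fz_nft() {
    wan="$1"; wg="$2"; admin="$3"; mode="${4:-setup}"; ssh="${5:-22}"
    if [ "$mode" = "locked" ]; then
        # Locked phase (page's final step): nothing but WireGuard from the Internet.
        web_rules='        # locked: admin UI only reachable through the tunnel (rule below)'
    else
        # Setup phase: public HTTPS admin UI and HTTP for ACME, as in the port table.
        web_rules='        tcp dport { 80, 443 } accept'
    fi
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # WireGuard sessions from anywhere
        udp dport 51820 accept
$web_rules
        # SSH only from the admin network; drop this rule when console access is enough
        ip saddr $admin tcp dport $ssh accept
        # VPN clients may reach the admin UI over the tunnel
        iifname "$wg" tcp dport 443 accept
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Egress for VPN clients: tunnel -> WAN only, never back into the tunnel
        iifname "$wg" oifname "$wan" accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$wan" masquerade
    }
}
EOF
}

# Syntax-check a generated file without loading it (needs nft installed).
check_fz_nft() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}

# Stand-alone run: print the setup-phase ruleset for eth0/wg0.
if [ "${1:-}" = "--demo" ]; then
    gen_fz_nft eth0 wg0 203.0.113.0/24 setup
fi
```

Load it with `sudo nft -f /etc/nftables.conf` after `check_fz_nft`, then `sudo firezone-ctl restart phoenix` as the page does so Firezone re-adds its own egress rules on top; `flush ruleset` wipes them on every reload. IPv4 forwarding must be enabled (`sysctl net.ipv4.ip_forward`) for the forward chain to matter, and the example masquerades IPv4 only.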
https://www.firezone.dev/
https://docs.firezone.dev/
https://kalilinuxtutorials.com/firezone/
https://docs.firezone.dev/user-guides/client-instructions/