Firezone: WireGuard-based VPN server and firewall


A self-managed WireGuard-based VPN server and Linux firewall designed for simplicity and security.


  • Fast: Uses WireGuard to be 3-4 times faster than OpenVPN.
  • No dependencies: All dependencies are bundled thanks to Chef Omnibus.
  • Simple: Takes minutes to set up. Manage via a simple CLI API.
  • Secure: Runs unprivileged. HTTPS enforced. Encrypted cookies.
  • Firewall included: Uses Linux nftables to block unwanted egress traffic.


Firezone is not:

  • An inbound firewall
  • A tool for creating mesh networks
  • A full-featured router
  • An IPSec or OpenVPN server

Deploying and Configuring

Firezone consists of a single distributable Linux package that you install and manage yourself. Management of the Firezone installation is handled by the firezone-ctl utility while management of the VPN and firewall themselves are handled by the Web UI.

Firezone acts as a frontend to both the WireGuard kernel module and the netfilter kernel subsystem. It creates a WireGuard interface (by default called wg-firezone) and firezone netfilter table and adds appropriate routes to the routing table. Other programs that modify the Linux routing table or netfilter firewall may interfere with Firezone’s operation.


Firezone requires a valid SSL certificate and a matching DNS record to run in production. We recommend using Let’s Encrypt to generate a free SSL cert for your domain.

Security Considerations

Firezone is beta software. We highly recommend limiting network access to the Web UI to prevent exposing it to the public Internet.

Install & Use

Copyright 2020 Engineering

Source: Penetration Testing

Leave a Reply