Show HN: Firezone, an open-source WireGuard-based alternative to OpenVPN AS (github.com/firezone)
183 points by jamilbk on Sept 29, 2021 | hide | past | favorite | 35 comments
I created Firezone to make it easier to host and manage your own WireGuard VPN server. While working at Cisco as a security automation engineer I experienced a lot of unnecessary pain managing secure network-level access into our cloud VPCs. I tried OpenVPN Access Server but I personally feel that security software should be open source to be validated (and improved) by the community. I discovered WireGuard and quickly fell in love with it, but soon found managing the peer configs to be a bit tedious and error-prone. So I built some convenience functionality on top, added a simple Web UI, and open sourced it.

Firezone is packaged with Chef Omnibus so the only dependencies are a recent Linux kernel (4.19+) and the WireGuard module. The Web UI is built with Elixir/Phoenix (I’m a recovering full-stack Rails engineer) and runs as an unprivileged user. The Web UI communicates with two other Elixir applications that manage the WireGuard configuration and firewall configuration respectively. I built it this way to allow potentially decoupling the Web UI, VPN, and firewall hosts at some point in the future, but for now Firezone assumes they’re all running on the same host. The firewall application is essentially a frontend to nftables and currently functions as a simple egress firewall to block outbound traffic to specific hosts/CIDRs (in your private network or elsewhere).

In the near term I’m planning to polish it up a bit and add more security features. Longer-term I’d like to add things like DNS-based ad blocking, IP blocklist support, LDAP / SSO authentication, and more user management features.

I wanted to show it here and see what HN thinks. Hope you find it useful!




I have a singular request - so WireGuard is unusable in any high-security environments with compliance requirements - because it doesn't support any 2-factor auth out of the box.

We get rejected on stuff like PCI-DSS because the standards mandate 2-FA. I am not a security expert and wouldn't know about the pros and cons here. But the fact remains that most high-sec compliance needs 2-FA.

We have filed tickets on WireGuard and they have always been rejected - things like epass2003, FIDO keys, etc. We have requested it from the most popular WireGuard self-setup - Algo - but have also been rejected.

Of all the open source software here, only Pritunl comes somewhat close by layering Google Auth - https://docs.pritunl.com/docs/google . But Pritunl doesn't let you set up Google Auth as a second factor, and it's generally tricky to config.

If you can have a simple 2-FA - even something as simple as getting a Google Auth login link while connecting, as a second factor - that would make the killer feature here. As of right now, Tailscale is the only closed source solution that works.


This is great feedback! You're not the first person to request 2FA. See this issue for discussion: https://github.com/firezone/firezone/issues/259

I'm planning to add functionality that will make it possible to require multi-factor auth before allowing the user access to "restricted" firewall zones. Kind of like a captive portal.

Would something like that solve your problem?


Hi - just posted on the bug itself. I'm not sure what firewall zones are... but generally we need 2-FA to basically connect to a WireGuard VPN.

I mean it's a pretty straightforward use case - but it doesn't work on any other WireGuard system. And it would be a killer feature!


It's not WireGuard's job to do user management or end-user authentication; it's deliberately designed to make that stuff easy to layer on top. You're unlikely to get much traction with the WireGuard project directly, but not unlikely to get it from a project like this (or, for that matter, from Tailscale, which does 2FA authentication for WireGuard by connecting to IdPs).


I'm not denying that, and I apologise if it came off a bit whiny. I meant that since WireGuard is not the place to do it, it would be great to get it in a higher-order tool.


Not at all! I'm sorry if I sounded snippy. It's a common misconception people have about the role of WireGuard!


WireGuard isn't designed or set up to do that kind of authentication; it's basically the encryption and networking part of OpenVPN with none of the other fluff. You tell it where to connect to with what key and how to deal with basic IP stuff, and the rest is up to you.

To do what you'd require with 2FA, someone would need to write a front end for WireGuard that either reconfigures the public key for a session or uses one encrypted tunnel to connect, execute 2FA and then another to do the real connection part.

That quickly turns a simple VPN protocol into a complex management system for IP addresses and secrets, so it probably won't ever be part of any standard WireGuard tooling. I can see the business use case here, but as long as no business is willing to write such a tool and open source it, I don't think we'll see anything in this area soon.


Understood. I was just qualifying the request so that Firezone can add it.

Quick question however - is there a plan to add any bindings to WireGuard to make this stuff easier to do? I might be wrong, but it seems from a few comments on these bugs that it is quite tricky to get WireGuard core to read from OpenSC encrypted storage, etc. I think there was an attempt to make a Python library for this... but it was given up.

WireGuard is definitely the most exciting tool in enterprise security, but it's a bit hard to make it work with the existing ecosystem of tooling out there.


Headscale is an open-source Tailscale server. You could probably add 2FA to Headscale quite easily.


Hi - yes, I'm aware of Headscale. It doesn't have 2-FA right now.

Pritunl is the only solution that (partially) works. Other than that, basically the entire WireGuard ecosystem is non-2FA, non-SSO compliant.

Not sure why. There is definitely demand. Maybe it's quite hard to actually make it work in this way.


> I have a singular request - so WireGuard is unusable in any high-security environments with compliance requirements - because it doesn't support any 2-factor auth out of the box.

> We get rejected on stuff like PCI-DSS because the standards mandate 2-FA. I am not a security expert and wouldn't know about the pros and cons here. But the fact remains that most high-sec compliance needs 2-FA.

This is absolutely nuts. Why would 2FA be enforced at the network edge instead of on individual services?

What a completely suicidal security model.


> This is absolutely nuts.

You have never worked in regulated industries, have you?


Alternatively, check out wg-easy, which comes with a beautiful management interface.

https://github.com/weejewel/wg-easy


I use this one too. I had to modify it to make it work behind nginx and without docker but otherwise it's working well.


Ooh! If there's not already a port for Raspberry Pi OS, this might be a fun project for the weekend.


That sounds fun. I was hoping to get around to supporting Raspbian soon. Feel free to open an issue on GitHub if you get stuck or need help! I'm interested to hear how it goes.

Some tips to get you started:

1. Where it's built:

https://github.com/firezone/firezone/blob/master/.github/wor...

2. You'll likely need the following Debian packages installed:

  dpkg-dev ntp zlib1g-dev libssl-dev openssl bzip2 procps rsync ca-certificates build-essential git gnupg curl unzip locales net-tools systemd

3. I build Firezone inside Vagrant VMs using the `vagrant` user, so you'll probably want to adjust for your local user.

4. I use asdf to manage language runtimes: https://asdf-vm.com


Is it using the firewall to block egress traffic? Or ingress?


Right now it's just an egress firewall. It bundles the "nft" userspace utility and creates its own isolated nftables table to block traffic in the forward chain. See here for details:

https://github.com/firezone/firezone/blob/master/apps/fz_wal...

It wouldn't be too hard to add functionality to block ingress traffic as well, though. Is that something you'd find useful?


Can I ask -- what's the idea behind the egress firewall? Is it to make sure that all of the wireguard traffic is destined for the local network and not the internet at large?


Yeah that was one motivation behind it -- to provide some rudimentary controls to filter outbound traffic through the VPN server.

The egress firewall will also be useful for upcoming 2FA features -- we can block traffic destined to the Internet until the user authenticates through the web portal (in addition to having the WireGuard config on their device).

For now the egress firewall is more of just an MVP feature though :-)
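The isolated nftables table described in the two replies above (a dedicated table whose forward-hook chain filters traffic from VPN peers, plus a per-peer "authenticated" set for the planned portal gating), written out as an added example; this is not Firezone's own ruleset, and the interface name `wg-firezone`, the table and set names and every address in it are assumed or constructed.

```nft
# Added example, not Firezone's ruleset. Load with: nft -f firezone_example.nft
# Everything lives in its own table, so the host's other nftables tables are untouched.
table inet firezone_example {
    # Peer tunnel addresses that have completed the web-portal login (constructed).
    # A management process would maintain this set at runtime with, e.g.:
    #   nft add element inet firezone_example authenticated { 10.3.2.5 }
    #   nft delete element inet firezone_example authenticated { 10.3.2.5 }
    set authenticated {
        type ipv4_addr
        elements = { 10.3.2.5 }
    }

    # Hosts/CIDRs that no peer may reach, authenticated or not (constructed).
    set blocked_dst {
        type ipv4_addr
        flags interval
        elements = { 10.10.0.0/16, 192.168.50.7 }
    }

    # RFC 1918 space: what an unauthenticated peer is still allowed to reach.
    set private_nets {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }

    # Forward hook only: packets addressed to the VPN host itself (the web portal)
    # take the input hook instead, so the login page is never blocked here.
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Only traffic arriving from the WireGuard interface is evaluated.
        iifname != "wg-firezone" accept

        # Rule 1: the block list applies to every peer; count and log the drops.
        ip daddr @blocked_dst counter log prefix "fz-egress-drop " drop

        # Rule 2: peers not yet authenticated may reach the private network only;
        # anything bound for the Internet is dropped until they log in.
        ip saddr != @authenticated ip daddr != @private_nets counter drop
    }
}
```

`nft list table inet firezone_example` shows the counters, which is the quickest way to confirm which rule a blocked peer is hitting.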


I see that you mentioned LDAP/SSO integration, do you have any plans for doing role mappings to egress filters. It would be super handy for the use case you mentioned as your inspiration for the product, connecting to VPCs. We've been looking at AWS Client VPN for this reason alone. This would let us control what peered VPCs a user was able to talk with, or even what subnets on specific VPCs they could access.


This is great feedback. We are discussing features that should satisfy this workflow in this issue: https://github.com/firezone/firezone/issues/259

It essentially boils down to having different firewall zones tied to user states (unauthenticated, authenticated, LDAP group, etc).


Nice! I see *BSD is not supported. Also, people running OPNsense may find there is already a web UI for it: https://docs.opnsense.org/plugins.html#vpn-connectivity


As someone who uses OPNsense a lot now, the community WG plugin is both a fairly minimal MVP and also for whatever reason WG on OPNsense has been a bit wonky. DNS for example sometimes just mysteriously stops working for a while, then with absolutely no changes starts working again even while IPs function normally. Haven't had time to try to dig into that yet but as well as speed I'm looking forward very much to WG in the FreeBSD kernel (and OPNsense's move to vanilla FreeBSD foundation as well) in the hopes it'll help eliminate a few extra moving parts.

I'm looking forward though to seeing more tooling developed on top of WG as was always intended, making it easier to plug into other user auth systems and to deploy it to non-technical end users. The QR code thing helps for example but I'd also like to see widespread support for options like autogenerating mobileconfigs [0] for Macs/iDevices and equivalents elsewhere, tying into MDM etc. To get maximum use it needs to get to the point of "install this profile, that's it" or just happen automagically for managed devices. More graphical visualization of what's going on and troubleshooting could help novices too. Such a great foundational tool but projects like this are exciting to see appear as well since they are important next steps.

----

0: https://github.com/WireGuard/wireguard-apple/blob/master/MOB...


That's funny -- I originally started building Firezone for OpenBSD but at that time wireguard-go was the only way to have WireGuard on *BSD so I decided to tackle Linux first.

Firezone is Docker-free and the firewall management application is designed modularly so that nftables can be swapped for another implementation without too much trouble.

There's no technical reason packages couldn't be built for Windows and macOS as well.


I have a feature request. Can you make this optionally integrate into Cockpit as a plugin? For those using Cockpit to remotely manage a machine this would be very nice.


Thanks for the feedback. Love the Cockpit project!

I opened this issue to investigate adding this as a Cockpit plugin: https://github.com/firezone/firezone/issues/264


Impressive work! A number of WireGuard solutions have popped up lately and I'm elated that the capability is becoming more widespread.


Can I run this in an LXC container? I’ve been having a hard time getting Wireguard to work under proxmox…


I'm investigating containerization support here: https://github.com/firezone/firezone/issues/260

The main hurdle to investigate is whether I can do egress filtering from inside a container and how hairy that would be to manage.


How does this compare to Tailscale (the WireGuard-based VPN+ with great / "easy" UX)?


Interesting project! Thanks

Trivial question I guess, but what is the difference between this and using a script to setup wg and `scp`ing keys in?


Minor quibble with the title: "open-source alternative to [something]" implies that [something] isn't open-source, but OpenVPN is. Is this actually an alternative to OpenVPN AS?


Yep, good point! It is. I explain more in my comment here: https://news.ycombinator.com/item?id=28683245

I'll edit the title to clarify. Thanks


Shameless plug:

I am a maintainer of subspace (https://github.com/subspacecommunity/subspace). My contributions were updating the SAML library (crewjam/saml), implementing prometheus support (which is still being reviewed) and some minor features.

My vision for the project is to evolve into a fully featured userspace VPN service that still relies on WireGuard for the network layer, but implementing useful features like key rotation, built-in horizontal scaling support, server-client configuration sync, automatic user de-provisioning based on the upstream Active Directory users manifest and an api/sdk for extended automation.

But before I can even get to the cool stuff, I need more peers just to review current pull requests and deal with the current issues, because as it is, I don't have quorum to do such (I mean without abusing administrator privileges). Without such, my option would be to fork or reimplement the service.

I think Firezone is an excellent effort, we need competition wherever possible and I think we can contribute with ideas, but with SAML/SSO already implemented, maybe subspace is already more suited to corporate environments.



