I created Firezone to make it easier to host and manage your own WireGuard VPN server. While working at Cisco as a security automation engineer I experienced a lot of unnecessary pain managing secure network-level access into our cloud VPCs. I tried OpenVPN Access Server but I personally feel that security software should be open source to be validated (and improved) by the community. I discovered WireGuard and quickly fell in love with it, but soon found managing the peer configs to be a bit tedious and error-prone. So I built some convenience functionality on top, added a simple Web UI, and open sourced it.
Firezone is packaged with Chef Omnibus so the only dependencies are a recent Linux kernel (4.19+) and the WireGuard module. The Web UI is built with Elixir/Phoenix (I’m a recovering full-stack Rails engineer) and runs as an unprivileged user. The Web UI communicates with two other Elixir applications that manage the WireGuard configuration and firewall configuration respectively. I built it this way to allow potentially decoupling the Web UI, VPN, and firewall hosts at some point in the future, but for now Firezone assumes they’re all running on the same host. The firewall application is essentially a frontend to nftables and currently functions as a simple egress firewall to block outbound traffic to specific hosts/CIDRs (in your private network or elsewhere).
In the near term I’m planning to polish it up a bit and add more security features. Longer-term I’d like to add things like DNS-based ad blocking, IP blocklist support, LDAP / SSO authentication, and more user management features.
I wanted to show it here and see what HN thinks. Hope you find it useful!
We get rejected on stuff like PCI-DSS because the standards mandate a 2-FA. I am not a security expert and wouldnt know about the pros and cons here. But the fact remains that most high-sec compliance needs 2-FA.
We have filed tickets on wireguard and it has always got rejected - things like epass2003, fido keys, etc. We have requested the most popular wireguard self-setup - Algo - but also have been rejected.
Of all the open source software here, only Pritunl comes somewhat close by layering google auth - https://docs.pritunl.com/docs/google . But Pritunl doesnt let u setup google auth as a second factor and its generally tricky to config.
If u can have a simple 2-FA - even something as simple as getting a google auth login link while connecting as second factor - that would make the killer feature here. As of right now, Tailscale is the only closed source solution that works.