# Firezone — Self-Hosted WireGuard VPN with Zero Trust Access

> A self-hosted secure access platform built on WireGuard that provides zero-trust network access with identity-based policies and a web management portal.

## Quick Use

Installs a Gateway as a systemd service on a Linux host. The installer is Firezone's own script and expects a Gateway token, issued from the admin portal, in the `FIREZONE_TOKEN` environment variable; the variable has to be set on the `bash` process, not on `curl`. Download and read the script before executing it rather than running whatever the URL serves on a given day.

```bash
# Review the script first; then run it with the Gateway token issued by the admin portal
FIREZONE_TOKEN="<gateway-token>" bash <(curl -fsSL https://raw.githubusercontent.com/firezone/firezone/main/scripts/gateway-systemd-install.sh)
```

## Introduction

Firezone is a self-hosted secure access platform that replaces traditional VPNs with a zero-trust network access model. Built on WireGuard, it provides identity-aware access to internal resources with per-resource policies, split tunneling, and a web-based admin portal for managing users, resources, and gateways.

## What Firezone Does

- Provides WireGuard-based encrypted tunnels with automatic key management
- Enforces per-resource access policies based on the user's group membership, with optional conditions on the connecting client
- Supports split tunneling so only traffic for defined resources is routed through a gateway
- Offers native clients for Linux, macOS, Windows, iOS, and Android
- Manages multiple gateways per site for geographic distribution and high availability

## Architecture Overview

Firezone consists of a control plane (the admin portal and API, written in Elixir/Phoenix) that handles authentication, policy management, and gateway coordination, plus lightweight Gateway nodes (written in Rust) that terminate WireGuard tunnels on the networks they expose. Gateways are grouped into Sites, and each Resource is assigned to a Site. When a client requests a Resource, the control plane checks the request against policy and, if it is allowed, brokers a WireGuard session between the client and a healthy Gateway in that Resource's Site; DNS Resources are resolved on the Gateway side, so the client never needs direct access to internal DNS. The control plane stores configuration in PostgreSQL and authenticates users through OIDC providers.
## Self-Hosting & Configuration

- Deploy the control plane via Docker Compose with PostgreSQL
- Install gateway nodes on each network segment you want to expose
- Integrate with any OIDC provider (Google Workspace, Okta, Microsoft Entra ID (formerly Azure AD), Keycloak)
- Define resources by DNS name, single IP address, or CIDR block
- Configure access policies per group, with optional conditions on the connecting client

## Key Features

- Zero-trust model: no implicit network access; every resource requires an explicit policy, and anything without one is denied
- NAT traversal: clients and gateways connect through firewalls without port forwarding
- Load balancing: multiple gateways per site for redundancy and performance
- DNS-based routing: resources are accessed by name, not IP address
- Audit logging: visibility into who accessed which resource and when

## Comparison with Similar Tools

- **Tailscale** — hosted control plane with a peer-to-peer mesh data plane; Firezone can be fully self-hosted and routes through gateways with per-resource policies
- **Headscale** — self-hosted Tailscale control server; Firezone pairs resource-level access control with a web admin portal and a gateway-routed design
- **NetBird** — peer-to-peer mesh; Firezone uses a gateway-routed architecture
- **OpenVPN** — legacy protocol with complex config; Firezone uses WireGuard
- **Pritunl** — OpenVPN-centric; Firezone is lighter and uses WireGuard for performance

## FAQ

**Q: Does Firezone require opening inbound ports?**
A: No. Gateways and clients both initiate outbound connections to the control plane and, for NAT traversal, to STUN/TURN relays; WireGuard tunnels are hole-punched directly where possible and fall back to a relay otherwise. A gateway binds a local UDP socket for WireGuard, but that socket does not need to be reachable from the internet. Gateways do still need outbound UDP and outbound HTTPS/WebSocket connectivity.

**Q: Can I use Firezone alongside my existing VPN?**
A: Yes. Split tunneling means Firezone only handles traffic to defined resources and leaves other traffic alone. Overlapping routes or DNS search domains between the two clients are the usual source of trouble, so keep Firezone resources disjoint from the routes pushed by the other VPN.

**Q: What identity providers are supported?**
A: Any OIDC-compliant provider, including Google Workspace, Okta, Microsoft Entra ID, and self-hosted Keycloak.

**Q: Is there a limit on connected clients?**
A: No artificial client limits in the self-hosted edition. Capacity scales with gateway resources.
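The resource and policy model from the Self-Hosting and Key Features sections, as an added example that is not Firezone's own code: resources defined by DNS name (with wildcard), single IP, or CIDR; policies that grant one identity group access to one resource, optionally limited to client source ranges; and default deny for every flow with no matching policy. All users, groups, hostnames and addresses are constructed sample data, and the fnmatch-style wildcard matching and the source-range condition are illustrative assumptions, not Firezone's exact semantics.

```python
"""
Added example (not Firezone's code): a small model of zero-trust policy
evaluation over resources defined by DNS name, IP, or CIDR.
All sample data below is constructed; wildcard semantics are fnmatch-style,
an assumption rather than Firezone's exact matching rules.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _as_ip(value: str) -> Optional[IPAddr]:
    """Parse an IP literal; return None for hostnames or malformed input."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


@dataclass(frozen=True)
class Resource:
    name: str      # label shown in the admin portal
    address: str   # "*.corp.example", "10.20.1.5" or "10.20.0.0/24"

    def matches(self, destination: str) -> bool:
        """True if destination (hostname or IP literal) falls under this resource."""
        dest_ip = _as_ip(destination)
        if "/" in self.address:                      # CIDR resource
            net = ipaddress.ip_network(self.address, strict=False)
            return dest_ip is not None and dest_ip in net
        res_ip = _as_ip(self.address)
        if res_ip is not None:                       # single-IP resource
            return dest_ip == res_ip
        # DNS resource: exact or wildcard match; "*.corp.example" does not cover the apex
        return dest_ip is None and fnmatchcase(destination.lower(), self.address.lower())


@dataclass(frozen=True)
class Policy:
    group: str
    resource: Resource
    source_cidrs: tuple = ()   # condition: empty means any client source address


@dataclass(frozen=True)
class Client:
    user: str
    groups: frozenset
    source_ip: str


def evaluate(policies, client: Client, destination: str) -> Optional[Policy]:
    """Return the first policy authorizing client -> destination, or None (default deny)."""
    src = ipaddress.ip_address(client.source_ip)
    for policy in policies:
        if policy.group not in client.groups:
            continue                                 # identity check first: no group, no access
        if not policy.resource.matches(destination):
            continue
        if policy.source_cidrs and not any(
            src in ipaddress.ip_network(c, strict=False) for c in policy.source_cidrs
        ):
            continue                                 # condition unmet: as if no policy existed
        return policy
    return None


def is_allowed(policies, client: Client, destination: str) -> bool:
    return evaluate(policies, client, destination) is not None


# Constructed sample inventory: one site, four resources, three policies.
RESOURCES = {
    "gitlab":   Resource("GitLab", "gitlab.corp.example"),
    "intranet": Resource("Internal web", "*.corp.example"),
    "db-net":   Resource("Database subnet", "10.20.0.0/24"),
    "bastion":  Resource("Bastion host", "10.20.1.5"),
}
POLICIES = (
    Policy("engineering", RESOURCES["intranet"]),
    Policy("dba", RESOURCES["db-net"], source_cidrs=("203.0.113.0/24",)),  # office egress only
    Policy("ops", RESOURCES["bastion"]),
)
CLIENTS = {
    "alice": Client("alice@corp.example", frozenset({"engineering"}), "198.51.100.7"),
    "bob":   Client("bob@corp.example", frozenset({"dba", "ops"}), "203.0.113.9"),
    "carol": Client("carol@corp.example", frozenset({"dba"}), "198.51.100.20"),
    "dave":  Client("dave@contractor.example", frozenset(), "198.51.100.30"),
}


def decisions() -> dict:
    """Evaluate a fixed set of flows; returns {(client, destination): allowed}."""
    flows = [
        ("alice", "gitlab.corp.example"),   # wildcard DNS resource via engineering
        ("alice", "corp.example"),          # apex not covered by *.corp.example
        ("alice", "10.20.0.8"),             # engineering has no policy on the DB subnet
        ("bob", "10.20.0.8"),               # dba from the allowed source range
        ("bob", "10.20.1.5"),               # ops -> bastion by IP
        ("carol", "10.20.0.8"),             # dba, but source condition fails
        ("dave", "gitlab.corp.example"),    # no groups: default deny
    ]
    return {(who, dest): is_allowed(POLICIES, CLIENTS[who], dest) for who, dest in flows}


if __name__ == "__main__":
    for (who, dest), allowed in decisions().items():
        print(f"{who:6} -> {dest:22} {'ALLOW' if allowed else 'DENY'}")
```

The point the model makes is ordering: identity is checked before the resource, a failed condition is treated exactly like a missing policy, and there is no fall-through allow. Carol is in the right group and hits the right resource but is denied because her source address is outside the policy's condition; Dave, with no groups, is denied without any resource lookup at all.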
## Sources

- https://github.com/firezone/firezone
- https://www.firezone.dev/docs

---

Source: https://tokrepo.com/en/workflows/asset-2abdf176
Author: AI Open Source