Configs · May 5, 2026 · 3 min read

Firezone — Self-Hosted WireGuard VPN with Zero Trust Access

A self-hosted secure access platform built on WireGuard that provides zero-trust network access with identity-based policies and a web management portal.

Introduction

Firezone is a self-hosted secure access platform that replaces traditional VPNs with a zero-trust network access model. Built on WireGuard, it provides identity-aware access to internal resources with per-resource policies, split tunneling, and a web-based admin portal for managing users and gateways.

What Firezone Does

  • Provides WireGuard-based encrypted tunnels with automatic key management
  • Enforces per-resource access policies based on user identity and device posture
  • Supports split tunneling so only relevant traffic routes through the gateway
  • Offers native clients for Linux, macOS, Windows, iOS, and Android
  • Manages multiple gateways for geographic distribution and high availability

Architecture Overview

Firezone consists of a control plane (Elixir/Phoenix) that handles authentication, policy management, and gateway coordination, plus lightweight gateway nodes that terminate WireGuard connections. Resources are resolved by name, and each client is steered to the nearest gateway that serves the requested resource. The control plane stores configuration in PostgreSQL and authenticates users via OIDC providers.

Self-Hosting & Configuration

  • Deploy the control plane via Docker Compose with PostgreSQL
  • Install gateway nodes on each network segment you want to expose
  • Integrate with any OIDC provider (Google, Okta, Azure AD, Keycloak)
  • Define resources by DNS name, IP range, or CIDR block
  • Configure access policies per group, user, or device attributes

Key Features

  • Zero-trust model: no implicit network access; every resource requires explicit policy
  • NAT traversal: clients and gateways connect through firewalls without port forwarding
  • Load balancing: multiple gateways per site for redundancy and performance
  • DNS-based routing: resources are accessed by name, not IP address
  • Audit logging: full visibility into who accessed what and when
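The resource and policy model described in the Self-Hosting and Key Features sections above, as an added example that is not Firezone's own code: resources are defined by DNS name, single IP or CIDR block, policies grant a group access to one resource (optionally gated on a device attribute), every access is denied unless a policy explicitly allows it, and traffic to anything that is not a defined resource stays off the tunnel (split tunneling). All names, addresses and attribute keys below are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Resource:
    name: str
    address: str  # DNS name, single IP address, or CIDR block

    def matches(self, destination: str) -> bool:
        try:
            dst = ipaddress.ip_address(destination)
        except ValueError:
            # destination is a hostname: only an exact DNS-name match counts
            return destination.lower() == self.address.lower()
        try:
            # covers both single IPs (treated as /32) and CIDR blocks
            return dst in ipaddress.ip_network(self.address, strict=False)
        except ValueError:
            return False  # resource is a DNS name, destination is an IP


@dataclass
class Policy:
    group: str
    resource: str
    require: dict = field(default_factory=dict)  # required device attributes


def decide(groups, device, destination, resources, policies):
    """Return 'direct' (split tunnel: not a defined resource), 'gateway'
    (a policy explicitly allows this user/device), or 'deny' (default)."""
    matched = [r for r in resources if r.matches(destination)]
    if not matched:
        return "direct"
    for r in matched:
        for p in policies:
            if p.resource == r.name and p.group in groups and all(
                device.get(k) == v for k, v in p.require.items()
            ):
                return "gateway"
    return "deny"  # resource exists but no policy grants access


# constructed sample inventory
RESOURCES = [
    Resource("gitlab", "gitlab.corp.internal"),
    Resource("db-subnet", "10.20.0.0/24"),
    Resource("bastion", "10.30.0.5"),  # defined, but no policy below
]
POLICIES = [
    Policy("engineering", "gitlab"),
    Policy("dba", "db-subnet", {"disk_encrypted": True}),
]
```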

Comparison with Similar Tools

  • Tailscale — SaaS mesh VPN; Firezone is fully self-hosted with resource-level policies
  • Headscale — self-hosted Tailscale control server; Firezone adds per-resource access control
  • NetBird — peer-to-peer mesh; Firezone uses gateway-routed architecture
  • OpenVPN — legacy protocol with complex config; Firezone uses modern WireGuard
  • Pritunl — OpenVPN-based; Firezone is lighter and uses WireGuard for performance

FAQ

Q: Does Firezone require opening inbound ports? A: Gateways need one UDP port for WireGuard. Clients use NAT traversal and need no open ports.

Q: Can I use Firezone alongside my existing VPN? A: Yes, split tunneling ensures Firezone only handles traffic to defined resources, leaving other traffic unaffected.

Q: What identity providers are supported? A: Any OIDC-compliant provider including Google Workspace, Okta, Azure AD, and self-hosted Keycloak.

Q: Is there a limit on connected clients? A: No artificial client limits in the self-hosted edition. Capacity scales with gateway resources.
