Firezone is packaged with Chef Omnibus, so the only dependencies are a recent Linux kernel (4.19+) and the WireGuard module. The Web UI is built with Elixir/Phoenix (I’m a recovering full-stack Rails engineer) and runs as an unprivileged user. The Web UI communicates with two other Elixir applications that manage the WireGuard configuration and firewall configuration respectively. I built it this way to allow potentially decoupling the Web UI, VPN, and firewall hosts at some point in the future, but for now Firezone assumes they’re all running on the same host. The firewall application is essentially a frontend to nftables and currently functions as a simple egress firewall to block outbound traffic to specific hosts/CIDRs (in your private network or elsewhere).
In the near term I’m planning to polish it up a bit and add more security features. Longer-term, I’d like to add things like DNS-based ad blocking, IP blocklist support, LDAP / SSO authentication, and more user management features.
I wanted to show it here and see what HN thinks. Hope you find it useful!
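To make the "frontend to nftables" idea in the post concrete, here is an added example (not Firezone's own code) that takes a user-supplied list of hosts/CIDRs, validates every entry with the standard `ipaddress` module, and emits an idempotent nftables script that drops egress to those destinations from the WireGuard interface while letting everything else through. The table name `firezone_egress`, the set names, the interface name `wg-firezone` and all function names are assumptions; the blocklist at the bottom is constructed sample input. The script is only generated, never applied, so the block runs without `nft` installed; in a split design like the one described, an unprivileged UI component would produce this text and only the privileged firewall component would feed it to `nft -f`.

```python
"""Generate an nftables egress-deny ruleset from a list of hosts/CIDRs.

Added illustration, not Firezone's code. Names below are assumed.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

TABLE = "firezone_egress"                     # assumed table name
IFACE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")  # Linux ifname limit is 15 chars


def parse_destinations(raw: Iterable[str]) -> Tuple[List[ipaddress.IPv4Network],
                                                    List[ipaddress.IPv6Network]]:
    """Validate every entry before it can reach a privileged `nft -f` call.

    ip_network() raises ValueError on anything that is not a bare address or
    CIDR, so arbitrary text never gets spliced into the ruleset. Blank lines
    and '#' comments are skipped; a bare host becomes a /32 or /128.
    """
    v4, v6 = [], []
    for item in raw:
        item = item.strip()
        if not item or item.startswith("#"):
            continue
        net = ipaddress.ip_network(item, strict=False)
        (v4 if net.version == 4 else v6).append(net)
    return v4, v6


def _set_block(name: str, addr_type: str, nets) -> List[str]:
    """Render one nft named set; an empty `elements = { }` is invalid, so omit it."""
    lines = [f"  set {name} {{", f"    type {addr_type}", "    flags interval"]
    if nets:
        lines.append("    elements = { " + ", ".join(n.with_prefixlen for n in nets) + " }")
    lines.append("  }")
    return lines


def build_ruleset(raw: Iterable[str], iface: str = "wg-firezone") -> str:
    """Return an nft script: drop forwarded traffic from `iface` to the
    blocked sets, accept everything else. Re-applying is safe because the
    table is created (no-op if present) and then deleted before redefinition.
    """
    if not IFACE_RE.match(iface):
        raise ValueError(f"invalid interface name: {iface!r}")
    v4, v6 = parse_destinations(raw)
    lines = [
        f"table inet {TABLE}",
        f"delete table inet {TABLE}",
        f"table inet {TABLE} {{",
        *_set_block("blocked_v4", "ipv4_addr", v4),
        *_set_block("blocked_v6", "ipv6_addr", v6),
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f'    iifname "{iface}" ip daddr @blocked_v4 counter drop',
        f'    iifname "{iface}" ip6 daddr @blocked_v6 counter drop',
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


def is_blocked(dest: str, raw: Iterable[str]) -> bool:
    """Offline check of what the generated ruleset would do to `dest`."""
    addr = ipaddress.ip_address(dest)
    v4, v6 = parse_destinations(raw)
    return any(addr in net for net in (v4 if addr.version == 4 else v6))


# Constructed sample blocklist, not from the project.
BLOCKLIST = [
    "# private range plus one host and one documentation v6 prefix",
    "10.0.0.0/8",
    "192.168.1.10",
    "2001:db8::/32",
]

if __name__ == "__main__":
    print(build_ruleset(BLOCKLIST))
```

Applying the output with `nft -f` is left to the privileged component; the point of validating with `ipaddress` and whitelisting the interface name is that the only strings which ever reach the ruleset are ones the generator itself formatted.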