Firezone WireGuard Tutorial

Manage your WireGuard VPN easily with Firezone

I. Presentation

In the world of open source mobile VPNs, OpenVPN held the lion's share for many years. That was before Jason Donenfeld developed the WireGuard protocol, which offers better performance, a much smaller code base and simpler administration: what more could you ask for?

The protocol is therefore spreading fast; Free (the French ISP) has even built it directly into its latest generation of boxes.

That said, command-line configuration may put some people off, so to make creating and maintaining tunnels even easier, enthusiasts had the very good idea of packaging WireGuard with a web UI, turning it into user-friendly software that is usable right away.

They also added the option of using an OpenID Connect compatible SSO provider (Google or Azure AD, for example) and simpler management of nftables rules (beware: these apply to outbound traffic from the tunnel only!).

In this tutorial, we will therefore see how to install Firezone and create our VPN tunnels.

II. Installing Firezone

Firezone is available on GitHub and on its official site. It is compatible with many Linux distributions, so you will certainly find one that suits you. Installation takes a single line, as the developers provide a ready-to-use installation script.

For my part, I will do this installation on Ubuntu Server 22.04, but you can use any distribution from the supported list.

First, the prerequisites:

  • The developers advise starting with 1 vCPU and 1 GB of RAM, and increasing these resources according to the number of users.
  • If you deploy Firezone in production, you will need a DNS record and a TLS certificate; it is of course possible to obtain one from Let's Encrypt.
  • Finally, you will need to open port 443/TCP for the web UI and 51820/UDP for the tunnels.

Alright, now let's get to the installation. First, connect over SSH and take the opportunity to update the packages:

sudo apt update && sudo apt upgrade -y

Now that this is done, let's move on to the actual installation. The one-liner downloads the installation script and runs it as root, so if that bothers you, download the script first, read it, then run it:

sudo -E bash -c "$(curl -fsSL 

You may be asked:

WireGuard kernel module found, but not loaded. Load it now? (Y/n):

Of course, you should answer yes here.

Then come the customization questions:

  • Administrator email: enter the email address you want to use to log in to the instance
  • Whether you want to receive emails from the Firezone team

Then just press Enter to start the installation.

Note: check that you have a folder named "cron.hourly" in your "/etc" directory. If not, create it, because the installer will not and will show an error.

At the end of the installation, it shows you the machine's public address, your login and your password. Of course, you can also connect locally, which is what I did without any problem.

III. Configuring Firezone

Log in with your credentials (remember to write them down!) and you arrive on the solution's dashboard:

As you can see, the installer has already created a VPN user for us. It is immediately usable, but for the example we will create another one.

To do this, nothing could be simpler: just click the "Add User" button.

Create a Firezone profile

Fill in the information; be careful, the password must be at least 12 characters long!

Once the user has been created, you get a summary page. From here you can reset the user's password, deactivate the user, promote them to admin or delete them permanently. This makes user management much simpler and more intuitive!

However, you may have noticed a button for adding a device:

Devices make it possible to monitor in real time who is connected and with what. On the device creation page, we can give it a name and a description, but also specify the allowed addresses, DNS servers, etc. Note that the creation wizard takes the default Firezone settings, so here we can override them for one particular client.

For now, let's leave everything at the defaults and validate.

Note: the Firezone developers recommend letting the client generate their own configuration, so that the private key is displayed only to them. Users can therefore register their own device themselves by logging in to the interface.

Once validated, the private key is displayed, along with a QR code and the option to download the configuration file:

Configure Wireguard with Firezone

I display it here because I will not reuse this configuration, but it goes without saying that it is personal! Remember to save everything, because it will be impossible to display this page again!

There are then several options: if the user generated it themselves, they can simply scan the QR code with their smartphone, for example, which is what I did:

Now, if you have not already done so, you have to open the ports on your firewall and forward the traffic to your Firezone server. I will not detail the procedure because it differs from one vendor to another, so I leave you to consult your manual. For my part, I do not intend to manage accounts remotely, so I only open the port dedicated to WireGuard traffic, namely 51820/UDP.

Once the ports are open, we can test. If the tunnel comes up, the corresponding line appears under "Devices" on the server:

Here I can see who is connected, from where, and the throughput used.

To connect from a workstation, the QR code cannot be used; you have to download the WireGuard client available here.

Once downloaded, import the previously generated configuration file, then click "Enable" to bring up the tunnel.

IV. Traffic filtering

When creating our user, we left all the default options.

But some of them can be refined, including the addresses allowed for clients. By default, the VPN tunnel gives a one-to-all connection: every device on the target network becomes reachable. In a production environment this is undesirable, as it poses a security risk.

So let's imagine that I only want to expose the Firezone web interface and one server over RDP.

In the Firezone interface, click "Rules". They are very simple to apply: Allow or Deny. You can specify an address or a range of addresses, the user(s) concerned, as well as the layer 4 protocol and the port, which allows very fine-grained filtering!

So, let's start with the rule for accessing the Firezone web UI:

Create an Allowlist rule in Firezone

Now let's move on to the one for RDP on the server:

Perfect. If we test now, we are fine: we have access to the services. But what about the other services? Here is an example with my NAS:

Oops... Indeed, we have specified allowed addresses, but none are prohibited! Since I do not want any other address to be reachable through the tunnel, I add the entire range with "Deny":

Create a Denylist Rule in Firezone

Of course I specify all protocols, so nothing will be accessible except what I have explicitly allowed.

If I check now, I no longer have access to my NAS:

Note: if your Firezone server runs on a hypervisor, it will remain reachable even if you include it in the forbidden addresses. This is probably due to the "sharing" of the network card; I have not dug into it yet, but be aware of it, and do not rely on a Deny rule to protect other services running on that host.
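To make the precedence concrete, here is an added model (example code, not Firezone's own implementation, which renders its rules into nftables) of the Allow/Deny rules as they behave in the screenshots above: a flow is allowed if any Allow rule matches, otherwise denied if any Deny rule matches, otherwise allowed. The addresses are assumptions: the Firezone web UI at 192.168.1.34 and the RDP server at 192.168.1.55 (the two hosts kept in the next section), plus a constructed NAS at 192.168.1.20. Remember from the introduction that these rules only filter outbound traffic from the tunnel.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example modelling the Allow/Deny behaviour observed in the tutorial.
# It is NOT Firezone's code: the real rules are rendered into nftables.


@dataclass(frozen=True)
class Rule:
    action: str                               # "allow" or "deny"
    destination: str                          # address or CIDR as typed in the Firezone UI
    protocol: Optional[str] = None            # "tcp", "udp" or None for any protocol
    ports: Optional[Tuple[int, int]] = None   # inclusive port range, None for any port

    def matches(self, dst: str, proto: str, port: int) -> bool:
        net = ipaddress.ip_network(self.destination, strict=False)
        addr = ipaddress.ip_address(dst)
        if addr.version != net.version or addr not in net:
            return False
        if self.protocol is not None and self.protocol != proto:
            return False
        if self.ports is not None and not (self.ports[0] <= port <= self.ports[1]):
            return False
        return True


def evaluate(rules: List[Rule], dst: str, proto: str, port: int) -> str:
    """Decide the fate of one client-to-destination flow.

    Allow rules are consulted first, which is why the two allowed hosts stayed
    reachable after the whole range was denied. With no matching rule at all the
    flow is allowed: that is the "Oops" moment with the NAS.
    """
    if any(r.action == "allow" and r.matches(dst, proto, port) for r in rules):
        return "allow"
    if any(r.action == "deny" and r.matches(dst, proto, port) for r in rules):
        return "deny"
    return "allow"


# Assumed addresses (not given explicitly on the page): Firezone web UI,
# RDP server, and a constructed NAS used to show what an allow-only list misses.
WEBUI, RDP_SERVER, NAS = "192.168.1.34", "192.168.1.55", "192.168.1.20"

# Step 1 of the tutorial: only Allow rules.
ALLOW_ONLY = [
    Rule("allow", WEBUI + "/32", "tcp", (443, 443)),
    Rule("allow", RDP_SERVER + "/32", "tcp", (3389, 3389)),
]

# Step 2: the same rules plus a Deny on the whole LAN, all protocols and ports.
WITH_DENY = ALLOW_ONLY + [Rule("deny", "192.168.1.0/24")]


def reachability_report(rules: List[Rule]) -> dict:
    """Return the decision for a handful of representative flows."""
    flows = {
        "webui https": (WEBUI, "tcp", 443),
        "rdp": (RDP_SERVER, "tcp", 3389),
        "rdp host ssh": (RDP_SERVER, "tcp", 22),
        "nas smb": (NAS, "tcp", 445),
    }
    return {name: evaluate(rules, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for label, ruleset in (("allow only", ALLOW_ONLY), ("with deny", WITH_DENY)):
        print(label, reachability_report(ruleset))
```

Running it shows the two states of the tutorial: with Allow rules alone the NAS is still reachable, and once the Deny on 192.168.1.0/24 is added only HTTPS to the web UI and RDP to the server survive (SSH to the same RDP host is now denied too). Note that a destination outside the denied range, say 10.0.0.5, is still allowed by default, so a Deny that only covers one LAN still lets other routed networks through.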

V. Split tunneling

The setup so far assumes you want all client traffic to pass through the tunnel (by default the allowed addresses cover the whole address space), which can be a good thing if you have a UTM with advanced security features (DNS proxy, web filtering, etc.). On the other hand, you may want clients to reach only the specified resources via the VPN and use their own connection for everything else (the internet, for example): this is called split tunneling.

To set it up, modify the allowed addresses in the site settings, under "Defaults".

Note: any change in this section means the device configurations must be regenerated!

We therefore specify the addresses reachable via the tunnel, in my case 192.168.1.34 and 192.168.1.55:

If your users access resources by name, do not forget to specify your internal DNS server as well (and make sure its address is among the allowed ones), otherwise they will not be able to resolve them!

Now that this is done, I still have access to my resources, but if I go to whatsmyip.org, I see that my public address is indeed the one of my current location and no longer the VPN server's! It is therefore a VPN tunnel in split tunneling mode.
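As an added example (not Firezone's code, and not the configuration exported in the screenshots of section III), here is what the generated client configuration looks like in full-tunnel and split-tunnel form, with a small checker for the two things this section warns about: whether a destination is routed through the tunnel at all, and whether the internal DNS server is itself reachable through it. Keys, the tunnel address 10.3.2.2/24, the endpoint name vpn.example.com and the DNS server 192.168.1.1 are placeholders; the two resources are the page's 192.168.1.34 and 192.168.1.55.

```python
import configparser
import ipaddress
from typing import List

# Added example. The keys below are placeholders, not valid Curve25519 keys:
# Firezone shows a device's real private key exactly once, to the user who created it.
CLIENT_PRIVATE_KEY = "CLIENT_PRIVATE_KEY_PLACEHOLDER"
SERVER_PUBLIC_KEY = "SERVER_PUBLIC_KEY_PLACEHOLDER"
ENDPOINT = "vpn.example.com:51820"      # assumed DNS name for the Firezone host
CLIENT_ADDRESS = "10.3.2.2/24"          # assumed tunnel address handed out by Firezone
INTERNAL_DNS = "192.168.1.1"            # assumed internal resolver


def render_client_config(allowed_ips: List[str], dns: List[str]) -> str:
    """Render a wg-quick style client config; AllowedIPs decides full vs split tunnel."""
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {CLIENT_PRIVATE_KEY}",
        f"Address = {CLIENT_ADDRESS}",
        f"DNS = {', '.join(dns)}",
        "",
        "[Peer]",
        f"PublicKey = {SERVER_PUBLIC_KEY}",
        f"AllowedIPs = {', '.join(allowed_ips)}",
        f"Endpoint = {ENDPOINT}",
        "PersistentKeepalive = 25",
        "",
    ])


def _parse(config_text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(strict=False)   # strict=False: wg allows repeated keys
    cp.read_string(config_text)
    return cp


def allowed_networks(config_text: str) -> list:
    cp = _parse(config_text)
    return [ipaddress.ip_network(n.strip()) for n in cp["Peer"]["AllowedIPs"].split(",")]


def tunnel_mode(config_text: str) -> str:
    """'full' if AllowedIPs contains a default route, otherwise 'split'."""
    return "full" if any(n.prefixlen == 0 for n in allowed_networks(config_text)) else "split"


def routed_through_tunnel(config_text: str, destination: str) -> bool:
    dst = ipaddress.ip_address(destination)
    return any(dst in n for n in allowed_networks(config_text) if n.version == dst.version)


def dns_reachable_through_tunnel(config_text: str) -> bool:
    """The pitfall from the note above: a split tunnel whose DNS server is not in AllowedIPs."""
    cp = _parse(config_text)
    servers = [s.strip() for s in cp["Interface"]["DNS"].split(",")]
    return all(routed_through_tunnel(config_text, s) for s in servers)


# Default Firezone behaviour: everything goes through the tunnel.
FULL_TUNNEL = render_client_config(["0.0.0.0/0", "::/0"], [INTERNAL_DNS])

# Split tunnel as configured in this section: only the two resources, DNS server forgotten.
SPLIT_TUNNEL = render_client_config(["192.168.1.34/32", "192.168.1.55/32"], [INTERNAL_DNS])

# Corrected split tunnel: the resolver's own address is added to the allowed addresses.
SPLIT_TUNNEL_WITH_DNS = render_client_config(
    ["192.168.1.34/32", "192.168.1.55/32", INTERNAL_DNS + "/32"], [INTERNAL_DNS])

if __name__ == "__main__":
    for name, cfg in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL),
                      ("split+dns", SPLIT_TUNNEL_WITH_DNS)):
        print(name, tunnel_mode(cfg), "dns ok:", dns_reachable_through_tunnel(cfg),
              "1.1.1.1 via tunnel:", routed_through_tunnel(cfg, "1.1.1.1"))
```

The full-tunnel config routes 1.1.1.1 (and therefore the whatsmyip.org test) through the VPN server; the split configs do not, which is exactly what the author observed. The second split config is the one that breaks name resolution: the DNS line points at 192.168.1.1, but nothing sends packets for that address into the tunnel until it is added to AllowedIPs.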

VI. Conclusion

We have seen how to configure, simply and in a user-friendly way, VPN tunnels for teleworkers and mobile workers, using WireGuard through Firezone.

Firezone is promising because it democratizes the use of WireGuard, thereby improving connection security.

You will also find the documentation here; it is relatively complete (even if some parts deserve a little more explanation...).

To go further, if you expose your web interface on the Internet, do not hesitate to protect your server with CrowdSec: tutorials are available on IT-Connect!
