firezone / firezone Goto Github PK

WireGuard®-based zero-trust access platform with OIDC auth, identity sync, and NAT traversal.

License: Apache License 2.0

Elixir 62.63% HTML 0.96% JavaScript 0.43% Shell 0.99% C 0.01% CSS 0.02% TypeScript 5.04% Dockerfile 0.27% Kotlin 1.70% Rust 19.62% Swift 2.95% Makefile 0.04% HCL 5.24% Batchfile 0.02% Nix 0.05% MDX 0.01% Mermaid 0.01%

cloud vpn firewall security wireguard wireguard-vpn wireguard-ui vpn-server network-security self-hosted

firezone's Introduction

firezone logo

A modern alternative to legacy VPNs.

Note: 🚧 The main branch is undergoing major restructuring in preparation for the release of Firezone 1.0 🚧.

See the legacy branch if you're looking for Firezone 0.7.

Read the 1.0 announcement for more.

Overview

Firezone is an open source platform to securely manage remote access for any-sized organization. Unlike most VPNs, Firezone takes a granular, least-privileged approach to access management with group-based policies that control access to individual applications, entire subnets, and everything in between.

Features

Firezone is:

Fast: Built on WireGuard® to be 3-4 times faster than OpenVPN.
Scalable: Deploy two or more gateways for automatic load balancing and failover.
Private: Peer-to-peer, end-to-end encrypted tunnels prevent packets from routing through our infrastructure.
Secure: Zero attack surface thanks to Firezone's holepunching tech which establishes tunnels on-the-fly at the time of access.
Open: Our entire product is open-source, allowing anyone to audit the codebase.
Flexible: Authenticate users via email, Google Workspace, Okta, Entra ID, or OIDC and sync users and groups automatically.
Simple: Deploy gateways and configure access in minutes with a snappy admin UI.

Firezone is not:

A tool for creating bi-directional mesh networks
A full-featured router or firewall
An IPSec or OpenVPN server

Contents of this repository

This is a monorepo containing the full Firezone product, marketing website, and product documentation, organized as follows:

elixir: Control plane and internal Elixir libraries:
- elixir/apps/web: Admin UI
- elixir/apps/api: API for Clients, Relays and Gateways.
rust/: Data plane and internal Rust libraries:
- rust/gateway: Gateway - Tunnel server based on WireGuard and deployed to your infrastructure.
- rust/relay: Relay - STUN/TURN server to facilitate holepunching.
- rust/headless-client: Cross-platform CLI client.
- rust/gui-client: Cross-platform GUI client.
swift/: macOS / iOS clients.
kotlin/: Android / ChromeOS clients.
website/: Marketing website and product documentation.
terraform/: Terraform files for various example deployments.
- terraform/examples/google-cloud/nat_gateway: Example Terraform configurations for deploying a cluster of Firezone gateways behind a NAT gateway on GCP with single egress IP.
- terraform/modules/google-cloud/apps/gateway-region-instance-group: Production-ready Terraform module for deploying regional Firezone gateways to Google Cloud Compute using Regional Instance Groups.

Quickstart

The quickest way to get started with Firezone is to sign up for an account at https://app.firezone.dev/sign_up.

Once you've signed up, follow the instructions in the welcome email to get started.

Frequently asked questions (FAQ)

Can I self-host Firezone?

Our license won't stop you from self-hosting the entire Firezone product top to bottom, but our internal APIs are changing rapidly so we can't meaningfully support self-hosting Firezone in production at this time.

If you're feeling especially adventurous and want to self-host Firezone for educational or hobby purposes, follow the instructions to spin up a local development environment in CONTRIBUTING.md.

The clients can be built from their respective directories.

The latest published clients (on App Stores and on releases) are only guaranteed to work with the managed version of Firezone and may not work with a self-hosted portal built from this repository. This is because Apple and Google can sometimes delay updates to their app stores, and so the latest published version may not be compatible with the tip of main from this repository.

Therefore, if you're experimenting with self-hosting Firezone, you will probably want to use clients you build and distribute yourself as well.

How long will 0.7 be supported until?

Firezone 0.7 is currently end-of-life and has stopped receiving updates as of January 31st, 2024. It will continue to be available indefinitely from the legacy branch of this repo under the Apache 2.0 license.

What's your pricing structure like?

Please see our pricing page at https://www.firezone.dev/pricing?utm_source=readme

Documentation

Additional documentation on general usage, troubleshooting, and configuration can be found at https://www.firezone.dev/kb.

Get Help

If you're looking for help installing, configuring, or using Firezone, check our community support options:

Discussion Forums: Ask questions, report bugs, and suggest features.
Join our Discord Server: Join live discussions, meet other users, and chat with the Firezone team.
Open a PR: Contribute a bugfix or make a contribution to Firezone.

Star History

Developing and Contributing

See CONTRIBUTING.md.

Security

See SECURITY.md.

License

Portions of this software are licensed as follows:

All content residing under the "elixir/" directory of this repository, if that directory exists, is licensed under the "Elastic License 2.0" license defined in "elixir/LICENSE".
All third party components incorporated into the Firezone Software are licensed under the original license provided by the owner of the applicable component.
Content outside of the above mentioned directories or restrictions above is available under the "Apache 2.0 License" license as defined in "LICENSE".

WireGuard® is a registered trademark of Jason A. Donenfeld.

firezone's People

Contributors

Stargazers

Watchers

Forkers

simhaonline zverev-iv picassio 5gapp qnyblog spm1377 sala2000 ediboko1980 ebostijancic w796933 usama7628674 sajanagr shyftxero athulspeaks xoraingroup thecruciblecloud erkannt heartshare dinutek y0d4a chengzehsiao tngamemo fanget-nicolas marklofff alsarmi en-clair silverskyvicto sabixr yud121212 ltvthang legly devotionzhu khanhnt99 rogervaas cyberflamego kaku-io bhardwajrahul mdp ztmark sleleko amishakov ettaroo romnial evo-eco hieultan pspglb suryatmodulus 0xsojalsec princemaple kaowul adamnugraha entrysky willie-lin fengjixuchui maheskrishnan cyrex562 stvhanna rezamt fliphess phil0x1 gbe0 shantanu561993 conectado treble37 uniteddiversity nymurbd abdulkhaliqsoule salmiery gnavarroco williamtaack grantwest hailbytes saeeddirect1 5l1v3r1 filesy sanvu88 happysky2046 jacobjohansen farizov data-gami docugs badeyeye1 tryweirdier ictus4u ctc-kernel leriel nhatduypham1993 neelaundhia thutex sebastianbuechler bbrooks870 code-ql-testing sitsaz rmoorman j4ckzh0u vladislavkupriianov graozgegx85 pemontto vvlasenko-ua meowboy326

firezone's Issues

Support CentOS 9

CentOS 9 is released and should be added to our build pipeline.

Containerization Support

As mentioned in this Reddit comment, it would be useful to be able to run Firezone as a containerized application.

This presents us with a few challenges that need to be investigated, however:

Firezone expects control of the host routing table to add default routes for the WireGuard interface and set up IPv4/IPv6 forwarding
Firezone needs to be able to add a new nftables firewall and manage rules in that table
Firezone needs to create a wireguard-type interface on the host and manage it

This StackOverflow post would be a good starting point.

This Arch Linux troubleshooting tip may be helpful as well: https://wiki.archlinux.org/title/nftables#Working_with_Docker

Edit: Perhaps this could be accomplished by abstracting the Firezone firewall driver so that eBPF can be used. This could open the door to integrate with something like https://github.com/cilium/cilium to provide eBPF-based filtering.

refs #737

Some screen widths cut off device configuration

Some screen widths cut off device configuration:

The responsive selector should kick in before this happens to reflow the config tile below the details tile.

CentOS 8 Stream Fresh Build

Hello Firezone Team,

I just created a fresh CentOS 8 box, I then installed the RPM and ran through the setup guide. Everything was working until I clicked ad a device under my user.

I'm wondering if I'm missing a dependency for a Wireguard tool.

2021-12-27_23:35:25.84431 {"Kernel pid terminated",application_controller,"{application_start_failure,fz_vpn,{{shutdown,{failed_to_start_child,'Elixir.FzVpn.Server',{#{'__exception__' => true,'__struct__' => 'Elixir.RuntimeError',message => <<\" Error executing command wg set wg-firezone peer dyr9ZK3R9aVudD5hVVXfVGhiZTquicU282ivTK6/fGc= allowed-ips 10.3.2.2/32,fd00:3:2::2/128.\n Exit code: 1\n Error message:\n Unable to modify interface: Protocol not supported\n\n\">>},[{'Elixir.FzCommon.CLI',exec,2,[{file,\"lib/cli.ex\"},{line,28},{error_info,#{module => 'Elixir.Exception'}}]},{'Elixir.FzVpn.Server',apply_config,1,[{file,\"lib/fz_vpn/server.ex\"},{line,83}]},{gen_server,init_it,2,[{file,\"gen_server.erl\"},{line,423}]},{gen_server,init_it,6,[{file,\"gen_server.erl\"},{line,390}]},{proc_lib,init_p_do_apply,3,[{file,\"proc_lib.erl\"},{line,226}]}]}}},{'Elixir.FzVpn.Application',start,[normal,[]]}}}"} 2021-12-27_23:35:25.84495 Kernel pid terminated (application_controller) ({application_start_failure,fz_vpn,{{shutdown,{failed_to_start_child,'Elixir.FzVpn.Server',{#{'__exception__' => true,'__struct__' => 'Elixir.RuntimeError',message => <<" Error executing command wg set wg-firezone peer dyr9ZK3R9aVudD5hVVXfVGhiZTquicU282ivTK6/fGc= allowed-ips 10.3.2.2/32,fd00:3:2::2/128.\n Exit code: 1\n Error message:\n Unable to modify interface: Protocol not supported\n\n">>},[{'Elixir.FzCommon.CLI',exec,2,[{file,"lib/cli.ex"},{line,28},{error_info,#{module => 'Elixir.Exception'}}]},{'Elixir.FzVpn.Server',apply_config,1,[{file,"lib/fz_vpn/server.ex"},{line,83}]},{gen_server,init_it,2,[{file,"gen_server.erl"},{line,423}]},{gen_server,init_it,6,[{file,"gen_server.erl"},{line,390}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,226}]}]}}},{'Elixir.FzVpn.Application',start,[normal,[]]}}}) 2021-12-27_23:35:25.84801 2021-12-27_23:35:25.84803 Crash dump is being written to: erl_crash.dump...done 2021-12-27_23:35:28.97298 18:35:28.971 [info] Running FzHttpWeb.Endpoint with cowboy 2.9.0 at 127.0.0.1:13000 (http) 2021-12-27_23:35:28.98410 18:35:28.983 [info] Access FzHttpWeb.Endpoint at http://firezone.private.com:13000 2021-12-27_23:35:29.32457 18:35:29.254 [notice] Application fz_vpn exited: FzVpn.Application.start(:normal, []) returned an error: shutdown: failed to start child: FzVpn.Server 2021-12-27_23:35:29.32461 ** (EXIT) an exception was raised: 2021-12-27_23:35:29.32462 ** (RuntimeError) Error executing command wg set wg-firezone peer dyr9ZK3R9aVudD5hVVXfVGhiZTquicU282ivTK6/fGc= allowed-ips 10.3.2.2/32,fd00:3:2::2/128. 2021-12-27_23:35:29.32462 Exit code: 1 2021-12-27_23:35:29.32463 Error message: 2021-12-27_23:35:29.32463 Unable to modify interface: Protocol not supported 2021-12-27_23:35:29.32463 2021-12-27_23:35:29.32464 2021-12-27_23:35:29.32464 (fz_common 0.2.0) lib/cli.ex:28: FzCommon.CLI.exec/2 2021-12-27_23:35:29.32464 (fz_vpn 0.2.0) lib/fz_vpn/server.ex:83: FzVpn.Server.apply_config/1 2021-12-27_23:35:29.32465 (stdlib 3.17) gen_server.erl:423: :gen_server.init_it/2 2021-12-27_23:35:29.32465 (stdlib 3.17) gen_server.erl:390: :gen_server.init_it/6 2021-12-27_23:35:29.32465 (stdlib 3.17) proc_lib.erl:226: :proc_lib.init_p_do_apply/3 2021-12-27_23:35:30.94241 {"Kernel pid terminated",application_controller,"{application_start_failure,fz_vpn,{{shutdown,{failed_to_start_child,'Elixir.FzVpn.Server',{#{'__exception__' => true,'__struct__' => 'Elixir.RuntimeError',message => <<\" Error executing command wg set wg-firezone peer dyr9ZK3R9aVudD5hVVXfVGhiZTquicU282ivTK6/fGc= allowed-ips 10.3.2.2/32,fd00:3:2::2/128.\n Exit code: 1\n Error message:\n Unable to modify interface: Protocol not supported\n\n\">>},[{'Elixir.FzCommon.CLI',exec,2,[{file,\"lib/cli.ex\"},{line,28},{error_info,#{module => 'Elixir.Exception'}}]},{'Elixir.FzVpn.Server',apply_config,1,[{file,\"lib/fz_vpn/server.ex\"},{line,83}]},{gen_server,init_it,2,[{file,\"gen_server.erl\"},{line,423}]},{gen_server,init_it,6,[{file,\"gen_server.erl\"},{line,390}]},{proc_lib,init_p_do_apply,3,[{file,\"proc_lib.erl\"},{line,226}]}]}}},{'Elixir.FzVpn.Application',start,[normal,[]]}}}"} 2021-12-27_23:35:30.94326 Kernel pid terminated (application_controller) ({application_start_failure,fz_vpn,{{shutdown,{failed_to_start_child,'Elixir.FzVpn.Server',{#{'__exception__' => true,'__struct__' => 'Elixir.RuntimeError',message => <<" Error executing command wg set wg-firezone peer dyr9ZK3R9aVudD5hVVXfVGhiZTquicU282ivTK6/fGc= allowed-ips 10.3.2.2/32,fd00:3:2::2/128.\n Exit code: 1\n Error message:\n Unable to modify interface: Protocol not supported\n\n">>},[{'Elixir.FzCommon.CLI',exec,2,[{file,"lib/cli.ex"},{line,28},{error_info,#{module => 'Elixir.Exception'}}]},{'Elixir.FzVpn.Server',apply_config,1,[{file,"lib/fz_vpn/server.ex"},{line,83}]},{gen_server,init_it,2,[{file,"gen_server.erl"},{line,423}]},{gen_server,init_it,6,[{file,"gen_server.erl"},{line,390}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,226}]}]}}},{'Elixir.FzVpn.Application',start,[normal,[]]}}})

Remove network interface and routes in uninstall / cleanup

wg-firezone and added routes will stick around after an uninstall/cleanup.

Create an omnibus cleanup hook that will uninstall these.

Errors don't clear when adding valid rules

When an invalid rule is created and errors out, the error message doesn't get removed when a valid rule is then created.

Add configuration file upgrade instructions

With 0.2.0, the configuration file has changed slightly, causing the existing upgrade procedure to break.

Add instructions to the README on two options for handling this during the upgrade:

Keep the old configuration file and make required changes to it
Back up the old configuration file, install the new one, and modify accordingly.

README mismatch between latest release and master branch

Due to the way Github displays the master branch README by default, we need a disclaimer or way to make it clear the master branch documentation may not match the latest release.

Possible solutions:

Use a develop branch to stage changes
Use an external site for version-specific documentation (e.g. docs.firez.one)
Only update documentation in the master branch just prior to tagging it

Fixes #299

Request - Allow DNS vs. IP in endpoint config

I'd like to request for the next update to allow for DNS updates to the endpoint. I set this in my current DSNET WireGuard stuff. I use dynamic DNS to reach my home lab in case the IP changes. This application is so awesome. Thank you!

Don't allow duplicate DNS server entries for devices

Public address without port

Don't know if really an issue. I'm running nginx for several other instances so to get Firezone running I had to use another port for SSL (444). Now together with the public address I have to use also the port- https://fire.example.net:444. Maybe there is a way to eliminate this to make it looking better.

Peer connection flapping

A device's handshake (peer connection) occasionally hiccups every minute due to the way we are evaluating which devices are allowed to connect.

Fix is on the way. Noting this here for posterity.

Endpoint is misconfigured when multiple IP addresses are present on the egress interface

Firezone generates incorrect value for Endpoint when multiple IP addresses are configured on the default egress interface on the server.

Request: Allow device defaults to be set via config file

There are two options I currently have to set by hand after I install, specifically DNS and allowed routes.

Its a Must-Have to set DNS globally via a config option and not just via UI. I have dnsmasq running on the firezone server and expect clients to use that, as there are a few domain/wg specific things I've set (host names to wg interfaces for example), and this really ties the whole room together with FQDN resolution on mail and etc.

Allowed routes is a nice-to-have since i really have two use cases, and mostly I just want a couple of private networks routing across wireguard, since this is bridging a private cloud + public VPC and only certain classes of networks are trusted on this bridge. However I have another use case where I want all traffic to be routed (vpn use case). Maybe there can be an option to set one of the following:

Route all traffic (0.0.0.0/0)
Route only WG traffic (10.3.2.0/24 or whatever subnet is set to)
Custom allowed-ips config line ([ 10.3.2.0/24, 192.168.142.128/28, 10.99.14.0/23 ])

Support some further configuration

Hello,
i'm using wireguard primary for accessing my cloud server private networks. Yes i know it can be changed with the edit function but changing every time is non usable for me. So following configuration options would be good:

Disable/Change DNS: When disabled the DNS setting is completely deleted from server&client configs.
Change AllowedIPs: Because of just accessing private networks it would be good to set this variable also manually.
Option to disable IPv6.
Download button for download the client config file.

Rename create_admin -> create-admin to be consistent with other commands

All other firezone-ctl commands use -.

we need Support for ARM！

It is very convenient and cheap to run on your own ARM machine! Running this task on AWS alone will be very expensive!

Client needs same MTU as configured on Firezone server

In rare circumstances on the macOS WireGuard client, connectivity to some sites times out when the MTU is set lower than the WireGuard default of 1420 and the device config is not updated to match.

Ensure that the device configs match what's on the server.

Add WireGuard connectivity test to functional_testing.sh CI script

The .ci/functional_test.sh script should include a connectivity check to an external site, such as ping -c 4 1.1.1.1.

This will require a device to be created beforehand.

Handshake did not complete after 5 seconds, retrying...

Got websockets working, web-end works great, but I can't get my clients to connect over WAN.

Tested this for 3+ hours last night, got literally nowhere.

I create a device, I scan the QR code on my Pixel 4 XL, and then attempt to connect and it won't establish a handshake with the server.

I've port-forwarded the port I'm using to the local address of the VM that's running firezone / wireguard. I completely disabled UFW/IPTables, and got local handshakes to work, but still nothing over WAN.

Support for Arch Linux-based distros

Firezone would be very useful for Arch Linux based distribution as they are widely used for both desktop and server cases.

A package in the AUR could be accessible for :

Links are distrowatch pages and ranks.

SSO Support

Adding SAML, OAuth2, etc. support could increase overall security and will save the need to self store and protect user data.

Support for 2FA / SSO

I was just made a aware of firezone and I like what I see. This is fairly close to something I thought about implementing several times in the past.

The part that is missing but feels fairly straight forward to add would be a way to support 2FA. My request here would be to provide infrastructure to enable the second verification step, but not actually implement it.

In the concept I had in mind I would have had 2 firewall setups:

a very restrictive setup, which allows access only to systems necessary for the second factory verification (e.g. a captive portal)
the normal firewall setup for clients that have been successfully verified

By default a new client would receive the restrictive setup. The client can then performs the second factor verification and when successful, the VPN manager switches the firewall rules for that client to the normal setup.

The second factor verification could for example be managed by Keycloak server, where the user authenticates in the browsers with additional factors. Upon successful authentication a webhook could be called on the VPN manager on the backend side, that would switch the client firewall rules:

Client connects to wireguard (vpn)
Client goes to https://2fa-vpn.example.com (2fa service)
2fa service redirects client to https://keycloak.example.com (keycloak) as part of oauth2 authorization code flow
Client authenticates to keycloak
Keycloak redirects back to 2fa service
2fa service verifies oauth2 authorization code and on success triggers firewall switch in vpn

I think this could be integrated nicely into firezone:

Currently firezone provides a single allow/block list pair. if it had a way to manage several of these lists and a way to select a default list, then this could be used to model the different states a client is in (e.g. non-authenticated vs authenticated). Additionally some form of API would be necessary, so that outside systems could change the active list for a certain client. All other parts (the 2fa service, keycloak, captive portal detection, some wireguard client integration maybe, ...) could and should be handled by different systems. A nice to have would be some kind of webhook mechanism in firezone, so that it can notify another system about new client connections (e.g. to trigger some cloud-powered auth mechnism on a phone).

The only thing where I'm still not entirely clear on how to correctly (and securely) implement: Uniquely identifying a client, so other systems could switch firewall rules for a specific client.

Installing issue

Hey guys,
Please let me know what I'm doing wrong. I'm running Debian 11. What I did sofar:

wget https://github.com/firezone/firezone/releases/download/0.1.10/firezone_0.1.10-debian11-amd64.deb
sudo wget https://github.com/firezone/firezone/releases/download/0.1.10/firezone_0.1.10-debian11-amd64.deb
sudo dpkg -i firezone_0.1.10-debian11-amd64.deb
sudo firezone-ctl reconfigure
sudo systemctl stop nginx
certbot certonly --standalone --agree-tos -d fire.example.net
sudo nano /etc/firezone/firezone.rb
sudo firezone-ctl reconfigure

Last command is generating following output:

Starting Chef Infra Client, version 16.14.1
Patents: https://www.chef.io/patents
resolving cookbooks for run list: ["firezone::default"]
Synchronizing Cookbooks:
  - firezone (0.0.1)
  - enterprise (1.1.0)
  - runit (5.1.6)
  - line (4.4.2)
  - packagecloud (1.0.1)
  - yum-epel (4.1.4)
Installing Cookbook Gems:
Compiling Cookbooks...
Converging 58 resources
Recipe: firezone::config
  * linux_user[firezone] action create (up to date)
  * group[firezone] action create (up to date)
  * directory[/etc/firezone] action create (up to date)
  * directory[/var/opt/firezone] action create (up to date)
  * directory[/opt/firezone/embedded/service/firezone/tmp] action create (up to date)
  * directory[/var/log/firezone] action create (up to date)
  * directory[/var/opt/firezone/etc] action create (up to date)
  * file[configuration-variables] action create (up to date)
  * file[/etc/firezone/secrets.json] action create (up to date)
  * file[/var/opt/firezone/cache/wg_private_key] action create_if_missing (up to date)
Recipe: firezone::setcap
  * file[/opt/firezone/embedded/sbin/nft] action touch
    - update utime on file /opt/firezone/embedded/sbin/nft
  * file[/opt/firezone/embedded/bin/wg] action touch
    - update utime on file /opt/firezone/embedded/bin/wg
  * execute[setcap_nft] action run
    - execute setcap 'cap_net_admin,cap_net_raw+eip' /opt/firezone/embedded/sbin/nft
  * execute[setcap_wg] action run
    - execute setcap 'cap_net_admin,cap_net_raw,cap_dac_read_search+eip' /opt/firezone/embedded/bin/wg
Recipe: firezone::log_management
  * directory[/var/opt/firezone/etc/logrotate.d] action create (up to date)
  * template[/var/opt/firezone/etc/logrotate.conf] action create (up to date)
  * template[/etc/cron.hourly/firezone_logrotate] action create (up to date)
Recipe: firezone::ssl
  * directory[/var/opt/firezone/ssl] action create (up to date)
  * directory[/var/opt/firezone/ssl/ca] action create (up to date)
  * openssl_dhparam[/var/opt/firezone/ssl/ca/dhparams.pem] action create
    * file[/var/opt/firezone/ssl/ca/dhparams.pem] action create (up to date)
     (up to date)
  * link[/var/opt/firezone/ssl/cacert.pem] action create (up to date)
Recipe: firezone::network
  * execute[wireguard_ipv4] action run
    - execute ip address replace 10.3.2.1/24 dev wg-firezone
  * execute[wireguard_ipv6] action run
    - execute ip -6 address replace fd00:3:2::1/120 dev wg-firezone
  * execute[set_mtu] action run
    - execute ip link set mtu 1420 up dev wg-firezone
  * execute[set_wireguard_interface_private_key] action run
    - execute /opt/firezone/embedded/bin/wg set wg-firezone private-key /var/opt/firezone/cache/wg_private_key
  * execute[set_listen_port] action run
    - execute /opt/firezone/embedded/bin/wg set wg-firezone listen-port 51821
  * route[10.3.2.0/24] action add
    - run ip route replace 10.3.2.0/24 dev wg-firezone to add route
  * route[fd00:3:2::0/120] action add
    - run ip route replace fd00:3:2::0/120 dev wg-firezone to add route
  * replace_or_add[IPv4 packet forwarding] action edit
    * file[/etc/sysctl.conf] action create (up to date)
     (up to date)
  * replace_or_add[IPv6 packet forwarding] action edit
    * file[/etc/sysctl.conf] action create (up to date)
     (up to date)
  * execute[sysctl -p /etc/sysctl.conf] action run
    - execute sysctl -p /etc/sysctl.conf
Recipe: enterprise::runit
  * component_runit_supervisor[firezone] action create
    * template[/etc/systemd/system/firezone-runsvdir-start.service] action create (up to date)
    * execute[systemctl daemon-reload] action nothing (skipped due to action :nothing)
    * file[/usr/lib/systemd/system/firezone-runsvdir-start.service] action delete (up to date)
    * service[firezone-runsvdir-start.service] action enable (up to date)
    * service[firezone-runsvdir-start.service] action start (up to date)
     (up to date)
Recipe: firezone::postgresql
  * sysctl[kernel.shmmax] action apply (up to date)
  * sysctl[kernel.shmall] action apply (up to date)
  * directory[/var/log/firezone/postgresql] action create (up to date)
  * enterprise_pg_cluster[firezone] action init
    * directory[/var/opt/firezone/postgresql/13.3/data] action create (up to date)
    * execute[initialize_cluster_/var/opt/firezone/postgresql/13.3/data] action run (skipped due to not_if)
    * template[/var/opt/firezone/postgresql/13.3/data/postgresql.conf] action create (up to date)
    * template[/var/opt/firezone/postgresql/13.3/data/pg_hba.conf] action create (up to date)
     (up to date)
  * component_runit_service[postgresql] action enable
    * template[/var/log/firezone/postgresql/config] action create (up to date)
  Recipe: <Dynamically Defined Resource>
    * service[postgresql] action nothing (skipped due to action :nothing)
    * runit_service[postgresql] action enable
      * ruby_block[restart_service] action nothing (skipped due to action :nothing)
      * ruby_block[restart_log_service] action nothing (skipped due to action :nothing)
      * directory[/opt/firezone/sv/postgresql] action create (up to date)
      * template[/opt/firezone/sv/postgresql/run] action create (up to date)
      * directory[/opt/firezone/sv/postgresql/log] action create (up to date)
      * directory[/opt/firezone/sv/postgresql/log/main] action create (up to date)
      * directory[/var/log/postgresql] action create (up to date)
      * template[/opt/firezone/sv/postgresql/log/config] action create (up to date)
      * link[/var/log/postgresql/config] action create (up to date)
      * template[/opt/firezone/sv/postgresql/log/run] action create (up to date)
      * directory[/opt/firezone/sv/postgresql/env] action create (up to date)
      * ruby_block[Delete unmanaged env files for postgresql service] action run (skipped due to only_if)
      * template[/opt/firezone/sv/postgresql/check] action create (skipped due to only_if)
      * template[/opt/firezone/sv/postgresql/finish] action create (skipped due to only_if)
      * directory[/opt/firezone/sv/postgresql/control] action create (up to date)
      * template[/opt/firezone/sv/postgresql/control/t] action create (up to date)
      * link[/opt/firezone/init/postgresql] action create (up to date)
      * file[/opt/firezone/sv/postgresql/down] action nothing (skipped due to action :nothing)
      * directory[/opt/firezone/service] action create (up to date)
      * link[/opt/firezone/service/postgresql] action create (up to date)
      * ruby_block[wait for postgresql service socket] action run
        - execute the ruby block wait for postgresql service socket


Recipe: firezone::nginx
  * directory[/var/opt/firezone/nginx/cache] action create (up to date)
  * directory[/var/log/firezone/nginx] action create (up to date)
  * directory[/var/opt/firezone/nginx/etc] action create (up to date)
  * directory[/var/opt/firezone/nginx/etc/conf.d] action create (up to date)
  * directory[/var/opt/firezone/nginx/etc/sites-enabled] action create (up to date)
  * link[/var/opt/firezone/nginx/etc/mime.types] action create (up to date)
  * template[nginx.conf] action create (up to date)
  * component_runit_service[nginx] action enable
    * template[/var/log/firezone/nginx/config] action create (up to date)
  Recipe: <Dynamically Defined Resource>
    * service[nginx] action nothing (skipped due to action :nothing)
    * runit_service[nginx] action enable
      * ruby_block[restart_service] action nothing (skipped due to action :nothing)
      * ruby_block[restart_log_service] action nothing (skipped due to action :nothing)
      * directory[/opt/firezone/sv/nginx] action create (up to date)
      * template[/opt/firezone/sv/nginx/run] action create (up to date)
      * directory[/opt/firezone/sv/nginx/log] action create (up to date)
      * directory[/opt/firezone/sv/nginx/log/main] action create (up to date)
      * directory[/var/log/nginx] action create (up to date)
      * template[/opt/firezone/sv/nginx/log/config] action create (up to date)
      * link[/var/log/nginx/config] action create (up to date)
      * template[/opt/firezone/sv/nginx/log/run] action create (up to date)
      * directory[/opt/firezone/sv/nginx/env] action create (up to date)
      * ruby_block[Delete unmanaged env files for nginx service] action run (skipped due to only_if)
      * template[/opt/firezone/sv/nginx/check] action create (skipped due to only_if)
      * template[/opt/firezone/sv/nginx/finish] action create (skipped due to only_if)
      * directory[/opt/firezone/sv/nginx/control] action create (up to date)
      * link[/opt/firezone/init/nginx] action create (up to date)
      * file[/opt/firezone/sv/nginx/down] action nothing (skipped due to action :nothing)
      * directory[/opt/firezone/service] action create (up to date)
      * link[/opt/firezone/service/nginx] action create (up to date)
      * ruby_block[wait for nginx service socket] action run
        - execute the ruby block wait for nginx service socket


Recipe: firezone::nginx
  * template[/var/opt/firezone/etc/logrotate.d/nginx] action create (up to date)
Recipe: firezone::database
  * enterprise_pg_user[firezone] action create (skipped due to not_if)
  * enterprise_pg_database[firezone] action create
    * execute[create_database_firezone] action run

      ================================================================================
      Error executing action `run` on resource 'execute[create_database_firezone]'
      ================================================================================

      Mixlib::ShellOut::ShellCommandFailed
      ------------------------------------
      Expected process to exit with [0], but received '1'
      ---- Begin output of createdb --template template0 --encoding UTF-8 --owner firezone firezone ----
      STDOUT:
      STDERR: createdb: error: could not connect to database template1: could not connect to server: Connection refused
        Is the server running on host "127.0.0.1" and accepting
        TCP/IP connections on port 15432?
      ---- End output of createdb --template template0 --encoding UTF-8 --owner firezone firezone ----
      Ran createdb --template template0 --encoding UTF-8 --owner firezone firezone returned 1

      Resource Declaration:
      ---------------------
      # In /var/opt/firezone/cache/cache/cookbooks/enterprise/resources/pg_database.rb

       39:   execute "create_database_#{new_resource.database}" do
       40:     command createdb_command
       41:     user node[project_name]['postgresql']['username']
       42:     not_if { database_exist? }
       43:     retries 30
       44:   end
       45: end

      Compiled Resource:
      ------------------
      # Declared in /var/opt/firezone/cache/cache/cookbooks/enterprise/resources/pg_database.rb:39:in `block in class_from_file'

      execute("create_database_firezone") do
        action [:run]
        default_guard_interpreter :execute
        command "createdb --template template0 --encoding UTF-8 --owner firezone firezone"
        declared_type :execute
        cookbook_name "firezone"
        domain nil
        user "firezone"
        retries 30
        not_if { #code block }
      end

      System Info:
      ------------
      chef_version=16.14.1
      platform=debian
      platform_version=11
      ruby=ruby 2.7.4p191 (2021-07-07 revision a21a3b7d23) [x86_64-linux]
      program_name=/opt/firezone/embedded/bin/chef-client
      executable=/opt/firezone/embedded/bin/chef-client


    ================================================================================
    Error executing action `create` on resource 'enterprise_pg_database[firezone]'
    ================================================================================

    Mixlib::ShellOut::ShellCommandFailed
    ------------------------------------
    execute[create_database_firezone] (/var/opt/firezone/cache/cache/cookbooks/enterprise/resources/pg_database.rb line 39) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '1'
    ---- Begin output of createdb --template template0 --encoding UTF-8 --owner firezone firezone ----
    STDOUT:
    STDERR: createdb: error: could not connect to database template1: could not connect to server: Connection refused
        Is the server running on host "127.0.0.1" and accepting
        TCP/IP connections on port 15432?
    ---- End output of createdb --template template0 --encoding UTF-8 --owner firezone firezone ----
    Ran createdb --template template0 --encoding UTF-8 --owner firezone firezone returned 1

    Resource Declaration:
    ---------------------
    # In /var/opt/firezone/cache/cache/cookbooks/firezone/recipes/database.rb

     42: enterprise_pg_database node['firezone']['database']['name'] do
     43:   owner node['firezone']['database']['user']
     44: end
     45:

    Compiled Resource:
    ------------------
    # Declared in /var/opt/firezone/cache/cache/cookbooks/firezone/recipes/database.rb:42:in `from_file'

    enterprise_pg_database("firezone") do
      action [:create]
      default_guard_interpreter :default
      declared_type :enterprise_pg_database
      cookbook_name "firezone"
      recipe_name "database"
      owner "firezone"
    end

    System Info:
    ------------
    chef_version=16.14.1
    platform=debian
    platform_version=11
    ruby=ruby 2.7.4p191 (2021-07-07 revision a21a3b7d23) [x86_64-linux]
    program_name=/opt/firezone/embedded/bin/chef-client
    executable=/opt/firezone/embedded/bin/chef-client


Running handlers:
[2021-10-05T15:35:50+01:00] ERROR: Running exception handlers
Running handlers complete
[2021-10-05T15:35:50+01:00] ERROR: Exception handlers complete
Chef Infra Client failed. 18 resources updated in 01 minutes 05 seconds
[2021-10-05T15:35:51+01:00] FATAL: Stacktrace dumped to /var/opt/firezone/cache/cache/chef-stacktrace.out
[2021-10-05T15:35:51+01:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2021-10-05T15:35:51+01:00] FATAL: Mixlib::ShellOut::ShellCommandFailed: enterprise_pg_database[firezone] (firezone::database line 42) had an error: Mixlib::ShellOut::ShellCommandFailed: execute[create_database_firezone] (/var/opt/firezone/cache/cache/cookbooks/enterprise/resources/pg_database.rb line 39) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '1'
---- Begin output of createdb --template template0 --encoding UTF-8 --owner firezone firezone ----
STDOUT:
STDERR: createdb: error: could not connect to database template1: could not connect to server: Connection refused
        Is the server running on host "127.0.0.1" and accepting
        TCP/IP connections on port 15432?
---- End output of createdb --template template0 --encoding UTF-8 --owner firezone firezone ----
Ran createdb --template template0 --encoding UTF-8 --owner firezone firezone returned 1

After sudo firezone-ctl create_admin the output is:

    ===============================================================================
    Error executing action `restart` on resource 'component_runit_service[phoenix]'
    ===============================================================================

    Mixlib::ShellOut::ShellCommandFailed
    ------------------------------------
    runit_service[phoenix] (/var/opt/firezone/cache/cache/cookbooks/enterprise/reso
ixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but receive
    ---- Begin output of /opt/firezone/embedded/bin/sv restart /opt/firezone/servic
    STDOUT: timeout: run: /opt/firezone/service/phoenix: (pid 74919) 33s, got TERM
    STDERR:
    ---- End output of /opt/firezone/embedded/bin/sv restart /opt/firezone/service/
    Ran /opt/firezone/embedded/bin/sv restart /opt/firezone/service/phoenix returne

Thank yoo in advance!

Typo in install doc

Replace
sudo dpkg -i firezone-.deb
with
sudo dpkg -i firezone.deb

The former fails since the .deb file uses an underscore instead of a hyphen.

WSL2 support

Hi! Tried installing for WSL2, keep running into this error:

Any idea how I can set this up in WSL2? I thought it would be similar to setting up in Ubuntu 20.04 (that's the distro I'm using)

Investigate adding as a Cockpit plugin

It would be useful to have this as a Cockpit plugin: https://news.ycombinator.com/item?id=28708423

Investigate what's required to build Firezone as a Cockpit plugin.

How to deploy on Kubernetes?

How can I deploy this on Kubernetes?

Document how to upgrade Firezone

Upgrading Firezone is currently a manual process.

Add helpers to make non-destructive upgrades easier
Add an "Upgrading" section to the README

Allow devices to be created via firezone-ctl

Right now in order to create a device I have to go into the UI, add it, edit it, change the name and potentially last octet.

It would be great if I could do something like:

firezone-ctl add-device

And get a device and maybe something like:

firezone-ctl add-device 'device-name' '100'

To specific my devicename with 10.3.2.100

This would make automating the addition of firezone clients possible whereas today it is very difficult.

Remove unused config sections from firezone.rb config file

Many config sections are remnants from the underlying Omnibus Supermarket template and can be removed.

Limit Trafic user

can control the total traffic of the connecting user. ? In my case I do not want to exceed the traffic of my vps

Support Fedora 35

Fedora 35 is released and should be added to our build pipeline.

(debian Buster clean inst): Phoenix run file doesnt contain fqdn as specified in /etc/firezone/firezone.rb.

Nice tool, great potential imo :)

I've done a test-installation on debian buster backported kernel 5.10.
modified the /etc/firezone/firezone.rb file with the fqdn name: default['firezone']['fqdn'] = 'myservername.domainname.com' <changed for privacy ofcourse.
other then that, i've only added our certificate filenames.

then, firezone-ctl reconfigure, and created initial admin.

The webinterface lets me login. however, pressing a button such as "Add device" doesn't seem to work.
I've Located the problem via the logfile, stating that there is a discrepancy betweeon the hostname used and the config value.
saying:
==> /var/log/firezone/phoenix/current <==
2021-09-30_11:57:27.41499 13:57:27.414 [error] Could not check origin for Phoenix.Socket transport.

so in /opt/firezone/sv/phoenix/run
export URL_HOST="myservername"
it's missing the .domainname.com
after adding that, and restarting with firezone-ctl restart, it works, and i can click buttons in the webinterface.

extra info:

/etc/hostname contains: myservername (without the domainname.com)
/etc/hosts contains 127.0.0.1 myservername localhost (also without domainname.com)

Hope this helps,
Cheers!
Frank

Default-Admin user is only changeable via firezone.rb, and password is only changable via secrets.json

I was able to successfully install Firezone in a VM on my Synology NAS, but when I went to configure my default admin user, I was unable to change the email address, or the password. It seems that they're "hardcoded" into Firezone.

When attempting to change, the page sits for a second, then refreshes and repopulates with firezone@localhost and nothing in the password field(s).

I would highly suggest moving away from that model due to security concerns. If someone manages to get ahold of your FZ password it isn't easy to change without having to edit a file, and reconfigure.

Error on install

➜  ~ sudo firezone-ctl reconfigure         
sudo: pam_open_session: Module is unknown
sudo: policy plugin failed session initialization

any ideas?

Add configuration option for changing the default web interface port

Hello,
I'm interested in running firezone on my home infrastructure, and I already have a reverse proxy set up for HTTP and HTTPS traffic, so my outbound port 443 is already tied up. I understand that port 443 can be changed in the nginx config included with firezone, but it would be very handy to include a configuration option to change this port easily.

Thanks!

Fix docs build

Need to wrap up a couple issues with the documentation:

Changing multiple times increases path
Version newlines getting chomped in versions.txt
Some links not prefixed properly

Allow editing Device configs

It would be useful to be able to edit the device address, DNS servers, and Allowed IPs: https://www.reddit.com/r/WireGuard/comments/pxc5hk/comment/hemscjw/?utm_source=reddit&utm_medium=web2x&context=3

Add configuration option to disable IPv4, IPv6

In some cases, IPv4 or IPv6 support isn't needed. Add configuration file option to disable IPv4 or IPv6 altogether.

Note, this will likely require disconnecting all connected devices upon the next firezone-ctl reconfigure.

Support for ARM-based OSes

Firezone would be useful on Raspberry Pi OS (and other ARM-based OSes):

https://www.reddit.com/r/elixir/comments/pyrlcq/comment/hew67bk/?utm_source=reddit&utm_medium=web2x&context=3
https://news.ycombinator.com/item?id=28702827

This will require either AWS Grativon instances or the purchase of a few Raspberry Pis to run self-hosted runners on.

Support for the following ARM-based Linux distros:

Raspberry Pi OS
Ubuntu 18.04, 20.04
Red Hat 7, 8
Amazon Linux 2
SUSE

Own DNS server

Hey, tried my best to find the point to change to save my own DNS server instead of 1.1.1.1. Any chance to change it?

UI requires refresh to show updated email address

The currently logged in user's email address is displayed in the upper right corner. However one can update the user's email address via /settings/account, which works as expected. After saving, the page is refreshed and shows the correct email in the primary display, but the user's email address in the upper right corner remains the old address and initially confused me..

However, a full page refresh sets this to display correctly so this is a just minor UI display issue.

Public IP for Endpoints Behind NAT

The current device configuration page only lists internal IP addresses for the endpoint when they exist.

An option to display a public IP for endpoints behind NAT would be nice .

Make IP range configurable

I would like to replace an existing environment with Firezone. Unfortunately, it seems that the internal IP range cannot be changed. This should be configurable.

Firezone interface and firewall rules don't persist after reboot

As reported in #283, the wg-firezone interface and firezone netfilter table don't persist after a reboot.

Firezone should check to ensure these are enabled and configured properly on application startup.

Allow using external Postgresql database

I use Cockroachdb to host several Postgres databases and would like to use it with this project. Plus, if Firezone will be horizontally scalable one day, it will need to be able to connect to an external db.

For this to work, I primarily need to be able to set these options for the Postgres connection:

https://github.com/firezone/firezone/blob/master/config/releases.exs#L43

connect_opts = [
  ...
  ssl: true,
  ssl_opts: [
    cacertfile: ...,
  ],
  parameters: [options: "--cluster=..."]
]

When I was hacking around Firezone, I discovered that :ssl is not currently compiled into the app; at least that's what i think this error is telling me (I'm not an Elixir dev):

SSL connection can not be established because `:ssl` application is not started,
    you can add it to `extra_applications` in your `mix.exs`

Finally, the chef recipe that creates the user, database and extensions would need to be updated to accept those params.
firezone/omnibus/cookbooks/firezone/recipes/database.rb

although an option to skip that would be great as well.
(I've been manually editing the recipes to just skip those parts as I manually created the user, database, and extensions)

Admin UI Malfunctions

Hello! I recently installed Firezone in a couple of different ways to make sure I wasn't doing something wrong.

I created an Ubuntu Container on a Proxmox instance and everything seemed to install correctly. I ran everything and it seemed to be working. When I would go to create a new user or add a device, either the box wouldn't show in the UI (Add device UI) or it would keep resetting every time I would go to type something (Add user UI). I noticed that every few seconds the connection bars in the top right corner would disconnect and reconnect. This was my first go around and it was using version 2.0.0. I then realized it could be a container issue and spun up a standalone VM.
On the standalone VM I experienced the same issue with version 2.0.0. I then figured I would try an older version. I uninstalled 2.0.0 and then installed 0.1.19, but I ran into the same issue, so it seems that I am missing something or my installation is at fault somewhere.

I did notice that I was receiving an Nginx SSL error, but I also could not find the config file for it. I found the section under Firezone, but the error that I was getting didn't seem to be configurable from the Firezone config.

I would be glad to provide any kind of logs or anything that you would like to look at. Thank you! Any guidance/assistance would be greatly appreciated. Thank you!

Use default WireGuard port of 51820

This will be the port people are expecting the VPN service to be available at by default.

https://discourse.firez.one/t/which-port-to-enable-on-the-cloud-providers-dashboard/14

create-or-reset-admin. I don't know that command.

Hey. Installing Firezone again on my Debian 11. On trying to create an admin I'm getting an error.

root@debian:/home/as/Downloads# firezone-ctl create-or-reset-admin
I don't know that command.
omnibus-ctl: command (subcommand)
General Commands:
  cleanse
    Delete *all* firezone data, and start from scratch.
  create-admin
    Create an Admin user.
  help
    Print this help message.
  reconfigure
    Reconfigure the application.
  reset-network
    Resets nftables, WireGuard interface, and routing table back to Firezone defaults.
  show-config
    Show the configuration that would be generated by reconfigure.
  teardown-network
    Removes WireGuard interface and firezone nftables table.
  uninstall
    Kill all processes and uninstall the process supervisor (data will be preserved).
  version
    Display current version of Firezone
Service Management Commands:
  graceful-kill
    Attempt a graceful stop, then SIGKILL the entire process group.
  hup
    Send the services a HUP.
  int
    Send the services an INT.
  kill
    Send the services a KILL.
  once
    Start the services if they are down. Do not restart them if they stop.
  restart
    Stop the services if they are running, then start them again.
  service-list
    List all the services (enabled services appear with a *.)
  start
    Start services if they are down, and restart them if they stop.
  status
    Show the status of all the services.
  stop
    Stop the services, and do not restart them.
  tail
    Watch the service logs of all enabled services.
  term
    Send the services a TERM.
  usr1
    Send the services a USR1.
  usr2
    Send the services a USR2.

root@debian:/home/as/Downloads# sudo firezone-ctl tail
==> /var/log/firezone/phoenix/current <==
2021-10-18_13:41:20.77271 received TERM from runit, forcing quit
2021-10-18_13:41:23.24121 15:41:23.239 [info] Running FzHttpWeb.Endpoint with cowboy 2.9.0 at 127.0.0.1:13000 (http)
2021-10-18_13:41:23.24947 15:41:23.249 [info] Access FzHttpWeb.Endpoint at http://fire.example.net:13000
2021-10-18_13:41:23.30575 15:41:23.305 [warn] Attempted to set empty WireGuard config string. Most of the time this can be safely ignored.
2021-10-18_13:41:23.30577 
2021-10-18_13:45:57.95322 received TERM from runit, forcing quit
2021-10-18_13:46:00.37866 15:46:00.377 [info] Running FzHttpWeb.Endpoint with cowboy 2.9.0 at 127.0.0.1:13000 (http)
2021-10-18_13:46:00.38747 15:46:00.387 [info] Access FzHttpWeb.Endpoint at http://fire.example.net:13000
2021-10-18_13:46:00.44352 15:46:00.443 [warn] Attempted to set empty WireGuard config string. Most of the time this can be safely ignored.
2021-10-18_13:46:00.44353 

==> /var/log/firezone/nginx/access.log <==
127.0.0.1 - - [2021-10-18T15:43:02+02:00]  "GET /favicon.ico HTTP/1.1" 400 253 "0.000" 248 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
127.0.0.1 - - [2021-10-18T15:43:05+02:00]  "GET / HTTP/1.1" 400 358 "0.000" 248 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
127.0.0.1 - - [2021-10-18T15:43:06+02:00]  "GET / HTTP/1.1" 400 358 "0.000" 248 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
127.0.0.1 - - [2021-10-18T15:43:07+02:00]  "GET / HTTP/1.1" 400 358 "0.000" 248 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
127.0.0.1 - - [2021-10-18T15:43:07+02:00]  "GET / HTTP/1.1" 400 358 "0.000" 248 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
127.0.0.1 - - [2021-10-18T15:43:07+02:00]  "GET / HTTP/1.1" 400 358 "0.000" 248 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
127.0.0.1 - - [2021-10-18T15:43:07+02:00]  "GET / HTTP/1.1" 400 358 "0.000" 248 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
127.0.0.1 - - [2021-10-18T15:43:07+02:00]  "GET / HTTP/1.1" 400 358 "0.000" 248 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
127.0.0.1 - - [2021-10-18T15:43:07+02:00]  "GET / HTTP/1.1" 400 358 "0.000" 248 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
127.0.0.1 - - [2021-10-18T15:43:29+02:00]  "GET / HTTP/1.1" 400 358 "0.000" 248 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"

==> /var/log/firezone/nginx/current <==
2021-10-18_13:42:59.18215 nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /var/opt/firezone/nginx/etc/sites-enabled/phoenix:24
2021-10-18_13:42:59.18309 nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
2021-10-18_13:42:59.68323 nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
2021-10-18_13:43:00.18333 nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
2021-10-18_13:43:00.68358 nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
2021-10-18_13:43:01.18371 nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
2021-10-18_13:43:01.68387 nginx: [emerg] still could not bind()
2021-10-18_13:43:01.68729 nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /var/opt/firezone/nginx/etc/sites-enabled/phoenix:24
2021-10-18_13:43:03.23757 nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /var/opt/firezone/nginx/etc/sites-enabled/phoenix:24
2021-10-18_13:45:57.54199 nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /var/opt/firezone/nginx/etc/sites-enabled/phoenix:24

==> /var/log/firezone/nginx/error.log <==
2021/10/18 15:42:56 [emerg] 72936#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/10/18 15:42:56 [emerg] 72936#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/10/18 15:42:56 [emerg] 72936#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/10/18 15:42:56 [emerg] 72936#0: still could not bind()
2021/10/18 15:42:59 [emerg] 73082#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/10/18 15:42:59 [emerg] 73082#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/10/18 15:42:59 [emerg] 73082#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/10/18 15:42:59 [emerg] 73082#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/10/18 15:42:59 [emerg] 73082#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/10/18 15:42:59 [emerg] 73082#0: still could not bind()

==> /var/log/firezone/postgresql/current <==
2021-10-18_13:45:58.38269 2021-10-18 13:45:58.382 GMT [71404] LOG:  received fast shutdown request
2021-10-18_13:45:58.38444 2021-10-18 13:45:58.384 GMT [71404] LOG:  aborting any active transactions
2021-10-18_13:45:58.38523 2021-10-18 13:45:58.385 GMT [71404] LOG:  background worker "logical replication launcher" (PID 71411) exited with exit code 1
2021-10-18_13:45:58.38536 2021-10-18 13:45:58.385 GMT [71406] LOG:  shutting down
2021-10-18_13:45:58.40663 2021-10-18 13:45:58.406 GMT [71404] LOG:  database system is shut down
2021-10-18_13:45:58.44116 2021-10-18 13:45:58.441 GMT [73511] LOG:  starting PostgreSQL 13.3 on x86_64-pc-linux-gnu, compiled by gcc (Debian 10.2.1-6) 10.2.1 20210110, 64-bit
2021-10-18_13:45:58.44118 2021-10-18 13:45:58.441 GMT [73511] LOG:  listening on IPv4 address "127.0.0.1", port 15432
2021-10-18_13:45:58.44340 2021-10-18 13:45:58.443 GMT [73511] LOG:  listening on Unix socket "/tmp/.s.PGSQL.15432"
2021-10-18_13:45:58.44675 2021-10-18 13:45:58.446 GMT [73512] LOG:  database system was shut down at 2021-10-18 13:45:58 GMT
2021-10-18_13:45:58.44926 2021-10-18 13:45:58.449 GMT [73511] LOG:  database system is ready to accept connections

/etc/firezone/firezone.rb

default['firezone']['fqdn'] = 'fire.example.net'
default['firezone']['nginx']['non_ssl_port'] = 81
default['firezone']['nginx']['ssl_port'] = 444
default['firezone']['ssl']['certificate'] = '/etc/letsencrypt/live/fire.example.net/fullchain.pem'
default['firezone']['ssl']['certificate_key'] = '/etc/letsencrypt/live/fire.example.net/privkey.pem'
default['firezone']['ssl']['ssl_dhparam'] = '/etc/nginx/ssl/dhparams.pem'