At a Glance:
Firezone is an open-source, zero-trust remote access platform built on WireGuard, offering peer-to-peer connections that are 3x faster than OpenVPN with group-based access policies for applications and subnets.
Overview:
Firezone is a platform for managing secure remote access that implements a zero-trust, least-privileged model using group-based policies. It is built on the WireGuard protocol to provide peer-to-peer, end-to-end encrypted tunnels, and it supports authentication via email, Google Workspace, Okta, Entra ID, or OIDC. The system uses holepunching to establish tunnels on the fly at the moment of access, so gateways expose no public attack surface. It is designed for organizations and provides an admin UI to deploy gateways and configure access. The project explicitly states it is not a tool for creating bi-directional mesh networks, a full-featured router or firewall, or an IPSec or OpenVPN server.
Key Decision Points:
Architecture and access model: Implements zero-trust, peer-to-peer connections with group-based policies that control access to individual applications or entire subnets, rather than providing broad network access.
Deployment model: A managed cloud offering is available with SLA and enterprise support; self-hosting is allowed for educational or hobby use but is not officially supported for production due to rapidly changing internal APIs.
Client and gateway platforms: Provides a cross-platform GUI client, a CLI client, a gateway deployed on user infrastructure, and a relay for holepunching, with separate implementations in Rust, Swift, and Kotlin.
Project boundaries: The README explicitly states that Firezone is not a bi-directional mesh network tool, not a full-featured router or firewall, and not an IPSec or OpenVPN server.
Performance characteristics: Delivers up to 5 Gbps per connection with sub-10ms latency overhead, using a lightweight Rust-based data plane.
Core Features:
Group-based access policies: Controls access to specific applications, IPs, and subnets using granular, group-level rules instead of granting broad network access.
Holepunching: Establishes WireGuard tunnels on the fly at the time of access, so gateways need no open inbound ports and present no attack surface to the public internet.
Multiple authentication methods: Supports user authentication via email, Google Workspace, Okta, Entra ID, and OIDC, with automatic user and group syncing.
Peer-to-peer encrypted tunnels: All data travels through end-to-end encrypted tunnels directly between peers, not routing through Firezone's infrastructure.
Automatic load balancing and failover: Deploying two or more gateways provides automatic load balancing and failover for connections.
Activity audit logs: Provides full activity logging for compliance and monitoring, with a 90-day retention period available on enterprise plans.
Use Cases:
System administrators who need to replace a traditional VPN with a zero-trust access system that enforces least-privileged access to internal applications and subnets.
Organizations needing to provide remote access for a distributed workforce, using existing identity providers like Okta or Google Workspace for authentication.
Developers who want to experiment with self-hosting a zero-trust access platform for educational or hobby purposes by building the control plane and clients from source.
Teams requiring high-throughput remote access, as the platform supports up to 5 Gbps per connection with WireGuard-based encryption.
Open-Source Alternative Value:
The entire Firezone product is open-source under Apache 2.0 and Elastic 2.0 licenses, making the full source code available for audit. Users can self-host the admin portal and data plane for educational or hobby purposes, though production self-hosting is not officially supported due to rapid internal API changes. The architecture is based on peer-to-peer WireGuard tunnels with holepunching for zero attack surface, which contrasts with legacy hub-spoke VPN models. The admin UI and control plane are built in Elixir, the data plane and gateway in Rust, and native clients in Swift and Kotlin, providing a transparent reference implementation for zero-trust remote access.