Firezone is a solution for creating VPN servers based on WireGuard

The Firezone project develops a VPN server to provide access to hosts on an internal isolated network from user devices located on external networks. The project is aimed at achieving a high level of protection and simplifying the VPN deployment process. The project code is written in Elixir and Ruby and distributed under the Apache 2.0 license.

The project is being developed by a security automation engineer from Cisco who set out to build a solution that automates host configuration and removes the obstacles encountered when organizing secure access to cloud VPCs. Firezone can be seen as an open source alternative to OpenVPN Access Server, built on top of WireGuard instead of OpenVPN.

For installation, rpm and deb packages are offered for several versions of CentOS, Fedora, Ubuntu and Debian; installing them requires no external dependencies, since everything needed is bundled using the Chef Omnibus toolkit. The only requirements are a distribution with a Linux kernel no older than 4.19 and a built WireGuard kernel module. According to the author, starting and configuring a VPN server takes only a few minutes. The web interface components run under an unprivileged user, and access to them is possible only over HTTPS.


WireGuard is used to organize the communication channels in Firezone. Firezone also has built-in firewall functionality based on nftables. In its current form, the firewall is limited to blocking outgoing traffic from VPN peers to particular hosts or subnets on internal or external networks. Management is performed through the web interface or from the command line using the firezone-ctl utility. The web interface is based on Admin One Bulma.
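The egress blocking described above can be expressed as a small nftables ruleset on the forward hook. The ruleset below is an added illustration and is not Firezone's own configuration; it assumes the WireGuard interface is named wg0, and the blocked destinations are constructed sample values.

```nft
#!/usr/sbin/nft -f
# Added example, not Firezone's ruleset. Assumes the WireGuard tunnel
# interface is wg0 (assumption); blocked addresses are constructed samples.

table inet vpn_egress {
    # Hosts and subnets that VPN peers must not reach.
    set blocked_dst {
        type ipv4_addr
        flags interval
        elements = { 10.10.0.0/16, 192.168.100.5 }
    }

    chain forward {
        # Default-deny on forwarded traffic; only explicitly allowed flows pass.
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows that were already permitted.
        ct state established,related accept

        # Peer traffic toward a blocked destination is logged and dropped,
        # so the decision is visible in the kernel log / journal.
        iifname "wg0" ip daddr @blocked_dst log prefix "vpn-egress-drop " drop

        # Everything else leaving the tunnel is allowed to be forwarded.
        iifname "wg0" accept
    }
}
```

Load it with `nft -f <file>` as root and inspect the result with `nft list table inet vpn_egress`. Because the chain policy is drop, any non-VPN forwarding on the same host needs its own accept rules; the set only covers IPv4, so a matching `ip6_addr` set would be required to block IPv6 destinations as well.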


Currently, all Firezone components run on the same server, but the project has been designed with modularity in mind from the start, and it is planned to add the ability to distribute the web interface, VPN and firewall components across different hosts. The plans also mention integrating a DNS-level ad blocker, support for host and subnet block lists, authentication via LDAP / SSO, and additional user management capabilities.

Source: opennet.ru
