Zero-Trust VPN
WireGuard
Deploy Firezone on a VPS
Open-source zero-trust remote access platform built on WireGuard — deploy a lightweight Gateway with Docker, no inbound ports required, with group-based access policies.
At a Glance
| Field | Value |
|---|---|
| Project | Firezone |
| License | Apache 2.0 |
| Recommended Plan | RamNode Cloud VPS 1 GB+ (up to 50 concurrent clients) |
| OS | Ubuntu 22.04 / 24.04 LTS |
| Stack | Docker, WireGuard, Managed Control Plane |
| Estimated Setup Time | 15–20 minutes |
Prerequisites
- A RamNode VPS with at least 1 GB RAM (1 vCPU sufficient for up to 50 clients)
- Ubuntu 22.04 or 24.04 LTS
- Docker Engine and Docker Compose v2+ installed
- A free Firezone account at app.firezone.dev
Architecture
- Control Plane (Managed): Hosted at app.firezone.dev — handles auth, policies, and Gateway coordination
- Gateway (Self-hosted): Lightweight Rust binary on your VPS — routes encrypted WireGuard traffic
- Client Apps: Native apps for macOS, Windows, Linux, iOS, and Android
VPS Sizing Guide
| Tier | CPU | RAM | Clients | Link Speed |
|---|---|---|---|---|
| Micro | 1 vCPU | 1 GB | Up to 50 | 500 Mbps |
| Small | 2 vCPU | 2 GB | Up to 250 | 1 Gbps |
| Medium | 4 vCPU | 4 GB | Up to 1,000 | 2.5 Gbps+ |
Step 1: Initial Server Setup
Update and install essentials

```bash
ssh root@YOUR_VPS_IP
apt update && apt upgrade -y
apt install -y curl wget gnupg lsb-release ca-certificates
```

Create a non-root user

```bash
adduser firezone
usermod -aG sudo firezone
su - firezone
```

Configure the firewall

```bash
# ufw's defaults are deny incoming / allow outgoing; allow SSH before enabling
# so you do not lock yourself out of the VPS.
sudo ufw allow OpenSSH
sudo ufw enable
```

No inbound ports needed: the Gateway only makes outbound connections (HTTPS/WebSocket to the control plane, UDP to clients and relays established through STUN/TURN NAT hole-punching), so the only inbound rule you need is SSH. Keep inbound rules as restrictive as possible.
Step 2: Install Docker Engine
Add the Docker repository

```bash
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
  | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
echo \
  "deb [arch=$(dpkg --print-architecture) \
  signed-by=/etc/apt/keyrings/docker.gpg] \
  https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo $VERSION_CODENAME) stable" \
  | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
```

Install the Docker packages

```bash
sudo apt update
sudo apt install -y docker-ce docker-ce-cli \
  containerd.io docker-buildx-plugin \
  docker-compose-plugin
sudo usermod -aG docker $USER
newgrp docker
docker --version
docker compose version
```

Membership in the docker group is root-equivalent on the host (any member can start a container that mounts / with full privileges), so add only the account that operates the Gateway.
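The `signed-by=` keyring above is what apt will trust for every future Docker package, so it is worth checking that the key you downloaded is the one Docker publishes (fingerprint 9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88 in Docker's install documentation). The script below is an added example, not code from Docker or Firezone: `fingerprints_from_colons`, `verify_keyring` and `verify_colons` are names chosen here. It parses gpg's machine-readable `--with-colons` listing, taking the `fpr` record that follows each `pub` record (field 10 holds the fingerprint), and accepts the keyring only if it contains exactly that one primary key.

```shell
#!/usr/bin/env bash
# Added example: verify the Docker apt signing key before `apt update` trusts it.
# This is the fingerprint Docker publishes for its apt key in its install docs.
DOCKER_KEY_FPR="9DC858229FC7DD38854AE2D88D81803C0EBFCD88"

# Read `gpg --with-colons` records on stdin and print the fingerprint of every
# primary key: the "fpr" record directly after a "pub" record, field 10.
# Subkey fingerprints (fpr after sub) are deliberately skipped.
fingerprints_from_colons() {
  awk -F: '$1 == "pub" { want = 1; next } $1 == "fpr" && want { print $10; want = 0 }'
}

# Turn a human-formatted fingerprint ("9DC8 5822 ... CD88") into the
# 40-hex-character form gpg emits in colon output.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Decision logic on colon output already captured in a variable, so it can be
# exercised without gpg. Returns 0 only if the listing holds exactly one
# primary key and it is the expected one; a keyring with extra keys would let
# any of them sign the repository metadata, so the comparison is strict.
verify_colons() {
  local expected fprs
  expected=$(normalize_fpr "$2")
  fprs=$(printf '%s\n' "$1" | fingerprints_from_colons)
  [ "$fprs" = "$expected" ]
}

# Same check against a dearmored keyring file such as /etc/apt/keyrings/docker.gpg.
verify_keyring() {
  local listing
  listing=$(gpg --show-keys --with-colons "$1" 2>/dev/null) || return 1
  verify_colons "$listing" "$2"
}

# Usage: ./verify-docker-key.sh /etc/apt/keyrings/docker.gpg
if [ -n "${1:-}" ]; then
  if verify_keyring "$1" "$DOCKER_KEY_FPR"; then
    echo "OK: $1 contains only the Docker apt signing key"
  else
    echo "MISMATCH: remove $1 and fetch the key again" >&2
    exit 1
  fi
fi
```

Run it once right after the `gpg --dearmor` step; if it reports a mismatch, do not continue to `apt update`, because apt would then accept packages signed by whatever key you actually received.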
Step 3: Configure Your Firezone Account
- Sign in at app.firezone.dev using email OTP
- Navigate to Sites → Add Site (e.g., "RamNode-Dallas")
- Click Deploy a Gateway → select the "Docker" tab
- Copy the FIREZONE_TOKEN value

Token security: treat this like an API key. It is the credential that lets a Gateway join your Site, so do not commit it to version control or paste it on a command line where it lands in shell history; if it leaks, generate a new token in the portal and redeploy.
Step 4: Deploy the Firezone Gateway
Create the project directory and .env

```bash
mkdir -p ~/firezone && cd ~/firezone
cat > .env << 'EOF'
FIREZONE_TOKEN=YOUR_TOKEN_HERE
FIREZONE_ID=ramnode-gateway-01
FIREZONE_NAME=RamNode-Gateway-01
RUST_LOG=info
EOF
chmod 600 .env
```

The quoted 'EOF' stops the shell from expanding anything inside the token, and chmod 600 keeps the file readable by the firezone user only. Give each Gateway its own FIREZONE_ID; FIREZONE_NAME is the label you will see in the portal.

docker-compose.yml

```yaml
services:
  firezone-gateway:
    image: "ghcr.io/firezone/gateway:1"
    env_file: .env
    volumes:
      - /var/lib/firezone:/var/lib/firezone
    cap_add:
      - NET_ADMIN
    init: true
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.all.forwarding=1
      - net.ipv6.conf.default.forwarding=1
    healthcheck:
      test: ["CMD-SHELL", "ip link | grep tun-firezone"]
      interval: 5s
      timeout: 10s
      retries: 3
      start_period: 1m
    devices:
      - /dev/net/tun:/dev/net/tun
    restart: unless-stopped
```

The container gets NET_ADMIN and /dev/net/tun, which it needs to create its tun-firezone interface, but nothing more: it does not run privileged, and there is no ports: section because every connection is outbound. The healthcheck passes once that tunnel interface exists, and the /var/lib/firezone volume keeps the Gateway's persistent state across container restarts.

Launch and verify

```bash
docker compose up -d
docker compose ps
docker compose logs -f firezone-gateway
```

The Gateway should appear as Online in your admin portal within moments.
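The two mistakes that most often leave a Gateway stuck offline are a .env that still contains the placeholder token and a .env whose permissions expose the token to other local users. The preflight script below is an added example, not part of the Firezone project; `check_env_file`, `check_forwarding` and the `--run` flag are names chosen here, and the identifier pattern it enforces for FIREZONE_ID is this page's convention, not a Firezone requirement. It refuses to start the Gateway until the .env is owner-only, carries a real token, and has a plain FIREZONE_ID, and it also checks the Step 5 forwarding sysctls on the host.

```shell
#!/usr/bin/env bash
# Added example (not Firezone's code): preflight checks to run in ~/firezone
# before `docker compose up -d`.
set -u

# Print the octal permission bits of a file (GNU stat, with a BSD fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if the env file is safe to hand to docker compose; otherwise print
# the first problem found and return 1.
check_env_file() {
  local envfile="$1" mode token id
  [ -f "$envfile" ] || { echo "missing $envfile"; return 1; }

  # The token is a long-lived Gateway credential: owner-only access.
  mode=$(file_mode "$envfile")
  [ "$mode" = "600" ] || { echo "$envfile is mode $mode, expected 600"; return 1; }

  token=$(sed -n 's/^FIREZONE_TOKEN=//p' "$envfile")
  id=$(sed -n 's/^FIREZONE_ID=//p' "$envfile")

  [ -n "$token" ] || { echo "FIREZONE_TOKEN is empty"; return 1; }
  [ "$token" != "YOUR_TOKEN_HERE" ] || { echo "FIREZONE_TOKEN is still the placeholder"; return 1; }
  # FIREZONE_ID identifies this Gateway in the portal; this page keeps it to
  # letters, digits, '-' and '_' (an assumption of this script, not a Firezone rule).
  printf '%s' "$id" | grep -Eq '^[A-Za-z0-9_-]{1,64}$' \
    || { echo "FIREZONE_ID '$id' is not a plain identifier"; return 1; }
  return 0
}

# Return 0 when both forwarding values (as printed by `sysctl -n`) are 1.
check_forwarding() {
  [ "$1" = "1" ] && [ "$2" = "1" ]
}

# Usage from ~/firezone:  ./preflight.sh --run && docker compose up -d
if [ "${1:-}" = "--run" ]; then
  check_env_file "${2:-.env}" || exit 1
  check_forwarding "$(sysctl -n net.ipv4.ip_forward)" "$(sysctl -n net.ipv6.conf.all.forwarding)" \
    || { echo "host forwarding sysctls are not both 1 (see Step 5)"; exit 1; }
  echo "preflight OK"
fi
```

Chain it in front of the launch (`./preflight.sh --run && docker compose up -d`) so a bad .env fails fast and locally instead of showing up as a Gateway that never comes Online.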
Step 5: Performance Tuning
Increase UDP buffer sizes

```bash
sudo sysctl -w net.core.wmem_max=16777216
sudo sysctl -w net.core.rmem_max=134217728
# Persist in a drop-in file rather than appending to /etc/sysctl.conf, so
# re-running this step does not accumulate duplicate lines.
printf 'net.core.wmem_max=16777216\nnet.core.rmem_max=134217728\n' \
  | sudo tee /etc/sysctl.d/99-firezone.conf
sudo sysctl --system
```

Verify IP forwarding

```bash
sysctl net.ipv4.ip_forward
sysctl net.ipv6.conf.all.forwarding
```

Both should return 1. If either returns 0, add it to the same drop-in file and run `sudo sysctl --system` again.
Step 6: Add Resources and Policies
In the admin portal, navigate to your Site and click Add Resource. Resources can be:
- IP Address: a single host (e.g., 10.1.2.3)
- FQDN: a domain name (e.g., internal.example.com)
- CIDR Range: an entire subnet (e.g., 10.10.10.0/24)

Create policies under Policies → Add Policy. Access is default-deny: users cannot reach any resource without an explicit policy granting their group access to it. Prefer narrow resources (a single host or FQDN) over a broad CIDR so that a policy grants only what the group actually needs.
Step 7: Install Client Apps
| Platform | Installation |
|---|---|
| macOS | Download from firezone.dev or Homebrew |
| Windows | Download from firezone.dev or winget |
| Linux (GUI) | AppImage or .deb/.rpm from firezone.dev |
| Linux (Headless) | Shell script for servers and CI/CD |
| iOS | App Store |
| Android / ChromeOS | Google Play Store |
Step 8: Ongoing Maintenance
Update the Gateway

```bash
cd ~/firezone
docker compose pull
docker compose up -d
```

The image tag :1 tracks the current 1.x release, so a pull followed by up -d replaces the container in place with the newest build.

View logs

```bash
docker compose logs -f firezone-gateway
docker compose logs --tail 100 firezone-gateway
```

Optional environment variables:
| Variable | Default | Description |
|---|---|---|
| RUST_LOG | info | Log level (error, warn, info, debug, trace) |
| FIREZONE_FLOW_LOGS | false | Enable per-connection flow logging |
| FIREZONE_NO_TELEMETRY | false | Disable Sentry crash reporting |
| FIREZONE_LOG_FORMAT | human | Set to json for structured logging |
Firezone Pricing
| Plan | Price | Users | Key Features |
|---|---|---|---|
| Starter | Free | Up to 6 | OIDC auth, load balancing, failover |
| Team | $5/user/month | Up to 500 | Access logs, traffic restrictions, conditional policies |
| Enterprise | Contact sales | Unlimited | Directory sync, dedicated Slack, SLA, SOC 2 |
Troubleshooting
- Gateway offline: check docker compose ps, verify the token, and ensure outbound HTTPS (including the WebSocket upgrade) from the VPS to api.firezone.dev is allowed
- Clients can't connect: verify a policy exists granting access, and that the Gateway can reach the resource directly (it is the Gateway's host, not the client, that needs a route to the resource)
- Slow throughput: apply the UDP buffer tuning from Step 5 and check the logs for relay usage; a connection that falls back to a TURN relay because hole-punching failed takes a longer path than a direct peer-to-peer tunnel
