Wireguard using Firezone, Jumpcloud and NextDNS
As a rule, my home network is set up to communicate across several sites using Tailscale, and I also use it as a personal VPN when out of the house. Everything I need is hidden behind the Tailnet.
One lesson life has taught me, however, is always to have a backup. I also have some situations where providing family access to my Tailscale network isn’t a good idea, so in those situations I’ve been using Wireguard.
It’s fast and easy to set up with wg-easy in Docker. I provide the family with a config for Windows or Android and they don’t need to do anything else.
I’m always looking for better ways to do things, and I was looking to see if there was a way I could have my family self-serve their own Wireguard configs while moving the server out of the home network onto my cloud network to improve security a little.
This is when I ran across Firezone.
The following post will explain how to set Firezone up, where I had a few issues and how I got around them, how I’ve linked Firezone to Jumpcloud for SSO and then because I’m all about Chromebooks, I’ll cover how to create a Wireguard config and have it running on a Chromebook.
I’ve installed this on an Ubuntu 22.04 machine at a cloud hoster with 1 vCPU and 2 GB of RAM, which is the minimum spec recommended by the development team.
Docker or Omnibus
There are both Docker and Omnibus installs. I’ve gone for the Docker install as I run Docker across my estate and assumed it would be the simpler of the two.
For sanity more than anything else I’ve also created the following symlink, so the Compose plugin can be invoked as docker-compose as well as docker compose (writing to /usr/local/bin needs root):
ln -s ~/.docker/cli-plugins/docker-compose /usr/local/bin/docker-compose
I’ve opened the following public ports using ufw:
80/tcp (optional): for automatically issuing TLS certificates.
443/tcp: to access the web UI.
51820/udp: the Wireguard listen port for VPN traffic.
ufw allow in on enp1s0 to any port 80 proto tcp
ufw allow in on enp1s0 to any port 443 proto tcp
ufw allow in on enp1s0 to any port 51820 proto udp
enp1s0 is the public interface on my VM; substitute yours (ip -br link lists them). Nothing else needs to be reachable from the Internet.
You’ll need a publicly accessible IP address with an Internet-resolvable DNS name pointing at it, because the TLS certificate is issued for that DNS name as part of the setup.
There are two ways to install Firezone on Docker: an Automatic Install and what I’d call a Kinda Automatic Install. When I ran this in a test VM I had no issues at all with the automatic method, but when I ran it in the cloud VM it stalled at starting Postgres. The choice is yours.
Run the automatic install script as a regular user (not root):
bash <(curl -fsSL https://github.com/firezone/firezone/raw/master/scripts/install.sh) 1859c4ec6ac1d8-0d70a3ea532847-5817011c-465000-1859c4ec6ad99e
The script prompts for answers to several questions. The ones you need to worry about are:
- Accept the defaults for the rest of the questions.
What should happen next?
A docker-compose.yml and a .env file are created under the download location you chose; docker compose is then run to bring up the Caddy, Postgres and Firezone containers, and finally an admin user is created.
What happened to me?
The Postgres container started and the script ended.
Kinda Automatic Install
Download the Docker Compose template to a local working directory (Linux):
curl -fsSL https://raw.githubusercontent.com/firezone/firezone/master/docker-compose.prod.yml -o docker-compose.yml
Generate the required secrets:
docker run --rm firezone/firezone bin/gen-env > .env
At a minimum, change the EXTERNAL_URL variable so it matches the DNS name you pointed at the server. Optionally modify other secrets as needed.
Bring the services up:
docker compose up -d
Then run the following:
watch docker ps
This refreshes the docker ps output every few seconds; keep watching until the caddy, postgres and firezone containers all show as running.
Press CTRL-C to exit watch.
Wait about a minute for the services to boot, then create the first admin
docker compose exec firezone bin/create-or-reset-admin
You should now be able to log in. The password to log in is in the .env file created earlier.
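Before bringing the stack up it is worth checking the generated .env against the DNS name you set up, since a wrong EXTERNAL_URL means a certificate for the wrong name and device configs pointing at the wrong endpoint. The following is an added example, not part of Firezone or of bin/gen-env: the variable names it looks for are an assumption about what gen-env writes (edit REQUIRED to match your file), and both sample files are constructed.

```python
"""Sanity-check a Firezone .env before `docker compose up -d`.

Added example, not part of Firezone. The variable names in REQUIRED are an
assumption about what `bin/gen-env` writes; adjust them to your file.
"""
from urllib.parse import urlsplit

REQUIRED = ("EXTERNAL_URL", "ADMIN_EMAIL", "DEFAULT_ADMIN_PASSWORD",
            "DATABASE_PASSWORD", "SECRET_KEY_BASE")


def parse_env(text):
    """Minimal KEY=value reader: skips blanks and comments, strips matching quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def check_env(text, expected_host):
    """Return the list of problems found; an empty list means the file looks sane."""
    env = parse_env(text)
    problems = [f"{k} is missing or empty" for k in REQUIRED if not env.get(k)]
    url = urlsplit(env.get("EXTERNAL_URL", ""))
    if url.scheme != "https":
        problems.append("EXTERNAL_URL must use https: the admin UI, device configs "
                        "and SAML endpoints are all built from it")
    if url.hostname != expected_host:
        problems.append(f"EXTERNAL_URL host {url.hostname!r} is not the DNS name "
                        f"{expected_host!r} the certificate will be issued for")
    if len(env.get("DEFAULT_ADMIN_PASSWORD", "")) < 12:
        problems.append("DEFAULT_ADMIN_PASSWORD is shorter than 12 characters")
    return problems


# Constructed samples, not real gen-env output.
GOOD_ENV = """
EXTERNAL_URL="https://vpn.example.com"
ADMIN_EMAIL=admin@example.com
DEFAULT_ADMIN_PASSWORD=Correct-Horse-Battery-Staple-42
DATABASE_PASSWORD=3f9c0a7e1b2d4c6e
SECRET_KEY_BASE=8d1e6b4a2c9f0e3d7a5b1c8e2f4d6a0b9c3e5f7a1d2b4c6e8f0a2c4e6b8d0f1a
"""

BAD_ENV = """
EXTERNAL_URL=http://localhost
ADMIN_EMAIL=admin@example.com
DEFAULT_ADMIN_PASSWORD=admin
DATABASE_PASSWORD=
SECRET_KEY_BASE=x
"""

if __name__ == "__main__":
    for problem in check_env(BAD_ENV, "vpn.example.com"):
        print("-", problem)
```

Run it as `python check_env.py` after pointing GOOD_ENV at the real file (`open(".env").read()`); anything it lists is worth fixing before the containers come up, because the certificate and every device config are derived from EXTERNAL_URL.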
Once logged in you’ll be presented with several config options.
List or add users via this screen, and add devices to your own account.
List of devices which have connected across all user accounts to
Egress routing rules
These are the defaults which apply to every device config, such as DNS, allowed IPs and endpoint.
Details of the logged-in account, including logged-in devices, 2FA and account disabling.
An area to change the product logo
Base security settings for accounts and SSO/SAML Setup
Firezone periodically checks for WAN connectivity to the Internet and logs the result here. This is used to determine the public IP address of this server for populating the default endpoint field in device configurations.
Add a User
To add a user, click on Add User and then the Add User button, which displays a popup. Fill it in and click Save.
This will take you to the user page.
Add a device
Under the user page, click on the Add Device button, which presents a popup with two fields:
Name: enter a device name
Description: enter a description
These help you know what is logged on and where.
Click on Generate Configuration
The following popup will be displayed
I’d recommend saving the config. It contains the device’s private key, so treat the file as a secret.
The QR code works with the mobile Wireguard app.
Jumpcloud for SSO
Under the Security section there is an option to implement SSO with either SAML or OAuth, which piqued my interest because the list of supported services includes Jumpcloud, and I use Jumpcloud. Having a centralised user directory (one place to manage user passwords) makes services such as this easier to manage.
Firezone supports Single Sign-On (SSO) with JumpCloud through its generic SAML 2.0 connector. This guide walks through how to configure the integration.
Create a SAML connector
In the JumpCloud admin portal, create a new App under the SSO tab. At the bottom of the popup window, click Custom SAML App.
After entering your desired value for Display Label, click the SSO tab, then use the following configuration values:
IdP Entity ID: any unique string will work, e.g.
SP Entity ID: this should be the same as your Firezone SAML_ENTITY_ID, defaults to
This is your Firezone
SAMLSubject NameID Format: leave at the default.
This is your Firezone
Leave the rest of the settings unchanged, then click the activate button at the bottom-right.
Your JumpCloud configuration should now resemble the following:
Now, download the IdP Metadata document by selecting the App you just created and then clicking the export metadata button in the upper-right. You’ll need to copy-paste the contents of this document into the Firezone portal in the next step.
Add SAML identity provider to Firezone
In the Firezone portal, add a SAML identity provider under the Security tab by filling out the following information:
Firezone uses this value to construct endpoints required in the SAML authentication flow (e.g., receiving assertions, login requests).
Appears on the sign in button for authentication.
Copy-paste the contents of the SAML metadata document you downloaded in the previous step from JumpCloud.
Require signed assertions
Require signed envelopes
Leave both of these enabled. They make Firezone verify JumpCloud’s signature on what comes back from the IdP; without them a SAML response that anyone could have written would be accepted as a login.
Your Firezone configuration should now resemble the following:
After saving the SAML config, the Firezone sign-in page gains an additional Sign in with JumpCloud button.
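A quick look at the exported metadata before pasting it into Firezone catches the two things that silently break this integration: an entityID that differs from the IdP Entity ID you typed into JumpCloud, and a document with no signing certificate, which is exactly what the signed assertions and signed envelopes options verify against. The following is an added example, not Firezone’s or JumpCloud’s code. The sample metadata, the expected entityID and the certificate blob inside it are all constructed (the blob only starts like a DER SEQUENCE; it is not a real certificate), and the assumption that JumpCloud exports your IdP Entity ID unchanged as entityID is mine.

```python
"""Inspect JumpCloud IdP metadata before pasting it into Firezone.

Added example, not Firezone's or JumpCloud's code. IDP_ENTITY_ID and the
sample document are constructed; FAKE_DER is a stand-in, not a certificate.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET  # fine for metadata you fetched yourself; use defusedxml for untrusted XML

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
IDP_ENTITY_ID = "https://sso.jumpcloud.com/saml2/firezone"        # constructed
FAKE_DER = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode()  # SEQUENCE header + filler


def sample_metadata(with_cert=True):
    """Constructed metadata in the shape an IdP exports (not a real JumpCloud export)."""
    key_descriptor = f"""
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
{textwrap.fill(FAKE_DER, 64)}
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>""" if with_cert else ""
    return f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="{IDP_ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">{key_descriptor}
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="{IDP_ENTITY_ID}"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="{IDP_ENTITY_ID}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_idp_metadata(xml_text, expected_entity_id):
    """Summarise the metadata; report['problems'] is empty when it is usable."""
    root = ET.fromstring(xml_text)
    problems, sso_urls, signing_certs = [], {}, 0
    entity_id = root.get("entityID")
    if root.tag != MD + "EntityDescriptor":
        problems.append("root element is not md:EntityDescriptor")
    if entity_id != expected_entity_id:
        problems.append(f"entityID {entity_id!r} differs from the IdP Entity ID entered in JumpCloud")
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        problems.append("no IDPSSODescriptor: this is not IdP metadata")
    else:
        for kd in idp.findall(MD + "KeyDescriptor"):
            if kd.get("use", "signing") != "signing":   # no 'use' attribute means signing and encryption
                continue
            node = kd.find(f"{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
            blob = "".join((node.text or "").split()) if node is not None else ""
            try:
                der = base64.b64decode(blob, validate=True)
            except ValueError:
                der = b""
            if der[:1] == b"\x30":                      # a DER certificate is an ASN.1 SEQUENCE
                signing_certs += 1
            else:
                problems.append("signing KeyDescriptor has no decodable X509Certificate")
        for svc in idp.findall(MD + "SingleSignOnService"):
            location = svc.get("Location", "")
            sso_urls[svc.get("Binding")] = location
            if not location.startswith("https://"):
                problems.append(f"SingleSignOnService {location!r} is not https")
        if not sso_urls:
            problems.append("no SingleSignOnService endpoint")
        if signing_certs == 0:
            problems.append("no signing certificate: Firezone would have nothing to verify "
                            "signed assertions and envelopes against")
    return {"entity_id": entity_id, "sso_urls": sso_urls,
            "signing_certs": signing_certs, "problems": problems}


if __name__ == "__main__":
    report = inspect_idp_metadata(sample_metadata(), IDP_ENTITY_ID)
    print(report["entity_id"], report["signing_certs"], report["problems"] or "ok")
```

To use it on the real export, replace `sample_metadata()` with `open("metadata.xml").read()` and pass the IdP Entity ID you chose in JumpCloud; a non-empty problems list means the paste into Firezone will not produce a working sign-in.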
Any user created in Jumpcloud can now log in (authentication) and an account will be set up on Firezone automatically, so you don’t need to create one for them. Which Jumpcloud users can do this is controlled by the user groups you bind the app to in Jumpcloud, so check that binding if the VPN is only meant for the family.
The user is prompted for their Jumpcloud login and is then presented with the user screen.
From here the user can self-serve adding devices to the Firezone server under their own account. The admin user(s) can see all of the devices and users, but not the keys for them.
Listed in the references below is a link to the most common clients and how to set them up. I use a Chromebook, and this is how I use native Wireguard on it.
Open Settings and head to the network
Click on Add Connections
Click on Add built-in VPN, which defaults to OpenVPN.
Select Wireguard from the drop-down and the inputs change.
Open the .conf file downloaded when adding a device to your Firezone user account. It looks like this:
[Interface]
PrivateKey = YvZd416fnN0Qqrajrakjra6iVPFSP3Eg7ofv9dz08=
Address = 10.3.2.4/32,fd00::3:2:4/128
MTU = 1280
DNS = 184.108.40.206,220.127.116.11

[Peer]
PresharedKey = 0ltbCreTkKdgshfarriZQ+GpsWTQ3qwzrYS2Dc=
PublicKey = FjfjksSFJFJjhfnshsskfJh4D8MBMObzAfZYebo6zU=
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = vpn.oninternet.com:51820
PersistentKeepalive = 25
To map the Wireguard client inputs to this config file:
Click on Connect
You’re now done.
Loginto Firezone to see the login information.
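Because the ChromeOS form has no import button, the .conf has to be transcribed field by field, and a typo in a key or a missing default route in AllowedIPs fails in ways a family member will not diagnose. The following added example (not Firezone’s, Wireguard’s or ChromeOS’s code) parses the file, checks the points that matter on a family device (keys of the right length, a default route so DNS and LAN traffic do not bypass the tunnel, a keepalive for NAT) and prints the values against the form labels. The ChromeOS field labels are my assumption about the UI, and the sample config with its stand-in keys is constructed, not taken from the post.

```python
"""Parse a Firezone-generated WireGuard .conf, sanity-check it and map it onto
the fields of the ChromeOS built-in WireGuard client.

Added example, not Firezone's, WireGuard's or ChromeOS's own code. The
ChromeOS field labels are assumptions about the UI; the sample config and its
keys are constructed (base64 of consecutive byte values), not real key material.
"""
import base64
import ipaddress


def fake_key(start):
    """Stand-in key: base64 of 32 consecutive byte values (right shape, never use)."""
    return base64.b64encode(bytes(range(start, start + 32))).decode()


# Constructed sample in the same shape as the config Firezone hands out.
SAMPLE_CONF = f"""
[Interface]
PrivateKey = {fake_key(0)}
Address = 10.3.2.4/32,fd00::3:2:4/128
MTU = 1280
DNS = 192.0.2.53,198.51.100.53

[Peer]
PresharedKey = {fake_key(32)}
PublicKey = {fake_key(64)}
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = vpn.example.com:51820
PersistentKeepalive = 25
"""


def key_ok(b64):
    """WireGuard keys are exactly 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except ValueError:          # binascii.Error is a ValueError
        return False


def parse_wg_conf(text):
    """Return (interface_settings, [peer_settings, ...]) with lower-cased keys."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{section}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, _, value = line.partition("=")    # first '=' only: base64 keys end in '='
        current[key.strip().lower()] = value.strip()
    return interface, peers


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def chromeos_fields(conf_text):
    """Map the config onto the ChromeOS form; return (fields, warnings)."""
    iface, peers = parse_wg_conf(conf_text)
    if len(peers) != 1:
        raise ValueError("the ChromeOS form takes exactly one [Peer]")
    peer, warnings = peers[0], []

    for owner, name in ((iface, "privatekey"), (peer, "publickey"), (peer, "presharedkey")):
        if name not in owner and name != "presharedkey":   # PSK is optional
            warnings.append(f"{name} is missing")
        elif name in owner and not key_ok(owner[name]):
            warnings.append(f"{name} is not a 32-byte base64 key")

    if not [ipaddress.ip_interface(a) for a in _csv(iface.get("address", ""))]:
        warnings.append("no Address: the client needs its tunnel IP(s)")
    allowed = [ipaddress.ip_network(a, strict=False) for a in _csv(peer.get("allowedips", ""))]
    if not any(n.prefixlen == 0 for n in allowed):
        warnings.append("AllowedIPs has no default route: split tunnel, so LAN and DNS traffic stay outside the VPN")
    elif not iface.get("dns"):
        warnings.append("full tunnel without DNS: queries keep going to the local resolver")
    host, _, port = peer.get("endpoint", "").rpartition(":")
    if not host or not port.isdigit():
        warnings.append("Endpoint must be host:port")
    if "persistentkeepalive" not in peer:
        warnings.append("no PersistentKeepalive: a client behind NAT may drop off after idling")

    fields = {                                  # assumed ChromeOS labels
        "Private key": iface.get("privatekey", ""),
        "Client IP address": iface.get("address", ""),
        "DNS servers": iface.get("dns", ""),
        "Peer public key": peer.get("publickey", ""),
        "Preshared key": peer.get("presharedkey", ""),
        "Endpoint": peer.get("endpoint", ""),
        "Allowed IPs": peer.get("allowedips", ""),
        "Persistent keepalive": peer.get("persistentkeepalive", ""),
    }
    return fields, warnings


if __name__ == "__main__":
    fields, warnings = chromeos_fields(SAMPLE_CONF)
    for label, value in fields.items():
        print(f"{label:22} {value}")
    print("warnings:", warnings or "none")
```

Point it at the downloaded file with `chromeos_fields(open("device.conf").read())`; the printed lines are what gets typed into the form, and an empty warnings list means the device will send all of its traffic, DNS included, through the tunnel.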
I won’t dwell on this: if, once you’ve added SSO, you’d like some additional protection and don’t have a Pi-hole set up, you can use https://nextdns.io/
Create a dedicated NextDNS configuration for the VPN and link it to the public IP your traffic egresses from when attached to the VPN, which is the Firezone server’s address.
Then update the DNS setting under Defaults in Firezone with the IPv4 DNS addresses NextDNS gives you for that configuration, so every device config hands them out.
Have a read about NextDNS here.
I’ve been using Wireguard since its early days, when servers were set up from the command line, and I’ve worked through several interfaces over the years; Firezone is one of the better experiences I’ve had so far.
I inadvertently said Firezone could contact me during the installation and I’m glad I did as it’s a small business that seems to actually care about its product.
Now it’s time to migrate my family over to it.