I created Firezone to make it easier to host and manage your own WireGuard VPN server. While working at Cisco as a security automation engineer I experienced a lot of unnecessary pain managing secure network-level access into our cloud VPCs. I tried OpenVPN Access Server but I personally feel that security software should be open source to be validated (and improved) by the community. I discovered WireGuard and quickly fell in love with it, but soon found managing the peer configs to be a bit tedious and error-prone. So I built some convenience functionality on top, added a simple Web UI, and open sourced it.<p>Firezone is packaged with Chef Omnibus so the only dependencies are a recent Linux kernel (4.19+) and the WireGuard module. The Web UI is built with Elixir/Phoenix (I’m a recovering full-stack Rails engineer) and runs as an unprivileged user. The Web UI communicates with two other Elixir applications that manage the WireGuard configuration and firewall configuration respectively. I built it this way to allow potentially decoupling the Web UI, VPN, and firewall hosts at some point in the future, but for now Firezone assumes they’re all running on the same host. The firewall application is essentially a frontend to nftables and currently functions as a simple egress firewall to block outbound traffic to specific hosts/CIDRs (in your private network or elsewhere).<p>In the near term I’m planning to polish it up a bit and add more security features. Longer-term I’d like to add things like DNS-based ad blocking, IP blocklist support, LDAP / SSO authentication, and more user management features.<p>I wanted to show it here and see what HN thinks. Hope you find it useful!
I have a singular request - so Wireguard is unusable in any high security environments with <i>compliance requirements</i> - because it doesnt support any 2-factor auth out of the box.<p>We get rejected on stuff like PCI-DSS because the standards mandate a 2-FA. I am not a security expert and wouldnt know about the pros and cons here. But the fact remains that most high-sec compliance needs 2-FA.<p>We have filed tickets on wireguard and it has always got rejected - things like epass2003, fido keys, etc. We have requested the most popular wireguard self-setup - Algo - but also have been rejected.<p>Of all the open source software here, only Pritunl comes somewhat close by layering google auth - <a href="https://docs.pritunl.com/docs/google" rel="nofollow">https://docs.pritunl.com/docs/google</a> . But Pritunl doesnt let u setup google auth as a second factor and its generally tricky to config.<p>If u can have a simple 2-FA - even something as simple as getting a google auth login link while connecting as second factor - that would make the killer feature here. As of right now, Tailscale is the only closed source solution that works.
Alternatively, check out wg-easy, which comes with a beautiful management interface.<p><a href="https://github.com/weejewel/wg-easy" rel="nofollow">https://github.com/weejewel/wg-easy</a>
Nice!
I see *BSD are not supported..
Also, people running OPNsense may find there is already a web-ui for it:
<a href="https://docs.opnsense.org/plugins.html#vpn-connectivity" rel="nofollow">https://docs.opnsense.org/plugins.html#vpn-connectivity</a>
I have a feature request. Can you make this optionally integrate into Cockpit as a plugin? For those using Cockpit to remotely manage a machine this would be very nice.
Minor quibble with the title: "open-source alternative to [something]" implies that [something] isn't open-source, but OpenVPN is. Is this actually an alternative to OpenVPN AS?
shameless plug<p>I am a maintainer of subspace (<a href="https://github.com/subspacecommunity/subspace" rel="nofollow">https://github.com/subspacecommunity/subspace</a>). My contributions were updating the SAML library (crewjam/saml), implementing prometheus support (which is still being reviewed) and some minor features.<p>My vision for the project is to evolve into a fully featured userspace VPN service that still relies on WireGuard for the network layer, but implementing useful features like key rotation, built-in horizontal scaling support, server-client configuration sync, automatic user de-provisioning based on the upstream Active Directory users manifest and an api/sdk for extended automation.<p>But before I can even get to the cool stuff, I need more peers just to review current pull requests and deal with the current issues, because as it is, I don't have quorum to do such (I mean without abusing administrator privileges). Without such, my option would be to fork or reimplement the service.<p>I think Firezone is an excellent effort, we need competition wherever possible and I think we can contribute with ideas, but with SAML/SSO already implemented, maybe subspace is already more suited to corporate environments.