Launch HN: Firezone (YC W22) – Zero-trust access platform built on WireGuard

115 pointsby jamilbk10 months ago

Hi HN! I'm Jamil Bou Kheir, founder of Firezone (<a href="https://www.firezone.dev">https://www.firezone.dev</a>), a remote access platform that is a replacement for legacy corporate VPNs. Built on WireGuard (a fast, modern VPN protocol), Firezone secures your team’s apps, networks and services using access policies synced with your identity provider. You deploy tiny, self-contained binaries into your infrastructure anywhere you need access, and your workforce uses our client apps to reach the resources they protect.Here’s a demo: <a href="https://youtu.be/QEv7dJwKMvo" rel="nofollow">https://youtu.be/QEv7dJwKMvo</a>.Historically, the tool used to achieve this has been the corporate VPN. These work off a security model where you authenticate with the perimeter and gain access to the network behind it, which works when most workers are in office and resources on-prem. But as workers go remote and resources move to the cloud, the perimeter blurs, making it harder to secure.I experienced this issue first-hand as a security engineer hunting for APT malware on Cisco's intranet. Malware often landed first on remote employee laptops, then spread from there to critical internal systems. Firewalls were somewhat effective at solving this problem, but they were clunky—it could take months for Infosec to approve requests to allow your team’s app or services through.When Covid forced everyone to work from home, even Cisco struggled to grapple with the increased demand on its VPN concentrators. The perimeter defense model meant that we had to VPN into the intranet to get anything done, and if the speeds were really bad, we couldn't work that day.One way to solve the above problems is to break up the single perimeter into many smaller ones, shifting them closer to the resources they protect. That way, compromising one perimeter does not gain you access to all others, and traffic is not bottlenecked through a single choke point. However, now you have many VPN tunnels instead of one, and most VPN protocols are too heavyweight for this.If Cisco was facing these issues with remote access, I thought, others must be facing similar problems. So when WireGuard came along, I started Firezone.WireGuard tunnels are so lightweight you can open thousands of them from an iPhone to whatever resources you need access to. Firezone builds on that and also handles NAT traversal, so you don’t need to change your firewall configuration to use it. Just deploy Gateways - small, statically-linked Linux binaries - where you need access, and Firezone’s homegrown STUN/TURN layer (we call “snownet”) handles the rest. If you need more throughput, just deploy more Gateways, and load is balanced across all of them.WireGuard keys are distributed to peers only when access to a particular resource is authorized, and private keys never leave the device’s memory where they were generated. If a Gateway goes offline, Firezone will migrate connections from it to healthy ones within about 10 seconds, without user intervention. We lean heavily on Elixir/Phoenix and OTP’s awesome concurrency features to power all of this.Firezone’s access control system is intentionally very simple. Policies define which user groups have access to which resources based on a default-deny system. More perimeters means more rules managing access to them, so we intentionally wanted to keep admins out of “ACL hell” as the number of controls grew.One area we’re actively working to improve is our UI/UX - Firezone is a product built by engineers, for engineers, and at times, it shows! Expect refinements to come in this area over the coming months.I’d love for you to give Firezone a try! You can spin up a demo instance at <a href="https://app.firezone.dev/try">https://app.firezone.dev/try</a> without signing up, and download clients from <a href="https://www.firezone.dev/kb/client-apps">https://www.firezone.dev/kb/client-apps</a>. And if you’re curious to learn more about how Firezone works, see for yourself - we build in the open at <a href="https://www.github.com/firezone/firezone">https://www.github.com/firezone/firezone</a>.Thanks for reading, and I look forward to your feedback!

17 comments

jkelleyrtp10 months ago

Hey! I worked on WARP at Cloudflare. I believe Cisco has anyconnect and then there's zscaler.I'm curious how you guys are competing with the other folks in the space. WARP was/is a really tough product to maintain (crossplatform networking is very difficult). CF was doing well with WARP mostly due to the distribution advantage. I imagine it's harder for startups to break into the space.

评论 #41178421 未加载

评论 #41179856 未加载

评论 #41192637 未加载

评论 #41174868 未加载

gchamonlive10 months ago

At my last job, I implemented Firezone on AWS and it worked like a charm.It was before the refactoring and the move to zero trust, so back then it was a simple admin panel. It was maybe mid 2022 I implemented it.There was a terraform module I created for setting up the basic infrastructure, but there is no way the module supports the current state of the product. I guess it moved way quicker than I was able to follow LOL. The module was accepted in the Firezone group but later discontinued, for obvious reasons. I wish I had the time to contribute to the project supporting an official module for it, but I guess life happens to everyone hahaGood luck with the project! This is really good and very needed, the only other alternative being Tailscale, which is all closed source.

评论 #41183617 未加载

xyst10 months ago

Wow, a product that hasn’t shoehorned AI/LLM into their offerings. Will be following.Love that you are using rust!

igorguerrero10 months ago

We use it a work, didn't know you guys were fresh in the biz, our dev ops guy switched us to you guys, I had no problem, I love that it uses wireguard, our previous provider was a PITA :)

jimmar10 months ago

In the spirit of constructive feedback, spend the time and effort to record your product demonstrations in a more professional environment. Or generate a fake background at a minimum.

评论 #41175350 未加载

评论 #41177660 未加载

评论 #41175282 未加载

评论 #41181317 未加载

cedws10 months ago

I'm a big fan of Tailscale but it's unfortunate that it's proprietary, so it's really nice to see an open source alternative. The commercial pricing also looks very reasonable. Wishing your product much success.

评论 #41178764 未加载

评论 #41176126 未加载

评论 #41175047 未加载

评论 #41180820 未加载

nmadden10 months ago

I don’t really get the threat model of these “zero trust” appliances and how they are really different from a VPN. Can someone explain it to me? It still looks very much like a perimeter.

评论 #41174838 未加载

评论 #41183561 未加载

mwest21710 months ago

How does this compare with e.g. Tailscale?

评论 #41173684 未加载

评论 #41177706 未加载

phil-martin10 months ago

One of the pain points I’ve experienced with configuration of traditional VPNs is when devices physically connect to different parts of the network when staff travel between home and different offices.For a small example, when working from home, we want to connect to SMB shares over the vpn, with regular traffic going over the regular LAN interface of the computer. When the same person comes into the main office, just use the LAN. The simplest solution is to teach users to make sure they turn their VPN off when in the office, but that’s a super easy step to forget.Could Firezone help managing these quality-of-life details for end users?

评论 #41175018 未加载

computershit10 months ago

Impressive work, congrats on the launch! Aside from the OSS perspective, how would you compare your service to Twingate?

评论 #41173982 未加载

ochronus10 months ago

It's really exciting to see this space bloom! Congrats on the launch!

chetanbhasin10 months ago

Since you're directly competing with Tailscale, you have to compare the websites. The landing pages and documentation are waaay nicer, IMHO.I see the difference though. Tailscale goes with "secure this and that." It appears to attract people who don't already use a VPN, while you compare it straight to a VPN, which may be more enterprise crowd.I'm not sure what your exact market is, but for a young startup at the very least, Tailscale marketing and UX appears a lot nicer.

aos10 months ago

Congrats on the launch! Will definitely have to check it out. I see you’re using Phoenix/Liveview for the control plane. :-) How has that been working for you?

评论 #41178065 未加载

taekwondo12310 months ago

The concern I have with these types of solutions (meaning Tailscale, Firezone, etc.), is that I need to trust the provider not to mess up or maliciously exchange keys with rouge devices. Is this the case with Firezone as well?I see that tailscale addresses this now somewhat: <a href="https://tailscale.com/kb/1226/tailnet-lock" rel="nofollow">https://tailscale.com/kb/1226/tailnet-lock</a>

评论 #41181596 未加载

评论 #41180148 未加载

评论 #41184674 未加载

somepleb10 months ago

Awesome to see so many solutions in this space and the rapid development. Do you plan to add mesh networking?

altdataseller10 months ago

Not a comment on the actual product but did you use a specific template or stack on the app you show in the demo?

评论 #41176891 未加载

aborsy10 months ago

Tailscale does these things, and does them very well. We have been pretty happy with it.