Hailbytes VPN and Firezone Firewall Documentation

Table of Contents

Getting Started

Step-by-step instructions for deploying Hailbytes VPN with the Firezone GUI are provided here.

Administrator: Setting up the server instance is covered directly in this section.

User Guides: Helpful documents that teach you how to use Firezone and resolve common problems. Consult this section after the server has been deployed successfully.

Common Configuration Guides

Split Tunneling: Use the VPN to send traffic only to specific IP ranges.

Whitelisting: Set a static IP address for the VPN server so that whitelisting can be used.

Reverse Tunnels: Create tunnels between several peers using a reverse tunnel.

Get Support

We are happy to help if you need assistance installing, customizing, or using Hailbytes VPN.

Authentication

Before users generate or download device configuration files, Firezone can be configured to require authentication. Users may also need to re-authenticate periodically to keep their VPN connection active.

Although Firezone's default login method is local email and password, it can also be integrated with any standards-compliant OpenID Connect (OIDC) identity provider. Users can then log in to Firezone using their Okta, Google, Azure AD, or private identity provider credentials.

 

Integrate A Generic OIDC Provider

The configuration settings Firezone needs to allow SSO through an OIDC provider are shown in the example below. The configuration file is located at /etc/firezone/firezone.rb. Run firezone-ctl reconfigure and firezone-ctl restart to update the application and apply the changes.

 

# This example uses Google and Okta as SSO identity providers.
# Multiple OIDC configs can be added to the same Firezone instance.

# Firezone can disable a user's VPN if an error is detected while trying to
# refresh their token. This is confirmed to work for Google, Okta, and
# Azure SSO and is used to automatically disconnect a user's VPN if they are removed
# from the OIDC provider. Leave this disabled if your OIDC provider
# has issues refreshing access tokens, as it could unexpectedly interrupt a
# user's VPN session.
default['firezone']['authentication']['disable_vpn_on_oidc_error'] = false

default['firezone']['authentication']['oidc'] = {
  google: {
    discovery_document_uri: "https://accounts.google.com/.well-known/openid-configuration",
    client_id: "<GOOGLE_CLIENT_ID>",
    client_secret: "<GOOGLE_CLIENT_SECRET>",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/google/callback/",
    response_type: "code",
    scope: "openid email profile",
    label: "Google"
  },
  okta: {
    discovery_document_uri: "https://<OKTA_DOMAIN>/.well-known/openid-configuration",
    client_id: "<OKTA_CLIENT_ID>",
    client_secret: "<OKTA_CLIENT_SECRET>",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/okta/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Okta"
  }
}



The following config settings are required for the integration:

  1. discovery_document_uri: The OpenID Connect provider configuration URI, which returns a JSON document used to construct subsequent requests to this OIDC provider.
  2. client_id: The client ID of the application.
  3. client_secret: The client secret of the application.
  4. redirect_uri: Instructs the OIDC provider where to redirect after authentication. This should be your Firezone EXTERNAL_URL + /auth/oidc/<provider>/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/google/callback/).
  5. response_type: Set to code.
  6. scope: OIDC scopes to obtain from your OIDC provider. This should be set to openid email profile or openid email profile offline_access depending on the provider.
  7. label: The button label text displayed on your Firezone login screen.

Pretty URLs

For each OIDC provider a corresponding pretty URL is created that redirects to the configured provider's sign-in URL. For the example OIDC config above, the URLs are:

  • https://instance-id.yourfirezone.com/auth/oidc/google
  • https://instance-id.yourfirezone.com/auth/oidc/okta
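The following is an added example, not part of the Firezone project: a small Ruby check that derives the pretty URL and callback for a provider key from EXTERNAL_URL and validates each entry of default['firezone']['authentication']['oidc'] against the seven rules listed above before you run firezone-ctl reconfigure. EXTERNAL_URL and SAMPLE_OIDC are constructed; the Okta entry deliberately still carries template placeholders and lacks the trailing slash on redirect_uri.

```ruby
# Added example (not Firezone's own code): validate OIDC provider entries
# against the rules in this guide. Sample data below is constructed.
require 'uri'

REQUIRED_KEYS = %i[discovery_document_uri client_id client_secret
                   redirect_uri response_type scope label].freeze
DISCOVERY_SUFFIX = '/.well-known/openid-configuration'.freeze

# Derives the two URLs Firezone associates with a provider key: the pretty
# sign-in URL and the callback that must be registered with the provider.
def firezone_oidc_urls(external_url, key)
  base = external_url.chomp('/')
  { pretty_url: "#{base}/auth/oidc/#{key}",
    redirect_uri: "#{base}/auth/oidc/#{key}/callback/" }
end

# Returns an array of problems for one provider entry; empty means OK.
def check_oidc_provider(external_url, key, cfg)
  missing = REQUIRED_KEYS.reject { |k| cfg.key?(k) }
  return ["missing keys: #{missing.join(', ')}"] unless missing.empty?

  problems = []
  # Placeholders left in from the template are the most common mistake.
  %i[client_id client_secret].each do |k|
    v = cfg[k].to_s.strip
    problems << "#{k} is empty or still a placeholder" if v.empty? || v.include?('<')
  end

  disc = cfg[:discovery_document_uri].to_s
  if disc.include?('<') || disc.strip.empty?
    problems << 'discovery_document_uri is still a placeholder'
  else
    begin
      u = URI.parse(disc)
      unless u.scheme == 'https' && u.host && disc.end_with?(DISCOVERY_SUFFIX)
        problems << "discovery_document_uri must be https and end with #{DISCOVERY_SUFFIX}"
      end
    rescue URI::InvalidURIError
      problems << 'discovery_document_uri is not a valid URI'
    end
  end

  # The callback must be EXTERNAL_URL + /auth/oidc/<key>/callback/, slash included.
  expected = firezone_oidc_urls(external_url, key)[:redirect_uri]
  problems << "redirect_uri must be #{expected}" unless cfg[:redirect_uri] == expected
  problems << 'response_type must be "code"' unless cfg[:response_type] == 'code'

  scopes = cfg[:scope].to_s.split
  %w[openid email profile].each do |s|
    problems << "scope is missing #{s}" unless scopes.include?(s)
  end
  problems
end

# Runs the check over every provider; returns { provider_key => [problems] }.
def check_oidc_config(external_url, oidc)
  oidc.to_h { |key, cfg| [key, check_oidc_provider(external_url, key, cfg)] }
end

EXTERNAL_URL = 'https://instance-id.yourfirezone.com'.freeze # constructed

SAMPLE_OIDC = { # constructed sample configuration
  google: {
    discovery_document_uri: 'https://accounts.google.com/.well-known/openid-configuration',
    client_id: 'constructed-client-id.apps.googleusercontent.com',
    client_secret: 'constructed-client-secret',
    redirect_uri: 'https://instance-id.yourfirezone.com/auth/oidc/google/callback/',
    response_type: 'code',
    scope: 'openid email profile',
    label: 'Google'
  },
  okta: {
    discovery_document_uri: 'https://<OKTA_DOMAIN>/.well-known/openid-configuration',
    client_id: '<OKTA_CLIENT_ID>',
    client_secret: '<OKTA_CLIENT_SECRET>',
    redirect_uri: 'https://instance-id.yourfirezone.com/auth/oidc/okta/callback',
    response_type: 'code',
    scope: 'openid email profile offline_access',
    label: 'Okta'
  }
}.freeze

if __FILE__ == $PROGRAM_NAME
  check_oidc_config(EXTERNAL_URL, SAMPLE_OIDC).each do |key, problems|
    puts "#{key}: #{problems.empty? ? 'OK' : problems.join('; ')}"
  end
end
```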

Instructions for Setting Up Firezone with Popular Identity Providers

We have documentation for:

  • Google
  • Okta
  • Azure Active Directory
  • Onelogin
  • Local Authentication

 

If your identity provider has a generic OIDC connector and is not listed above, please consult its documentation for information on how to obtain the required configuration settings.

Enforce Periodic Re-authentication

The settings under settings/security can be changed to require periodic re-authentication. This can be used to enforce the requirement that users log in to Firezone periodically in order to continue their VPN session.

Session length can be configured to be between one hour and ninety days. By setting this to Never, you enable VPN sessions at any time. This is the default.

Re-authentication

A user must end their VPN session and log in to the Firezone portal (URL specified during deployment) in order to re-authenticate an expired VPN session.

You can re-authenticate your session by following the precise client instructions found here.

 

VPN Connection Status

The VPN Connection table column on the Users page shows a user's connection status. These are the connection statuses:

ENABLED - The connection is enabled.

DISABLED - The connection was disabled by an administrator or by an OIDC refresh failure.

EXPIRED - The connection was disabled because authentication expired or the user has not signed in for the first time.

Google

Through the generic OIDC connector, Firezone enables Single Sign-On (SSO) with Google Workspace and Cloud Identity. This guide shows you how to obtain the configuration settings listed below, which are required for the integration:

  1. discovery_document_uri: The OpenID Connect provider configuration URI, which returns a JSON document used to construct subsequent requests to this OIDC provider.
  2. client_id: The client ID of the application.
  3. client_secret: The client secret of the application.
  4. redirect_uri: Instructs the OIDC provider where to redirect after authentication. This should be your Firezone EXTERNAL_URL + /auth/oidc/<provider>/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/google/callback/).
  5. response_type: Set to code.
  6. scope: OIDC scopes to obtain from your OIDC provider. This should be set to openid email profile to provide Firezone with the user's email in the returned claims.
  7. label: The button label text displayed on your Firezone login screen.

Obtain Configuration Settings

1. OAuth Config Screen

If this is the first time you are creating a new OAuth client ID, you will be asked to configure a consent screen.

*Select Internal for the user type. This ensures that only accounts belonging to users in your Google Workspace Organization can create device configurations. DO NOT select External unless you want to allow anyone with a valid Google Account to create device configs.

 

On the App information screen:

  1. App name: Firezone
  2. App logo: Firezone logo (save link as).
  3. Application home page: the URL of your Firezone instance.
  4. Authorized domains: the top-level domain of your Firezone instance.

 

 

2. Create OAuth Client IDs

This section is based on Google's documentation on setting up OAuth 2.0.

Visit the Google Cloud Console Credentials page, click + Create Credentials and select OAuth client ID.

On the OAuth client ID creation screen:

  1. Set Application Type to Web application
  2. Add your Firezone EXTERNAL_URL + /auth/oidc/google/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/google/callback/) as an entry under Authorized redirect URIs.

 

After creating the OAuth client ID, you are given a Client ID and Client Secret. These will be used together with the redirect URI in the next step.

Firezone Integration

Edit /etc/firezone/firezone.rb to include the options below:

 

# Using Google as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  google: {
    discovery_document_uri: "https://accounts.google.com/.well-known/openid-configuration",
    client_id: "<GOOGLE_CLIENT_ID>",
    client_secret: "<GOOGLE_CLIENT_SECRET>",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/google/callback/",
    response_type: "code",
    scope: "openid email profile",
    label: "Google"
  }
}

 

Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Google button at the root Firezone URL.

Okta

Firezone uses the generic OIDC connector to facilitate Single Sign-On (SSO) with Okta. This tutorial shows you how to obtain the configuration settings listed below, which are required for the integration:

  1. discovery_document_uri: The OpenID Connect provider configuration URI, which returns a JSON document used to construct subsequent requests to this OIDC provider.
  2. client_id: The client ID of the application.
  3. client_secret: The client secret of the application.
  4. redirect_uri: Instructs the OIDC provider where to redirect after authentication. This should be your Firezone EXTERNAL_URL + /auth/oidc/<provider>/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/okta/callback/).
  5. response_type: Set to code.
  6. scope: OIDC scopes to obtain from your OIDC provider. This should be set to openid email profile offline_access to provide Firezone with the user's email in the returned claims.
  7. label: The button label text displayed on your Firezone login screen.

 

Integrate Okta App

This section of the guide is based on the Okta documentation.

In the Admin Console, go to Applications > Applications and click Create App Integration. Set the sign-in method to OIDC - OpenID Connect and the Application type to Web application.

Configure these settings:

  1. App name: Firezone
  2. App logo: Firezone logo (save link as).
  3. Grant Type: Check the Refresh Token box. This ensures Firezone stays in sync with the identity provider and that VPN access is terminated when the user is removed.
  4. Sign-in redirect URIs: Add your Firezone EXTERNAL_URL + /auth/oidc/okta/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/okta/callback/) as an entry under Authorized redirect URIs.
  5. Assignments: Limit to the groups you wish to grant access to your Firezone instance.

Once the settings are saved, you are given a Client ID, Client Secret, and Okta Domain. These three values will be used in Step 2 to configure Firezone.

Integrate Firezone

Edit /etc/firezone/firezone.rb to include the options below. Your discovery_document_uri will be /.well-known/openid-configuration appended to the end of your okta_domain.

 

# Using Okta as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  okta: {
    discovery_document_uri: "https://<OKTA_DOMAIN>/.well-known/openid-configuration",
    client_id: "<OKTA_CLIENT_ID>",
    client_secret: "<OKTA_CLIENT_SECRET>",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/okta/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Okta"
  }
}

 

Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Okta button at the root Firezone URL.

Restrict Access to Certain Users

The users who can access the Firezone app can be restricted by Okta. Go to the Assignments page of the Firezone App Integration in your Okta Admin Console to do this.

Azure Active Directory

Through the generic OIDC connector, Firezone enables Single Sign-On (SSO) with Azure Active Directory. This guide shows you how to obtain the configuration settings listed below, which are required for the integration:

  1. discovery_document_uri: The OpenID Connect provider configuration URI, which returns a JSON document used to construct subsequent requests to this OIDC provider.
  2. client_id: The client ID of the application.
  3. client_secret: The client secret of the application.
  4. redirect_uri: Instructs the OIDC provider where to redirect after authentication. This should be your Firezone EXTERNAL_URL + /auth/oidc/<provider>/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/azure/callback/).
  5. response_type: Set to code.
  6. scope: OIDC scopes to obtain from your OIDC provider. This should be set to openid email profile offline_access to provide Firezone with the user's email in the returned claims.
  7. label: The button label text displayed on your Firezone login screen.

Obtain Configuration Settings

This guide is derived from the Azure Active Directory Docs.

Go to the Azure Active Directory page of the Azure portal. Select the Manage menu option, select New Registration, then register by providing the information below:

  1. Name: Firezone
  2. Supported account types: (Default Directory only - Single tenant)
  3. Redirect URI: This should be your Firezone EXTERNAL_URL + /auth/oidc/azure/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/azure/callback/). Make sure you include the trailing slash. This will be the redirect_uri value.

 

After registering, open the application's details view and copy the Application (client) ID. This will be the client_id value. Next, open the endpoints menu to retrieve the OpenID Connect metadata document. This will be the discovery_document_uri value.

Create a new client secret by clicking the Certificates & secrets option under the Manage menu. Copy the client secret; this will be the client_secret value.

Finally, select the API permissions link under the Manage menu, click Add a permission, select Microsoft Graph, and add email, openid, offline_access and profile to the required permissions.

Firezone Integration

Edit /etc/firezone/firezone.rb to include the options below:

 

# Using Azure Active Directory as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  azure: {
    discovery_document_uri: "https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration",
    client_id: "<AZURE_CLIENT_ID>",
    client_secret: "<AZURE_CLIENT_SECRET>",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/azure/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Azure"
  }
}

 

Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Azure button at the root Firezone URL.

How To: Restrict Access to Certain Members

Azure AD allows administrators to limit app access to a specific group of users within your company. More information on how to do this can be found in Microsoft's documentation.

Administrator

  • Configure
  • Manage Installation
  • Upgrade
  • Uninstall
  • Security Considerations
  • Running SQL Queries

Configure

Chef Omnibus is used by Firezone to handle tasks including release packaging, process supervision, log management, and more.

Ruby code generates the initial configuration file, located at /etc/firezone/firezone.rb. Re-running sudo firezone-ctl reconfigure after editing this file causes Chef to detect the changes and apply them to the current operating system.

See the configuration file reference for a complete list of the various configuration settings and their descriptions.

Manage Installation

Your Firezone instance can be managed through the firezone-ctl command, as shown below. Most subcommands require prefixing with sudo.

 

root@demo:~# firezone-ctl
omnibus-ctl: command (subcommand)
General Commands:
  cleanse
    Delete *all* firezone data, and start from scratch.
  create-or-reset-admin
    Resets the password for the admin with email specified by default['firezone']['admin_email'] or creates a new admin if that email doesn't exist.
  help
    Print this help message.
  reconfigure
    Reconfigure the application.
  reset-network
    Resets nftables, WireGuard interface, and routing table back to Firezone defaults.
  show-config
    Show the configuration that would be generated by reconfigure.
  teardown-network
    Removes WireGuard interface and firezone nftables table.
  force-cert-renewal
    Force certificate renewal now even if it hasn't expired.
  stop-cert-renewal
    Removes cronjob that renews certificates.
  uninstall
    Kill all processes and uninstall the process supervisor (data will be preserved).
  version
    Display current version of Firezone
Service Management Commands:
  graceful-kill
    Attempt a graceful stop, then SIGKILL the entire process group.
  hup
    Send the services a HUP.
  int
    Send the services an INT.
  kill
    Send the services a KILL.
  once
    Start the services if they are down. Do not restart them if they stop.
  restart
    Stop the services if they are running, then start them again.
  service-list
    List all the services (enabled services appear with a *.)
  start
    Start services if they are down, and restart them if they stop.
  status
    Show the status of all the services.
  stop
    Stop the services, and do not restart them.
  tail
    Watch the service logs of all enabled services.
  term
    Send the services a TERM.
  usr1
    Send the services a USR1.
  usr2
    Send the services a USR2.

Upgrade

All VPN sessions must be terminated before upgrading Firezone, which also requires shutting down the Web UI. In case something goes wrong during the upgrade, we advise setting aside an hour for maintenance.

To upgrade Firezone, do the following:

  1. Upgrade the firezone package using the one-command install: sudo -E bash -c "$(curl -fsSL https://github.com/firezone/firezone/raw/master/scripts/install.sh)"
  2. Run firezone-ctl reconfigure to pick up the new changes.
  3. Run firezone-ctl restart to restart the services.

If any problems arise, please let us know by submitting a support ticket.

Upgrading from <0.5.0 to >=0.5.0

There are a few breaking changes and configuration updates in 0.5.0 that must be addressed. Find out more below.

Bundled Nginx non_ssl_port (HTTP) requests removed

Nginx no longer supports the force SSL and non-SSL port parameters as of version 0.5.0. Because Firezone requires SSL to function, we advise disabling the Nginx service by setting default['firezone']['nginx']['enabled'] = false and pointing your reverse proxy at the Phoenix app on port 13000 instead (by default).

ACME Protocol Support

0.5.0 introduces ACME protocol support for automatically renewing SSL certificates with the bundled Nginx service. To enable it,

  • Make sure default['firezone']['external_url'] contains a valid FQDN that resolves to your server's public IP address.
  • Make sure port 80/tcp is reachable
  • Enable ACME protocol support with default['firezone']['ssl']['acme']['enabled'] = true in your config file.

Overlapping Egress Rule Destinations

The possibility of adding rules with duplicate destinations is gone in Firezone 0.5.0. Our migration script will detect these situations during the upgrade to 0.5.0 and keep only the rules whose destination includes the other rule. There is nothing you need to do if this is acceptable.

Otherwise, before upgrading, we advise changing your ruleset to remove these situations.

Preconfiguring Okta and Google SSO

Firezone 0.5.0 removes support for the old-style Okta and Google SSO configuration in favor of the new, more flexible OIDC-based configuration.

If you have any configuration under the default['firezone']['authentication']['okta'] or default['firezone']['authentication']['google'] keys, you must migrate these to our OIDC-based configuration using the guide below.

Existing Google OAuth configuration

Remove these lines containing the old Google OAuth configs from your configuration file at /etc/firezone/firezone.rb

 

default['firezone']['authentication']['google']['enabled']

default['firezone']['authentication']['google']['client_id']

default['firezone']['authentication']['google']['client_secret']

default['firezone']['authentication']['google']['redirect_uri']

 

Then configure Google as an OIDC provider by following the steps here.


 

Existing Okta OAuth configuration

Remove these lines containing the old Okta OAuth configs from your configuration file at /etc/firezone/firezone.rb

default['firezone']['authentication']['okta']['enabled']
default['firezone']['authentication']['okta']['client_id']
default['firezone']['authentication']['okta']['client_secret']
default['firezone']['authentication']['okta']['site']

 

Then configure Okta as an OIDC provider by following the steps here.

Upgrading from 0.3.x to >= 0.3.16

Depending on your current setup and version, follow the instructions below:

If you already have an OIDC integration:

For some OIDC providers, upgrading to >= 0.3.16 requires obtaining a refresh token for the offline access scope. Doing so ensures that Firezone stays in sync with the identity provider and that the VPN connection is shut off after a user is deleted. Earlier iterations of Firezone lacked this feature. In some cases, users who were deleted from your identity provider may have remained connected to the VPN.

It is necessary to include offline access in the scope parameter of your OIDC config for OIDC providers that support the offline access scope. firezone-ctl reconfigure must be executed in order to apply changes to the Firezone configuration file, located at /etc/firezone/firezone.rb.

For users authenticated by your OIDC provider, you will see the OIDC Connections heading on the user's details page of the web UI if Firezone was able to successfully retrieve the refresh token.

If this does not work, you will need to delete your existing OAuth app and repeat the OIDC setup steps to create a new app integration.
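As an added example that is not part of Firezone's own migration script, the Ruby below builds the 0.5.0 OIDC-style entries for both the Google and the Okta migrations described above from the old default['firezone']['authentication']['google'] and ['okta'] values. It assumes the old okta site key holds the Okta domain (with or without https://), and the LEGACY_AUTH values are constructed.

```ruby
# Added example (not Firezone's code): translate pre-0.5.0 Google/Okta keys
# into the OIDC hash format used by default['firezone']['authentication']['oidc'].
GOOGLE_DISCOVERY = 'https://accounts.google.com/.well-known/openid-configuration'.freeze
DISCOVERY_SUFFIX = '/.well-known/openid-configuration'.freeze

# New-style callback: EXTERNAL_URL + /auth/oidc/<provider>/callback/ (trailing slash).
def oidc_redirect_uri(external_url, key)
  "#{external_url.chomp('/')}/auth/oidc/#{key}/callback/"
end

# Assumption: the old okta 'site' value is the Okta domain, possibly without a scheme.
def okta_discovery_uri(site)
  host = site.to_s.strip.chomp('/')
  host = "https://#{host}" unless host.start_with?('https://')
  "#{host}#{DISCOVERY_SUFFIX}"
end

# Returns the :google OIDC entry, or nil when the legacy provider was disabled.
def migrate_google(legacy, external_url)
  return nil unless legacy[:enabled]
  {
    discovery_document_uri: GOOGLE_DISCOVERY,
    client_id: legacy.fetch(:client_id),
    client_secret: legacy.fetch(:client_secret),
    # The old redirect_uri is not carried over; the new one must follow the
    # /auth/oidc/google/callback/ pattern and must be registered with Google again.
    redirect_uri: oidc_redirect_uri(external_url, :google),
    response_type: 'code',
    scope: 'openid email profile',
    label: 'Google'
  }
end

# Returns the :okta OIDC entry, or nil when the legacy provider was disabled.
def migrate_okta(legacy, external_url)
  return nil unless legacy[:enabled]
  {
    discovery_document_uri: okta_discovery_uri(legacy.fetch(:site)),
    client_id: legacy.fetch(:client_id),
    client_secret: legacy.fetch(:client_secret),
    redirect_uri: oidc_redirect_uri(external_url, :okta),
    response_type: 'code',
    scope: 'openid email profile offline_access', # offline_access enables refresh tokens
    label: 'Okta'
  }
end

# auth: { google: {...}, okta: {...} } from the old keys; returns the new oidc hash.
def migrate_legacy_auth(auth, external_url)
  oidc = {}
  google = migrate_google(auth.fetch(:google, {}), external_url)
  okta = migrate_okta(auth.fetch(:okta, {}), external_url)
  oidc[:google] = google if google
  oidc[:okta] = okta if okta
  oidc
end

LEGACY_AUTH = { # constructed stand-in for the removed pre-0.5.0 keys
  google: { enabled: true, client_id: 'constructed-google-id',
            client_secret: 'constructed-google-secret',
            redirect_uri: '<OLD_GOOGLE_REDIRECT_URI>' },
  okta: { enabled: true, client_id: 'constructed-okta-id',
          client_secret: 'constructed-okta-secret',
          site: 'dev-000000.okta.com' } # constructed Okta domain
}.freeze

if __FILE__ == $PROGRAM_NAME
  require 'pp'
  pp migrate_legacy_auth(LEGACY_AUTH, 'https://instance-id.yourfirezone.com')
end
```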

I have an existing OAuth integration

Prior to 0.3.11, Firezone used pre-configured OAuth2 providers.

Follow the instructions here to migrate to OIDC.

I have not integrated an identity provider

No action required.

You can follow the instructions here to enable SSO through an OIDC provider.

Upgrading from 0.3.1 to >= 0.3.2

The configuration option default['firezone']['fqdn'] has been replaced by default['firezone']['external_url'].

Set this to the publicly accessible URL of your Firezone web portal. It will default to https:// plus your server's FQDN if left unspecified.

The configuration file is located at /etc/firezone/firezone.rb. See the configuration file reference for a complete list of the various configuration settings and their descriptions.

Upgrading from 0.2.x to 0.3.x

Firezone no longer keeps device private keys on the Firezone server as of version 0.3.0.

The Firezone Web UI will not allow you to re-download or view these configurations, but any existing devices should continue to function as they are.

Upgrading from 0.1.x to 0.2.x

If you are upgrading from Firezone 0.1.x, there are a few configuration file changes that must be addressed manually.

To make the necessary modifications to your /etc/firezone/firezone.rb file, run the commands below as root.

 

cp /etc/firezone/firezone.rb /etc/firezone/firezone.rb.bak
sed -i "s/\['enable'\]/\['enabled'\]/" /etc/firezone/firezone.rb
echo "default['firezone']['connectivity_checks']['enabled'] = true" >> /etc/firezone/firezone.rb
echo "default['firezone']['connectivity_checks']['interval'] = 3_600" >> /etc/firezone/firezone.rb
firezone-ctl reconfigure
firezone-ctl restart

Troubleshooting

Checking the Firezone logs is a wise first step for any issue that may arise.

Run sudo firezone-ctl tail to view the Firezone logs.

Debugging Connectivity Issues

Most connectivity problems with Firezone are caused by incompatible iptables or nftables rules. You must make sure any rules you have in effect do not conflict with the Firezone rules.

Internet Connectivity Drops when Tunnel is Active

If your Internet connectivity degrades each time you activate your WireGuard tunnel, make sure the FORWARD chain permits packets from your WireGuard clients to the destinations you want to allow through Firezone.

 

If you are using ufw, this can be achieved by making sure the default routing policy is allow:

ubuntu@fz:~$ sudo ufw default allow routed
Default routed policy changed to 'allow'
(be sure to update your rules accordingly)

 

A ufw status for a typical Firezone server might look like this:

ubuntu@fz:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
51820/udp (v6)             ALLOW IN    Anywhere (v6)

Security Considerations

We advise limiting access to the web interface for highly sensitive and mission-critical production deployments, as explained below.

Services & Ports

 

Service       Default Port   Listen Address   Description
Nginx         80, 443        all              Public HTTP(S) port for administering Firezone and facilitating authentication.
WireGuard     51820          all              Public WireGuard port used for VPN sessions. (UDP)
Postgresql    15432          127.0.0.1        Local-only port used for the bundled Postgresql server.
Phoenix       13000          127.0.0.1        Local-only port used by the upstream Elixir app server.

Production Deployments

We advise you to consider limiting access to Firezone's publicly exposed web UI (by default ports 443/tcp and 80/tcp) and instead use the WireGuard tunnel to manage Firezone for production and public-facing deployments where a single administrator will be responsible for creating and distributing device configurations to end users.

For example, if an administrator has created a device configuration and established a tunnel with the local WireGuard address 10.3.2.2, the following ufw configuration would allow the administrator to reach the Firezone web UI on the server's wg-firezone interface using the default 10.3.2.1 tunnel address:

 

root@demo:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
Anywhere                   ALLOW IN    10.3.2.2
22/tcp (v6)                ALLOW IN    Anywhere (v6)
51820/udp (v6)             ALLOW IN    Anywhere (v6)

This would leave only 22/tcp exposed for SSH access to manage the server (optional), and 51820/udp exposed in order to establish WireGuard tunnels.
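To make the difference between the two ufw listings above checkable rather than eyeballed, here is an added Ruby audit (not Firezone tooling) that parses `ufw status verbose` output and reports whether the web UI ports 80/tcp and 443/tcp are allowed in from Anywhere and whether the administrator's tunnel peer is admitted. TYPICAL_STATUS and HARDENED_STATUS are constructed from the two listings in this guide.

```ruby
# Added example (not Firezone's code): audit `ufw status verbose` output for
# the exposure the production guidance warns about. Inputs are constructed.
WEB_UI_PORTS = %w[80/tcp 443/tcp].freeze

# Parses the rule table into [{ to:, action:, from: }, ...]; header lines skipped.
def parse_ufw_status(text)
  rules = []
  in_table = false
  text.each_line do |line|
    l = line.rstrip
    if l.start_with?('To ')
      in_table = true # the "To  Action  From" header opens the rule table
      next
    end
    next unless in_table
    next if l.empty? || l.start_with?('--')
    cols = l.split(/\s{2,}/) # columns are separated by runs of spaces
    next unless cols.size == 3
    rules << { to: cols[0], action: cols[1], from: cols[2] }
  end
  rules
end

# Web UI ports (v4 or v6) that are allowed in from Anywhere.
def exposed_web_ui_ports(rules)
  rules.select { |r| r[:action] == 'ALLOW IN' && r[:from].start_with?('Anywhere') }
       .map { |r| r[:to].sub(' (v6)', '') }
       .select { |p| WEB_UI_PORTS.include?(p) }
       .uniq
end

# True when the given tunnel peer may reach any port ("Anywhere ALLOW IN <peer>").
def admin_peer_allowed?(rules, peer_ip)
  rules.any? { |r| r[:action] == 'ALLOW IN' && r[:from] == peer_ip && r[:to] == 'Anywhere' }
end

def audit_ufw(text, admin_peer: nil)
  rules = parse_ufw_status(text)
  { rule_count: rules.size,
    exposed_web_ui: exposed_web_ui_ports(rules),
    admin_peer_allowed: admin_peer ? admin_peer_allowed?(rules, admin_peer) : nil }
end

TYPICAL_STATUS = <<~UFW # constructed from the "typical server" listing
  Status: active
  Logging: on (low)
  Default: deny (incoming), allow (outgoing), allow (routed)
  New profiles: skip

  To                         Action      From
  --                         ------      ----
  22/tcp                     ALLOW IN    Anywhere
  80/tcp                     ALLOW IN    Anywhere
  443/tcp                    ALLOW IN    Anywhere
  51820/udp                  ALLOW IN    Anywhere
  22/tcp (v6)                ALLOW IN    Anywhere (v6)
  80/tcp (v6)                ALLOW IN    Anywhere (v6)
  443/tcp (v6)               ALLOW IN    Anywhere (v6)
  51820/udp (v6)             ALLOW IN    Anywhere (v6)
UFW

HARDENED_STATUS = <<~UFW # constructed from the "production deployment" listing
  Status: active
  Logging: on (low)
  Default: deny (incoming), allow (outgoing), allow (routed)
  New profiles: skip

  To                         Action      From
  --                         ------      ----
  22/tcp                     ALLOW IN    Anywhere
  51820/udp                  ALLOW IN    Anywhere
  Anywhere                   ALLOW IN    10.3.2.2
  22/tcp (v6)                ALLOW IN    Anywhere (v6)
  51820/udp (v6)             ALLOW IN    Anywhere (v6)
UFW

if __FILE__ == $PROGRAM_NAME
  puts "typical:  #{audit_ufw(TYPICAL_STATUS)}"
  puts "hardened: #{audit_ufw(HARDENED_STATUS, admin_peer: '10.3.2.2')}"
end
```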

Run SQL Queries

Firezone bundles a Postgresql server and the matching psql utility, which can be used from the local shell like so:

/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SQL_STATEMENT"

 

This can be helpful for debugging purposes.

Available tasks:

  • List all users
  • List all devices
  • Change a user's role
  • Back up the database



List all users:

/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SELECT * FROM users;"



List all devices:

/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SELECT * FROM devices;"



Change a user's role:

Set the role to 'admin' or 'unprivileged':

/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "UPDATE users SET role = 'admin' WHERE email = 'user@example.com';"



Back up the database:

Additionally, the pg_dump program is included, which can be used to take regular backups of the database. Run the following command to dump a copy of the database in the standard SQL query format (replace /path/to/backup.sql with the location where the SQL file should be created):

/opt/firezone/embedded/bin/pg_dump \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 > /path/to/backup.sql

User Guides

  • Add Users
  • Add Devices
  • Egress Rules
  • Client Instructions
  • Split Tunnel VPN
  • Reverse Tunnel
  • NAT Gateway

Add Users

After Firezone has been installed successfully, you must add users to grant them access to your network. The Web UI is used to do this.

Web UI

By selecting the "Add User" button under /users, you can add a user. You will be required to provide the user with an email address and password. To allow users in your organization access automatically, Firezone can also be configured to interface and sync with an identity provider. More details are available in Authenticate.

Add Devices

We advise asking users to generate their own device configurations so that the private key is visible only to them. Users can generate their own device configurations by following the steps on the Client Instructions page.

Generating an admin device configuration

All user device configurations can be created by Firezone admins. On the user's profile page at /users, select the "Add Device" option to do this.

 


 

You can email the user the WireGuard configuration file after creating the device configuration.

Users and devices are linked. For more information on adding a user, see Add Users.

Egress Rules

Through the use of the kernel's netfilter system, Firezone enables egress filtering to specify DROP or ACCEPT for packets. All traffic is permitted by default.

IPv4 and IPv6 CIDRs and IP addresses are supported via the Allowlist and Denylist, respectively. You can choose to scope a rule to a user when adding it, which applies the rule to all of that user's devices.

Client Instructions

Install and Configure

To establish a VPN connection using the native WireGuard client, refer to this guide.

1. Install the native WireGuard client

The official WireGuard clients listed here are compatible with Firezone:

MacOS

Windows

iOS

Android

Visit the official WireGuard website at https://www.wireguard.com/install/ for operating systems not mentioned above.

2. Download the device configuration file

Either your Firezone administrator or you yourself can generate the device configuration file using the Firezone portal.

Visit the URL your Firezone administrator provided to self-generate a device configuration file. Your company will have a unique URL for this; in this case, it is https://instance-id.yourfirezone.com.

Sign in to Firezone with Okta SSO

 


 

3. Add the client configuration

Import the .conf file into the WireGuard client by opening it. By toggling the Activate switch, you can start the VPN session.

 


Session Re-authentication

Follow the instructions below if your network administrator has mandated periodic re-authentication to keep your VPN connection active.

You need:

Firezone portal URL: Ask your network administrator for the link.

Your network administrator should be able to provide your login and password. The Firezone site will prompt you to log in using the single sign-on service your employer uses (such as Google or Okta).

1. Turn off the VPN connection

 

[Isa Screenshot]

 

2. Simbisa zvakare 

Enda kuFirezone portal's URL uye pinda uchishandisa magwaro akapihwa nenetiweki maneja wako. Kana wakatosaina, baya bhatani reSimbisa zvakare usati wapinda zvakare.

 

[Isa Screenshot]

 

Nhanho 3: Tangisa chirongwa cheVPN

[Isa Screenshot]

Network Manager for Linux

To import the WireGuard configuration profile using the Network Manager CLI (nmcli) on Linux devices, follow these instructions.

NOTE

If the profile has IPv6 support enabled, attempting to import the configuration file using the Network Manager GUI may fail with the following error:

ipv6.method: method "auto" is not supported for WireGuard

1. Install the WireGuard tools

The WireGuard userspace utilities need to be installed. This will be a package called wireguard or wireguard-tools, depending on the Linux distribution.

For Ubuntu/Debian:

sudo apt install wireguard

For Fedora:

sudo dnf install wireguard-tools

For Arch Linux:

sudo pacman -S wireguard-tools

Visit the official WireGuard website at https://www.wireguard.com/install/ for distributions not listed above.

2. Download the configuration

Either your Firezone administrator or you yourself can generate the device configuration file using the Firezone portal.

Visit the URL your Firezone administrator provided to generate a device configuration file yourself. Your company will have a unique URL for this; in this case, it is https://instance-id.yourfirezone.com.

[Insert screenshot]

3. Import the configuration

Import the provided configuration file using nmcli:

sudo nmcli connection import type wireguard file /path/to/configuration.conf

NOTE

The configuration file name (without .conf) becomes the WireGuard connection/interface name, and Linux limits interface names to 15 characters, so keep the file name short. After importing, the connection can be renamed if needed:

nmcli connection modify [old name] connection.id [new name]

4. Connect or disconnect

From the command line, connect to the VPN as follows:

nmcli connection up [vpn name]

To disconnect:

nmcli connection down [vpn name]

The Network Manager applet can also be used to manage the connection if you are using a GUI.

Auto connect

By setting the autoconnect option to "yes", the VPN connection can be configured to connect automatically:

nmcli connection modify [vpn name] connection.autoconnect yes

To disable auto connect, set it back to no:

nmcli connection modify [vpn name] connection.autoconnect no
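The following is an added example, not code from the Firezone project or from the original page. It is the pre-import check a practitioner would run on a downloaded device configuration before handing it to the WireGuard client or to nmcli: the required sections and keys are present, the file is not group- or world-readable (it holds the device's private key), the basename is usable as an nmcli connection/interface name (15 characters at most), and an IPv6 Address is flagged because of the NetworkManager GUI limitation noted above. SAMPLE_CONF is constructed for illustration; the keys and the endpoint vpn.example.com are placeholders, not real values.

```python
"""Pre-import checks for a Firezone-generated WireGuard .conf file.

Added example; not code from the Firezone project or the original page.
SAMPLE_CONF below is constructed; the keys are dummy base64 strings and
the endpoint is a placeholder.
"""
import configparser
import os
import re
import stat

REQUIRED_KEYS = {
    "Interface": ("PrivateKey", "Address"),
    "Peer": ("PublicKey", "AllowedIPs", "Endpoint"),
}
# Linux interface names are limited to 15 characters (IFNAMSIZ - 1).
IFNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")

SAMPLE_CONF = """\
[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Address = 10.3.2.2/32, fd00::3:2:2/128
DNS = 1.1.1.1, 1.0.0.1
MTU = 1280

[Peer]
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.com:51820
PersistentKeepalive = 25
"""


def check_config_text(text, filename, mode):
    """Return a list of findings; an empty list means the file is ready to import."""
    findings = []
    # WireGuard configs are INI-like: '=' separators, case-sensitive keys.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    parser.optionxform = str
    parser.read_string(text)

    for section, keys in REQUIRED_KEYS.items():
        if not parser.has_section(section):
            findings.append(f"missing [{section}] section")
            continue
        for key in keys:
            if not parser.has_option(section, key):
                findings.append(f"[{section}] is missing {key}")

    if parser.has_option("Interface", "Address"):
        addresses = [a.strip() for a in parser["Interface"]["Address"].split(",")]
        if any(":" in a for a in addresses):
            findings.append("interface has an IPv6 Address; import with nmcli, "
                            "the NetworkManager GUI may reject it")

    # The private key is a bearer credential: only the owner may read the file.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {oct(mode & 0o777)} is too permissive; "
                        "expected 0600 because the file holds the private key")

    # nmcli names the connection and interface after the file's basename.
    name = os.path.basename(filename)
    name = name[:-5] if name.endswith(".conf") else name
    if not IFNAME_RE.match(name):
        findings.append(f"'{name}' is not a valid interface name (1-15 chars)")
    return findings


def check_config_file(path):
    """Run the checks against a file on disk, using its real mode bits."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return check_config_text(text, path, os.stat(path).st_mode)


if __name__ == "__main__":
    import sys
    problems = check_config_file(sys.argv[1])
    for problem in problems:
        print("WARN:", problem)
    sys.exit(1 if problems else 0)
```

Run it as `python3 check_wg_conf.py /path/to/configuration.conf` before the nmcli import step; a non-zero exit means at least one finding was reported. A configuration with only the IPv6 finding is still valid, it just has to be imported from the command line rather than the GUI.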

Enable Multi-Factor Authentication

To enable MFA, go to the Firezone portal's /user_account/register_mfa page. Use your authenticator app to scan the QR code after it is generated, then enter the six-digit code.

If you lose your authenticator app, contact your admin to reset your account access information.

Split Tunnel VPN

This guide walks you through setting up WireGuard's split tunneling feature with Firezone so that only traffic to specific IP ranges is forwarded through the VPN server.

1. Configure Allowed IPs

The IP ranges the client will route network traffic to are set in the Allowed IPs field on the /settings/default page. Only WireGuard tunnel configurations newly generated by Firezone are affected by changes to this field.

[Insert screenshot]

The default value is 0.0.0.0/0, ::/0, which routes all network traffic from the client to the VPN server.

Examples of values for this field include:

0.0.0.0/0, ::/0 - all network traffic will be routed to the VPN server.

192.0.2.3/32 - only traffic to a single IP address will be routed to the VPN server.

3.5.140.0/22 - only traffic to IPs in the 3.5.140.0 - 3.5.143.255 range will be routed to the VPN server. In this example, the CIDR range for the ap-northeast-2 AWS region was used. AllowedIPs is a prefix match, so every address in the /22 is covered, including the first and last addresses of the block.

NOTE

Firezone selects the egress interface associated with the most specific route when deciding where to route a packet.

2. Regenerate WireGuard configurations

Users need to regenerate the configuration files and add them to their native WireGuard client to update existing user devices with the new split tunnel configuration.

For instructions, see Add Devices.
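The following is an added example, not code from the Firezone project or from the original page. It evaluates an Allowed IPs value the way a WireGuard client does (prefix match per address family), reports the bounds of a CIDR such as the /22 above, and goes one step beyond the page: because WireGuard has no "deny" entry, the only way to keep a range out of an otherwise full tunnel is to enumerate every prefix around it, which `allowed_ips_excluding` computes. The only assumption is the page's default pool 10.3.2.0/24, used to show a common mistake.

```python
"""Split-tunnel AllowedIPs helper.

Added example; not code from the Firezone project or the original page.
Uses only the standard library; the 10.3.2.0/24 pool mentioned in the
usage block is the page's documented default.
"""
import ipaddress


def parse_allowed_ips(value):
    """Turn the comma-separated AllowedIPs field into ip_network objects."""
    return [ipaddress.ip_network(v.strip(), strict=False)
            for v in value.split(",") if v.strip()]


def render_allowed_ips(networks):
    """Format networks back into the string to paste into /settings/default."""
    return ", ".join(str(n) for n in networks)


def network_bounds(cidr):
    """First and last address a CIDR covers; a prefix match includes both ends."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1])


def is_tunneled(allowed_ips, destination):
    """True if a client with this AllowedIPs list routes `destination` into the tunnel."""
    addr = ipaddress.ip_address(destination)
    return any(addr.version == net.version and addr in net for net in allowed_ips)


def allowed_ips_excluding(excluded, base=("0.0.0.0/0", "::/0")):
    """AllowedIPs covering `base` minus `excluded`: a full tunnel with holes punched in it."""
    result = []
    for b in base:
        remaining = [ipaddress.ip_network(b)]
        for ex in excluded:
            ex_net = ipaddress.ip_network(ex, strict=False)
            kept = []
            for net in remaining:
                if net.version != ex_net.version or not net.overlaps(ex_net):
                    kept.append(net)                          # untouched by this exclusion
                elif ex_net.subnet_of(net):
                    kept.extend(net.address_exclude(ex_net))  # carve the hole out of net
                # else: net lies entirely inside ex_net and is dropped
            remaining = kept
        result.extend(remaining)
    return sorted(result, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


if __name__ == "__main__":
    print(network_bounds("3.5.140.0/22"))
    lan_free = allowed_ips_excluding(["192.168.0.0/16"])
    print(render_allowed_ips(lan_free))
    print(is_tunneled(lan_free, "192.168.1.5"), is_tunneled(lan_free, "8.8.8.8"))
```

One trap worth checking with `is_tunneled`: excluding all of 10.0.0.0/8 to keep a corporate LAN off the tunnel also excludes 10.3.2.0/24, the default Firezone pool, so the client can no longer reach the server's tunnel address or other peers. Add the pool back as its own entry in that case.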

Reverse Tunnel

This guide will demonstrate how to connect two devices using Firezone as a relay. One typical use case is to enable an administrator to access a server, container, or machine protected by a NAT or firewall.

Node to Node

This diagram shows a straightforward scenario where Devices A and B build a tunnel.

[Insert Firezone architecture diagram]

Start by creating Device A and Device B by navigating to /users/[user_id]/new_device. In the settings for each device, make sure the following parameters are set to the values listed below. You can set device settings when creating the device configuration (see Add Devices). If you need to update settings on an existing device, you can do so by generating a new device config.

Note that a default PersistentKeepalive for all devices can be set on the /settings/defaults page.

Device A

  • AllowedIPs = 10.3.2.2/32: This is the IP or range of IPs of Device B.
  • PersistentKeepalive = 25: If the device is behind a NAT, this ensures the device can keep the tunnel alive and continue to receive packets from the WireGuard interface. Usually a value of 25 is sufficient, but you may need to decrease this value depending on your environment.

Device B

  • AllowedIPs = 10.3.2.3/32: This is the IP or range of IPs of Device A.
  • PersistentKeepalive = 25

Each side's AllowedIPs must include the other side's tunnel address. If only one side lists the other, its packets leave through the tunnel but the replies have no route back.

Admin Case - One to Many Nodes

This example shows a scenario where Device A can communicate with Devices B through D in both directions. This setup could represent an engineer or manager accessing multiple resources (servers, containers, or machines) on different networks.

[Insert architecture diagram]

Make sure the following settings are made on each device with the corresponding values. When creating the device configuration, you can specify device settings (see Add Devices). A new device configuration can be created if the settings on an existing device need to be updated.

Device A (Administrator Node)

  • AllowedIPs = 10.3.2.3/32, 10.3.2.4/32, 10.3.2.5/32: These are the IPs of Devices B through D. The IPs of Devices B through D must be included in whatever IP range you choose to set.
  • PersistentKeepalive = 25: This guarantees the device can maintain the tunnel and continue to receive packets from the WireGuard interface even when behind a NAT. In most cases a value of 25 is adequate; however, depending on your environment, you may need to lower this number.

Device B

  • AllowedIPs = 10.3.2.2/32: This is the IP or range of IPs of Device A
  • PersistentKeepalive = 25

Device C

  • AllowedIPs = 10.3.2.2/32: This is the IP or range of IPs of Device A
  • PersistentKeepalive = 25

Device D

  • AllowedIPs = 10.3.2.2/32: This is the IP or range of IPs of Device A
  • PersistentKeepalive = 25
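The following is an added example, not code from the Firezone project or from the original page. It generalises the two reverse-tunnel diagrams above into a planner: a hub device (the administrator node) lists every spoke, each spoke lists only the hub, and with a single spoke it reduces to the node-to-node case. It also checks the failure mode a practitioner actually hits, a one-way AllowedIPs entry, by finding every pair where one device routes to the other but gets no route back. The pool 10.3.2.0/24 and gateway 10.3.2.1 are the page's documented defaults (default['firezone']['wireguard']['ipv4']['network'] and ['address']); device names and addresses are the page's own example values.

```python
"""Peer AllowedIPs planner for Firezone reverse tunnels.

Added example; not code from the Firezone project or the original page.
POOL and GATEWAY are the page's documented defaults; adjust them if your
server uses a different WireGuard network.
"""
import ipaddress

POOL = ipaddress.ip_network("10.3.2.0/24")    # default['firezone']['wireguard']['ipv4']['network']
GATEWAY = ipaddress.ip_address("10.3.2.1")    # default['firezone']['wireguard']['ipv4']['address']


def is_valid_tunnel_address(addr):
    """A device address must sit inside the pool and must not be the server's own."""
    ip = ipaddress.ip_address(addr)
    return ip in POOL and ip != GATEWAY


def plan_hub_and_spoke(hub, spokes, keepalive=25):
    """Return {device: {"AllowedIPs": str, "PersistentKeepalive": int}}.

    hub is (name, address); spokes maps name -> address. One spoke gives the
    node-to-node layout; several give the one-to-many administrator layout.
    """
    hub_name, hub_addr = hub
    addresses = {hub_name: hub_addr, **spokes}
    for name, addr in addresses.items():
        if not is_valid_tunnel_address(addr):
            raise ValueError(f"{name}: {addr} is outside {POOL} or is the gateway")
    if len(set(addresses.values())) != len(addresses):
        raise ValueError("two devices share a tunnel address")

    plan = {hub_name: {"AllowedIPs": ", ".join(f"{a}/32" for a in spokes.values()),
                       "PersistentKeepalive": keepalive}}
    for name in spokes:
        plan[name] = {"AllowedIPs": f"{hub_addr}/32", "PersistentKeepalive": keepalive}
    return plan


def missing_return_paths(plan, addresses):
    """Pairs (src, dst) where src routes to dst but dst has no route back to src."""
    routes = {name: [ipaddress.ip_network(c.strip())
                     for c in cfg["AllowedIPs"].split(",") if c.strip()]
              for name, cfg in plan.items()}

    def reaches(src, dst):
        return any(ipaddress.ip_address(addresses[dst]) in net for net in routes[src])

    return [(src, dst) for src in plan for dst in plan
            if src != dst and reaches(src, dst) and not reaches(dst, src)]


if __name__ == "__main__":
    addresses = {"A": "10.3.2.2", "B": "10.3.2.3", "C": "10.3.2.4", "D": "10.3.2.5"}
    spokes = {name: addr for name, addr in addresses.items() if name != "A"}
    plan = plan_hub_and_spoke(("A", addresses["A"]), spokes)
    for device, cfg in plan.items():
        print(device, cfg)
    print("missing return paths:", missing_return_paths(plan, addresses))
```

Paste each device's AllowedIPs value into its device configuration in the portal. `missing_return_paths` is also useful on configurations written by hand: feed it the AllowedIPs you actually entered and the tunnel address of each device, and any pair it returns is a tunnel that will carry packets one way only.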

NAT Gateway

To provide a single, static egress IP for all of your team's traffic to flow out of, Firezone can be used as a NAT gateway. Its most frequent uses are:

Consulting engagements: ask your client to allowlist a single static IP address rather than each individual employee's IP.

Using a proxy or masking your source IP for security or privacy purposes.

A simple example of restricting access to a self-hosted web application to a single allowlisted static IP running Firezone is shown in this post. In this illustration, Firezone and the protected resource are in different VPC areas.

This solution is frequently used in place of managing an IP allowlist for numerous end users, which can become time-consuming as the access list grows.

AWS Example

Our goal is to set up a Firezone server on an EC2 instance to redirect VPN traffic to the restricted resource. In this instance, Firezone is serving as a network proxy or NAT gateway to give every connected device the same public egress IP.

1. Install the Firezone server

In this instance, an EC2 instance of type t2.micro has Firezone installed on it. For information on deploying Firezone, go to the Deployment Guide. For AWS, make sure that:

The Firezone EC2 instance's security group permits outbound traffic to the protected resource's IP address.

The Firezone instance has an Elastic IP attached. Traffic forwarded through the Firezone instance to outside destinations will have this as its source IP address. The IP address in question is 52.202.88.54.

[Insert screenshot]

2. Restrict access to the protected resource

A self-hosted web application acts as the protected resource in this case. The web app can only be accessed by requests coming from IP address 52.202.88.54. Depending on the resource, it may be necessary to allow inbound traffic on various ports and traffic types. This is not covered in this guide.

[Insert image]

Please tell the third party in charge of the protected resource that traffic from the static IP defined in Step 1 needs to be allowed (in this case 52.202.88.54).

3. Use the VPN server to direct traffic to the protected resource

By default, all user traffic will go through the VPN server and come from the static IP configured in Step 1 (in this case 52.202.88.54). However, if split tunneling has been enabled, configuration may be necessary to make sure the protected resource's destination IP is listed among the Allowed IPs.

Note that every user connected to this Firezone instance now shares the allowlisted address, and the third party cannot tell them apart. Use Egress Rules scoped to users to limit which of them may reach the protected resource.

Configuration File Options

Shown below is a complete list of the configuration options available in /etc/firezone/firezone.rb. Each entry lists the option, what it does, and its default value.

default['firezone']['external_url']
    URL used to access the web portal of this Firezone instance. Default: "https://#{node['fqdn'] || node['hostname']}"

default['firezone']['config_directory']
    Top-level directory for Firezone configuration. Default: '/etc/firezone'

default['firezone']['install_directory']
    Top-level directory to install Firezone to. Default: '/opt/firezone'

default['firezone']['app_directory']
    Top-level directory to install the Firezone web application to. Default: "#{node['firezone']['install_directory']}/embedded/service/firezone"

default['firezone']['log_directory']
    Top-level directory for Firezone logs. Default: '/var/log/firezone'

default['firezone']['var_directory']
    Top-level directory for Firezone runtime files. Default: '/var/opt/firezone'

default['firezone']['user']
    Name of the unprivileged Linux user most services and files will belong to. Default: 'firezone'

default['firezone']['group']
    Name of the Linux group most services and files will belong to. Default: 'firezone'

default['firezone']['admin_email']
    Email address for the initial Firezone user. Default: "firezone@localhost"

default['firezone']['max_devices_per_user']
    Maximum number of devices a user can have. Default: 10

default['firezone']['allow_unprivileged_device_management']
    Allows non-admin users to create and delete devices. Default: true

default['firezone']['allow_unprivileged_device_configuration']
    Allows non-admin users to modify device configuration. When disabled, prevents unprivileged users from changing all device fields except name and description. Default: true

default['firezone']['egress_interface']
    Name of the interface where outgoing traffic will exit. If nil, the default route interface will be used. Default: nil

default['firezone']['fips_enabled']
    Enable or disable OpenSSL FIPS mode. Default: nil

default['firezone']['logging']['enabled']
    Enable or disable logging within Firezone. Set to false to disable logging entirely. Default: true

default['enterprise']['name']
    Name used by the Chef 'enterprise' cookbook. Default: 'firezone'

default['firezone']['install_path']
    Install path used by the Chef 'enterprise' cookbook. Should be set to the same value as install_directory above. Default: node['firezone']['install_directory']

default['firezone']['sysvinit_id']
    An identifier used in /etc/inittab. Must be a unique sequence of 1-4 characters. Default: 'SUP'

default['firezone']['authentication']['local']['enabled']
    Enable or disable local email/password authentication. Default: true

default['firezone']['authentication']['auto_create_oidc_users']
    Automatically create users signing in from OIDC for the first time. Disable to only allow existing users to sign in via OIDC. Default: true

default['firezone']['authentication']['disable_vpn_on_oidc_error']
    Disable a user's VPN if an error is detected while trying to refresh their OIDC token. Default: false

default['firezone']['authentication']['oidc']
    OpenID Connect config, in the format {"provider" => [config...]}. See the OpenIDConnect documentation for config examples. Default: {}

default['firezone']['nginx']['enabled']
    Enable or disable the bundled nginx server. Default: true

default['firezone']['nginx']['ssl_port']
    HTTPS listen port. Default: 443

default['firezone']['nginx']['directory']
    Directory to store the Firezone-related nginx virtual host configuration. Default: "#{node['firezone']['var_directory']}/nginx/etc"

default['firezone']['nginx']['log_directory']
    Directory to store Firezone-related nginx log files. Default: "#{node['firezone']['log_directory']}/nginx"

default['firezone']['nginx']['log_rotation']['file_maxbytes']
    File size at which to rotate nginx log files. Default: 104857600

default['firezone']['nginx']['log_rotation']['num_to_keep']
    Number of Firezone nginx log files to keep before discarding. Default: 10

default['firezone']['nginx']['log_x_forwarded_for']
    Whether to log the X-Forwarded-For header in the Firezone nginx log. Default: true

default['firezone']['nginx']['hsts_header']['enabled']
    Enable or disable HSTS. Default: true

default['firezone']['nginx']['hsts_header']['include_subdomains']
    Enable or disable includeSubDomains for the HSTS header. Default: true

default['firezone']['nginx']['hsts_header']['max_age']
    Max age for the HSTS header. Default: 31536000

default['firezone']['nginx']['redirect_to_canonical']
    Whether to redirect URLs to the canonical FQDN specified above. Default: false

default['firezone']['nginx']['cache']['enabled']
    Enable or disable the Firezone nginx cache. Default: false

default['firezone']['nginx']['cache']['directory']
    Directory for the Firezone nginx cache. Default: "#{node['firezone']['var_directory']}/nginx/cache"

default['firezone']['nginx']['user']
    Firezone nginx user. Default: node['firezone']['user']

default['firezone']['nginx']['group']
    Firezone nginx group. Default: node['firezone']['group']

default['firezone']['nginx']['dir']
    Top-level nginx configuration directory. Default: node['firezone']['nginx']['directory']

default['firezone']['nginx']['log_dir']
    Top-level nginx log directory. Default: node['firezone']['nginx']['log_directory']

default['firezone']['nginx']['pid']
    Location of the nginx pid file. Default: "#{node['firezone']['nginx']['directory']}/nginx.pid"

default['firezone']['nginx']['daemon_disable']
    Disable nginx daemon mode so that the process supervisor can monitor it instead. Default: true

default['firezone']['nginx']['gzip']
    Turn nginx gzip compression on or off. Default: 'on'

default['firezone']['nginx']['gzip_static']
    Turn nginx gzip on or off for static files. Default: 'off'

default['firezone']['nginx']['gzip_http_version']
    HTTP version to use for serving static files. Default: '1.0'

default['firezone']['nginx']['gzip_comp_level']
    nginx gzip compression level. Default: '2'

default['firezone']['nginx']['gzip_proxied']
    Enables or disables gzipping of responses for proxied requests depending on the request and response. Default: 'any'

default['firezone']['nginx']['gzip_vary']
    Enables or disables inserting the "Vary: Accept-Encoding" response header. Default: 'off'

default['firezone']['nginx']['gzip_buffers']
    Sets the number and size of buffers used to compress a response. If nil, the nginx default is used. Default: nil

default['firezone']['nginx']['gzip_types']
    MIME types to enable gzip compression for. Default: ['text/plain', 'text/css', 'application/x-javascript', 'text/xml', 'application/xml', 'application/rss+xml', 'application/atom+xml', 'text/javascript', 'application/javascript', 'application/json']

default['firezone']['nginx']['gzip_min_length']
    Minimum file length to enable gzip compression for. Default: 1000

default['firezone']['nginx']['gzip_disable']
    User-agent matcher to disable gzip compression for. Default: 'MSIE [1-6]\.'

default['firezone']['nginx']['keepalive']
    Activates the cache for connections to upstream servers. Default: 'on'

default['firezone']['nginx']['keepalive_timeout']
    Timeout in seconds for keepalive connections to upstream servers. Default: 65

default['firezone']['nginx']['worker_processes']
    Number of nginx worker processes. Default: node['cpu'] && node['cpu']['total'] ? node['cpu']['total'] : 1

default['firezone']['nginx']['worker_connections']
    Maximum number of simultaneous connections that can be opened by a worker process. Default: 1024

default['firezone']['nginx']['worker_rlimit_nofile']
    Changes the limit on the maximum number of open files for worker processes. Uses the nginx default if nil. Default: nil

default['firezone']['nginx']['multi_accept']
    Whether workers should accept one connection at a time or multiple. Default: true

default['firezone']['nginx']['event']
    Specifies the connection processing method to use within the nginx events context. Default: 'epoll'

default['firezone']['nginx']['server_tokens']
    Enables or disables emitting the nginx version on error pages and in the "Server" response header field. When nil, nginx's own default applies, which emits the version. Default: nil

default['firezone']['nginx']['server_names_hash_bucket_size']
    Sets the bucket size for the server names hash tables. Default: 64

default['firezone']['nginx']['sendfile']
    Enables or disables the use of nginx's sendfile(). Default: 'on'

default['firezone']['nginx']['access_log_options']
    Sets nginx access log options. Default: nil

default['firezone']['nginx']['error_log_options']
    Sets nginx error log options. Default: nil

default['firezone']['nginx']['disable_access_log']
    Disables the nginx access log. Default: false

default['firezone']['nginx']['types_hash_max_size']
    nginx types hash max size. Default: 2048

default['firezone']['nginx']['types_hash_bucket_size']
    nginx types hash bucket size. Default: 64

default['firezone']['nginx']['proxy_read_timeout']
    nginx proxy read timeout. Set to nil to use the nginx default. Default: nil

default['firezone']['nginx']['client_body_buffer_size']
    nginx client body buffer size. Set to nil to use the nginx default. Default: nil

default['firezone']['nginx']['client_max_body_size']
    nginx client max body size. Default: '250m'

default['firezone']['nginx']['default']['modules']
    Specify additional nginx modules. Default: []

default['firezone']['nginx']['enable_rate_limiting']
    Enable or disable nginx rate limiting. Default: true

default['firezone']['nginx']['rate_limiting_zone_name']
    nginx rate limiting zone name. Default: 'firezone'

default['firezone']['nginx']['rate_limiting_backoff']
    nginx rate limiting backoff. Default: '10m'

default['firezone']['nginx']['rate_limit']
    nginx rate limit. Default: '10r/s'

default['firezone']['nginx']['ipv6']
    Allow nginx to listen for HTTP requests over IPv6 in addition to IPv4. Default: true

default['firezone']['postgresql']['enabled']
    Enable or disable the bundled PostgreSQL. Set to false and fill in the database options below to use your own PostgreSQL instance. Default: true

default['firezone']['postgresql']['username']
    Username for PostgreSQL. Default: node['firezone']['user']

default['firezone']['postgresql']['data_directory']
    PostgreSQL data directory. Default: "#{node['firezone']['var_directory']}/postgresql/13.3/data"

default['firezone']['postgresql']['log_directory']
    PostgreSQL log directory. Default: "#{node['firezone']['log_directory']}/postgresql"

default['firezone']['postgresql']['log_rotation']['file_maxbytes']
    PostgreSQL log file maximum size before it is rotated. Default: 104857600

default['firezone']['postgresql']['log_rotation']['num_to_keep']
    Number of PostgreSQL log files to keep. Default: 10

default['firezone']['postgresql']['checkpoint_completion_target']
    PostgreSQL checkpoint completion target. Default: 0.5

default['firezone']['postgresql']['checkpoint_segments']
    Number of PostgreSQL checkpoint segments. Default: 3

default['firezone']['postgresql']['checkpoint_timeout']
    PostgreSQL checkpoint timeout. Default: '5min'

default['firezone']['postgresql']['checkpoint_warning']
    PostgreSQL checkpoint warning time in seconds. Default: '30s'

default['firezone']['postgresql']['effective_cache_size']
    PostgreSQL effective cache size. Default: '128MB'

default['firezone']['postgresql']['listen_address']
    PostgreSQL listen address. Default: '127.0.0.1'

default['firezone']['postgresql']['max_connections']
    PostgreSQL max connections. Default: 350

default['firezone']['postgresql']['md5_auth_cidr_addresses']
    PostgreSQL CIDRs to allow md5 auth from. Default: ['127.0.0.1/32', '::1/128']

default['firezone']['postgresql']['port']
    PostgreSQL listen port. Default: 15432

default['firezone']['postgresql']['shared_buffers']
    PostgreSQL shared buffers size. Default: "#{(node['memory']['total'].to_i / 4) / 1024}MB"

default['firezone']['postgresql']['shmmax']
    PostgreSQL shmmax in bytes. Default: 17179869184

default['firezone']['postgresql']['shmall']
    PostgreSQL shmall in bytes. Default: 4194304

default['firezone']['postgresql']['work_mem']
    PostgreSQL working memory size. Default: '8MB'

default['firezone']['database']['user']
    Specifies the username Firezone will use to connect to the DB. Default: node['firezone']['postgresql']['username']

default['firezone']['database']['password']
    If using an external DB, specifies the password Firezone will use to connect to the DB. Default: 'change_me'

default['firezone']['database']['name']
    Database that Firezone will use. Will be created if it does not exist. Default: 'firezone'

default['firezone']['database']['host']
    Database host that Firezone will connect to. Default: node['firezone']['postgresql']['listen_address']

default['firezone']['database']['port']
    Database port that Firezone will connect to. Default: node['firezone']['postgresql']['port']

default['firezone']['database']['pool']
    Database pool size Firezone will use. Default: [10, Etc.nprocessors].max

default['firezone']['database']['ssl']
    Whether to connect to the database over SSL. Default: false

default['firezone']['database']['ssl_opts']
    Hash of options to send to the :ssl_opts option when connecting over SSL. See the Ecto.Adapters.Postgres documentation. Default: {}

default['firezone']['database']['parameters']
    Hash of parameters to send to the :parameters option when connecting to the database. See the Ecto.Adapters.Postgres documentation. Default: {}

default['firezone']['database']['extensions']
    Database extensions to enable. Default: {'plpgsql' => true, 'pg_trgm' => true}

default['firezone']['phoenix']['enabled']
    Enable or disable the Firezone web application. Default: true

default['firezone']['phoenix']['listen_address']
    Firezone web application listen address. This will be the upstream listen address that nginx proxies to. Default: '127.0.0.1'

default['firezone']['phoenix']['port']
    Firezone web application listen port. This will be the upstream port that nginx proxies to. Default: 13000

default['firezone']['phoenix']['log_directory']
    Firezone web application log directory. Default: "#{node['firezone']['log_directory']}/phoenix"

default['firezone']['phoenix']['log_rotation']['file_maxbytes']
    Firezone web application log file size at which to rotate. Default: 104857600

default['firezone']['phoenix']['log_rotation']['num_to_keep']
    Number of Firezone web application log files to keep. Default: 10

default['firezone']['phoenix']['crash_detection']['enabled']
    Enable or disable bringing down the Firezone web application when a crash is detected. Default: true

default['firezone']['phoenix']['external_trusted_proxies']
    List of trusted reverse proxies, formatted as an Array of IPs and/or CIDRs. Default: []

default['firezone']['phoenix']['private_clients']
    List of private network HTTP clients, formatted as an Array of IPs and/or CIDRs. Default: []

default['firezone']['wireguard']['enabled']
    Enable or disable bundled WireGuard management. Default: true

default['firezone']['wireguard']['log_directory']
    Log directory for bundled WireGuard management. Default: "#{node['firezone']['log_directory']}/wireguard"

default['firezone']['wireguard']['log_rotation']['file_maxbytes']
    WireGuard log file maximum size. Default: 104857600

default['firezone']['wireguard']['log_rotation']['num_to_keep']
    Number of WireGuard log files to keep. Default: 10

default['firezone']['wireguard']['interface_name']
    WireGuard interface name. Changing this parameter may cause a temporary loss of VPN connectivity. Default: 'wg-firezone'

default['firezone']['wireguard']['port']
    WireGuard listen port. Default: 51820

default['firezone']['wireguard']['mtu']
    WireGuard interface MTU for this server and for generated device configurations. Default: 1280

default['firezone']['wireguard']['endpoint']
    WireGuard Endpoint to use when generating device configurations. If nil, defaults to the server's public IP address. Default: nil

default['firezone']['wireguard']['dns']
    WireGuard DNS to use for generated device configurations. Default: '1.1.1.1, 1.0.0.1'

default['firezone']['wireguard']['allowed_ips']
    WireGuard AllowedIPs to use for generated device configurations. Default: '0.0.0.0/0, ::/0'

default['firezone']['wireguard']['persistent_keepalive']
    Default PersistentKeepalive setting for generated device configurations. A value of 0 disables it. Default: 0

default['firezone']['wireguard']['ipv4']['enabled']
    Enable or disable IPv4 for the WireGuard network. Default: true

default['firezone']['wireguard']['ipv4']['masquerade']
    Enable or disable masquerading for packets leaving the IPv4 tunnel. Default: true

default['firezone']['wireguard']['ipv4']['network']
    WireGuard network IPv4 address pool. Default: '10.3.2.0/24'

default['firezone']['wireguard']['ipv4']['address']
    WireGuard interface IPv4 address. Must be within the WireGuard address pool. Default: '10.3.2.1'

default['firezone']['wireguard']['ipv6']['enabled']
    Enable or disable IPv6 for the WireGuard network. Default: true

default['firezone']['wireguard']['ipv6']['masquerade']
    Enable or disable masquerading for packets leaving the IPv6 tunnel. Default: true

default['firezone']['wireguard']['ipv6']['network']
    WireGuard network IPv6 address pool. Default: 'fd00::3:2:0/120'

default['firezone']['wireguard']['ipv6']['address']
    WireGuard interface IPv6 address. Must be within the IPv6 address pool. Default: 'fd00::3:2:1'

default['firezone']['runit']['svlogd_bin']
    Runit svlogd binary location. Default: "#{node['firezone']['install_directory']}/embedded/bin/svlogd"

default['firezone']['ssl']['directory']
    SSL directory for storing generated certificates. Default: '/var/opt/firezone/ssl'

default['firezone']['ssl']['email_address']
    Email address to use for self-signed certificates and for ACME protocol renewal notices. Default: 'you@example.com'

default['firezone']['ssl']['acme']['enabled']
    Enable ACME for automatic SSL certificate provisioning. Disable this to prevent nginx from listening on port 80. See here for more instructions. Default: false

default['firezone']['ssl']['acme']['server']
    ACME server to use for issuing/renewing the certificate. Can be any valid acme.sh server. Default: letsencrypt

default['firezone']['ssl']['acme']['keylength']
    Specify the key type and length for SSL certificates. See here. Default: ec-256

default['firezone']['ssl']['certificate']
    Path to the certificate file for your FQDN. Overrides the ACME setting above if specified. If both ACME and this are nil, a self-signed certificate will be generated. Default: nil

default['firezone']['ssl']['certificate_key']
    Path to the certificate key file. Default: nil

default['firezone']['ssl']['ssl_dhparam']
    nginx ssl dh_param. Default: nil

default['firezone']['ssl']['country_name']
    Country name for the self-signed certificate. Default: 'US'

default['firezone']['ssl']['state_name']
    State name for the self-signed certificate. Default: 'CA'

default['firezone']['ssl']['locality_name']
    Locality name for the self-signed certificate. Default: 'San Francisco'

default['firezone']['ssl']['company_name']
    Company name for the self-signed certificate. Default: 'My Company'

default['firezone']['ssl']['organizational_unit_name']
    Organizational unit name for the self-signed certificate. Default: 'Operations'

default['firezone']['ssl']['ciphers']
    SSL ciphers for nginx to use. Default: 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'

default['firezone']['ssl']['fips_ciphers']
    SSL ciphers for FIPS mode. Default: 'FIPS@STRENGTH:!aNULL:!eNULL'

default['firezone']['ssl']['protocols']
    TLS protocols to use. TLS 1.0 and 1.1 are deprecated (RFC 8996); restrict this to 'TLSv1.2' unless you must support legacy clients. Default: 'TLSv1 TLSv1.1 TLSv1.2'

default['firezone']['ssl']['session_cache']
    SSL session cache. Default: 'shared:SSL:4m'

default['firezone']['ssl']['session_timeout']
    SSL session timeout. Default: '5m'

default['firezone']['robots_allow']
    nginx robots allow. Default: '/'

default['firezone']['robots_disallow']
    nginx robots disallow. Default: nil

default['firezone']['outbound_email']['from']
    Outbound email from address. Default: nil

default['firezone']['outbound_email']['provider']
    Outbound email service provider. Default: nil

default['firezone']['outbound_email']['configs']
    Outbound email provider configs. Default: see omnibus/cookbooks/firezone/attributes/default.rb

default['firezone']['telemetry']['enabled']
    Enable or disable anonymized product telemetry. Default: true

default['firezone']['connectivity_checks']['enabled']
    Enable or disable the Firezone connectivity check service. Default: true

default['firezone']['connectivity_checks']['interval']
    Interval between connectivity checks in seconds. Default: 3_600
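The following is an added example, not code from the Firezone project or from the original page. It reads the attribute assignments a firezone.rb contains (`default['firezone'][...] = value`), falls back to the defaults listed above for anything left unset or commented out, and flags the settings a reviewer would question: legacy TLS versions, VPN access surviving a failed OIDC token refresh, the placeholder database password with an external database, a non-loopback PostgreSQL listen address, a self-signed certificate by omission, and nginx version disclosure. Both sample files are constructed for illustration, and vpn.example.com is a placeholder.

```python
"""Audit of the security-relevant options in /etc/firezone/firezone.rb.

Added example; not code from the Firezone project or the original page.
The two sample files below are constructed; the hostname is a placeholder.
"""
import re

# Matches lines such as: default['firezone']['ssl']['protocols'] = 'TLSv1.2'
ASSIGN_RE = re.compile(r"^\s*default((?:\[['\"][^'\"]+['\"]\])+)\s*=\s*(.+?)\s*$")
KEY_RE = re.compile(r"\[['\"]([^'\"]+)['\"]\]")

# Defaults from the option table, for the keys the audit looks at.
DEFAULTS = {
    "firezone.ssl.protocols": "TLSv1 TLSv1.1 TLSv1.2",
    "firezone.authentication.disable_vpn_on_oidc_error": "false",
    "firezone.postgresql.enabled": "true",
    "firezone.database.password": "change_me",
    "firezone.postgresql.listen_address": "127.0.0.1",
    "firezone.ssl.acme.enabled": "false",
    "firezone.ssl.certificate": "nil",
    "firezone.nginx.server_tokens": "nil",
}

SAMPLE_FIREZONE_RB = """\
default['firezone']['external_url'] = 'https://vpn.example.com'
# default['firezone']['ssl']['acme']['enabled'] = true
default['firezone']['ssl']['protocols'] = 'TLSv1 TLSv1.1 TLSv1.2'
default['firezone']['postgresql']['enabled'] = false
default['firezone']['postgresql']['listen_address'] = '0.0.0.0'
default['firezone']['database']['password'] = 'change_me'
"""

HARDENED_FIREZONE_RB = """\
default['firezone']['external_url'] = 'https://vpn.example.com'
default['firezone']['ssl']['protocols'] = 'TLSv1.2'
default['firezone']['ssl']['acme']['enabled'] = true
default['firezone']['authentication']['disable_vpn_on_oidc_error'] = true
default['firezone']['nginx']['server_tokens'] = 'off'
"""


def parse_attributes(text):
    """Map dotted option paths (firezone.ssl.protocols) to their raw values."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or commented out: the default applies
        match = ASSIGN_RE.match(line)
        if match:
            path = ".".join(KEY_RE.findall(match.group(1)))
            attrs[path] = match.group(2).strip("'\"")
    return attrs


def effective(attrs, key):
    """Value actually in force: the file's setting, else the documented default."""
    return attrs.get(key, DEFAULTS[key])


def audit(attrs):
    """Return a list of findings; an empty list means nothing the audit objects to."""
    findings = []
    legacy = [p for p in effective(attrs, "firezone.ssl.protocols").split()
              if p in ("TLSv1", "TLSv1.1")]
    if legacy:
        findings.append(f"ssl.protocols enables {' '.join(legacy)}; TLS 1.0/1.1 are "
                        "deprecated (RFC 8996), set 'TLSv1.2'")
    if effective(attrs, "firezone.authentication.disable_vpn_on_oidc_error") == "false":
        findings.append("authentication.disable_vpn_on_oidc_error is false; a failed "
                        "OIDC token refresh leaves the user's VPN enabled")
    if (effective(attrs, "firezone.postgresql.enabled") == "false"
            and effective(attrs, "firezone.database.password") == "change_me"):
        findings.append("external database in use but database.password is the placeholder")
    if effective(attrs, "firezone.postgresql.listen_address") not in ("127.0.0.1", "::1", "localhost"):
        findings.append("postgresql.listen_address is not loopback; the bundled database "
                        "is reachable from the network")
    if (effective(attrs, "firezone.ssl.acme.enabled") != "true"
            and effective(attrs, "firezone.ssl.certificate") == "nil"):
        findings.append("neither ACME nor ssl.certificate is set; nginx will serve a "
                        "self-signed certificate")
    if effective(attrs, "firezone.nginx.server_tokens") != "off":
        findings.append("nginx.server_tokens is not 'off'; nginx advertises its version")
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/firezone/firezone.rb"
    with open(path, encoding="utf-8") as fh:
        for finding in audit(parse_attributes(fh.read())):
            print("WARN:", finding)
```

Run it against the live file before `firezone-ctl reconfigure`; every check maps to a row in the table above, so extending it to other options is a matter of adding the default and the condition.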



________________________________________________________________

 

File and Directory Locations

Here you will find a list of files and directories related to a typical Firezone installation. These may change depending on changes to your configuration file.

/var/opt/firezone
    Top-level directory containing data and generated configuration for Firezone bundled services.

/opt/firezone
    Top-level directory containing built libraries, binaries and runtime files needed by Firezone.

/usr/bin/firezone-ctl
    firezone-ctl utility for managing your Firezone installation.

/etc/systemd/system/firezone-runsvdir-start.service
    systemd unit file for starting the Firezone runsvdir supervisor process.

/etc/firezone
    Firezone configuration files.



__________________________________________________________

 

Firewall Templates

This page was blank in the documentation.

 

_____________________________________________________________

 

Nftables Firewall Template

The following nftables firewall template can be used to secure the server running Firezone. The template does make some assumptions; you may need to adjust the rules to suit your use case:

  • The WireGuard interface is named wg-firezone. If this is not correct, change the DEV_WIREGUARD variable to match the default['firezone']['wireguard']['interface_name'] configuration option.
  • The WireGuard listen port is 51820. If you are not using the default port, change the WIREGUARD_PORT variable.
  • Only the following inbound traffic is allowed to the server:
    • SSH (TCP port 22)
    • HTTP (TCP port 80)
    • HTTPS (TCP port 443)
    • WireGuard (UDP port WIREGUARD_PORT)
    • UDP traceroute (UDP ports 33434-33524, rate limited to 500/second)
    • ICMP and ICMPv6 (ping/ping responses rate limited to 2000/second)
  • Only the following outbound traffic is allowed from the server:
    • DNS (UDP and TCP port 53)
    • HTTP (TCP port 80)
    • NTP (UDP port 123)
    • HTTPS (TCP port 443)
    • SMTP submission (TCP port 587)
    • UDP traceroute (UDP ports 33434-33524, rate limited to 500/second)
  • Unmatched traffic will be logged. The rules used for logging are separated from the rules that drop traffic and are rate limited. Removing the relevant logging rules will not affect traffic.
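The inbound allow-list above is a statement of intent; what actually runs is the rule file, and the two drift apart once the file is edited. A quick way to keep them in step is to parse the input chain's accept rules and diff the ports they open against the documented list. The following Python script is an added example, not part of the Firezone documentation or project: it folds nft's backslash line continuations, resolves `define` variables and service names, and reports ports that are opened but not documented (and vice versa). SAMPLE_RULESET is a constructed, abbreviated ruleset in the template's style with one deliberately added port (8080) so the audit has something to report; ICMP rules are not port-based and are left out of the check.

```python
"""Audit the accept rules of an nftables input chain against a documented inbound allow-list."""
import re

# Service names nft resolves through /etc/services; only the ones this template uses.
SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443, "domain": 53, "ntp": 123, "submission": 587}

# Documented inbound allow-list from the assumptions above (ICMP is not port-based, so not checked).
DOCUMENTED_INBOUND = (
    {("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 51820)}
    | {("udp", p) for p in range(33434, 33525)}
)

# Constructed, abbreviated ruleset in the template's style. The 8080 rule is a
# deliberate deviation for the audit to catch; this is not the page's template itself.
SAMPLE_RULESET = r"""
define DEV_WAN = eth0
define WIREGUARD_PORT = 51820

table inet filter {
  chain input {
    type filter hook input priority filter; policy drop
    iif lo \
      accept \
      comment "Permit all traffic in from loopback interface"
    iif $DEV_WAN udp dport $WIREGUARD_PORT \
      counter \
      accept \
      comment "Permit inbound WireGuard traffic"
    udp dport 33434-33524 \
      limit rate 500/second \
      counter \
      accept \
      comment "Permit inbound UDP traceroute limited to 500 PPS"
    tcp dport ssh ct state new \
      counter \
      accept \
      comment "Permit inbound SSH connections"
    tcp dport { http, https } ct state new \
      counter \
      accept \
      comment "Permit inbound HTTP and HTTPS connections"
    tcp dport 8080 ct state new \
      accept \
      comment "CONSTRUCTED: an extra rule the audit should flag"
  }
}
"""

DPORT_RE = re.compile(r"\b(tcp|udp)\s+dport\s+(\{[^}]*\}|\S+)")


def _join_continuations(text):
    """nft lets a rule span lines with a trailing backslash; fold each rule onto one line."""
    return re.sub(r"\\\n\s*", " ", text)


def _defines(text):
    """Map of `define NAME = value` entries in the file."""
    return dict(re.findall(r"^\s*define\s+(\w+)\s*=\s*(\S+)", text, re.M))


def _ports(token, defines):
    """Expand one dport token ($VAR, range, number or service name) to a set of ports."""
    if token.startswith("$"):
        token = defines[token[1:]]
    if "-" in token:
        lo, hi = token.split("-", 1)
        return set(range(int(lo), int(hi) + 1))
    return {int(token)} if token.isdigit() else {SERVICE_PORTS[token]}


def chain_rules(text, chain):
    """Rules of `chain`, one per element, with continuations folded and comments stripped."""
    text = _join_continuations(text)
    m = re.search(r"chain\s+%s\s*\{(.*?)\n\s*\}" % re.escape(chain), text, re.S)
    if not m:
        raise ValueError(f"chain {chain} not found")
    return [line.split(" comment ")[0].strip() for line in m.group(1).splitlines() if line.strip()]


def accepted_ports(text, chain="input"):
    """Set of (proto, port) that some accept rule with a dport expression lets through."""
    defines = _defines(text)
    allowed = set()
    for rule in chain_rules(text, chain):
        if not re.search(r"\baccept\b", rule):
            continue
        for proto, spec in DPORT_RE.findall(rule):
            for tok in spec.strip("{} ").replace(",", " ").split():
                allowed |= {(proto, p) for p in _ports(tok, defines)}
    return allowed


def audit(text, expected=DOCUMENTED_INBOUND):
    """Ports opened but not documented, and documented but not opened."""
    actual = accepted_ports(text, "input")
    return {"unexpected": actual - expected, "missing": expected - actual}


if __name__ == "__main__":
    print(audit(SAMPLE_RULESET))
```

Run it against the real file with `audit(open("/etc/nftables.conf").read())`; a non-empty "unexpected" set is the finding to chase, since every extra port is exposure the documentation does not account for. The parser only understands the constructs this template uses (single ports, ranges, sets, `define` variables, service names), so rules written with named sets or `meta` expressions would need the regex extended.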

Firezone Managed Rules

Firezone configures its own nftables rules to permit/deny traffic to destinations configured in the web interface and to handle outbound NAT for client traffic.

Applying the firewall template below on an already running server (not at boot time) will result in the Firezone rules being cleared. This may have security implications.

To work around this, restart the phoenix service:

firezone-ctl restart phoenix

Base Firewall Template

#!/usr/sbin/nft -f

## Clear/flush all existing rules
flush ruleset

################################ VARIABLES ################################
## Internet/WAN interface name
define DEV_WAN = eth0

## WireGuard interface name
define DEV_WIREGUARD = wg-firezone

## WireGuard listen port
define WIREGUARD_PORT = 51820
############################## VARIABLES END ##############################

# Main inet family filtering table
table inet filter {

  # Rules for forwarded traffic
  # This chain is processed before the Firezone forward chain
  chain forward {
    type filter hook forward priority filter - 5; policy accept
  }

  # Rules for input traffic
  chain input {
    type filter hook input priority filter; policy drop

    ## Permit inbound traffic to loopback interface
    iif lo \
      accept \
      comment "Permit all traffic in from loopback interface"

    ## Permit established and related connections
    ct state established,related \
      accept \
      comment "Permit established/related connections"

    ## Permit inbound WireGuard traffic
    iif $DEV_WAN udp dport $WIREGUARD_PORT \
      counter \
      accept \
      comment "Permit inbound WireGuard traffic"

    ## Log and drop new TCP non-SYN packets
    tcp flags != syn ct state new \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - New !SYN: " \
      comment "Rate limit logging for new connections that do not have the SYN TCP flag set"
    tcp flags != syn ct state new \
      counter \
      drop \
      comment "Drop new connections that do not have the SYN TCP flag set"

    ## Log and drop TCP packets with invalid fin/syn flag set
    tcp flags & (fin|syn) == (fin|syn) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - TCP FIN|SIN: " \
      comment "Rate limit logging for TCP packets with invalid fin/syn flag set"
    tcp flags & (fin|syn) == (fin|syn) \
      counter \
      drop \
      comment "Drop TCP packets with invalid fin/syn flag set"

    ## Log and drop TCP packets with invalid syn/rst flag set
    tcp flags & (syn|rst) == (syn|rst) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - TCP SYN|RST: " \
      comment "Rate limit logging for TCP packets with invalid syn/rst flag set"
    tcp flags & (syn|rst) == (syn|rst) \
      counter \
      drop \
      comment "Drop TCP packets with invalid syn/rst flag set"

    ## Log and drop invalid TCP flags
    tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - FIN:" \
      comment "Rate limit logging for invalid TCP flags (fin|syn|rst|psh|ack|urg) < (fin)"
    tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) \
      counter \
      drop \
      comment "Drop TCP packets with flags (fin|syn|rst|psh|ack|urg) < (fin)"

    ## Log and drop invalid TCP flags
    tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - FIN|PSH|URG:" \
      comment "Rate limit logging for invalid TCP flags (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"
    tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) \
      counter \
      drop \
      comment "Drop TCP packets with flags (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"

    ## Drop traffic with invalid connection state
    ct state invalid \
      limit rate 100/minute burst 150 packets \
      log flags all prefix "IN - Invalid: " \
      comment "Rate limit logging for traffic with invalid connection state"
    ct state invalid \
      counter \
      drop \
      comment "Drop traffic with invalid connection state"

    ## Permit IPv4 ping/ping responses but rate limit to 2000 PPS
    ip protocol icmp icmp type { echo-reply, echo-request } \
      limit rate 2000/second \
      counter \
      accept \
      comment "Permit inbound IPv4 echo (ping) limited to 2000 PPS"

    ## Permit all other inbound IPv4 ICMP
    ip protocol icmp \
      counter \
      accept \
      comment "Permit all other IPv4 ICMP"

    ## Permit IPv6 ping/ping responses but rate limit to 2000 PPS
    icmpv6 type { echo-reply, echo-request } \
      limit rate 2000/second \
      counter \
      accept \
      comment "Permit inbound IPv6 echo (ping) limited to 2000 PPS"

    ## Permit all other inbound IPv6 ICMP
    meta l4proto { icmpv6 } \
      counter \
      accept \
      comment "Permit all other IPv6 ICMP"

    ## Permit inbound traceroute UDP ports but limit to 500 PPS
    udp dport 33434-33524 \
      limit rate 500/second \
      counter \
      accept \
      comment "Permit inbound UDP traceroute limited to 500 PPS"

    ## Permit inbound SSH
    tcp dport ssh ct state new \
      counter \
      accept \
      comment "Permit inbound SSH connections"

    ## Permit inbound HTTP and HTTPS
    tcp dport { http, https } ct state new \
      counter \
      accept \
      comment "Permit inbound HTTP and HTTPS connections"

    ## Log any unmatched traffic but rate limit logging to a maximum of 60 messages/minute
    ## The default policy will be applied to unmatched traffic
    limit rate 60/minute burst 100 packets \
      log prefix "IN - Drop: " \
      comment "Log any unmatched traffic"

    ## Count the unmatched traffic
    counter \
      comment "Count any unmatched traffic"
  }

  # Rules for output traffic
  chain output {
    type filter hook output priority filter; policy drop

    ## Permit outbound traffic to loopback interface
    oif lo \
      accept \
      comment "Permit all traffic out to loopback interface"

    ## Permit established and related connections
    ct state established,related \
      counter \
      accept \
      comment "Permit established/related connections"

    ## Permit outbound WireGuard traffic before dropping connections with bad state
    oif $DEV_WAN udp sport $WIREGUARD_PORT \
      counter \
      accept \
      comment "Permit WireGuard outbound traffic"

    ## Drop traffic with invalid connection state
    ct state invalid \
      limit rate 100/minute burst 150 packets \
      log flags all prefix "OUT - Invalid: " \
      comment "Rate limit logging for traffic with invalid connection state"
    ct state invalid \
      counter \
      drop \
      comment "Drop traffic with invalid connection state"

    ## Permit all other outbound IPv4 ICMP
    ip protocol icmp \
      counter \
      accept \
      comment "Permit all IPv4 ICMP types"

    ## Permit all other outbound IPv6 ICMP
    meta l4proto { icmpv6 } \
      counter \
      accept \
      comment "Permit all IPv6 ICMP types"

    ## Permit outbound traceroute UDP ports but limit to 500 PPS
    udp dport 33434-33524 \
      limit rate 500/second \
      counter \
      accept \
      comment "Permit outbound UDP traceroute limited to 500 PPS"

    ## Permit outbound HTTP and HTTPS connections
    tcp dport { http, https } ct state new \
      counter \
      accept \
      comment "Permit outbound HTTP and HTTPS connections"

    ## Permit outbound SMTP submission
    tcp dport submission ct state new \
      counter \
      accept \
      comment "Permit outbound SMTP submission"

    ## Permit outbound DNS requests
    udp dport 53 \
      counter \
      accept \
      comment "Permit outbound UDP DNS requests"
    tcp dport 53 \
      counter \
      accept \
      comment "Permit outbound TCP DNS requests"

    ## Permit outbound NTP requests
    udp dport 123 \
      counter \
      accept \
      comment "Permit outbound NTP requests"

    ## Log any unmatched traffic but rate limit logging to a maximum of 60 messages/minute
    ## The default policy will be applied to unmatched traffic
    limit rate 60/minute burst 100 packets \
      log prefix "OUT - Drop:" \
      comment "Log any unmatched traffic"

    ## Count the unmatched traffic
    counter \
      comment "Count any unmatched traffic"
  }

}

# Main NAT filtering table
table inet nat {

  # Rules for NAT traffic pre-routing
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept
  }

  # Rules for NAT traffic post-routing
  # This table is processed before the Firezone post-routing chain
  chain postrouting {
    type nat hook postrouting priority srcnat - 5; policy accept
  }

}

Usage

The firewall should be stored in the relevant location for the Linux distribution in use. For Debian/Ubuntu this is /etc/nftables.conf and for RHEL it is /etc/sysconfig/nftables.conf.

nftables.service will need to be configured to start at boot (if it is not already) by setting:

systemctl enable nftables.service

If you make any changes to the firewall template, the syntax can be validated by running the check command:

nft -f /path/to/nftables.conf -c

Be sure to verify that the firewall works as expected, since some nftables features may not be available depending on the release running on the server.
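Verifying the firewall also means reading what its logging rules produce. Every `log prefix` rule in the template writes a kernel log line ("IN - Drop: ", "IN - New !SYN: ", "IN - Invalid: ", "OUT - Drop:" and so on, visible with `journalctl -k`), and summarising those lines by reason, destination port and source answers whether the rules are catching what they should. The following Python script is an added example, not part of the Firezone documentation or project; its sample lines are constructed in the format nf_log uses and the addresses are from documentation ranges. One point it surfaces that is easy to miss: with the output chain's drop policy, an "OUT - Drop:" line means a process on the server itself tried to reach something the template does not allow, which is either a missing egress rule or something that should not be talking out.

```python
"""Summarise kernel log lines produced by the nftables template's `log prefix` rules."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format nf_log writes to the kernel log
# (as seen in `journalctl -k`). They are made up for this example; the
# addresses come from the RFC 5737 documentation ranges.
_MAC = "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00"
SAMPLE_LOG = "\n".join([
    f"Jul 22 18:30:41 fz kernel: IN - Drop: IN=eth0 OUT= {_MAC} SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0",
    f"Jul 22 18:30:42 fz kernel: IN - Drop: IN=eth0 OUT= {_MAC} SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51235 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0",
    f"Jul 22 18:30:43 fz kernel: IN - Drop: IN=eth0 OUT= {_MAC} SRC=198.51.100.23 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40",
    f"Jul 22 18:30:44 fz kernel: IN - New !SYN: IN=eth0 OUT= {_MAC} SRC=203.0.113.9 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0",
    f"Jul 22 18:30:45 fz kernel: IN - Invalid: IN=eth0 OUT= {_MAC} SRC=203.0.113.9 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=1024 RES=0x00 RST URGP=0",
    "Jul 22 18:30:46 fz kernel: OUT - Drop: IN= OUT=eth0 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=44321 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Jul 22 18:30:47 fz kernel: usb 1-1: new high-speed USB device number 2",
])

# Matches "IN - Drop: ", "OUT - Invalid: ", "IN - FIN|PSH|URG:" and so on. The reason
# runs up to the first colon, which always comes before any MAC= field.
LOG_RE = re.compile(r"kernel: (?P<direction>IN|OUT) - (?P<reason>[^:]+):\s*(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Return a dict for one nftables log line, or None for unrelated kernel messages."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # For UDP the second LEN= (UDP length) overrides the IP one; neither is used here.
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {
        "direction": m.group("direction"),
        "reason": m.group("reason").strip(),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if fields.get("DPT") else None,
        # TCP flags appear as bare tokens (SYN, ACK, ...) after RES=
        "flags": {tok for tok in m.group("fields").split() if tok in TCP_FLAGS},
    }


def parse_events(log_text):
    return [e for e in map(parse_line, log_text.splitlines()) if e]


def summarize(log_text):
    """Counts by (direction, reason), inbound (proto, port) and source, plus blocked outbound."""
    events = parse_events(log_text)
    inbound = [e for e in events if e["direction"] == "IN"]
    return {
        "events": len(events),
        "by_reason": Counter((e["direction"], e["reason"]) for e in events),
        "inbound_ports": Counter((e["proto"], e["dport"]) for e in inbound if e["dport"] is not None),
        "top_sources": Counter(e["src"] for e in inbound),
        # Each entry here hit the output chain's drop policy from a local process.
        "outbound_blocked": [(e["dst"], e["proto"], e["dport"]) for e in events if e["direction"] == "OUT"],
    }


def scan_candidates(log_text, min_ports=5):
    """Sources whose dropped inbound packets touched at least `min_ports` distinct ports."""
    ports = defaultdict(set)
    for e in parse_events(log_text):
        if e["direction"] == "IN" and e["dport"] is not None:
            ports[e["src"]].add(e["dport"])
    return {src: p for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (direction, reason), count in s["by_reason"].most_common():
        print(f"{direction:>3} {reason:<12} {count}")
    print("blocked outbound:", s["outbound_blocked"])
    print("multi-port sources:", scan_candidates(SAMPLE_LOG, min_ports=2))
```

On a real host feed it the output of `journalctl -k --no-pager` (or /var/log/kern.log). Because the template rate limits every logging rule, the counts here are a lower bound on what was dropped; the `counter` statements in the ruleset, read with `nft list ruleset`, hold the exact totals.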



_______________________________________________________________



Telemetry

This document presents an overview of the telemetry Firezone collects from your self-hosted instance and how to disable it.

Why Firezone collects telemetry

Firezone relies on telemetry to prioritize our roadmap and optimize the engineering resources we have to make Firezone better for everyone.

The telemetry we collect aims to answer the following questions:

  • How many people install, use, and stop using Firezone?
  • Which features are most valuable, and which are not seeing any use?
  • Which functionality needs the most improvement?
  • When something breaks, why did it break, and how can we prevent it from happening in the future?

How we collect telemetry

There are three main places where telemetry is collected in Firezone:

  1. Package telemetry. Includes events such as install, uninstall, and upgrade.
  2. CLI telemetry from firezone-ctl commands.
  3. Product telemetry associated with the Web portal.

In each of these three contexts, we collect the minimum amount of data necessary to answer the questions in the section above.

Admin emails are collected only if you opt in to product updates. Otherwise, personally identifiable information is never collected.

Firezone stores telemetry in a self-hosted instance of PostHog running in a private Kubernetes cluster, accessible only by the Firezone team. Here is an example of a telemetry event that is sent from your instance of Firezone to our telemetry server:

{
    "id": "0182272d-0b88-0000-d419-7b9a413713f1",
    "timestamp": "2022-07-22T18:30:39.748000+00:00",
    "event": "fz_http_started",
    "distinct_id": "1ec2e794-1c3e-43fc-a78f-1db6d1a37f54",
    "properties": {
        "$geoip_city_name": "Ashburn",
        "$geoip_continent_code": "NA",
        "$geoip_continent_name": "North America",
        "$geoip_country_code": "US",
        "$geoip_country_name": "United States",
        "$geoip_latitude": 39.0469,
        "$geoip_longitude": -77.4903,
        "$geoip_postal_code": "20149",
        "$geoip_subdivision_1_code": "VA",
        "$geoip_subdivision_1_name": "Virginia",
        "$geoip_time_zone": "America/New_York",
        "$ip": "52.200.241.107",
        "$plugins_deferred": [],
        "$plugins_failed": [],
        "$plugins_succeeded": [
            "GeoIP (3)"
        ],
        "distinct_id": "1ec2e794-1c3e-43fc-a78f-1db6d1a37f54",
        "fqdn": "awsdemo.firezone.dev",
        "kernel_version": "linux 5.13.0",
        "version": "0.4.6"
    },
    "elements_chain": ""
}

How to disable telemetry

NOTE

The Firezone development team relies on product analytics to make Firezone better for everyone. Leaving telemetry enabled is the single most valuable contribution you can make to Firezone's development. That said, we understand some users have higher privacy or security requirements and would prefer to disable telemetry altogether. If that's you, keep reading.

Telemetry is enabled by default. To completely disable product telemetry, set the following configuration option to false in /etc/firezone/firezone.rb and run sudo firezone-ctl reconfigure to pick up the change.

default['firezone']['telemetry']['enabled'] = false

This will completely disable all product telemetry.