Deploy Gateways
Gateways are what Clients connect to in order to access Resources in a Site. They're the data plane workhorse of the Firezone architecture and are responsible for securely routing traffic between Clients and Resources.
Prerequisites
- Any Linux distribution with kernel 3.10 or later
x86_64,aarch64, orarmv7lCPU architectureiptablesandip6tablescommands available on your system- Docker Engine or systemd installed for your distribution
Firewall ports
Gateways implement the industry-standard STUN and TURN protocols to perform secure NAT holepunching. This allows Firezone to establish direct connections between your Users and Resources while keeping your Resources invisible to the public internet.
Inbound ports
In most cases, no inbound firewall ports should be opened for Gateways to function properly. If your network has a stateless firewall in place, however, you'll need to ensure UDP return traffic can reach the Gateway(s). If you're not sure, you should err on the side of caution and leave all inbound ports closed unless you experience connectivity issues.
See the table below for firewall recommendations for popular cloud providers.
| Provider | Resource type | Type | Inbound ports |
|---|---|---|---|
| AWS | Network ACLs | Stateless | By default, AWS ACLs allow all inbound. If you've modified these, be sure that UDP 1024-65536 is allowed from source 0.0.0.0/0 so your Clients can connect directly. If you wish to allow only Relayed connections, use the source IPs in relay-ips.json. |
| AWS | Security Groups | Stateful | None |
| Azure | Network Security Groups | Stateful | None |
| GCP | Firewall Rules | Stateful | None |
Outbound ports
If the network in which your Gateway is deployed applies egress filtering, you'll need to make sure the following outbound traffic is allowed:
| Host | IP Address | Port(s) | Protocol(s) | Purpose |
|---|---|---|---|---|
| app.firezone.dev | 20.227.74.254, 52.142.127.161, 9.234.124.145, see portal-ips.json | 443 | HTTPS | Authentication / admin portal access (IPv4) |
| app.firezone.dev | 2603:1010:3:d::f9, 2603:1020:0:1f::f2, 2603:1030:b:31::19d, see portal-ips.json | 443 | HTTPS | Authentication / admin portal access (IPv6) |
| api.firezone.dev | 20.227.74.254, 52.142.127.161, 9.234.124.145, see portal-ips.json | 443 | HTTPS/WebSocket | Control Plane API (IPv4) |
| api.firezone.dev | 2603:1010:3:d::f9, 2603:1020:0:1f::f2, 2603:1030:b:31::19d, see portal-ips.json | 443 | HTTPS/WebSocket | Control Plane API (IPv6) |
| sentry.firezone.dev | 34.95.103.143 | 443 | HTTPS | Crash-reporting (IPv4), see Telemetry |
| sentry.firezone.dev | 2600:1901:0:64bd:: | 443 | HTTPS | Crash-reporting (IPv6), see Telemetry |
| posthog.firezone.dev | 34.95.103.143 | 443 | HTTPS | Feature-flag evaluation (IPv4) |
| posthog.firezone.dev | 2600:1901:0:64bd:: | 443 | HTTPS | Feature-flag evaluation (IPv6) |
| N/A | Varies, see relay-ips.json | 3478 | STUN | STUN protocol signaling |
| N/A | Varies, see relay-ips.json | 49152-65535 | TURN | TURN protocol channel data |
| github.com, www.firezone.dev | Varies | 443 | HTTPS | Only required for Gateway upgrades. |
Permissions
In order to function correctly, Gateways need access to several parts of the Linux system:
- The TUN device as
/dev/net/tun - Permissions to open new UDP sockets
- Permissions to add and remove routes via
netlink
Typically, it is enough to run Gateways with the CAP_NET_ADMIN capability.
Alternatively, you can run them as root.
Gateways will check on startup for these two conditions and fail if neither are
met. You can skip these permission checks by passing --no-check. This is only
advisable in case you have configured access in ways not covered by these
checks.
Where to deploy Gateways
Ideally, Gateways should be deployed as close to the Resources they're serving -- in some cases, even on the same host. This ensures the lowest possible latency and highest possible throughput for Client connections, and allows you to more easily deploy additional Gateways for other Resources that need to handle more Client connections.
When multiple Gateways are deployed within a Site, Firezone automatically selects the closest Gateway to route Client traffic based on the Client's geolocated IP address. This regional selection helps minimize latency and optimize performance by connecting users to the nearest available Gateway.
The downside of deploying Gateways close to Resources is that it increases the overall number of Gateways and Sites you need to manage. Firezone's control plane is designed to make this as easy as possible, but it's still something to keep in mind when planning your deployment.
When deploying Gateways, remember that all Gateways and Resources in a Site must have unobstructed network connectivity to each other. This is necessary for Firezone's automatic failover and load balancing features to work correctly.
Sizing recommendations
The Gateway, like the rest of Firezone's data plane stack, is written in Rust. As a result, it's extremely lightweight and computationally efficient by nature.
Gateways are mostly performance-bound by the I/O rate at which they can process packets, so bare metal deployments or VMs with high I/O rates will make a big difference in both throughput and latency.
The number of clients a Gateway can support depends heavily on your throughput requirements — available bandwidth is shared across all connected clients. A single Gateway on a 2-core dedicated vCPU VM can reliably handle up to 1,000 clients, assuming your link speed is sufficient. Throughput is also affected by latency to/from clients and whether connections are peer-to-peer or relayed (relayed connections carry additional overhead).
Gateways scale with CPU cores up to 4 cores, beyond which additional cores provide no benefit. Up to 4 GB of RAM can be used for packet buffers; more than that is not utilized. For ideal performance, we recommend at least 4 dedicated CPU cores.
A typical Gateway on a 4-core Linux machine with a recent kernel and sub-10ms round-trip latency should be able to push 2 Gbps+ of peer-to-peer WireGuard traffic. While the Gateway runs as a userspace binary, this is often on par with or faster than the kernel WireGuard module due to multithreading and offloading optimizations.
| Gateway size | Approx. clients served | CPU cores | Memory | Recommended link speed |
|---|---|---|---|---|
| Micro | up to 50 | 1 | 1 GB | 500 Mbps |
| Small | up to 250 | 2 | 2 GB | 1 Gbps |
| Medium | up to 1,000 | 4 | 4 GB | 2.5 Gbps+ |
Gateways deployed to the Internet site should always have at least 4 CPU cores.
For production workloads, we recommend deploying at least 3 Gateways to ensure high availability during rolling upgrades and to distribute load across multiple machines. To scale beyond a single Gateway's capacity, deploy additional Gateways and use Firezone's automatic load balancing to shard Client connections across them.
Performance tuning
The default receive and send buffer sizes on Linux are quite small which can limit the maximum throughput that users can achieve.
The Gateway attempts to increase the system-wide UDP send and receive buffer
max sizes to 16 and 128 MB respectively. It does that by setting
net.core.wmem_max and net.core.rmem_max. This will however only work for
Gateways deployed on bare-metal and not via Docker as Docker mounts /proc/sys
as a read-only file system.
To disable this behaviour, you can set FIREZONE_NO_INC_BUF=true.
To ensure good throughput, it is advisable to ensure these parameters are set correctly.
sudo sysctl -w net.core.wmem_max=16777216 # 16 MB
sudo sysctl -w net.core.rmem_max=134217728 # 128 MB
Deploy a single Gateway
Deploying a single Gateway can be accomplished in the admin portal.
We strongly recommend deploying a minimum of three Gateways in a Site for production use cases. This ensures high availability even when performing rolling upgrades.
Go to Sites -> <name of Site> -> Deploy a Gateway and follow the prompts to
deploy for your preferred environment. This will deploy a single Gateway.
Deploy multiple Gateways
To achieve high availability, deploy two or more Gateways within the same Site. High availability is achieved through a combination of automatic failover and load balancing, both of which are available on all plans.
You can deploy multiple Gateways within a Site manually from the admin portal,
or automate the process by reusing the FIREZONE_TOKEN environment variable
shown on the Manual tab of the Deploy a new Gateway page. This is a
multi-owner token that can be reused to deploy multiple Gateways within the same
Site.
Note: Be sure to set a unique FIREZONE_ID for each Gateway you deploy.
This can be any non-empty string and is used to identify Gateways in the
portal.
Deploy as many Gateways as you need to handle the load of Client connections to Resources in a Site. This effectively shards Client connections across all Gateways in a Site, achieving higher overall throughput than otherwise possible with a single Gateway.
Automated Gateway deployment
See our automation recipes for deploying Gateways on various cloud providers using Terraform.
Keeping Gateways up to date
It's a good idea to keep your Gateways up to date with the latest version available. See upgrading Gateways for ways to automate this.
Telemetry
By default, Gateways will run a https://sentry.io crash-reporting agent. If
you'd like to opt-out of this, set the environment variable
FIREZONE_NO_TELEMETRY=true.
Environment variable reference
| Variable Name | Default Value | Description |
|---|---|---|
FIREZONE_TOKEN | Token generated by the portal to authorize the Gateway's connection. See Deploy multiple Gateways for where to find this. Can also be passed using a systemd credential named FIREZONE_TOKEN. | |
FIREZONE_ID | Unique identifier for this Gateway. Must be unique across all Gateways in your account. If not provided, the contents of /etc/machine-id will be used instead. | |
FIREZONE_NAME | Friendly name for this Gateway to display in the admin portal. | |
FIREZONE_LOG_FORMAT | human | Log output format. Set to json for JSON-formatted logs, or human for human-readable logs. |
FIREZONE_FLOW_LOGS | false | Set to true to enable flow logs of UDP and TCP connections. |
FIREZONE_NO_INC_BUF | false | Set to true to prevent the Gateway from attempting to increase the system's net.core.wmem_max and net.core.rmem_max kernel parameters. See Performance tuning for details. |
RUST_LOG | info | Log level for the Gateway. Common values: error, warn, info, debug, trace. Read more here. |
Need additional help?
See all support options or try asking on one of our community-powered support channels:
- Discussion forums: Ask questions, report bugs, and suggest features.
- Discord server: Join discussions, meet other users, and chat with the Firezone team
- Email us: We read every message.