Firezone

Firezone is an open source zero-trust access platform designed to replace traditional VPNs with identity-aware, least-privilege connectivity. It uses WireGuard-based tunnels and a gateway/relay architecture to securely connect users to specific resources instead of whole networks.

Key Features

• Granular, group-based access policies for applications, subnets, and networks
• Peer-to-peer, end-to-end encrypted tunnels with NAT traversal (hole punching)
• Lightweight gateway component deployable in your infrastructure
• Optional relay (STUN/TURN) to facilitate connectivity when direct paths fail
• SSO and identity provider integration, including OIDC-based authentication
• Admin portal for managing users, resources, and policies
• Audit/activity logging for visibility and compliance needs

Use Cases

• Secure access to internal web apps, databases, and services without exposing networks
• Remote workforce connectivity as an alternative to OpenVPN-style VPN deployments
• Contractor or partner access with strict, least-privilege, policy-based controls

Limitations and Considerations

• Production self-hosting is not officially supported and internal APIs may change rapidly
• Officially distributed clients may not always be compatible with a custom self-hosted control plane build

Firezone fits teams that want a modern, identity-aware approach to private access with WireGuard performance characteristics and centralized policy management. It is especially useful when you need to reduce broad network access while keeping connectivity fast and manageable.