Firezone
What is Firezone
Firezone is an open-source remote access platform built on WireGuard?, a modern VPN protocol that's 4-6x faster than OpenVPN. Deploy on your infrastructure and start onboarding users in minutes.
Preparation
The following placeholders will be used:
firezone.companyis the FQDN of the Firezone install.authentikis the unique ID used to generate logins for this provider.authentik.companyis the FQDN of the authentik install.
Create an OAuth2/OpenID provider with the following parameters:
- Client type:
Confidential - Redirect URIs/Origins:
Redirect URI from Firezone Config - Signing Key:
<Select your certificate> - Click:
Finish
Note the Client ID and Client Secret value. Create an application using the provider you've created above.
Firezone Config
- Click Security under Settings
- Under Single Sign-On, click on Add OpenID Connect Provider
- Config ID:
authentik - Label:
Text to display on the Login button - Scope:
(leave default of "openid email profile") - Response type: `(leave default of 'code')
- Client ID:
Taken from Authentik Provider Config - Client Secret:
Taken from Authentik Provider Config - Discovery Document URI:
OpenID Configuration URL from Authentik - Redirect URI:
https://firezone.company/auth/oidc/<ConfigID>/callback/noteYou should be able to leave the default Rediret URL
- Auto-create Users: Enabled in order to automatically provision users when signing in the first time.
- Click Save,
Although local authentication is quick and easy to get started with, you can limit attack surface by disabling local authentication altogether. For production deployments it's usually a good idea to disable local authentication and enforce MFA through authentik.
In case something goes wrong with the configuration, you can temporarily re-enable local authentication via the REST API or by following instructions from https://www.firezone.dev/docs/administer/troubleshoot/#re-enable-local-authentication-via-cli.