Firezone CEO here. Someone just clued me into this thread. Unfortunately I’m in and out of Internet service today but I’ll do my best to answer questions.
As noted by others, Firezone isn’t really aiming to be a mesh networking tool like Tailscale, but more of a classic east-west VPN similar to OpenVPN Access Server. We also expose simple controls for managing egress firewall rules.
We have a big release planned next week to bring OIDC auth and the ability to manage multiple WireGuard networks, plus Docker support and more firewall + multisite features in the pipeline for later this summer.
We have a one-line install script for Linux at our repo if you’d like to give it a whirl! Grateful for any and all feedback.
Edit: dunno if that comment was deleted because the author was wrong about their PiHole blocking telemetry causing commands to fail, if they were harassed into deleting it, or what.
I guess I'll give you the benefit of the doubt that there was something else going on with their network that caused commands to fail, but you're still getting side-eye for engaging in telemetry/usage tracking.
Hi, I deleted that post because it had something in it I didn't want forever recorded on the internet. Nobody harassed me and I wasn't wrong.
One of my pihole blocklists includes telemetry.* which matches some network call made by the command you run to update the Firezone config. Pihole returns "0.0.0.0" for hostnames it blocks and the error that's raised ends up coming from openssl. Later I discovered there are 2 options at the bottom of the /etc/firezone/firezone.rb config file, commented out, that allow you to disable the telemetry. With these options turned on the error no longer occurs.
We don't actively block any functionality when a user blocks telemetry -- that's definitely an unintended side effect and bug. You'll have more luck disabling telemetry in the config file with `default['firezone']['telemetry']['enabled'] = false` documented here: https://docs.firezone.dev/docs/reference/configuration-file/
We could definitely clarify how to disable telemetry better and we should make sure nothing breaks when telemetry is blackholed instead of disabled. I've opened https://github.com/firezone/firezone/pull/658 to get these addressed.
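The failure mode in the two posts above is a DNS sinkhole (Pi-hole here) answering 0.0.0.0 for a telemetry hostname, with the error only surfacing later from openssl. A tool that treats telemetry as optional can detect that up front and skip the call instead of failing. The script below is an added example and not Firezone's own code; it assumes that sinkholes answer with 0.0.0.0, :: or 127.0.0.1 (NXDOMAIN-style blocking shows up as an empty answer), and the sample answers in it are constructed.

```shell
#!/bin/sh
# Added example (not Firezone code): detect whether a hostname has been
# sinkholed by a DNS blocker such as Pi-hole, so an optional call (telemetry)
# can be skipped instead of failing inside openssl with a confusing error.

# Addresses that DNS blockers commonly answer with for blocked names.
# Assumption: 0.0.0.0 and :: (null-route style) and 127.0.0.1 (loopback sinkholes).
is_sinkhole_addr() {
    case "$1" in
        0.0.0.0|::|127.0.0.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a whitespace-separated list of resolved addresses. Prints one of:
#   blocked    - only sinkhole addresses were returned
#   ok         - at least one routable address was returned
#   unresolved - no addresses at all (NXDOMAIN-style blocking or DNS failure)
classify_addrs() {
    routable=0
    sinkholed=0
    for a in $1; do
        if is_sinkhole_addr "$a"; then sinkholed=1; else routable=1; fi
    done
    if [ "$routable" -eq 1 ]; then
        echo ok
    elif [ "$sinkholed" -eq 1 ]; then
        echo blocked
    else
        echo unresolved
    fi
}

# Resolve a hostname with getent and classify the answer. This does a real
# lookup, so it is not invoked below; the constructed answers exercise the logic offline.
check_host() {
    addrs=$(getent hosts "$1" 2>/dev/null | awk '{print $1}')
    classify_addrs "$addrs"
}

# Decide whether an optional network call should be attempted at all.
send_telemetry_if_reachable() {
    case "$(classify_addrs "$1")" in
        ok) echo "would send telemetry" ;;
        *)  echo "telemetry endpoint sinkholed or unresolvable; skipping" ;;
    esac
}

# Constructed sample answers: what a Pi-hole returns for a blocked name
# versus what a normally resolving name returns.
blocked_answer="0.0.0.0 ::"
normal_answer="192.0.2.10 2001:db8::10"

echo "blocked name:  $(classify_addrs "$blocked_answer")"   # blocked
echo "normal name:   $(classify_addrs "$normal_answer")"    # ok
send_telemetry_if_reachable "$blocked_answer"
```

For a real host, `check_host telemetry.example` (placeholder name) runs the lookup and feeds it to the same classifier; the point is that the decision is made on the DNS answer, before any TLS handshake is attempted against a 0.0.0.0 address.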
Thanks for posting. What are the use cases for Firezone exactly? Is the intention to simplify networking configuration in data centers? (as opposed to the zero config nature of Tailscale devices that could be anywhere on the internet?)
Can you share your experiences working with Elixir for this kind of project? Sharing anything about strengths, weaknesses, or general insights would be appreciated.
Sure! Elixir's been great. Phoenix is a joy to work with, and many of the concurrency primitives built into OTP make it the perfect foundation for a product like this. And rustler makes it super easy to add low-level / native code.
I will say the big downside to using Elixir is that distributing releases is a bit cumbersome. `mix release` expects that you're building on the same OS / version as you'll be running on, though we're looking into using something like burrito [1] to help alleviate this.
As complaining commenters and the project creator agree, this is not a Tailscale alternative. Please don't do that! This was a case study on how small title perturbations end up dominating entire threads.
How does it compare to BSD based firewalls such as OpnSense and pfSense? They're both great products, but support for ARM and 802.11ac doesn't seem ready yet.
After reading around a bit it appears you're right; thanks for the correction. I used pfSense some years ago to full satisfaction and always thought the reasons for the fork leading to OpnSense were motivated only by licensing issues, but apparently there are also technical reasons for choosing OpnSense over pfSense.
Not going to knock these solutions but at least for Tailscale, if I understand what I read on their web site correctly, I think it's built on Wireguard. I found Wireguard to be easy enough to configure and get working and I'm lazy and cheap.
Since then, I run my web and email servers on an old laptop in my home and the Internet POP is a $3.50 VM plus $1 for a static IP, at AWS Lightsail. This works for me but if I needed to connect a disparate office and devices together I might look at Tailscale or one of these packaged solutions, or maybe not.
It is indeed built on Wireguard, but it is a user space implementation of Wireguard. Maybe that's fine, but kernel space would allow much faster speeds.
Sadly not open source and their change notes are not yet production ready. Every release something breaks. I switched back to pure wireguard because of this.
I also wouldn't call tailscale and Netmaker's UI comparable. Netmaker has far more options. Tailscale tries an apple approach by hiding almost everything but DNS.
Just to clarify this take, the source is available on Github [0] but licensed under the highly controversial Server Side Public License [1][2].
This license was originally written by MongoDB. They applied to get it recognised as an open source license with the OSI but later withdrew the application as it became clear it wouldn't have been approved.
OSI explained in 2019 [3] why it didn't consider the license to be open source.
It's also very much not a "Tailscale Alternative" – it explicitly describes itself as not being "a tool for creating mesh networks", which is the exact thing that Tailscale is all about.
Nebula (https://github.com/slackhq/nebula) is much closer to actually being a fully open-source and self-hostable Tailscale alternative as I understand it, though I've never used it myself.
How are end user devices supposed to join the mesh in Nebula? Is it really add this collection of files to /etc and run a nebula command on the command line?
With keys that are signed with a CA cert. And they connect to a server that basically checks the validation, but then they can connect in between. I set it up a couple of months ago, I like the implementation, but it seems a bit too slow somehow.
This doesn't really seem to do what Tailscale is doing, which is to create a mesh network with a central beacon node for facilitating handshakes.
I am currently researching this area and have found the following solutions in the mesh VPN space. In order of how locked down the source code is—which also seems to correlate with ease of use—there is Tailscale, ZeroTier, Netmaker, Nebula, and also Innernet (this last one is only mac/linux).
The originally submitted title said "Tailscale Alternative" but this appears to have been an error and we've taken it out now. More at https://news.ycombinator.com/item?id=31542122.
Yeah you can't really use FZ for Tailscale use cases, though maybe OP is just referring to how it uses WireGuard. Netmaker and Innernet are the two Tailscale alternatives which are using WireGuard. And in fact, both are much faster than Tailscale because they use Kernel WireGuard. So they'd probably be the best options for "Tailscale Alternative."
I have actually lived in China for 2 years and travelled there for maybe 6 months in total in addition to that. I've always just used a traditional, commercial VPN service such as ExpressVPN. In theory, those can also easily be blocked, but in my experience it rarely happens in practice.
The main issue with living in China is the fact that the connections to the outside world are so clogged that using something like Youtube is often so slow that it's not even worth trying; that was the case in the Beijing area between 2016-2018 at least.
I think self-hosting is the better solution if you're worried about someone blocking a VPN's IP address.
I've heard those conspiracy theories, but to be honest I just accepted that everything was monitored when I was in China anyway. Installing something like Wechat/微信 basically gives tencent permission to everything that's on your (Android) phone anyway. To me, the VPN was solely about granting access to what was otherwise blocked, not about privacy.
fully self-hosted is usually best, e.g. wireguard. zerotier is close. openziti, especially in cases in which app-specific VPNs help (each session looks like different encrypted apps, and you choose what apps).
why would anyone want to have IPSec in 2022? It means remaining stuck with a mid-'90s committee-driven-crypto protocol (and the design is far from best practice in modern security).
I really like the design principles[1] of Wireguard. It does away with all the key-negotiation nonsense and eliminates a whole cluster of potential flaws right out of the gate. Also Jason Donenfeld's software development cycle is a skill level that can only be described as a 10000x-developer.
another well vetted one is OpenZiti (NetFoundry SaaS products are built on top of OpenZiti). full mesh, although default-closed model instead of default-open model:
https://github.com/firezone/firezone