Project FireZone A VPN server develops to organize access to hosts in an internal isolated network from user devices located in external networks. The project is intended to achieve a high level of protection and simplify the process of deploying VPN. The project code is written in the languages ELIXIR and Ruby, and spreads under a license Apache 2.0.
The project is developing a security automation engineer from Cisco, which tried to create a solution that automates the work configuration and excluding the emergence of the problems with which it was necessary to encounter when organizing secure access to the cloud VPC. FireZone can be viewed as an open OpenVPN Access Server analog, built over the Wireguard instead of OpenVPN.
To install Offered RPM- and DEB packets for different versions of Centos, Fedora, Ubuntu And Debian, the installation of which does not require external dependencies, since all the necessary dependencies are already included using the Chef OmniBus . Only a distribution with the Linux kernel is not old 4.19 and the assembled kernel module with VPN Wireguard. According to the author, the launch and configuration of the VPN server can be implemented in just a few minutes. Web interface components are performed under an unprivileged user, and access is possible only through HTTPS.
Wireguard is used to organize communication channels in FireZone. FireZone also embeds the functions of a firewall using NFTables. In the current form, the firewall is limited to means to lock outgoing traffic to certain hosts or subnets in internal or external networks. Management is performed via a web interface or in command line mode using the FireZone-CTL utility. Web interface is built on the basis of Admin One Bulma .
Currently, all FireZone components are launched on one server, but the project is initially developing with a light-up to modularity and in the future it is planned to add the possibility of separating components for the Web interface, VPN and a firewall according to different hosts. The plans also mention the integration of an advertisement blocker operating at the DNS level, supporting host blocking lists and subnets, the ability to authenticate via LDAP / SSO and additional user management features.