Install Firezone with Docker

As of 0.6.0, Docker is now the preferred method for deploying Firezone. Docker offers a number of benefits over the old Omnibus method:

Simpler, more robust upgrades: In most cases, simply pull the latest firezone/firezone image and restart the container.
Simpler configuration: Most day-to-day configuration of Firezone can now be done in the web UI instead of the /etc/firezone/firezone.rb configuration file. All other configuration variables can be specified as ENV vars to the Firezone container.
Smaller footprint: The Firezone image weighs in at a couple dozen megabytes versus hundreds of megabytes for the Omnibus package.
Portability: Firezone now runs on any platform that supports Docker.
Security: Containerization providers better security isolation than simply running as an unprivileged local user.

Step 1: Prerequisites

Ensure you're on a supported platform with docker-compose version 2 or higher installed.
Ensure port forwarding is enabled on your firewall. The default Firezone configuration requires the following ports to be open:
- 80/tcp (optional): For automatically issuing SSL certificates.
- 443/tcp: To access the web UI.
- 51820/udp: VPN traffic listen port.

Before deploying Firezone in production, you'll need a valid DNS record pointing to this instance. See Prepare to deploy if you haven't done this already.

Step 2: Install server

After prerequisites are satisfied, you're ready to install the Firezone Server.

Option 1: Automatic install

The easiest way to deploy Firezone with Docker is the automatic install script:

bash <(curl -fsSL https://github.com/firezone/firezone/raw/legacy/scripts/install.sh)

This will ask you a few questions regarding initial configuration, then proceed to download a sample docker-compose.yml file, configure it with your responses, and then print instructions for accessing the Web UI.

Firezone files will be installed in $HOME/.firezone by default.

Option 2: Manual install

If the automatic install fails, or you'd just like more control over the installation process, follow the steps below to install manually.

Download the docker compose template to a local working directory: For Linux:

curl -fsSL https://raw.githubusercontent.com/firezone/firezone/legacy/docker-compose.prod.yml -o docker-compose.yml

For macOS, Windows (non-production only):

curl -fsSL https://raw.githubusercontent.com/firezone/firezone/legacy/docker-compose.desktop.yml -o docker-compose.yml

Generate required secrets:

docker run --rm firezone/firezone bin/gen-env > .env

At a minimum, change the DEFAULT_ADMIN_EMAIL and EXTERNAL_URL variables. Optionally modify other secrets as needed.
Migrate the database:

docker compose run --rm firezone bin/migrate

Create the first admin:

docker compose run --rm firezone bin/create-or-reset-admin

Bring the services up: docker compose up -d

You should now be able to access the Firezone web portal at the EXTERNAL_URL variable you defined above.

Step 3 (optional): Enable on boot

If you'd like Firezone to start automatically on boot, first ensure Docker is enabled at startup:

sudo systemctl enable docker

Then, make sure your Firezone services have the restart: always or restart: unless-stopped option specified in the docker-compose.yml file. This is the default used in the docker-compose.prod.yml production template file.

Step 4 (optional): Enable IPv6

By default, Firezone ships with IPv6 connectivity enabled inside the tunnel but not routable to the public internet. To enable IPv6 support in Docker-deployed Firezone, follow the steps below.

Enable IPv6 support within Docker by adding the following to /etc/docker/daemon.json:

{
  "ipv6": true,
  "ip6tables": true,
  "experimental": true,
  "fixed-cidr-v6": "fcff:db8:1::/64"
}

This enables IPv6 NAT and configures IPv6 forwarding for Docker containers.

Enable router advertisements on boot for your default egress interface:

egress=`ip route show default 0.0.0.0/0 | grep -oP '(?<=dev ).*' | cut -f1 -d' ' | tr -d '\n'`
sudo bash -c "echo net.ipv6.conf.${egress}.accept_ra=2 >> /etc/sysctl.conf"

Reboot

You should now be able to ping google from within a docker container:

docker run --rm -t busybox ping6 -c 4 google.com

You shouldn't need to manually add any iptables rules to enable IPv6 SNAT/masquerading for tunneled traffic; Firezone handles this for you by default on start.

Step 5: Install client apps

Firezone currently uses WireGuard's open-source client apps.

Once successfully deployed, users and devices can be added to connect to the VPN server:

Add Users: Add users to grant them access to your network.
Client Instructions: Instructions to establish a VPN session.

Need additional help?

Try asking on one of our community-powered support channels:

Discussion forums: Ask questions, report bugs, and suggest features.
Discord server: Join discussions, meet other users, and chat with the Firezone team
Email us: We read every message.

Or try searching the docs:

Post Setup

Congrats! You have completed the setup, but there's a lot more you can do with Firezone:

Integrate your identity provider for authenticating clients
Using Firezone as a NAT gateway to establish a static IP for your team
Create tunnels between multiple peers with reverse tunnels
Only route certain traffic through Firezone with split tunneling