Prerequisites | Docs Firezone Link Search Menu Expand Document


Firezone requires the setup of a DNS record and matching SSL certificate for production deployments.

Create a DNS record

Firezone requires a fully-qualified domain name (e.g. for production use. You’ll need to create the appropriate DNS record at your registrar to achieve this. Typically this is either an A, CNAME, or AAAA record depending on your requirements.

Create an SSL certificate

While Firezone generates a self-signed SSL certificate for you on install, you’ll need a valid SSL certificate to use Firezone in a production capacity.

We recommend using Let’s Encrypt to generate a free SSL cert for your domain. Firezone will include the ability to automatically generate valid SSL certificates for you in an upcoming release, but for now these must be generated manually and specified in the main configuration file at /etc/firezone/firezone.rb. See here for a guide on how to do so:

Security Group and Firewall Settings

By default, Firezone requires ports 443/tcp and 51820/udp to be accessible for HTTPS and WireGuard traffic respectively. These ports can change based on what you’ve configured in the configuration file. See the configuration file reference for details.

NOTE: Firezone modifies the kernel netfilter and routing tables. Other programs that modify the Linux routing table or firewall may interfere with Firezone’s operation. For help troubleshooting connectivity issues, see troubleshoot.

Resource Requirements

We recommend starting with 1 vCPU and 1 GB of RAM and scaling up as the number of users and bandwidth requirements grow.

Firezone uses in-kernel WireGuard, so its performance should be very good. In general, more CPU cores translate to higher bandwidth capacity per tunnel while more RAM will help with higher counts of users and tunnels.