Suggestions for a better operator experience and enhancements

Hi, after trying out Firezone for some hours, below are my suggestions:

  • Make it fail safe, especially for admin accounts, as currently the admin can get locked out
  • The docker approach seems to abstract out the components and gets in the way during debugging and fixing config, native packages fare better
  • Please consider using Open Build Service (OBS) for distro native packages, as in some situations using docker may not be possible or undesirable
  • With native packages an operator can host the FZ components separately and enable scaling
  • Do consider whether logging VPN activity can be possible, with something like wirelogd
  • And an option to enable wireguard metrics with the prometheus exporter
  • Document how to take backups, I see that it uses docker volumes, but afaik it has risks for DB storage
  • Consider supporting LDAP + OIDC with group based RBAC (SAML may not be necessary when alternatives exist; LDAP is widely used in large organizations, OIDC adoption is fast, not sure about SAML)

I come from an OpenVPN background and am exploring WireGuard self-hosted options. I will continue with the exploration of Firezone, subspace and wg-portal and may share more points.

Edit:

  • Allow operator to set custom time in ‘Require Authentication For VPN Sessions’ setting, like h hours or d days.