Suggestions for a better operator experience and enhacements

Hi, after trying out Firezone for some hours, below are my suggestions:

  • Make it fail safe, especially for admin accounts, as currently the admin can get locked out
  • The docker approach seems to abstract out the components and gets in the way during debugging and fixing config, native packages fare better
  • Please consider using Open Build Service(OBS) for distro native packages, as in some situations using docker may not be possible or undesirable
  • With native packages an operator can host the FZ components separately and enable scaling
  • Do consider whether logging VPN activity can be possible, with something like wirelogd
  • And an option to enable wireguard metrics with the prometheus exporter
  • Document how to take backups, I see that it uses docker volumes, but afaik it has risks for DB storage
  • Consider supporting LDAP + OIDC with group based RBAC (SAML may not be necessary when alternatives exists, LDAP is widely used in large organizations, OIDC adoption is fast, not sure about SAML)

I come from OpenVPN background and exploring Wireguard self hosted options, I will continue with the exploration of Firezone, subspace and wg-portal and may share more points.


  • Allow operator to set custom time in ‘Require Authentication For VPN Sessions’ setting, like h hours or d days.
1 Like