Maddie Sheron

Automating Firezone VPN Server Setup on Google Cloud Platform with Terraform

Updated: Jul 6, 2023




In today's increasingly digital world, the need for secure, reliable, and flexible network access is more critical than ever. Whether you're a small business with a remote team, an enterprise with a branch office, or a group of developers needing a static IP, secure network access is paramount.

One of the most common solutions to this problem is using a VPN (Virtual Private Network). A VPN allows you to create a secure connection over the internet to another network. This can be particularly useful for businesses that need to protect sensitive data or individuals who want to ensure their privacy online.

However, setting up and managing a VPN can be a complex task, especially for small businesses without dedicated IT resources. That's where Firezone comes in. Firezone is a user-friendly, self-hosted VPN server that's designed to be easy to set up and manage. It uses the WireGuard protocol for fast, secure connections.

In this blog post, we will guide you through the process of setting up a Firezone VPN server on Google Cloud Platform (GCP) using Terraform. This solution is particularly relevant in the following scenarios:

For a remote branch office needing secure access to cloud resources: GCP currently doesn't support Client-to-Cloud VPN, only site-to-site. Our setup allows for secure remote access to GCP resources without the need for a dedicated physical location.

For an engineering team wanting a static IP: This is a common requirement for developers who want to ensure consistent access to resources, perform accurate tracking, or maintain whitelisted IP addresses. Using our setup, a static IP is assigned to the VPN server, providing a consistent access point for your team.

For anyone wanting to host their own VPN: This could be for a myriad of reasons, including better control over data privacy, customized access control, or specific compliance requirements. Our setup allows you to have full control over your VPN server hosted in GCP.


Whether you fit into one of these scenarios or have a different use case, this guide will help you set up a Firezone VPN server in GCP using Terraform. Let's get started.


Prerequisites


Before we delve into the prerequisites of our solution, let's take a moment to grasp the main components of how it operates. Our solution primarily utilizes three components: Firezone, WireGuard, and Google Cloud Platform (GCP).


Firezone, a Linux package, is at the heart of our solution. It provides a simple web interface to manage your WireGuard VPN and firewall. The Firezone installation itself is managed with the firezone-ctl utility, while the VPN and firewall are managed through the web UI.


WireGuard is a simple yet fast and modern VPN that uses state-of-the-art cryptography. In our solution, Firezone acts as a frontend to the WireGuard kernel module, creating a WireGuard interface (named wg-firezone by default) on which the VPN operates.


Our solution uses Google Cloud Platform (GCP), a suite of cloud computing services, to host and manage the VPN server. You also need to have a GCP account with a project set up. If you don't have one, you can create it here.




Lastly, make sure you have the following software installed on your local machine:

Firezone requires a fully-qualified domain name (e.g., firezone.company.com) for production use. You'll need to create the appropriate DNS record at your registrar to achieve this. Typically this is either an A, CNAME, or AAAA record depending on your requirements. You can learn more about this here.


Architecture Diagram


Setting Up the Firezone VPN Server

1. Clone the repo from here to your GCP CLI machine.

2. Enable "Cloud Resource Manager API" and "Compute Engine API" on the GCP project.

3. Navigate to the directory containing the Terraform configuration files.

4. Initialize your Terraform workspace, which will download the provider plugins for GCP:

terraform init

5. Validate the configuration:

terraform validate


6. Review the execution plan:

terraform plan -out=tfplan -var 'project_id=your-gcp-project-id'


7. Apply the changes:

terraform apply "tfplan"

After Terraform finishes deploying, it prints the instance's IP address in its output. Use it to configure the custom DNS record for your domain (step 9).

instance_ip_address = "xxx.xxx.xxx.xxx"


8. Run the following command to retrieve DEFAULT_ADMIN_EMAIL and DEFAULT_ADMIN_PASSWORD from the instance's serial console output:


gcloud compute instances get-serial-port-output [INSTANCE_NAME] --zone=[ZONE] --project=[PROJECT_ID] 2>&1 | awk '/DEFAULT_ADMIN_EMAIL|DEFAULT_ADMIN_PASSWORD/ {for(i=1;i<=NF;i++) if ($i ~ /DEFAULT_ADMIN_EMAIL|DEFAULT_ADMIN_PASSWORD/) print $i}' | grep -E "DEFAULT_ADMIN_EMAIL=|DEFAULT_ADMIN_PASSWORD=" | grep -v "Specify --start"


The output should look like:


DEFAULT_ADMIN_EMAIL=admin@firezone.com

DEFAULT_ADMIN_PASSWORD=xxxxxxxxxxxxxx


9. Go to your domain management service's website. Taking Google Domains (https://domains.google.com) as an example: open Manage, navigate to DNS, click Manage custom records, and fill out Host name, Type, and Data.

Host Name   Type   TTL    Data
fz          A      3600   instance_ip_address (from step 7)



You will then be able to log in to and manage the Firezone server at fz.yourdomain.com.
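To make steps 7 and 9 concrete, here is a minimal Terraform configuration of the kind the linked repo must contain: it reserves a static external IP, limits inbound traffic to the ports Firezone uses (UDP 51820 for WireGuard, TCP 80/443 for the web UI and ACME), and exports that IP as instance_ip_address. This example was written for this post and is not the repo's code; the resource names, region and zone, machine type, image, and the install-firezone.sh startup script are assumptions.

```hcl
variable "project_id" {}

provider "google" {
  project = var.project_id
  region  = "us-central1"   # assumed region and zone
  zone    = "us-central1-a"
}

# Reserve a static external IP: this is the instance_ip_address that goes into DNS (step 9).
resource "google_compute_address" "firezone" {
  name = "firezone-ip"
}

# Open only what Firezone needs: WireGuard on UDP 51820, web UI and ACME on TCP 80/443.
resource "google_compute_firewall" "firezone" {
  name          = "firezone-allow"
  network       = "default"
  target_tags   = ["firezone"]
  source_ranges = ["0.0.0.0/0"]   # tighten the TCP rule to admin ranges where possible
  allow {
    protocol = "udp"
    ports    = ["51820"]
  }
  allow {
    protocol = "tcp"
    ports    = ["80", "443"]
  }
}

resource "google_compute_instance" "firezone" {
  name         = "firezone"
  machine_type = "e2-small"
  tags         = ["firezone"]
  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }
  network_interface {
    network = "default"
    access_config {
      nat_ip = google_compute_address.firezone.address   # attach the reserved IP
    }
  }
  # Assumed install script (not on this page): installs Firezone, whose installer
  # prints the admin credentials to the serial console read in step 8.
  metadata_startup_script = file("${path.module}/install-firezone.sh")
}

output "instance_ip_address" {
  value = google_compute_address.firezone.address
}
```

Because the installer writes the admin credentials to the serial console, anyone holding the compute.instances.getSerialPortOutput permission on the project can read them, so limit that permission and change the default admin password after the first login.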


Congratulations! You have set up a Firezone VPN server in GCP! Next, you can log in using the credentials retrieved from step 8 and perform the following steps for VPN usage:

  • Create User

  • Add Device

  • WireGuard installation and connection





