Founder
April 2026 Devlog
April fixed a long-standing routing bug with overlapping resources, stopped macOS from quietly killing the Firezone menu bar app under memory pressure, made relay selection RTT-aware, and made Linux's network-change detection actually catch what users care about.
Filter-Aware Routing on Clients
A long-standing routing bug with overlapping resources was fixed.1
If you had two resources matching the same address—say, 1.1.0.0/16 allowing all TCP, and 1.1.0.0/24 allowing only TCP/22—traffic to 1.1.1.1:80 was being routed by the client to the more-specific /24 resource based purely on its prefix length.
The gateway would then correctly reject it, and the user would see a connection failure even though there was a perfectly valid resource that allowed the traffic.
The client now factors filters into routing. For a given destination IP and protocol, it picks the most-specific resource that also allows the traffic, falling back to a deterministic ordering if none do. Filtering still happens on the gateway as the source of truth—the client doesn't drop packets locally—but the routing decision now matches what the gateway will actually allow.
macOS App Stays Running
If you used Firezone on macOS, you may have run into a frustrating bug: the menu bar icon would occasionally disappear while the tunnel kept running, leaving you with no UI and no session-expiry notifications until you relaunched the app. This happened when macOS auto-terminated the app under resource pressure (low disk, memory pressure)—it kills the GUI to free memory but leaves the network extension alive.
A dedicated launch agent now polls the app every 5 seconds and relaunches it if it's gone.2
A .running sentinel file tracks intent: if you actually quit the app via the menu, it doesn't relaunch.
Automatic termination is also explicitly disabled in the app's Info.plist (the NSSupportsAutomaticTermination key set to false),3 so macOS shouldn't even try to kill it under normal conditions.
Faster Relays via Smarter Selection
Until now, when establishing a new connection, connlib picked a random relay from the set offered by the portal. That's fair, but doesn't account for round-trip time—you might get assigned a relay 200ms away when there's a 20ms one available.
Connlib now biases relay selection toward low-RTT options while still spreading load across all reasonable choices.4 Outliers (e.g. a relay 200ms away when most are 20–40ms) are excluded; the remaining set is sampled uniformly. For users on high-latency networks or in regions where multiple relays are available, this should result in noticeably better connection times and lower steady-state latency for relayed traffic.
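The following is an added Rust sketch of that selection policy, written for this post rather than taken from connlib. The outlier rule it uses (drop any relay slower than twice the median measured RTT) and the handling of relays with no RTT measurement yet are assumptions; the point is the shape of the algorithm: prune outliers first, then sample uniformly from what is left so load still spreads across every reasonable relay.

```rust
use std::time::Duration;

/// A relay offered by the portal, with the client's RTT measurement if one exists.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Relay {
    pub id: u64,
    pub rtt: Option<Duration>,
}

/// Assumption for this example: a relay is an outlier if its RTT exceeds
/// this multiple of the median measured RTT.
const OUTLIER_FACTOR: u32 = 2;

/// Return the "reasonable" relays: measured ones at or below the outlier cutoff,
/// ordered by ascending RTT. If nothing has been measured yet, every relay is
/// equally reasonable (assumption).
pub fn reasonable_relays(relays: &[Relay]) -> Vec<&Relay> {
    let mut measured: Vec<&Relay> = relays.iter().filter(|r| r.rtt.is_some()).collect();
    if measured.is_empty() {
        return relays.iter().collect();
    }
    measured.sort_by_key(|r| r.rtt);
    let median = measured[measured.len() / 2].rtt.unwrap();
    let cutoff = median * OUTLIER_FACTOR;
    measured
        .into_iter()
        .filter(|r| r.rtt.unwrap() <= cutoff)
        .collect()
}

/// Pick one relay uniformly from the reasonable set. `random_index(n)` is any
/// source of a value in `0..n`; it is injected so the policy is testable.
pub fn pick_relay<'a>(
    relays: &'a [Relay],
    mut random_index: impl FnMut(usize) -> usize,
) -> Option<&'a Relay> {
    let candidates = reasonable_relays(relays);
    if candidates.is_empty() {
        return None;
    }
    let i = random_index(candidates.len()) % candidates.len();
    Some(candidates[i])
}

/// Constructed sample: three nearby relays, one far outlier, one unmeasured.
pub fn sample_relays() -> Vec<Relay> {
    vec![
        Relay { id: 1, rtt: Some(Duration::from_millis(20)) },
        Relay { id: 2, rtt: Some(Duration::from_millis(35)) },
        Relay { id: 3, rtt: Some(Duration::from_millis(40)) },
        Relay { id: 4, rtt: Some(Duration::from_millis(200)) },
        Relay { id: 5, rtt: None },
    ]
}

fn main() {
    let relays = sample_relays();
    // Tiny xorshift generator so the example runs without external crates;
    // a real client would use a cryptographic or OS-provided RNG.
    let mut state: u64 = 0x9E37_79B9_7F4A_7C15;
    let mut rng = |n: usize| {
        state ^= state << 13;
        state ^= state >> 7;
        state ^= state << 17;
        (state % n as u64) as usize
    };
    for _ in 0..5 {
        if let Some(r) = pick_relay(&relays, &mut rng) {
            println!("selected relay {} ({:?})", r.id, r.rtt);
        }
    }
}
```

Running it only ever selects relays 1, 2 or 3: the 200 ms relay is pruned as an outlier and the unmeasured one is ignored while measured alternatives exist, yet the three close relays still share the load rather than everything piling onto the single fastest one.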
Linux Network Change Detection
If you used Firezone on Linux with both Ethernet and WiFi connected and unplugged the Ethernet cable, Firezone wouldn't notice—the system stayed "connected" because WiFi was still up, and connlib's network state didn't reset. The fix listens for changes to the primary network interface specifically, so swapping connectivity from Ethernet to WiFi (or vice versa) now correctly resets the tunnel state.5 Roaming between WiFi networks while Ethernet stays primary doesn't fire spurious resets.
Microsoft Entra: Configurable Email Claim
For Entra tenants, the mail field in Microsoft Graph can be null or stale depending on how the tenant is configured, which led to sign-in failures we were seeing in support.
Entra auth providers now expose a configurable email_claim field (defaults to upn, with options upn, email, or preferred_username),6 and Entra directory sync exposes a similar email_field setting.
If your organization uses something other than userPrincipalName, you can configure it without filing a support ticket.
A separate Entra fix removed the aboutMe field from directory sync queries,7 which was causing sync failures on tenants without SharePoint Online licensing.
Other Notable Changes
- Identities suspended or archived in your IdP are now actually deleted on the Firezone side at the next sync.8 Previously, a stale row could linger.
- A dedicated client sign-in error page now renders failures cleanly,9 avoiding a redirect loop that could occur on accounts with a default auth provider.
- Google directory sync no longer fails the entire sync run when it encounters a forbidden group it can't fetch—it skips the group, logs it, and continues.10
- firezone.dev now exposes a few agent-friendly affordances—an OpenAPI catalog at /.well-known/api-catalog, OAuth resource metadata at /.well-known/oauth-protected-resource, and markdown content negotiation on documentation pages—so AI agents and IDEs can discover and consume the public API programmatically.11
- A public list of subprocessors is now published on the website for compliance teams that need it.12