Gateways

Gateways are what Clients connect to in order to access Resources in a Site. They're the data plane workhorse of the Firezone architecture, responsible for securely routing traffic between Clients and Resources. Gateways are lightweight, written in Rust, and run on any Linux host.

A Gateway holds no long-term state and is configured entirely from the admin portal — it authenticates with a token, connects outbound to the Firezone control plane, and establishes encrypted WireGuard tunnels directly to Clients.

Where to deploy Gateways

Ideally, Gateways should be deployed as close to the Resources they're serving as possible — in some cases, even on the same host. This ensures the lowest possible latency and highest possible throughput for Client connections.

When multiple Gateways are deployed within a Site, Firezone automatically selects the closest Gateway to route Client traffic based on the Client's geolocated IP address, minimizing latency. All Gateways and Resources in a Site must have unobstructed network connectivity to each other for automatic failover and load balancing to work correctly.

For production deployments, run at least three Gateways per Site for high availability during rolling upgrades. To get started, see Deploy Gateways for install guides and sizing guidelines.
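As an added illustration (not Firezone's code and not part of the original page), the sketch below models the selection and connectivity requirements described above and audits a constructed Site against them. The great-circle distance metric, the `Gateway` record, and all function names are assumptions made for this example.

```python
# Simplified model for illustration only; not Firezone's selection code.
# Assumptions: "closest" = great-circle distance; all names are hypothetical.
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

@dataclass(frozen=True)
class Gateway:
    name: str
    lat: float
    lon: float
    online: bool
    reaches: frozenset  # Resources this Gateway host can route to

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def select_gateway(gateways, client_lat, client_lon):
    """Pick the closest online Gateway, or None if none is online.
    Reachability is not consulted in this model, so a gap surfaces only as failed traffic."""
    online = [g for g in gateways if g.online]
    return min(online, key=lambda g: distance_km(client_lat, client_lon, g.lat, g.lon), default=None)

def audit_site(gateways, resources, min_gateways=3):
    """Return findings for a Site: too few Gateways, or connectivity gaps."""
    findings = []
    if len(gateways) < min_gateways:
        findings.append(f"only {len(gateways)} Gateways; page recommends at least {min_gateways}")
    for g in gateways:
        missing = sorted(set(resources) - g.reaches)
        if missing:
            findings.append(f"{g.name} cannot reach: {', '.join(missing)}")
    return findings

# Constructed sample Site (names, coordinates and Resources are made up).
RESOURCES = ["db.internal", "git.internal"]
SITE = [
    Gateway("gw-fra", 50.11, 8.68, True, frozenset(RESOURCES)),
    Gateway("gw-lon", 51.51, -0.13, True, frozenset({"git.internal"})),
    Gateway("gw-nyc", 40.71, -74.01, True, frozenset(RESOURCES)),
]

if __name__ == "__main__":
    chosen = select_gateway(SITE, 48.86, 2.35)  # constructed Client location (Paris)
    print("selected:", chosen.name)
    for finding in audit_site(SITE, RESOURCES):
        print("finding:", finding)
```

In this constructed Site, the Client in Paris is steered to gw-lon, the one Gateway that cannot reach db.internal, which is exactly the gap the audit reports.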


Last updated: July 01, 2026