Deploy a Gateway from a standalone binary

Use this method when none of the packaged install methods fit your environment and you want to run the Gateway binary directly — for example, on an unsupported distribution or a minimal host with a custom init system. You'll download the binary, set up packet forwarding and NAT masquerading yourself, and run it.

Before you start, open Sites → <your Site> → Deploy a Gateway in the admin portal, select the Custom tab, and copy the FIREZONE_TOKEN value. Review the sizing guidelines first.

Save the FIREZONE_TOKEN shown in the admin portal to a secure location before continuing — it won't be shown again.

Step 1: Download the binary

Download the latest Gateway binary for your architecture from the Firezone changelog.

Step 2: Set the required environment variables

export RUST_LOG=info
export FIREZONE_TOKEN=<your-token>
export FIREZONE_ID=<unique-id>

FIREZONE_ID must be unique across all Gateways in your account. See the Gateway CLI reference for all environment variables.

Step 3: Enable packet forwarding for IPv4 and IPv6

sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -w net.ipv4.conf.all.src_valid_mark=1
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=0
sudo sysctl -w net.ipv6.conf.all.forwarding=1
sudo sysctl -w net.ipv6.conf.default.forwarding=1

Step 4: Enable masquerading for ethernet and Wi-Fi interfaces

Masquerading is recommended but not strictly required. You can skip this step if you'd rather manage packet routing for tunnel traffic yourself.

sudo iptables -C FORWARD -i tun-firezone -j ACCEPT > /dev/null 2>&1 || sudo iptables -A FORWARD -i tun-firezone -j ACCEPT
sudo iptables -C FORWARD -o tun-firezone -j ACCEPT > /dev/null 2>&1 || sudo iptables -A FORWARD -o tun-firezone -j ACCEPT
sudo iptables -t nat -C POSTROUTING -o e+ -j MASQUERADE > /dev/null 2>&1 || sudo iptables -t nat -A POSTROUTING -o e+ -j MASQUERADE
sudo iptables -t nat -C POSTROUTING -o w+ -j MASQUERADE > /dev/null 2>&1 || sudo iptables -t nat -A POSTROUTING -o w+ -j MASQUERADE
sudo ip6tables -C FORWARD -i tun-firezone -j ACCEPT > /dev/null 2>&1 || sudo ip6tables -A FORWARD -i tun-firezone -j ACCEPT
sudo ip6tables -C FORWARD -o tun-firezone -j ACCEPT > /dev/null 2>&1 || sudo ip6tables -A FORWARD -o tun-firezone -j ACCEPT
sudo ip6tables -t nat -C POSTROUTING -o e+ -j MASQUERADE > /dev/null 2>&1 || sudo ip6tables -t nat -A POSTROUTING -o e+ -j MASQUERADE
sudo ip6tables -t nat -C POSTROUTING -o w+ -j MASQUERADE > /dev/null 2>&1 || sudo ip6tables -t nat -A POSTROUTING -o w+ -j MASQUERADE

Step 5: Run the Gateway

sudo ./firezone-gateway-<version>-<architecture>

Need help? See all support options.

Found a problem with this page? Open an issue
Last updated: July 01, 2026