Linux GUI Client
The Linux GUI Client is designed for Linux desktop environments where a user is present to authenticate with your identity provider interactively.
If you're looking for a headless Client suitable for server or container-based installs, see the Linux headless Client user guide instead.
Prerequisites
- x86-64 or ARM64 CPU architecture
- Ubuntu 22.04 or higher, or CentOS 10 or higher. Other distributions may work, but are not officially supported.
- systemd-resolved. Ubuntu already uses this by default.
Installation
Add the Firezone APT repository:
sudo mkdir --parents /etc/apt/keyrings
wget -qO- https://artifacts.firezone.dev/apt/key.gpg | sudo gpg --dearmor -o /etc/apt/keyrings/firezone.gpg
echo "deb [signed-by=/etc/apt/keyrings/firezone.gpg] https://artifacts.firezone.dev/apt/ stable main" | sudo tee /etc/apt/sources.list.d/firezone.list
Install the Client:
sudo apt update
sudo apt install firezone-client-gui
To finish the setup, reboot your machine. This is necessary to fully reflect
group membership changes. The GUI client cannot function until the current user
is in the firezone-client group.
Step 1: Install repositories
These are required for both GNOME extensions and the WebKit and other dependencies of the Firezone Client.
sudo dnf config-manager --set-enabled crbsudo dnf install epel-release
Step 2: Install system tray
GNOME Shell in CentOS does not have a system tray by default. Use these steps to install it. For other desktops like xfce4 or KDE, the system tray may already work properly.
sudo dnf install gnome-shell-extension-appindicator- Log out and back in to restart GNOME
gnome-extensions enable appindicatorsupport@rgcjonas.gmail.com- Optionally: To manage GNOME extensions via a GUI, install
gnome-extensions-app
Step 3: Install Firezone
- Download the RPM:
sudo dnf install systemd-resolved(Installing it explicitly prevents it from being auto-removed if Firezone is removed)sudo dnf install ./firezone-client-gui-*.rpmsudo usermod -aG firezone-client $USER- Reboot to finish adding yourself to the group. Logging out and back in is not enough. This also starts the new services for us.
sudo cp /etc/resolv.conf /etc/resolv.conf.before-firezoneBack up your resolv.conf file. If anything goes wrong with your DNS, you can copy this back into place.sudo ln --force --symbolic /run/systemd/resolve/stub-resolv.conf /etc/resolv.confThis putssystemd-resolved, and therefore Firezone, in control of the system's DNS.systemd-resolveddoes not do this automatically, since it's under/etc.- Run
Firezonefrom the app menu.
Firezone ships a first-party flake with a NixOS module for the GUI Client, so you can manage it declaratively alongside the rest of your system configuration. The module installs the desktop app, deep-link handler, and CLI, and runs the privileged tunnel as a hardened systemd service.
Add the flake as an input, pinning the release tag of the GUI Client:
# flake.nix
{
inputs.firezone.url = "github:firezone/firezone/gui-client-1.5.15";
}Then import the module and enable the service in your system configuration:
# configuration.nix
{ inputs, ... }:
{
imports = [ inputs.firezone.nixosModules.gui-client ];
# Substitute pre-built, Firezone-signed binaries instead of compiling the
# Client from source. Optional, but strongly recommended.
nix.settings = {
extra-substituters = [ "https://artifacts.firezone.dev/nix" ];
extra-trusted-public-keys = [
"artifacts.firezone.dev/nix-1:T4LHdL1HeA6LE9qgu0Po0j3RIlelKZz8pzqnzEAIRfI="
];
};
services.firezone.gui-client = {
enable = true;
# Required. Desktop users allowed to control the tunnel daemon. They are
# added to the firezone-client group; this takes effect on next login.
allowedUsers = [ "alice" ];
};
}
Rebuild, then log out and back in so the group membership takes effect:
sudo nixos-rebuild switch
Once you've logged back in, run Firezone from your application menu and follow
the usage steps below to sign in.
Substituter changes only take effect after a rebuild, so the very first build with the cache configured may still compile from source. If the cache is unreachable, Nix falls back to building from source — slower, but never broken.
Module options
The options for services.firezone.gui-client:
| Option | Default | Description |
|---|---|---|
enable | false | Install the GUI Client and enable the tunnel service. |
allowedUsers | (required) | Desktop users added to the firezone-client group, allowed to control the tunnel daemon. |
dnsControl | "systemd-resolved" | DNS control method: systemd-resolved, etc-resolv-conf, or disabled. |
extraEnvironment | { } | Extra FIREZONE_* environment variables for the tunnel daemon. |
The Client stores its session token via the Secret Service API. The module
enables gnome-keyring by default; desktops that ship their own provider
(e.g. KWallet) can override it with services.gnome.gnome-keyring.enable = lib.mkForce false. The tray icon uses the StatusNotifierItem protocol — GNOME
requires the AppIndicator extension for it to appear.
dnsControl = "systemd-resolved" (the default) requires
services.resolved.enable = true.
Usage
Signing in
- Start the GUI by running
Firezonefrom your desktop environment's application menu or from an interactive shell. - At the Welcome screen, click
Sign in. This will open the Firezone sign-in page in your default web browser. - Sign in using your account slug and identity provider
- On the first run, check
Always allowto allow your web browser to sign in to Firezone, then clickOpenorOpen link - Unlock your desktop's keyring, or create one if needed. Most desktops, including GNOME, encrypt the keyring with your login password, so your Firezone token is encrypted at rest.
- When you see the
Firezone connectednotification, Firezone is running.
The Welcome screen only appears during your first sign-in. After that, you can click on the Firezone icon in the system tray to open the tray menu and sign in.
Accessing a Resource
When Firezone is signed in, web browsers and other programs will automatically use it to securely connect to Resources.
To copy-paste the address of a Resource:
- Click on the Firezone tray icon to open the menu.
- Open a Resource's submenu and click on its address to copy it.
- Paste the address into your browser's URL bar and press Enter.
Quitting
- Click on the Firezone tray icon to open the menu.
- Click
Disconnect and QuitorQuit.
When Firezone is not running, you can't access private Resources, and the computer will use its normal DNS and Internet behavior.
If you were signed in, then you will still be signed in the next time you start Firezone.
Signing out
- Click on the Firezone tray icon to open the menu.
- Click
Sign out.
When you're signed out, you can't access private Resources, and the computer will use its normal DNS and Internet behavior.
Upgrading
See Upgrade Firezone to keep the Client up to date.
Diagnostic logs
See Diagnostic logs for where logs are stored and how to export them.
Uninstalling
To remove the Firezone Client, see Uninstall Firezone.
Troubleshooting
For Client troubleshooting, see the troubleshooting guide and select the Linux tab.
Known issues
- The update checker notification does not work for RPM installations #7646
- If you update Firezone while the GUI is running, you must manually restart the GUI #5790
- If a search domain is applied, the system search domains set manually or by DHCP are ignored. #8430.
Need help? See all support options.