Troubleshooting Guide

Start with this guide for solutions to common issues faced by Firezone admins and end-users.

Gateway not connecting

If you're trying to deploy a new Gateway and it's not connecting, try running some of the troubleshooting commands below to diagnose the issue.

If you deployed the Gateway using one of our Terraform examples, the Gateways are configured using the systemd deployment method.

Obtain a shell on the affected Gateway and check the status of the service:

sudo systemctl status firezone-gateway

Check the logs with:

sudo journalctl -u firezone-gateway.service

Headless Client DNS

The headless Clients control system DNS to provide Split DNS. Use these checks to confirm whether Firezone is managing DNS, and to revert it manually if the Client crashes without cleaning up. The control method is set with FIREZONE_DNS_CONTROL — see Configure DNS.

Check whether Firezone is controlling DNS

resolvectl dns

With Firezone's Split DNS active, the tun-firezone link lists Firezone's resolver:

Global:
Link 2 (enp0s6): 10.0.2.3 fec0::3
Link 3 (tun-firezone): 100.100.111.1 fd00:2021:1111:8000:100:100:111:0

Without it, only the normal system links appear:

Global:
Link 2 (enp0s6): 10.0.2.3 fec0::3

Check whether Firezone is being used (Linux)

Check if curl reports a remote IP in Firezone's range when you connect to a Resource:

> curl --silent --output /dev/null --write-out %{remote_ip}\\n https://example.com
100.96.0.2

Firezone Resources use the ranges 100.96.0.0/11 and fd00:2021:1111:8000::/107.

Revert DNS control after a crash

The systemd-resolved (Linux) and nrpt (Windows) methods revert themselves when the Client closes gracefully. The Linux etc-resolv-conf method can fail to revert if the Client crashes. Revert manually:

sudo mv /etc/resolv.conf.before-firezone /etc/resolv.conf

Client apps

Troubleshooting steps for the desktop and mobile Client apps. Select your platform:

Firezone is signed in, but I can't access Resources

If the Firezone client shows that you are signed in, but you can't access Resources, it's possible that the WinTUN driver is corrupted or in a failed state.

To fix, perform these steps:

  1. Uninstall Firezone and any other WireGuard-based VPN software from your computer.
  2. Reset your network settings by going to Settings → Network and Internet → Additional network settings → Network Reset → Reset now.
  3. Reinstall Firezone and any other software you previously uninstalled.

Check if the Firezone Client Tunnel service is running

In the Start Menu, search for "Windows Powershell". Open it and run this command:

Get-Service -Name FirezoneClientTunnelService

Good output

Status   Name               DisplayName
------   ----               -----------
Running  FirezoneClientI... Firezone Tunnel Service

Bad output

Status   Name               DisplayName
------   ----               -----------
Stopped  FirezoneClientI... Firezone Tunnel Service

If the service isn't running or behaving not as expected, you can restart it with the following command:

Restart-Service -Name FirezoneClientTunnelService

Relaunch Firezone from the Start Menu afterwards.

Check if Firezone is controlling DNS

In the Start Menu, search for "Windows Powershell". Open it and run this command:

Get-DnsClientNrptPolicy

Firezone Split DNS example:

Namespace                        : .
QueryPolicy                      :
SecureNameQueryFallback          :
DirectAccessIPsecCARestriction   :
DirectAccessProxyName            :
DirectAccessDnsServers           :
DirectAccessEnabled              :
DirectAccessProxyType            : NoProxy
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired   : False
NameServers                      : {100.100.111.1, fd00:2021:1111:8000:100:100:111:0}
DnsSecIPsecCARestriction         :
DnsSecQueryIPsecEncryption       :
DnsSecQueryIPsecRequired         : False
DnsSecValidationRequired         : False
NameEncoding                     : Utf8WithoutMapping

If Firezone's Split DNS is not active, the output will be empty.

Revert Firezone DNS control

If Firezone crashes and does not revert control of the system's DNS, you can revert it manually with this command:

Get-DnsClientNrptRule | where Comment -eq firezone-fd0020211111 | foreach { Remove-DnsClientNrptRule -Name $_.Name -Force }
  1. Right-click on the Start Menu
  2. Click "Terminal (Admin)" to open a Powershell terminal with admin privileges
  3. When UAC asks "Do you want to allow this app to make changes to your device?" click Yes
  4. Enter the above command, then re-run the Get-DnsClientNrptPolicy check above to confirm DNS control was reverted.

Viewing logs

The Firezone Client is split into 2 main processes: A Tunnel service which runs the tunnel, and a GUI which allows the user to control Firezone.

  • Tunnel service logs are stored at %PROGRAMDATA%\dev.firezone.client\data\logs\, where %PROGRAMDATA% is almost always C:\ProgramData
  • GUI logs are stored at %LOCALAPPDATA%\dev.firezone.client\data\logs, where %LOCALAPPDATA% is, e.g. C:\Users\username\AppData\Local

Known issues

  • Search domains: If a search domain is applied, the system search domains set manually or by DHCP are ignored. #8430.
  • Windows on Arm64: The Windows Client is not yet available for Arm64 devices. #2992.

Need help? See all support options.

Found a problem with this page? Open an issue
Last updated: July 01, 2026