Gateway CLI Reference
This reference documents the environment variables and command-line flags
accepted by the Firezone Gateway. Every flag can also be set with the
corresponding FIREZONE_* environment variable, which is how Gateways are
usually configured. For install steps see Deploy Gateways, and for
firewall ports and host permissions see Ports and protocols.
Command-line flags
The token is taken as a positional argument (or the FIREZONE_TOKEN environment
variable / systemd credential); all other options have both a flag and an
environment-variable form.
```
> sudo ./firezone-gateway --help
Usage: firezone-gateway [OPTIONS] [TOKEN]

Arguments:
  [TOKEN]
          Token generated by the portal to authorize websocket connection

          [env: FIREZONE_TOKEN=]

Options:
  -n, --firezone-name <FIREZONE_NAME>
          Friendly name to display in the UI

          [env: FIREZONE_NAME=]

      --no-telemetry
          Disable sentry.io crash-reporting agent

          [env: FIREZONE_NO_TELEMETRY=]

      --no-check
          Don't preemptively check permissions

  -i, --firezone-id <FIREZONE_ID>
          Identifier generated by the portal to identify and display the device

          [env: FIREZONE_ID=]

      --log-format <LOG_FORMAT>
          [env: FIREZONE_LOG_FORMAT=]
          [default: human]
          [possible values: json, human]

      --flow-logs
          Enable logging of tunneled UDP and TCP flows

          [env: FIREZONE_FLOW_LOGS=]

      --no-inc-buf
          Do not try to increase the `core.rmem_max` and `core.wmem_max` kernel parameters

          [env: FIREZONE_NO_INC_BUF=]

  -m, --max-partition-time <MAX_PARTITION_TIME>
          Maximum length of time to retry connecting to the portal if we're having
          internet issues or it's down. Accepts human times. e.g. "5m" or "1h" or "30d"

          [env: FIREZONE_MAX_PARTITION_TIME=]

  -h, --help
          Print help (see a summary with '-h')

  -V, --version
          Print version
```
The --no-check flag skips the startup permission checks (TUN device, UDP
sockets, netlink routing). Only use it if you've configured access in ways not
covered by the checks — see host permissions.
Environment variable reference
| Variable Name | Default Value | Description |
|---|---|---|
| FIREZONE_TOKEN | | Token generated by the portal to authorize the Gateway's connection. See the Deploy a Gateway page in the admin portal for where to find this. Can also be passed using a systemd credential named FIREZONE_TOKEN. |
| FIREZONE_ID | machine ID | Unique identifier for this Gateway. Must be unique across all Gateways in your account. If not provided, a value derived from /etc/machine-id is used. |
| FIREZONE_NAME | hostname | Friendly name for this Gateway to display in the admin portal. |
| FIREZONE_LOG_FORMAT | human | Log output format. Set to json for JSON-formatted logs, or human for human-readable logs. |
| FIREZONE_FLOW_LOGS | false | Set to true to enable flow logs of tunneled UDP and TCP connections. |
| FIREZONE_NO_INC_BUF | false | Set to true to prevent the Gateway from attempting to increase the system's net.core.wmem_max and net.core.rmem_max kernel parameters. See performance tuning for details. |
| FIREZONE_NO_TELEMETRY | false | Set to true to opt out of the Sentry crash-reporting agent. |
| FIREZONE_MAX_PARTITION_TIME | 24h | Maximum length of time to keep retrying the portal connection during an outage before exiting. Accepts human durations like 5m, 1h, or 30d. |
| RUST_LOG | info | Log level for the Gateway. Common values: error, warn, info, debug, trace. Read more here. |
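
A systemd drop-in that applies the variables above, added here as an example and not taken from Firezone's own unit files. The unit name `firezone-gateway.service`, the drop-in path and the token file `/etc/firezone/gateway-token` are assumptions. It supplies the token as the `FIREZONE_TOKEN` systemd credential rather than an `Environment=` line, because a unit's environment is readable through `systemctl show` and is inherited by child processes.

```ini
# Drop-in: /etc/systemd/system/firezone-gateway.service.d/10-token.conf
# (unit name and all paths are assumptions made for this example)

[Service]
# Weak form, shown for contrast only: the token becomes part of the unit's
# environment, which systemd does not treat as protected data.
#Environment=FIREZONE_TOKEN=<token from the portal>

# Corrected form: remove any token set in the base unit's environment and
# load it as the systemd credential named FIREZONE_TOKEN instead.
# The token file should be owned by root with mode 0600.
UnsetEnvironment=FIREZONE_TOKEN
LoadCredential=FIREZONE_TOKEN:/etc/firezone/gateway-token

# Non-secret options from the table above can stay in the environment.
Environment=FIREZONE_LOG_FORMAT=json
Environment=FIREZONE_FLOW_LOGS=true
Environment=FIREZONE_MAX_PARTITION_TIME=24h
Environment=RUST_LOG=info
```

Apply it with `systemctl daemon-reload` followed by a restart of the unit.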
Telemetry
By default, Gateways run a Sentry crash-reporting agent. To
opt out, set FIREZONE_NO_TELEMETRY=true (or pass --no-telemetry).