Gateway CLI Reference

This reference documents the environment variables and command-line flags accepted by the Firezone Gateway. Every flag can also be set with the corresponding FIREZONE_* environment variable, which is how Gateways are usually configured. For install steps see Deploy Gateways, and for firewall ports and host permissions see Ports and protocols.

Command-line flags

The token is taken as a positional argument (or the FIREZONE_TOKEN environment variable / systemd credential); all other options have both a flag and an environment-variable form.

> sudo ./firezone-gateway --help

Usage: firezone-gateway [OPTIONS] [TOKEN]

Arguments:
  [TOKEN]
          Token generated by the portal to authorize websocket connection

          [env: FIREZONE_TOKEN=]

Options:
  -n, --firezone-name <FIREZONE_NAME>
          Friendly name to display in the UI

          [env: FIREZONE_NAME=]

      --no-telemetry
          Disable sentry.io crash-reporting agent

          [env: FIREZONE_NO_TELEMETRY=]

      --no-check
          Don't preemptively check permissions

  -i, --firezone-id <FIREZONE_ID>
          Identifier generated by the portal to identify and display the device

          [env: FIREZONE_ID=]

      --log-format <LOG_FORMAT>
          [env: FIREZONE_LOG_FORMAT=]
          [default: human]
          [possible values: json, human]

      --flow-logs
          Enable logging of tunneled UDP and TCP flows

          [env: FIREZONE_FLOW_LOGS=]

      --no-inc-buf
          Do not try to increase the `core.rmem_max` and `core.wmem_max` kernel parameters

          [env: FIREZONE_NO_INC_BUF=]

  -m, --max-partition-time <MAX_PARTITION_TIME>
          Maximum length of time to retry connecting to the portal if we're having
          internet issues or it's down. Accepts human times. e.g. "5m" or "1h" or "30d"

          [env: FIREZONE_MAX_PARTITION_TIME=]

  -h, --help
          Print help (see a summary with '-h')

  -V, --version
          Print version

The --no-check flag skips the startup permission checks (TUN device, UDP sockets, netlink routing). Only use it if you've configured access in ways not covered by the checks — see host permissions.

Environment variable reference

| Variable Name | Default Value | Description |
| --- | --- | --- |
| FIREZONE_TOKEN | | Token generated by the portal to authorize the Gateway's connection. See the Deploy a Gateway page in the admin portal for where to find this. Can also be passed using a systemd credential named FIREZONE_TOKEN. |
| FIREZONE_ID | machine ID | Unique identifier for this Gateway. Must be unique across all Gateways in your account. If not provided, a value derived from /etc/machine-id is used. |
| FIREZONE_NAME | hostname | Friendly name for this Gateway to display in the admin portal. |
| FIREZONE_LOG_FORMAT | human | Log output format. Set to json for JSON-formatted logs, or human for human-readable logs. |
| FIREZONE_FLOW_LOGS | false | Set to true to enable flow logs of tunneled UDP and TCP connections. |
| FIREZONE_NO_INC_BUF | false | Set to true to prevent the Gateway from attempting to increase the system's net.core.wmem_max and net.core.rmem_max kernel parameters. See performance tuning for details. |
| FIREZONE_NO_TELEMETRY | false | Set to true to opt out of the Sentry crash-reporting agent. |
| FIREZONE_MAX_PARTITION_TIME | 24h | Maximum length of time to keep retrying the portal connection during an outage before exiting. Accepts human durations like 5m, 1h, or 30d. |
| RUST_LOG | info | Log level for the Gateway. Common values: error, warn, info, debug, trace. Read more here. |
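
As an added example (not Firezone tooling and not code from this page), the shell function below checks a Gateway environment file against the reference above: values outside the documented sets, FIREZONE_* names that are not in the table, and a token kept in a file that group or others can read. The KEY=VALUE file layout, the function name and the sample contents are assumptions.

```shell
#!/bin/sh
# Added example: audit a Gateway env file against the variable reference.
# The KEY=VALUE file layout is an assumption, not Firezone tooling.
KNOWN="FIREZONE_TOKEN FIREZONE_ID FIREZONE_NAME FIREZONE_LOG_FORMAT \
FIREZONE_FLOW_LOGS FIREZONE_NO_INC_BUF FIREZONE_NO_TELEMETRY \
FIREZONE_MAX_PARTITION_TIME"

# Prints one finding per line; returns 0 if clean, 1 otherwise.
audit_gateway_env() {
    file=$1
    findings=0
    note() { printf '%s\n' "$1"; findings=$((findings + 1)); }
    while IFS='=' read -r key value; do
        case $key in ''|\#*) continue ;; esac      # skip blanks and comments
        value=${value#\"}; value=${value%\"}        # drop surrounding quotes
        case $key in
            FIREZONE_TOKEN)
                # A token stored in the file must not be group/other readable.
                if [ -n "$(find "$file" \( -perm -040 -o -perm -004 \))" ]; then
                    note "FIREZONE_TOKEN: file is readable by group or others"
                fi ;;
            FIREZONE_LOG_FORMAT)
                case $value in json|human) ;;
                    *) note "FIREZONE_LOG_FORMAT: '$value' is not json or human" ;;
                esac ;;
            FIREZONE_FLOW_LOGS|FIREZONE_NO_INC_BUF|FIREZONE_NO_TELEMETRY)
                case $value in true|false) ;;
                    *) note "$key: '$value' is not true or false" ;;
                esac ;;
            FIREZONE_*)
                # Catches misspelt names; a variable nothing reads raises no error.
                case " $KNOWN " in *" $key "*) ;;
                    *) note "$key: not a documented variable" ;;
                esac ;;
        esac
    done < "$file"
    [ "$findings" -eq 0 ]
}

# Constructed sample: placeholder token, wrong case, misspelt variable name.
sample=$(mktemp)
printf '%s\n' 'FIREZONE_TOKEN=PLACEHOLDER_NOT_A_REAL_TOKEN' \
    'FIREZONE_LOG_FORMAT=JSON' 'FIREZONE_FLOWLOGS=true' > "$sample"
chmod 644 "$sample"
audit_gateway_env "$sample" || echo "findings above need review"
rm -f "$sample"
```

RUST_LOG and other non-FIREZONE names are passed over, and FIREZONE_MAX_PARTITION_TIME is only checked by name, not by duration syntax.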

Telemetry

By default, Gateways run a Sentry crash-reporting agent. To opt out, set FIREZONE_NO_TELEMETRY=true (or pass --no-telemetry).


Last updated: July 01, 2026