Linux Headless Client
The Linux Headless Client is intended for environments without a graphical desktop session. It supports two authentication modes:
- Service account tokens -- long-lived, multi-owner tokens generated in the admin portal. Best for system-to-system connectivity where no user is present to authenticate. See Service Accounts.
- User tokens via browser-based sign-in -- short-lived tokens obtained by signing the running user into the portal in a browser. Useful when you want a human user to authenticate the Client on a server they manage without installing a GUI. See Browser-based authentication.
If you're looking for a desktop Client that authenticates with your identity provider through a graphical interface, see the Linux GUI Client.
Prerequisites
- Any Linux-based OS with kernel 3.10 or higher
- ARM64, ARMv7l, or x86_64 CPU
- A Firezone account, plus admin access to create a service account if you intend to authenticate with a service account token
- Root access or
sudofor Split DNS
Installation
Download the Linux headless Client from our changelog page, or use one of the direct links below:
- Download the Linux Client for
x86_64 - Download the Linux Client for
ARMv7l - Download the Linux Client for
ARM64
Mark the binary as executable:
chmod +x firezone-client-headless-linux_1.5.8_x86_64
Usage
Signing in
The Client must be authenticated before it can connect. Pick one of the two flows below depending on whether you want to authenticate as a service account or as a user.
With a service account token
Service account tokens are long-lived and ideal for unattended systems. Generate one using the instructions in the service account documentation, then start the Client with the token in the environment:
sudo FIREZONE_TOKEN=<TOKEN> ./firezone-client-headless-linux_1.5.8_x86_64
sudo is required to control the system's DNS.Set some environment variables to configure it:
export FIREZONE_NAME="Development API test client"
export FIREZONE_ID=$(head -c 32 /dev/urandom | sha256sum | cut -d' ' -f1)
export FIREZONE_TOKEN=<TOKEN>
export LOG_DIR="./"
sudo -E ./firezone-client-headless-linux_1.5.8_x86_64
See below for a full list of environment variables.
Browser-based authentication
If you want to authenticate the Client as a normal user with your identity
provider, use the sign-in subcommand. The Client prints a URL for you to open
in any browser; after signing in, the portal displays a token that you paste
back into the terminal. The token is then stored on disk at
/etc/dev.firezone.client/token (configurable with --token-path or
FIREZONE_TOKEN_PATH) and reused on subsequent runs.
sudo ./firezone-client-headless-linux_1.5.8_x86_64 sign-in \
--account-slug <YOUR_ACCOUNT_SLUG>
The --account-slug flag is optional; if omitted, the URL takes you to the
generic sign-in page where you can pick your account.
Once a token is saved you can start the Client without setting FIREZONE_TOKEN:
sudo ./firezone-client-headless-linux_1.5.8_x86_64
To remove a saved token, run sign-out:
sudo ./firezone-client-headless-linux_1.5.8_x86_64 sign-out
User tokens expire based on the client session lifetime configured for
your auth provider in the Firezone admin portal (not your identity provider's
own session lifetime). When the token expires the Client will fail to
authenticate, and you'll need to run sign-in again. For long-running
unattended deployments, prefer a service account token.
Accessing a Resource
When Firezone is signed in, HTTP clients, SQL clients, and other programs will automatically use it to securely connect to Resources.
Split DNS
By default, Split DNS is enabled for the Linux headless Client as of version 1.1.5.
To disable Split DNS for the Linux Client, set the FIREZONE_DNS_CONTROL
environment variable to disabled.
To control /etc/resolv.conf directly, set FIREZONE_DNS_CONTROL to
etc-resolv-conf.
Read more below to figure out which DNS control method is appropriate for your system.
systemd-resolved
On most modern Linux distributions, DNS resolution is handled by
systemd-resolved. If this is the case for you, do not set
FIREZONE_DNS_CONTROL. If you're not sure whether you use systemd-resolved,
you can check by running the following command:
systemctl status systemd-resolved
Ensure that /etc/resolv.conf is a symlink to
/run/systemd/resolve/stub-resolv.conf:
# Check if /etc/resolv.conf is already a symlink to /run/systemd/resolve/stub-resolv.conf
stat /etc/resolv.conf
# If it's not, create the symlink
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf.new
sudo mv /etc/resolve.conf.new /etc/resolv.conf
NetworkManager
In most cases, if you're using NetworkManager your system already uses
systemd-resolved, and you should leave FIREZONE_DNS_CONTROL unset, which
will use the default systemd-resolved DNS control method.
When NetworkManager detects that symlink exists, it will automatically use
systemd-resolved for DNS resolution and no other configuration is necessary.
/etc/resolv.conf
If you're not using systemd-resolved, Firezone supports using the
/etc/resolv.conf file to configure Split DNS as a fallback. To do this, set
FIREZONE_DNS_CONTROL to etc-resolv-conf, and the Linux Client will override
the /etc/resolv.conf file with the Firezone internal proxy.
When the Linux Client process exits, it will revert the /etc/resolv.conf file
back to its original state. If for some reason this isn't the case, you can
easily restore it by running the following command:
sudo mv /etc/resolv.conf.before-firezone /etc/resolv.conf
Read more about how DNS works in Firezone.
Environment variable reference
| Variable Name | Default Value | Description |
|---|---|---|
FIREZONE_TOKEN | Token used to authenticate the Client. Either a service account token from the admin portal or a user token obtained via sign-in. If unset, the Client reads the token from FIREZONE_TOKEN_PATH. | |
FIREZONE_TOKEN_PATH | /etc/dev.firezone.client/token | Filesystem path the Client reads the token from when FIREZONE_TOKEN is unset, and the path the sign-in subcommand writes to. |
FIREZONE_ACTIVATE_INTERNET_RESOURCE | Whether to activate the Internet Resource for this Client. Default is blank, which is disabled. Set to 1 or true to enable. | |
FIREZONE_NAME | <system hostname> | Friendly name for this client to display in the UI. |
FIREZONE_ID | Identifier used by the portal to identify this client for metadata and display purposes. | |
FIREZONE_DNS_CONTROL | (blank) | The DNS control method to use. The default is systemd-resolved. Set this to disabled to disable DNS control, or etc-resolv-conf to use the /etc/resolv.conf file. Do not use etc-resolv-conf if /etc/resolv.conf is not a regular file, e.g. if it's a symlink to /run/systemd/resolve/stub-resolv.conf |
LOG_DIR | File logging directory. Should be a path that's writeable by the current user. If unset, logs will be written to stdout only. | |
RUST_LOG | info | Log level for the client. Set to debug for verbose logging. Read more about configuring Rust log levels here. |
Help output
> sudo ./firezone-client-headless-linux_1.5.8_x86_64 --help
Command-line args for the headless Client
Usage: firezone-client-headless-linux_1.5.8_x86_64 [OPTIONS] [COMMAND]
Commands:
sign-in Sign in via browser-based authentication
sign-out Sign out by removing the stored token
help Print this message or the help of the given subcommand(s)
Options:
--dns-control <DNS_CONTROL>
Possible values:
- disabled: Explicitly disable DNS control
- etc-resolv-conf: Back up `/etc/resolv.conf` and replace it with our own
- systemd-resolved: Cooperate with `systemd-resolved`
[env: FIREZONE_DNS_CONTROL=]
[default: systemd-resolved]
-l, --log-dir <LOG_DIR>
File logging directory. Should be a path that's writeable by the current user
[env: LOG_DIR=]
-m, --max-partition-time <MAX_PARTITION_TIME>
Maximum length of time to retry connecting to the portal if we're having internet issues or it's down. Accepts human times. e.g. "5m" or "1h" or "30d"
[env: MAX_PARTITION_TIME=]
--firezone-name <FIREZONE_NAME>
Friendly name for this client to display in the UI
[env: FIREZONE_NAME=]
-i, --firezone-id <FIREZONE_ID>
Identifier used by the portal to identify and display the device
[env: FIREZONE_ID=]
--activate-internet-resource
Activate the Internet Resource.
To actually use the Internet Resource, the user must also have a policy granting access to the Internet Resource.
[env: FIREZONE_ACTIVATE_INTERNET_RESOURCE=]
--no-telemetry
Disable sentry.io crash-reporting agent
[env: FIREZONE_NO_TELEMETRY=]
--token-path <TOKEN_PATH>
A filesystem path where the token can be found
[env: FIREZONE_TOKEN_PATH=]
[default: /etc/dev.firezone.client/token]
-h, --help
Print help (see a summary with '-h')
-V, --version
Print version
The sign-in subcommand accepts --auth-base-url (FIREZONE_AUTH_BASE_URL,
default https://app.firezone.dev) and --account-slug
(FIREZONE_ACCOUNT_SLUG). The sign-out subcommand accepts -f, --force to
skip the confirmation prompt.
Upgrading
- Download a newer binary from one of the links above.
- Stop the running Client.
- Replace the existing binary with the new one.
- Start the Client with the same environment variables as before.
Diagnostic logs
Firezone writes log files to disk. These logs stay on your computer and are not transmitted anywhere. If you encounter a bug, sending us the files may help us fix the bug.
Uninstalling
- Stop the running Client
- Delete the binary
Troubleshooting
Check if Firezone is controlling DNS with systemd-resolved DNS
resolvectl dns
Firezone Split DNS:
Global:
Link 2 (enp0s6): 10.0.2.3 fec0::3
Link 3 (tun-firezone): 100.100.111.1 fd00:2021:1111:8000:100:100:111:0
Normal system DNS:
Global:
Link 2 (enp0s6): 10.0.2.3 fec0::3
Check if Firezone is controlling DNS with /etc/resolv.conf
Firezone Split DNS:
# BEGIN Firezone DNS configuration
# If you modify this file, delete the above magic header line so that Firezone will
# obey your new default DNS config.
# If you see this text and Firezone is not running, then the last run of Firezone crashed.
# The original `resolv.conf` is backed up at /etc/resolv.conf.before-firezone
nameserver 100.100.111.1
search .
options edns0
options trust-ad
Normal system DNS:
nameserver 192.168.1.1
Check if Firezone is being used
Check if curl reports a remote IP in Firezone's range when you connect to a
Resource:
> curl --silent --output /dev/null --write-out %{remote_ip}\\n https://example.com
100.96.0.2
Firezone resources use the ranges 100.96.0.0/11 and
fd00:2021:1111:8000::/107.
Revert /etc/resolv.conf DNS control
The systemd-resolved method reverts by itself when Firezone closes. However,
the etc-resolv-conf method can fail to revert if Firezone crashes.
Starting and stopping Firezone gracefully will cause it to try reverting
/etc/resolv.conf.
You can manually revert with:
sudo mv /etc/resolv.conf.before-firezone /etc/resolv.conf
Known issues
- If a search domain is applied, the system search domains set manually or by DHCP are ignored. #8430.
Need additional help?
See all support options or try asking on one of our community-powered support channels:
- Discussion forums: Ask questions, report bugs, and suggest features.
- Discord server: Join discussions, meet other users, and chat with the Firezone team
- Email us: We read every message.