
Firezone Description
Firezone is an open-source VPN replacement built on WireGuard® that implements zero-trust network access (ZTNA) principles. It enables organizations to secure access to internal resources — including cloud infrastructure, on-premises networks, SaaS applications, and private web apps — through policy-based access controls.

Key capabilities include:

- **WireGuard-based tunneling**: Provides encrypted connectivity reported to be 3-4x faster than OpenVPN.
- **Zero-trust access policies**: Access is governed by configurable policies that can enforce conditions such as device location and time of day.
- **Identity provider (IdP) sync**: Users and groups automatically synchronize with OIDC-compatible identity providers, supporting MFA enforcement and streamlined onboarding/offboarding.
- **Hole-punching technology**: Resources are hidden from the public internet, reducing the attack surface without requiring open inbound firewall ports.
- **Gateway architecture**: Lightweight Linux binaries (Gateways) can be deployed anywhere using Docker, Terraform, Kubernetes, or Pulumi, with automatic load balancing and failover across multiple Gateways.
- **Cross-platform clients**: Native clients available for macOS, Windows, Linux, Android, ChromeOS, and iOS with no manual configuration required.
- **Malicious DNS blocking**: Supports blocking DNS queries to known malicious domains.
- **Audit logging**: Every authorized connection is logged and viewable by user, resource, or policy.

Firezone is open-source, allowing full codebase auditing. It is available as a free tier with commercial options.
Firezone FAQ
Common questions about Firezone including features, pricing, alternatives, and user reviews.
Firezone is an open-source, WireGuard-based ZTNA platform for secure resource access, developed by Firezone. It is a Zero Trust solution designed to help security teams with ZTNA, VPN, and WireGuard.