"A virtual private network, or VPN, is an encrypted connection over the Internet from a device to a network. The encrypted connection helps ensure that sensitive data is safely transmitted. It prevents unauthorized people from eavesdropping on the traffic and allows the user to conduct work remotely."
What is Firewalla VPN Server?
Firewalla VPN Server places the VPN server inside your house: it runs inside the little Firewalla box. This VPN service can only be used when you are outside of the house, and it gives you the same level of security protection, provided by Firewalla, as if you were at home.
Connect to Firewalla VPN = You are at Home
Easy to set up
- You don't need to open additional ports on your router.
- You don't need to manually forward random ports from your router to your home devices.
- You don't need to learn complicated technology to bring up a VPN server.
- One connection allows you to access all home devices.
Secure Access
- Securely surf the internet with the benefit of ad blocking and blocking of porn sites and malicious sites.
- Securely access your home camera, NAS (network attached storage), smart door knob/power plug (IoT devices), and more.
- Your own private VPN server, not shared with others.
Data Encryption
- Bypass censorship and internet filtering at work or in another country.
- Prevent eavesdropping when you are on the road, e.g. at Starbucks.
Always at Home
- Take your video subscriptions anywhere. Stream Netflix, Hulu or any service just as if you were at home. No restrictions.
- Access your banking / financial sites as if you were at home.
- Bypass internet censorship or filtering when traveling to a foreign country.
Free
- The VPN server runs inside your home network for free. There is no monthly fee or additional charge.
What This VPN Server is NOT
- This is not the traditional VPN service that you use to hide from your service provider.
- You cannot use this service to bypass Netflix restrictions. (Unless you are traveling and have a Firewalla at 'home')
What does Firewalla VPN do?
Surf the web as if you are at home when you are not
Firewalla VPN Server allows you to easily set up an encrypted connection from anywhere in the world to your home. Although you are outside on a public network, your security protection is the same as at home.
- You can access the internet as securely as if you were at home.
- If you are at a place that restricts internet access, you can use this to get around it.
- You don't need to open additional ports on your router when you are outside and want to view your home camera or file system.
If you are looking for VPN out from your home to a 3rd party VPN provider, please check out the VPN Client feature: https://help.firewalla.com/hc/en-us/articles/360023379953-VPN-Client-Beta-
Access your home network from anywhere
While Firewalla VPN allows you to safely connect back home, it can also allow you to easily access all your network-enabled home devices, such as IoT devices, NAS file system, etc.
The Firewalla VPN server is a transport service protected by security certificates. It is much harder to attack than the HTTP service exposed by your camera. It also encrypts all traffic between you and your home network: whatever sites you are surfing or files you are accessing are kept private, and won't be snooped on by anyone in between.
VPN Server Configuration
Here is how to configure Firewalla VPN server:
STEP 0: Turn on VPN Server
The very first step is to turn on the VPN server on your Firewalla box. The Firewalla box will start a pre-installed OpenVPN server. When the VPN server starts, it generates a unique key, and this key is only for your box.
Once you do that, click on "Setup"; it will guide you through the setup.
STEP 1: Configure Port Forwarding
If your router has UPnP enabled (as most routers do), then it is simple: Firewalla will do everything for you. If your router doesn't support UPnP, you will need to manually set up port forwarding on your home router.
Tutorial: How to set up port forwarding for VPN Server
In this step, a couple of things are very important to check:
- Make sure the router that your Firewalla is plugged into has a public IP assigned by your ISP.
- If Firewalla is in DHCP mode and your overlay network is configured to be the same subnet as the primary network, the VPN server may use Firewalla's IP address in the overlay network to talk with VPN clients, instead of its IP address in the primary network. When configuring port forwarding on the router, make sure you forward to Firewalla's IP address in the overlay network. (You can check the IP address information in Settings -> Advanced -> Network Settings)
STEP 2: Install VPN client
To use VPN, you will need to install an OpenVPN compatible client on your mobile or desktop device. We have created instruction pages for different types of devices, with links to download VPN clients.
STEP 3: Configure VPN client
Once you have installed the client, you'll need a profile and a password in order to use the VPN client. The profile and password are generated by Firewalla. They are device-independent and can be shared. Refer to the instruction pages in Step 2 on how to add the profile to the client.
Testing VPN Server
Now you have everything set up. To test whether your VPN is working, you need to test it from outside your own network, i.e. a network separate from the one Firewalla is installed on (many routers lack NAT hairpinning, the feature that would allow you to VPN back into your own network from inside it). For example, if you are testing on a phone with the VPN client installed, the best way is to switch the phone to cellular data.
Still not able to connect to VPN?
If you still have problems, check the following:
Check 0: Wait a bit
- If you just installed Firewalla, it may take up to 1 hour for the DDNS entry to propagate. If you set up Firewalla VPN within 1 hour of the first power-up of the unit, please wait a bit.
Check 1: Running in Simple mode
If you have problems with port forwarding in simple mode, try this:
- Turn off global monitoring on Firewalla: https://help.firewalla.com/hc/en-us/articles/360008407613-Turn-on-off-Monitoring
- Reboot your router
- Try again and see if the VPN works.
- If it works, turn global monitoring back on in Firewalla.
Check 2: Do you have a public IP?
1. Log in to the router that the Firewalla is plugged into and look at the "WAN IP address" field.
2. Go to myip.com and compare the address shown there with (1).
If (1) and (2) are different, you don't have a public IP address. Call your ISP to get a public IP from them.
Check 3: Are you under double NAT?
You are under double NAT if there is another router (the second router) in front of the router (the first router) that Firewalla is plugged into. In this configuration, you will need to set up another port forward on the second router: forward the second router's public UDP port 1194 to UDP port 1194 on the first router.
How do you know if you have double NAT?
First, look at the physical connection of the router that Firewalla is plugged into. If this router was not provided by the ISP, you may be under double NAT.
Next, check the following:
1. Log in to the router that the Firewalla is plugged into and look at the "WAN IP address" field.
2. Go to myip.com and compare the address shown there with (1).
If (1) and (2) are different, you are definitely under double NAT. In this case, please log in to the second router and manually set up port forwarding.
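Checks 2 and 3 both come down to comparing the router's WAN address with the address an outside site (myip.com) reports. The following Python helper is an added example, not Firewalla's code: it automates that comparison and also tells an RFC 1918 WAN address (a second router of your own, where you can add the port forward yourself) apart from RFC 6598 carrier-grade NAT space (the ISP's NAT, which only the ISP can fix). All addresses used are constructed samples.

```python
import ipaddress

# RFC 1918 ranges: a WAN address in one of these means a second router of your own
# sits upstream (double NAT), and you can add the UDP 1194 forward on it yourself.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space: the ISP itself is doing carrier-grade NAT, so there
# is no public IPv4 address to forward from; only the ISP can change that.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
VPN_PORT = 1194  # default OpenVPN port used by the Firewalla VPN server


def classify_wan_ip(wan_ip):
    """Classify the address shown in the router's "WAN IP address" field."""
    addr = ipaddress.ip_address(wan_ip)
    if addr.version != 4:
        return "ipv6"       # the VPN server only supports IPv4 at this time
    if any(addr in net for net in RFC1918):
        return "private"
    if addr in CGNAT:
        return "cgnat"
    if not addr.is_global:
        return "reserved"   # loopback, link-local, documentation ranges and the like
    return "public"


def diagnose(wan_ip, observed_ip):
    """Combine the router's WAN IP with the address an external site reports.

    Returns (status, advice); status "ok" means a UDP 1194 forward on this router
    should be reachable from the internet.
    """
    kind = classify_wan_ip(wan_ip)
    if kind == "private":
        return ("double_nat", f"forward UDP {VPN_PORT} on the upstream router to this router, "
                              f"then from this router to Firewalla")
    if kind == "cgnat":
        return ("no_public_ip", "ISP uses carrier-grade NAT; ask the ISP for a public IPv4 address")
    if kind == "ipv6":
        return ("ipv6_only", "WAN has no IPv4 address; the VPN server needs IPv4")
    if kind == "reserved":
        return ("reserved", "WAN address is in a reserved range; check the router's uplink")
    if ipaddress.ip_address(wan_ip) != ipaddress.ip_address(observed_ip):
        return ("mismatch", "another NAT or proxy sits between this router and the internet")
    return ("ok", f"router holds a public IP; forward UDP {VPN_PORT} here to Firewalla")
```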
Check 4: Is your router running a VPN?
Some routers come with a default VPN server. If you want to use Firewalla VPN, please turn off your router's VPN server. Otherwise, the two VPNs will compete for port 1194.
Check 5: If Firewalla is in DHCP mode, is your overlay network configured to be the same subnet as primary network?
In this case, the VPN server may use Firewalla's IP address in the overlay network to talk to VPN clients, instead of its IP address in the primary network. When configuring port forwarding, you need to forward to Firewalla's IP address in the overlay network. (You can check the IP address information in Settings -> Advanced -> Network Settings)
More Tips:
- If you use the VPN feature very often, we recommend that you do a static port mapping, because UPnP is not always reliable on certain routers.
- The Firewalla Blue VPN profile may expire (depending on the software revision) after around 30 days. If you encounter this issue, just regenerate a new one: go to VPN -> Setup -> scroll to the bottom, and reset the profile and password.
- If you ever need to use a port other than 1194, after you are done with the port forwarding setup, don't forget to change the port on the remote line of your .ovpn profile (marked below):
client
dev tun
proto udp
# change 1194 on the next line to the port you forwarded on your router
remote xxx.d.yyy.com 1194
resolv-retry infinite
nobind
persist-key
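The following Python helper makes that edit programmatically; it is an added example, not Firewalla's code. It rewrites the port on every remote line of the exported .ovpn profile (and optionally the hostname, if you point your own domain name at your external IP), copies every other directive through unchanged, and refuses a profile that has no remote line at all. The embedded profile is a constructed sample with a placeholder hostname.

```python
import re
from typing import Optional, Tuple

# Constructed sample of an exported client profile; the hostname is a placeholder.
SAMPLE_PROFILE = """client
dev tun
proto udp
remote xxx.d.yyy.com 1194
resolv-retry infinite
nobind
persist-key
"""

# OpenVPN syntax: remote <host> [port] [proto]; only lines that carry a port are touched.
REMOTE_RE = re.compile(r"^(\s*remote\s+)(\S+)(\s+)(\d+)(\s+(?:udp|tcp)\S*)?\s*$")


def rewrite_remote(profile: str, port: int, host: Optional[str] = None) -> str:
    """Return the profile with every 'remote' line pointing at the new port (and host, if given).

    Every other directive is copied through unchanged, so the client keeps
    'proto udp', 'dev tun' and the rest exactly as Firewalla generated them.
    """
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    out, hits = [], 0
    for line in profile.splitlines():
        m = REMOTE_RE.match(line)
        if m:
            hits += 1
            new_host = host or m.group(2)
            line = f"{m.group(1)}{new_host}{m.group(3)}{port}{m.group(5) or ''}"
        out.append(line)
    if hits == 0:
        raise ValueError("no 'remote' line found; this is not a usable client profile")
    return "\n".join(out) + "\n"


def remote_endpoint(profile: str) -> Optional[Tuple[str, int]]:
    """Parse (host, port) from the first 'remote' line, to verify a rewritten profile."""
    for line in profile.splitlines():
        m = REMOTE_RE.match(line)
        if m:
            return m.group(2), int(m.group(4))
    return None
```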
VPN Alarm & Notification
Once VPN is set up and enabled, Firewalla will send you an alarm every time a device connects to your VPN Server. If someone gets hold of your profile and password, you will be notified when they use your VPN service.
Advanced Tips
- If your router can reserve an IP address for Firewalla, please do so. This avoids problems if you have a static port mapping.
- By default, Firewalla uses UPnP to map the VPN port. We have seen that some routers are buggy and may lose this port mapping. To avoid this:
  - Turn the VPN Server off and on again; this usually fixes the problem.
  - If you use the VPN feature often, just add a static port mapping in your router.
- VPN Split Tunneling https://help.firewalla.com/hc/en-us/community/posts/360047915253
Comments
What is the VPN IP range for connected clients?
It is a randomly generated /24 subnet under 10.0.0.0/8
Melvin
Will clients connecting back into the firewalla's vpn get the web filtering / parental control policies setup as if the user was on the home network normally? This seems like the best feature that should be marketed if it's how it works.
Global web filtering and parental controls are applied to VPN clients too.
Device-level web filtering and parental controls are not, because VPN clients are not recognized as devices (it's on todo list).
So to enable filtering on VPN clients, please select "All devices" when configuring filters.
Melvin
Great! Will devices sold today be able to support the software update that enables the "Todo" list feature for per vpn device control?
Yes, unless there are reasons; for example, Red may not support some features due to hardware performance.
Red, Blue, and Gold all run the same software and get updates periodically.
Melvin
Can Firewalla Blue work with a Red for VPN for Site to Site VPN? Is there a Site to Site VPN guide?
See this https://help.firewalla.com/hc/en-us/articles/360023379953-VPN-Client-Beta-
Any thoughts or movement to using WireGuard as the VPN ?
Can I connect to the openvpn server when I only have ipv6 with ds-lite tunnel (no public ipv4 address)?
@Alex, only ipv4 is supported at this moment.
@Sean,
We have been testing WireGuard internally, so far the result is promising.
Will I be able to use my own domain name (that points to my external IP address) instead of using the one provided by Firewalla?
Yes
You can just change the server name in the downloaded VPN profile to your own domain name, before importing to your VPN client.
This needs to be updated for gold which auto configures port forwarding. (Maybe that is only in beta?)
Hi, how many VPN clients can connect to Firewalla Gold, simultaneously?
Thank you
Are the individual devices issued a unique key/cert which is used for authentication when connecting to the VPN?
There is one for all the devices. We may go to multiple profile support in the future, but those are likely to be used by business users.
@firewalla may I know how many devices (my mobile and ipad when I'm at airport for example) simultaneously can connect at a time to the Firewalla Gold VPN?
You can connect many ... it is only limited by the amount of memory (a lot) and also your bandwidth (upload and download)
I got WireGuard up and running on my Firewalla Gold. The problem I am having is I can't get internet connectivity. I had a similar problem on another device and the problem was in the network interface in the iptables rules.
What is the issue here?
Here is what I did.
Install prerequisites and download source code
Compile and install the module
Compile and install the wg(8) tool
Enable IP Forwarding
Reboot
Verify that IP Forwarding is enabled
The result should be
Generate Private And Public Keys For Server And Client
Verify the keys were generated
View the keys with
Configure WireGuard Server
Make a wg0.conf file in ‘/etc/wireguard/’ Make sure that the correct network is selected. Edit the wlan0 entry as needed. This will block internet connectivity on the remote device.
This is where I think my setup is failing - I tried br0, eth0, eth1, eth2, eth3 - none worked.
Configure Wireguard Client
Make a peer1.conf file in ‘/etc/wireguard/’
Export The Client Configuration To Your Phone Using QR Code
A QR code will be generated, scan this code and import it to the WireGuard app on a phone.
Finalize Installation
After the client profile has been imported to a phone run these commands to finish the installation
Checking Status
Should result in
(No real keys are shown here.)