Firewalla VPN Server

Comments

21 comments

  • Stormy Daniel

    What is the VPN IP range for connected clients?

  • Support Team

    It is a randomly generated /24 subnet under 10.0.0.0/8

    Melvin

  • Kevin Lengel

    Will clients connecting back into the firewalla's vpn get the web filtering / parental control policies setup as if the user was on the home network normally? This seems like the best feature that should be marketed if it's how it works.

  • Support Team

    Global web filtering and parental controls are applied to VPN clients too.

    Device-level web filtering and parental controls are not, because VPN clients are not recognized as devices (it's on todo list).

    So to enable filtering on VPN clients, please select "All devices" when configuring filters.

    Melvin

  • Kevin Lengel

    Great! Will devices sold today be able to support the software update that enables the "Todo" list feature for per vpn device control?

  • Support Team

    Yes, unless there are reasons; for example, Red may not support some features due to hardware performance.

    Red, Blue, and Gold all run the same software and get updates periodically.

    Melvin

  • WJ Lima

    Can Firewalla Blue work with a Red for VPN for Site to Site VPN? Is there a Site to Site VPN guide?

  • Sean Patzer

    Any thoughts or movement to using WireGuard as the VPN?

  • Alex

    Can I connect to the openvpn server when I only have ipv6 with ds-lite tunnel (no public ipv4 address)?

  • Support Team

    @Alex, only ipv4 is supported at this moment.

  • Support Team

    @Sean,

    We have been testing WireGuard internally, so far the result is promising.

  • Mark

    Will I be able to use my own domain name (that points to my external IP address) instead of using the one provided by Firewalla?

  • Support Team

    Yes

    You can just change the server name in the downloaded VPN profile to your own domain name, before importing to your VPN client.

  • Michael Bierman

    This needs to be updated for gold which auto configures port forwarding. (Maybe that is only in beta?)

  • Miguel Madeira Rodrigues

    Hi, how many VPN clients can connect to Firewalla Gold, simultaneously?

    Thank you

  • Chris Thomas

    Are the individual devices issued a unique key/cert which is used for authentication when connecting to the VPN?

  • Firewalla

    There is one for all the devices. We may go to multiple profile support in the future, but those are likely to be used by business users.

  • L R Naidu Kandulapati

    @firewalla may I know how many devices (my mobile and ipad when I'm at airport for example) simultaneously can connect at a time to the Firewalla Gold VPN?

  • Firewalla

    You can connect many ... it is only limited by the amount of memory (a lot) and also your bandwidth (upload and download).

  • Chris Hewitt

    I got WireGuard up and running on my Firewalla Gold. The problem I am having is I can't get internet connectivity. I had a similar problem on another device and the problem was in the network interface in the iptables rules.

    What is the issue here?

    Here is what I did.

    Install prerequisites and download source code

    sudo apt install libelf-dev libmnl-dev build-essential git -y
    sudo git clone https://git.zx2c4.com/wireguard-linux-compat
    sudo git clone https://git.zx2c4.com/wireguard-tools 

    Compile and install the module

    sudo make -C wireguard-linux-compat/src -j$(nproc)
    sudo make -C wireguard-linux-compat/src install

    Compile and install the wg(8) tool

    sudo make -C wireguard-tools/src -j$(nproc)
    sudo make -C wireguard-tools/src install

    Enable IP Forwarding 

    sudo perl -pi -e 's/#{1,}?net.ipv4.ip_forward ?= ?(0|1)/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf

    Reboot

    sudo reboot

    Verify that IP Forwarding is enabled

    sysctl net.ipv4.ip_forward 

    The result should be 

    sysctl net.ipv4.ip_forward = 1

    Generate Private And Public Keys For Server And Client

    sudo su
    cd /etc/wireguard
    umask 077
    wg genkey | tee peer1_privatekey | wg pubkey > peer1_publickey
    wg genkey | tee server_privatekey | wg pubkey > server_publickey
    ls  
    exit

    Verify the keys were generated

    peer1_privatekey 
    peer1_publickey
    server_privatekey
    server_publickey

    View the keys with

    cat server_publickey
    cat server_privatekey
    cat peer1_publickey
    cat peer1_privatekey

    Configure WireGuard Server

    Make a wg0.conf file in ‘/etc/wireguard/’. Make sure that the correct network is selected. Edit the wlan0 entry as needed. This will block internet connectivity on the remote device.

    This is where I think my setup is failing - I tried br0, eth0, eth1, eth2, eth3 - none worked.

    cat << EOF | sudo tee /etc/wireguard/wg0.conf
    [Interface]
    Address = 10.9.0.1/24
    # ListenPort = xxxxx      customize as needed
    ListenPort = 51820
    # DNS = 192.168.x.xx     customize as needed
    DNS = 192.168.1.1
    # PrivateKey = server_privatekey 
    PrivateKey = $(sudo cat /etc/wireguard/server_privatekey) 

    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

    [Peer]
    #Peer-1
    # PublicKey = peer1_publickey
    PublicKey = $(sudo cat /etc/wireguard/peer1_publickey)
    AllowedIPs = 10.9.0.2/32 
    PersistentKeepalive = 60
    EOF

    Configure WireGuard Client

    Make a peer1.conf file in ‘/etc/wireguard/’

    cat << EOF | sudo tee /etc/wireguard/peer1.conf
    [Interface]
    Address = 10.9.0.2/32
    # DNS = 192.168.x.x       Customize as needed
    DNS = 192.168.1.1
    # PrivateKey = peer1_privatekey 
    PrivateKey = $(sudo cat /etc/wireguard/peer1_privatekey)

    [Peer]
    # PublicKey = server_publickey 
    PublicKey = $(sudo cat /etc/wireguard/server_publickey) 
    # Endpoint = YOUR-PUBLIC-IP/DDNS:ListenPort   Customize as needed
    Endpoint = IPaddress/DDNS:51820
    AllowedIPs = 0.0.0.0/0, ::/0
    PersistentKeepalive = 60
    EOF

    Export The Client Configuration To Your Phone Using QR Code

    sudo apt install qrencode -y
    sudo qrencode -t ansiutf8 < /etc/wireguard/peer1.conf

    A QR code will be generated; scan this code and import it into the WireGuard app on a phone.

    Finalize Installation

    After the client profile has been imported to a phone run these commands to finish the installation

    sudo systemctl enable wg-quick@wg0
    sudo chown -R root:root /etc/wireguard/
    sudo chmod -R og-rwx /etc/wireguard/*

    Checking Status

    wg

    Should result in

    interface: wg0

      public key: lGeCviEfYfWnYeuHezgxD36b0flvUuAqi94+yzkPT2Q=
      private key: (hidden)
      listening port: 51820

    peer: +ZHiLrF4uU1LJaIz36tAwNPfw7snMe1PVdn/FCBRbR8=
      endpoint: 192.168.1.1:51820
      allowed ips: 10.9.0.2/32
      latest handshake: 16 minutes, 21 seconds ago
      transfer: 17.22 KiB received, 14.82 KiB sent
      persistent keepalive: every 1 minute

    (No real keys are shown here.)


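As an added, constructed example (not from the original post, and not Firewalla's own tooling): a small POSIX sh checker for the two things the wg0.conf PostUp rule above depends on, namely that IPv4 forwarding is on and that the MASQUERADE rule's -o interface is the one actually carrying the default route. The sample route, sysctl and PostUp strings are constructed; on a real host substitute the live output of ip route show default, sysctl net.ipv4.ip_forward and the PostUp line from /etc/wireguard/wg0.conf.

```shell
#!/bin/sh
# Added, constructed example; not from the original post or from Firewalla.
# Checks the two prerequisites the wg0.conf PostUp rule above relies on:
#   1. net.ipv4.ip_forward is 1, so the kernel forwards the tunnel's packets;
#   2. the MASQUERADE rule's -o interface is the one carrying the default
#      route, otherwise VPN clients reach the LAN but not the internet.
# The three sample strings below are constructed stand-ins for the output of
# `ip route show default`, `sysctl net.ipv4.ip_forward` and the PostUp line.

SAMPLE_ROUTE='default via 192.168.1.1 dev eth0 proto dhcp metric 100'
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1'
SAMPLE_POSTUP='PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE'

# Interface named by "dev" on the default route (first match only).
default_iface() {
  printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# Interface named by -o in the POSTROUTING MASQUERADE rule of a PostUp line;
# prints nothing when the line has no such rule.
nat_iface() {
  printf '%s\n' "$1" | sed -n 's/.*POSTROUTING -o \([^ ]*\) -j MASQUERADE.*/\1/p'
}

# "1" or "0" from a sysctl line; empty if the line is not the ip_forward key.
forwarding_enabled() {
  printf '%s\n' "$1" | sed -n 's/^net\.ipv4\.ip_forward *= *\([01]\).*/\1/p'
}

# Prints "ok" or a one-line diagnosis; always returns 0 so it is safe under set -e.
check_wg_egress() {
  route_out=$1; sysctl_out=$2; postup=$3
  if [ "$(forwarding_enabled "$sysctl_out")" != "1" ]; then
    echo "ip_forward is not 1; fix /etc/sysctl.conf and reboot"; return 0
  fi
  want=$(default_iface "$route_out")
  have=$(nat_iface "$postup")
  if [ -z "$have" ]; then
    echo "PostUp has no POSTROUTING MASQUERADE rule"; return 0
  fi
  if [ "$want" != "$have" ]; then
    echo "MASQUERADE uses $have but the default route is on $want"; return 0
  fi
  echo ok
}

# Demo on the constructed samples: reports the interface mismatch.
check_wg_egress "$SAMPLE_ROUTE" "$SAMPLE_SYSCTL" "$SAMPLE_POSTUP"
```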