Firewalla VPN Server

Follow

Comments

30 comments

  • Avatar
    "Stormy D"

    What is the VPN IP range for connected clients?

    0
    Comment actions Permalink
  • Avatar
    Support Team

    It is a randomly generated /24 subnet under 10.0.0.0/8

     

    Melvin

    0
    Comment actions Permalink
  • Avatar
    Kevin Lengel

    Will clients connecting back into the firewalla's vpn get the web filtering / parental control policies setup as if the user was on the home network normally? This seems like the best feature that should be marketted if it's how it works.

    0
    Comment actions Permalink
  • Avatar
    Support Team

    Global web filtering and parental controls are applied to VPN clients too.

    Device-level web filtering and parental controls are not, because VPN clients are not recognized as devices (it's on todo list).

     

    So to enable filtering on VPN clients, please select "All devices" when configuring filters.

     

    Melvin

    2
    Comment actions Permalink
  • Avatar
    Kevin Lengel

    Great! Will devices sold today be able to support the software update that enables the "Todo" list feature for per vpn device control?

    0
    Comment actions Permalink
  • Avatar
    Support Team

    Yes unless there are reasons, for example, Red may not support some features due to hardware performance.

     

    Red, Blue, and Gold all run the same software and get updates periodically.

     

    Melvin

    0
    Comment actions Permalink
  • Avatar
    WJ Lima

    Can Firewalla Blue work with a Red for VPN for Site to Site VPN? Is there a Site to Site VPN guide?

    0
    Comment actions Permalink
  • 0
    Comment actions Permalink
  • Avatar
    Sean Patzer

    Any thoughts or movement to using WireGuard as the VPN ? 

    1
    Comment actions Permalink
  • Avatar
    Alex

    Can I connect to the openvpn server when I only have ipv6 with ds-lite tunnel (no public ipv4 address)?

    0
    Comment actions Permalink
  • Avatar
    Support Team

    @Alex, only ipv4 is supported at this moment.

    -1
    Comment actions Permalink
  • Avatar
    Support Team

    @Sean,

     

    We have been testing WireGuard internally, so far the result is promising.

     

    0
    Comment actions Permalink
  • Avatar
    Mark

    Will I be able to use my own domain name (that points to my external IP address) instead of using the one provided by Firewalla?

    0
    Comment actions Permalink
  • Avatar
    Support Team

    Yes

     

    You can just change the server name in the downloaded VPN profile to your own domain name, before importing to your VPN client.

     

    0
    Comment actions Permalink
  • Avatar
    Michael Bierman

    This needs to be updated for gold which auto configures port forwarding. (Maybe that is only in beta?)

    0
    Comment actions Permalink
  • Avatar
    Miguel Madeira Rodrigues

    Hi, how many VPN clients can connect to Firewalla Gold, simultaneously?

     

    Thank you

    3
    Comment actions Permalink
  • Avatar
    Chris Thomas

    Are the individual devices issued a unique key/cert which is used for authentication when connecting to the VPN?

    1
    Comment actions Permalink
  • Avatar
    Firewalla

    There is one for all the devices.  We may go to multiple profile support in the future, but those likely to be used by business users. 

    1
    Comment actions Permalink
  • Avatar
    L R Naidu Kandulapati

    @firewalla may I know how many devices (my mobile and ipad when I'm at airport for example) simultaneously can connect at a time to the Firewalla Gold VPN?

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    You an connect many ... it is only limited by the amount of memory (a lot) and also your bandwidth (upload and download) 

    0
    Comment actions Permalink
  • Avatar
    Chris Hewitt

    I got WireGuard up and running on my Firewalla Gold. The problem I am having is I can't get internet connectivity. I had a similar problem on another device and the problem was in the network interface in the iptables rules.

    What is the issue here?

     

    Here is what I did.

    Install prerequisites and download source code

    sudo apt install libelf-dev libmnl-dev build-essential git -y
    sudo git clone https://git.zx2c4.com/wireguard-linux-compat
    sudo git clone https://git.zx2c4.com/wireguard-tools 

    Compile and install the module

    sudo make -C wireguard-linux-compat/src -j$(nproc)
    sudo make -C wireguard-linux-compat/src install

    Compile and install the wg(8) tool

    sudo make -C wireguard-tools/src -j$(nproc)
    sudo make -C wireguard-tools/src install

    Enable IP Forwarding 

    sudo perl -pi -e 's/#{1,}?net.ipv4.ip_forward ?= ?(0|1)/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf

    Reboot

    sudo reboot

    Verify that IP Forwarding is enabled

    sysctl net.ipv4.ip_forward 

    The result should be 

    sysctl net.ipv4.ip_forward = 1

    Generate Private And Public Keys For Server And Client

    sudo su
    cd /etc/wireguard
    umask 077
    wg genkey | tee peer1_privatekey | wg pubkey > peer1_publickey
    wg genkey | tee server_privatekey | wg pubkey > server_publickey
    ls  
    exit

    Verify the keys were generated

    peer1_privatekey 
    peer1_publickey
    server_privatekey
    server_publickey

    View the keys with

    cat server_publickey
    cat server_privatekey
    cat peer1_publickey
    cat peer1_privatekey

    Configure WireGuard Server

    Make a wg0.conf file in ‘/etc/wireguard/’ Make sure that the correct network is selected. Edit the wlan0 entry as needed. This will block internet connectivity on the remote device.

    This is where I think my setup is failing - I tried br0, eth0, eth1, eth2, eth3 - none worked.

    cat << EOF | sudo tee /etc/wireguard/wg0.conf
    [Interface]
    Address = 10.9.0.1/24
    # ListenPort = xxxxx      customize as needed
    ListenPort = 51820
    # DNS = 192.168.x.xx     customize as needed
    DNS = 192.168.1.1
    # PrivateKey = server_privatekey 
    PrivateKey = $(sudo cat /etc/wireguard/server_privatekey) 

    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

    [Peer]
    #Peer-1
    # PublicKey = peer1_publickey
    PublicKey = $(sudo cat /etc/wireguard/peer1_publickey)
    AllowedIPs = 10.9.0.2/32 
    PersistentkeepAlive = 60 
    EOF 

    Configure Wireguard Client

    Make a peer1.conf file in ‘/etc/wireguard/’

    cat << EOF | sudo tee /etc/wireguard/peer1.conf
    [Interface]
    Address = 10.9.0.2/32
    # DNS = 192.168.x.x       Customize as needed
    DNS = 192.168.1.1
    # PrivateKey = peer1_privatekey 
    PrivateKey = $(sudo cat /etc/wireguard/peer1_privatekey)

    [Peer]
    # PublicKey = server_publickey 
    PublicKey = $(sudo cat /etc/wireguard/server_publickey) 
    # Endpoint = YOUR-PUBLIC-IP/DDNS:ListenPort   Customize as needed
    Endpoint = IPaddress/DDNS:51820
    AllowedIPs = 0.0.0.0/0, ::/0
    PersistentkeepAlive = 60 
    EOF

    Export The Client Configuration To Your Phone Using QR Code

    sudo apt install qrencode -y
    sudo qrencode -t ansiutf8 < /etc/wireguard/peer1.conf

    A QR code will be generated, scan this code and import it to the WireGuard app on a phone. 

    Finalize Installation

    After the client profile has been imported to a phone run these commands to finish the installation

    sudo systemctl enable wg-quick@wg0
    sudo chown -R root:root /etc/wireguard/
    sudo chmod -R og-rwx /etc/wireguard/*

    Checking Status

    wg

    Should result in

    interface: wg0

      public key: lGeCviEfYfWnYeuHezgxD36b0flvUuAqi94+yzkPT2Q=
      private key: (hidden)
      listening port: 51820

    peer: +ZHiLrF4uU1LJaIz36tAwNPfw7snMe1PVdn/FCBRbR8=
      endpoint: 192.168.1.1:51820
      allowed ips: 10.9.0.2/32
      latest handshake: 16 minutes, 21 seconds ago
      transfer: 17.22 KiB received, 14.82 KiB sent
      persistent keepalive: every 1 minute

     

     

    (No real keys are shown here.)

    0
    Comment actions Permalink
  • Avatar
    Abhishak Malviya

    How many other clients ( Red, Blue/Plus, Gold) can be connected  simultaneously to Gold VPN server?

    1
    Comment actions Permalink
  • Avatar
    Steve

    Hoow many clients can connect to my home network via VPN on a purple?

    0
    Comment actions Permalink
  • Avatar
    geotrouvetout67

    Anyone had luck to connect a Synology NAS to FW VPN Server?

    1
    Comment actions Permalink
  • Avatar
    Palta

    I am running a wireguard server on my Gold and I can connect to it just fine. I get internet and can access my local devices. However, I'm only able to access local devices using their ip and not their dns record. I have mdns reflector activated but I dont know what else to do. 

    Any thoughts? 

    Thanks!

    0
    Comment actions Permalink
  • Avatar
    Firewalla Team

    @Palta, you can access them via either local domain or search domain. Have you tried this?  Difference between Search Domain & Local Domain

     

    0
    Comment actions Permalink
  • Avatar
    Palta

    @Firewalla, I did try. Both my search and local domains are .local.

    I setup the DNS server of the Wireguard VPN Server to be 10.0.0.1 (which is the same as the one in my local network), otherwise it doesn't even work with IPs. Adblock is working. 

    Any other thoughts? Thanks!

    0
    Comment actions Permalink
  • Avatar
    Darth Sonic

    My mobile provider only support IPv6. Are there any plans to support Wireguard Vpn over IPv6?

    2
    Comment actions Permalink
  • Avatar
    Chris Hewitt

    I suspect it’s planned but it’s very hard to implement. Here is why.

    If you are using WireGuard with IPv6, then you will need to generate a unique local IPv6 unicast address prefix based on the algorithm in RFC 4193. The addresses that you use with WireGuard will be associated with a virtual tunnel interface. You will need to complete a few steps to generate a random, unique IPv6 prefix within the reserved fd00::/8 block of private IPv6 addresses.

    According to the RFC, the recommended way to obtain a unique IPv6 prefix is to combine the time of day with a unique identifying value from a system like a serial number or device ID. Those values are then hashed and truncated resulting in a set of bits that can be used as a unique address within the reserved private fd00::/8 block of IPs.

    To get started generating an IPv6 range for your WireGuard Server, collect a 64-bit timestamp using the date utility with the following command:

    date +%s%N

    You will receive a number like the following, which is the number of seconds (the %s in the date command), and nanoseconds (the %N) since 1970-01-01 00:00:00 UTC combined together:

    1650301699497770167

    Record the value somewhere for use later in this section. Next, copy the machine-id value for your server from the /var/lib/dbus/machine-id file. This identifier is unique to your system and should not change for as long as the server exists.

    cat /var/lib/dbus/machine-id

    You will receive output like the following:

    /var/lib/dbus/machine-id
    610cef4946ed46da8f71dba9d66c67fb
    Now you need to combine the timestamp with the machine-id and hash the resulting value using the SHA-1 algorithm. The command will use the following format:

    printf | sha1sum
    Run the command substituting in your timestamp and machine identity values:

    printf 1650301699497770167610cef4946ed46da8f71dba9d66c67fb | sha1sum

    You will receive a hash value like the following:

    442adea1488d96388dae9ab816045b24609a6c18 -

    Note that the output of the sha1sum command is in hexadecimal, so the output uses two characters to represent a single byte of data. For example 4f and 26 in the example output are the first two bytes of the hashed data.

    The algorithm in the RFC only requires the least significant (trailing) 40 bits, or 5 bytes, of the hashed output. Use the cut command to print the last 5 hexadecimal encoded bytes from the hash:

    printf 442adea1488d96388dae9ab816045b24609a6c18 | cut -c 31-

    The -c argument tells the cut command to select only a specified set of characters. The 31- argument tells cut to print all the characters from position 31 to the end of the input line.

    You should receive output like the following:

    24609a6c18

    In this example output, the set of bytes is: 24 60 9a 6c 18.

    Now you can construct your unique IPv6 network prefix by appending the 5 bytes you have generated with the fd prefix, separating every 2 bytes with a : colon for readability. Because each subnet in your unique prefix can hold a total of 18,446,744,073,709,551,616 possible IPv6 addresses, you can restrict the subnet to a standard size of /64 for simplicity.

    Using the bytes previously generated with the /64 subnet size the resulting prefix will be the following:

    Unique Local IPv6 Address Prefix
    fd24:609a:6c18::/64
    This fd24:609a:6c18::/64 range is what you will use to assign individual IP addresses to your WireGuard tunnel interfaces on the server and peers. To allocate an IP for the server, add a 1 after the final :: characters. The resulting address will be fd24:609a:6c18::1/64. Peers can use any IP in the range, but typically you’ll increment the value by one each time you add a peer e.g. fd24:609a:6c18::2/64.

    0
    Comment actions Permalink
  • Avatar
    Rsv

    Any plans to support IPv6??

    1
    Comment actions Permalink

Please sign in to leave a comment.