"A virtual private network, or VPN, is an encrypted connection over the Internet from a device to a network. The encrypted connection helps ensure that sensitive data is safely transmitted. It prevents unauthorized people from eavesdropping on the traffic and allows the user to conduct work remotely."
What is Firewalla VPN Server?
Firewalla VPN Server places the VPN server inside your house. it runs inside of that little Firewalla box. This VPN service must be used by you when you are outside of the house. And you get the same level of security protection as if you are at home, provided by Firewalla.
Connect to Firewalla VPN = You are at Home
Easy to setup
- You don't need to open additional ports on your router.
- You don't need to manually port forwarding random ports from your router to home device.
- You don't need to learn complicated technology to bring up a VPN server.
- One connection allows you to access all home devices.
Secure Access
- Securely surfing the internet with the benefit of Ad blocking, blocking porn sites and malicious sites.
- Securely accessing your home camera, NAS (network attached storage), smart door knob/power plug (IoT devices), and more.
- Your own private VPN server, not shared with others.
Data Encryption
- Bypass censorship and internet filtering at work or another country.
- Prevent eavesdropping when you are on the road, at Starbucks.
Always at Home
- Take your video subscriptions anywhere. Stream Netflix, Hulu or any service just as you are at home. No restrictions.
- Access your banking / financial sites just as if you are home.
- Bypass internet censorship or filtering when traveling to a foreign country.
Free
- Free VPN Server runs inside your home network, there is no monthly fee or additional charge.
This VPN Server is NOT
- This is not the traditional VPN service where you use to hide from your service provider.
- You can not use this service to bypass Netflix restrictions. (Unless you are traveling and have a Firewalla at 'home')
What does Firewalla VPN do?
Surfing the web just as if you are at home when you are not
Firewalla VPN Server allows you to easily set up an encrypted connection from anywhere in the world to your home. Although you are outside on public network, your security protection is just as if you are at home.
- You can access the internet as secure as you are at home.
- If you are at a place that controls internet access, you can use this to get around that.
- You don't need to open additional ports on your router when you are outside and want to view your home camera or file system.
If you are looking for VPN out from your home to a 3rd party VPN provider, please see the VPN Client feature https://help.firewalla.com/hc/en-us/articles/360023379953-VPN-Client-Beta-
Access your home network from anywhere
While Firewalla VPN allows you to safely connect back home, it can also allow you easily access all your network-enabled home devices, such as IoT devices, NAS file system, etc.
The Firewalla VPN server is a transport service provided by security certificates, it is much moredifficult to be attacked than an HTTP service provided by your camera. It also encrypts all traffic between you and your home network, whatever sites you are surfing or files you are accessing are kept in private, won't be snooped by anyone in-between.
VPN Server Configuration
Here is how to configure Firewalla VPN server:
The very first step is to turn on the VPN server on your Firewalla box (Step 0). Firewalla box will start a pre-installed OpenVPN server. When the VPN server starts, it will generate a unique key and this key is only for your box.
Once you done that, click on the "Setup" arrow and it will guide you through the setup.
STEP 1: Configure Port Forwarding
If your router has UPNP enabled (as most routers do), it is simple, Firewalla will do everything for you. If your router doesn't support UPNP, Firewalla will need you to manually set up port forwarding on your home router.
Tutorial: How to set up port forwarding for VPN Server
In this step, couple things are very important to check:
- Make sure the router that your Firewalla is plugged in has a public IP assigned by your ISP.
-
If Firewalla is in DHCP mode, and your overlay network is configured to be the same subnet as primary network:
VPN server may use the Firewalla's IP address in overlay network to talk with VPN clients, instead of the IP address in primary network. When configuring port forwarding on router, make sure forward to the Firewalla's IP address in overlay network. (You can check the IP address information in Settings -> Advanced -> Network Settings)
STEP 2: Install VPN client
To use VPN, you will need to install an OpenVPN compatible client on your mobile or desktop device. We have created separate pages for a different type of devices. The download link for VPN client is included in the page.
STEP 3: Configure VPN client
Once you installed the client, you'll need a profile and a password in order to use the VPN client. The profile and password are generated by Firewalla, they are device-independent and can be shared. How to add the profile to the client, detail steps are outlined in the above device links.
Testing VPN Server
Now you have everything set up, to test if your VPN is working or not, you need to test it outside of your own network (or the separate network that Firewalla is installed on). Many routers do not have this feature called NAT-hairpin, which doesn't allow you to VPN back to your own network. (the best way is to go to LTE/4G/3G on your phone).
Still not able to connect to VPN?
If you still have problems, do following checks to diagnose the root cause.
Check 0: Wait a bit
- If you just installed Firewalla, it may take up to 1 hour to have the DDNS entry propagated. If you setup firewalla VPN within 1 hour of the first power-up of the unit, please wait a bit.
Check 1: Running in Simple mode
If you have problems with port forwarding in simple mode, try this:
- Turn off global monitoring on Firewalla: https://help.firewalla.com/hc/en-us/articles/360008407613-Turn-on-off-Monitoring
- Reboot your router
- Try again and see if the VPN works.
- If works, turn back on global monitoring on Firewalla
Check 2: Do you have Public IP
1. Login to the router that the Firewalla is plugged in and look at "WAN IP address" field.
2. Go to myip.com and compare that with (1)
If (1) and (2) are different, you don't have a public IP address. Call your ISP to get a public IP from them.
Check 3: Are you under double NAT
If you are under double NAT, that is, you have another router (second router) in front of the router (first router) that Firewalla is plugged into. If you have this configuration, you will need to do another port forwarding on the second router. Port forwarding the second router public UDP 1194 port to the first router's 1194 port.
How do you know if you have double NAT?
First, look the physical connection of the router that Firewalla is plugged into, if this router is not given by ISP, you may under double NAT.
Next, check the following:
1. Login to the router that the Firewalla is plugged in and look at "WAN IP address" field.
2. go to myip.com and compare that with (1)
If (1) and (2) are different you are definitely under double NAT. In this case, please log in to the second router and manually setup port forwarding.
Check 4: Is your router running VPN
Some router may come with a default VPN server, if you want to use Firewalla VPN, please turn off your router VPN. Otherwise, the two VPN will compete for 1194 port.
Check 5: If Firewalla is in DHCP mode, is your overlay network configured to be the same subnet as primary network?
In this case, VPN server may use the Firewalla's IP address in overlay network to talk with VPN clients, instead of the IP address in primary network. When configuring port forwarding, need to forward to the Firewalla's IP address in overlay network. (You can check the IP address information in Settings -> Advanced -> Network Settings)
Import Tips:
- If you use the VPN feature very often, we recommend you do a static port mapping. Because UPnP is not always reliable on certain routers.
- Firewalla Blue VPN profile may expire (depend on the revision of the software) around 30 days. If you encounter this issue, please just regenerate a new one,VPN->setup->scroll to bottom, reset the profile and password.
- If you ever have needs to port other than 1194, after you are done with port forwarding setup, don't forget to change your .ovpn profile (the line highlighted below):
client
dev tun
proto udp
remote xxx.d.yyy.com 1194
resolv-retry infinite
nobind
persist-key
VPN Alarm & Notification
Once VPN is setup and enabled, Firewalla will send you alarm every time a device is connected to your VPN Server. In case someone got your profile and password, you are notified when they use your VPN service.
Comments
9 comments
What is the VPN IP range for connected clients?
It is a randomly generated /24 subnet under 10.0.0.0/8
Melvin
Will clients connecting back into the firewalla's vpn get the web filtering / parental control policies setup as if the user was on the home network normally? This seems like the best feature that should be marketted if it's how it works.
Global web filtering and parental controls are applied to VPN clients too.
Device-level web filtering and parental controls are not, because VPN clients are not recognized as devices (it's on todo list).
So to enable filtering on VPN clients, please select "All devices" when configuring filters.
Melvin
Great! Will devices sold today be able to support the software update that enables the "Todo" list feature for per vpn device control?
Yes unless there are reasons, for example, Red may not support some features due to hardware performance.
Red, Blue, and Gold all run the same software and get updates periodically.
Melvin
Can Firewalla Blue work with a Red for VPN for Site to Site VPN? Is there a Site to Site VPN guide?
See this https://help.firewalla.com/hc/en-us/articles/360023379953-VPN-Client-Beta-
Any thoughts or movement to using WireGuard as the VPN ?
Please sign in to leave a comment.