Learn how to set up a VPN on your Firewalla device with our step-by-step guide. We explain what a VPN is and how it can benefit you, as well as the different types of VPN protocols available. Follow our instructions to configure your VPN, whether you're using a third-party provider or using the VPN server included with your Firewalla. Firewalla VPN can help you stay secure and anonymous online.
"A virtual private network, or VPN, is an encrypted connection over the Internet from a device to a network. The encrypted connection helps ensure that sensitive data is safely transmitted. It prevents unauthorized people from eavesdropping on the traffic and allows the user to conduct work remotely."
- What is Firewalla VPN Server?
- What does Firewalla VPN do?
- VPN Server Configuration and IPv6
- Testing VPN Server
- VPN Alarm & Notification
- Active VPN Connections
- VPN Flows and Device Management
- Troubleshooting: Not able to connect to VPN
- My Connection to VPN Server Is slow
- Advanced Tips
Firewalla also has a built-in VPN Client, which can be used to talk to many 3rd Party VPN Services.
What is Firewalla VPN Server?
Firewalla VPN Server places a VPN server inside your home. This VPN service can only be used when you are outside of the house. You get the same level of security protection as if you are at home, provided by Firewalla.
Connect to Firewalla VPN = You are at Home
Easy to set up
- You don't need to open additional ports on your router.
- You don't need to manually port forward random ports from your router to your home devices.
- You don't need to learn complicated technology to bring up a VPN server.
- One connection allows you to access all home devices.
Secure Access
- Securely surf the internet with the benefits of ad blocking and the blocking of porn and malicious sites.
- Safely access your home cameras, NAS (network attached storage), smart door knobs/power plugs (IoT devices), and more.
- Use your own private VPN server that is not shared with others, without any subscription.
Data Encryption
- Bypass censorship and internet filtering at work or in another country.
- Prevent eavesdropping when you are on the road, e.g. at Starbucks.
Surf like you are always Home
- Take your video subscriptions anywhere. Stream Netflix, Hulu or any service as if you are at home. No restrictions.
- Access your banking / financial sites as if you are home.
- Bypass internet censorship or filtering when traveling to a foreign country.
Free
- Free VPN Server runs inside your home network. There is no monthly fee or additional charge.
What This VPN Server is NOT
- This is not the traditional VPN service that you use to hide from your service provider.
- You cannot use this service to bypass Netflix restrictions (unless you are traveling and have a Firewalla at 'home').
What does Firewalla VPN do?
Surf the web as if you are at home when you are not
Firewalla VPN Server allows you to easily set up an encrypted connection from anywhere in the world to your home. Even if you are on a public network, your security protection is the same as at home when you connect to your Firewalla VPN Server.
- You can access the internet as securely as you would at home.
- If you are at a place that controls internet access, you can use this to get around it.
- You don't need to open additional ports on your router when you are outside and want to view your home camera or file system.
If you are looking for VPN out from your home to a 3rd party VPN provider, please check out the VPN Client feature: https://help.firewalla.com/hc/en-us/articles/360023379953-VPN-Client-Beta-
Access your home network from anywhere
Firewalla VPN Server allows you to safely connect back home, allowing easy access to all your network-enabled home devices, such as IoT devices, NAS file system, etc. It encrypts all traffic between you and your home network, making it much more difficult to attack. Whatever sites or files you are accessing are kept private and won't be snooped on by anyone in between.
VPN Server Configuration and IPv6
Firewalla VPN Server supports two types of VPN: OpenVPN and WireGuard. Please refer to the links below for configuration instructions:
Firewalla supports running your VPN server on an IPv6 address. For example, if your primary WAN is behind CGNAT, which doesn't support port forwarding, you can set the WAN Interface for DDNS and your VPN server to your backup WAN, or change the IP type to IPv6 Only. You may specify an IP address if you have multiple static IPs on the same WAN.
To manually specify the WAN interface and IP type, tap your server's Setup, then tap DDNS. You can then modify its IP Address Type and WAN Interface as needed.
Testing VPN Server
Now you have everything set up. To test whether your VPN is working, you need to test it from outside your own network, i.e. from a network separate from the one Firewalla is installed on (many routers lack the feature called NAT hairpinning that would allow you to VPN back into your own network from inside it). For example, if you are testing on a phone with a VPN client installed, the best way is to switch the phone to cellular data.
VPN Alarm & Notification
Once Firewalla VPN Server is set up and enabled, Firewalla will automatically send you an alarm every time a device is connected to your VPN Server. If someone manages to get ahold of your profile and password (e.g. you lose your device), you are notified when they use your VPN service. If your profile is ever compromised, you can also reset the password or deactivate the profile and set up a new one.
Active VPN Connections
If you have the VPN Server feature enabled, Firewalla app will show you how many VPN connections are currently active, where they’ve been connected from, and how much data has been transferred between your Firewalla box (as VPN server) and the VPN clients.
On the Firewalla App's main screen, if anyone is connected to your Firewalla box via VPN, a green tag is shown on the VPN Server button. Tap the VPN Server button -> Active VPN Connections, then tap any connection to view its details. If you'd like to know exactly where the connection was initiated from, you can tap the Endpoint IP address and do a quick security lookup.
If you spot any suspicious or unwanted VPN connections, tap the “View VPN Profile” button to revoke the access or reset the profile, or tap the “View Network Detail” / “View Device Detail” button to pause a specific type of traffic.
VPN Flows and Device Management
OpenVPN:
Devices connected to the Firewalla OpenVPN server can be managed together. On the Devices list -> Networks tab, find the OpenVPN network and tap it to open the network detail page, where you can view the network flows and manage rules for the entire network.
WireGuard:
Devices connected to the Firewalla WireGuard VPN server can be managed just like your local devices. VPN devices show up in the devices list; tap any of them to view its network flows and basic info, and to apply rules or features to it individually.
Trouble Connecting to Firewalla VPN Server
If you still have problems, check the following:
Check 0: Wait a bit
- If you just installed Firewalla, it may take up to 1 hour for the DDNS entry to propagate. If you set up Firewalla VPN within 1 hour of the first power-up of the unit, please wait a bit.
- If you are running Firewalla behind NAT (in router mode behind another router, or in DHCP/simple mode), make sure port forwarding is configured correctly on your main router. Tutorial: How to set up port forwarding for VPN Server
(Port forwarding is NOT needed if you are running in router mode and Firewalla is your main router with a public IP address.)
Check 1: Simple mode only
If you have problems with port forwarding when Firewalla is in Simple mode, try this:
- Turn off global monitoring on Firewalla: https://help.firewalla.com/hc/en-us/articles/360008407613-Turn-on-off-Monitoring
- Reboot your router.
- Try again and see if the VPN works.
- If it works, turn global monitoring back on in Firewalla.
Check 2: Do you have Public IP?
1. Log in to the router that the Firewalla is plugged into and look at the "WAN IP address" field.
2. Go to myip.com and compare that with (1).
If (1) and (2) are different, you don't have a public IP address. The easiest solution is to call your ISP and ask for a public IP.
Check 3: Are you under double NAT?
If you have one router in front of another and both are doing routing (Network Address Translation, or NAT), you have double NAT. For example, this might look like:
Router {router mode} > Firewalla {router mode} > switch
OR
Router A {router mode} > Router B {router mode with DHCP off} > Firewalla {DHCP mode} > switch
Generally, it is easier to configure things if you can avoid double NAT, but there are times when that just isn't possible.
If you have this configuration, you will need to forward the port the VPN uses on the first router to the second router, i.e. forward UDP port 1194 on the first router to UDP port 1194 on the second router.
How do you know if you have double NAT?
First, look at the physical connection of the router that Firewalla is plugged into. If this router was not provided by the ISP, you may be under double NAT.
Next, check the following:
1. Log in to the router that the Firewalla is plugged into and look at the "WAN IP address" field.
2. Go to myip.com and compare that with (1).
If (1) and (2) are different, you have a double NAT configuration. In this case, check that the first (outer) router has port forwarding to the second router, and set up the port forwarding manually if needed. If Firewalla is the second router, you should now be able to verify that the VPN port shows as "Complete" (check this under VPN Server > WireGuard / OpenVPN setup).
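Checks 2 and 3 boil down to comparing each router's WAN address with the public address seen from the internet, then forwarding the VPN port through every NAT hop in front of the box. The following script is an added example, not Firewalla's own code; the Hop records, the RFC 1918 / RFC 6598 ranges, and the sample addresses are assumptions for illustration.

```python
"""Double NAT / CGNAT check and port-forwarding plan for a Firewalla VPN server."""
import ipaddress
from typing import NamedTuple

# WAN addresses in these ranges are not public, so Check 2 would fail.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 carrier-grade NAT space


class Hop(NamedTuple):
    name: str     # device label, e.g. "ISP router" (constructed for this example)
    wan_ip: str   # the address its upstream neighbour uses to reach it
    nat: bool     # True if the device does NAT (router mode); False for DHCP/simple mode


def classify_wan(wan_ip: str, public_ip: str) -> str:
    """Check 2: compare a router's WAN field with what myip.com reports."""
    wan = ipaddress.ip_address(wan_ip)
    if wan == ipaddress.ip_address(public_ip):
        return "public"          # this router owns the public address
    if wan in CGNAT:
        return "cgnat"           # ISP-side NAT: no forwarding rule on your side can fix it
    if any(wan in net for net in RFC1918):
        return "double-nat"      # another NAT device sits in front of this router
    return "unknown-nat"


def plan_port_forwarding(hops, public_ip, port=1194, proto="udp"):
    """Check 3: given the device chain from the ISP inward (last hop = Firewalla),
    return the outer WAN status, the NAT depth, and the forwarding rules needed
    so that `proto`/`port` (1194 is the page's OpenVPN example) reaches the box."""
    outer_wan = classify_wan(hops[0].wan_ip, public_ip)
    nat_depth = sum(h.nat for h in hops)
    if outer_wan == "cgnat":
        advice = ["ask ISP for a public IP, or use a backup WAN / IPv6-only DDNS"]
        return {"outer_wan": outer_wan, "nat_depth": nat_depth, "rules": advice}
    rules = []
    for here, nxt in zip(hops, hops[1:]):
        if here.nat:  # only NAT devices need a rule; the next hop's address is the target
            rules.append(f"{here.name}: forward {proto}/{port} -> {nxt.wan_ip}:{port}")
    if len(hops) == 1 and outer_wan == "public":
        rules.append("no port forwarding needed")  # Firewalla is the main router (Check 0)
    return {"outer_wan": outer_wan, "nat_depth": nat_depth, "rules": rules}


if __name__ == "__main__":
    # Constructed example matching the page's "Router > Firewalla {router mode}" case.
    chain = [Hop("ISP router", "203.0.113.5", True), Hop("Firewalla", "192.168.1.2", True)]
    print(plan_port_forwarding(chain, "203.0.113.5"))
```

A NAT depth of 2 or more with a public outer address is the double NAT case of Check 3, and each listed rule is one forwarding entry to create on that router.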
Check 4: Is your router running VPN?
Some routers come with a default VPN server. If you want to use Firewalla VPN, you should turn off your router's VPN.
Check 5: If Firewalla is in DHCP mode, is your overlay network configured to be the same subnet as the primary network? (Firewalla Red, Blue and Blue Plus only)
In this case, the VPN server may use Firewalla's IP address in the overlay network to talk to VPN clients, instead of its IP address in the primary network. When configuring port forwarding, you need to forward to Firewalla's IP address in the overlay network. (You can check the IP address information in Settings -> Advanced -> Network Settings.)
More Tips:
- If you use the VPN feature very often, we recommend that you set up a static port mapping, because UPnP is not always reliable on certain routers.
- If you ever need to change the VPN port you may have to regenerate your VPN profile.
Community Tips:
- If you're trying to access your Firewalla VPN Server using the T-Mobile cellular network and you cannot access your local devices, try lowering your MTU from the OpenVPN or WireGuard client on the device you're using. See this community post for more info.
My connection to the Firewalla VPN Server is slow
Your VPN client connection will always be equal to, or slightly less than, the slower of:
- The upload speed of the ISP connection where your Firewalla is running.
- The speed of your remote connection to the VPN Server.
So if your Firewalla has an 80Mbps upload connection, your VPN client is going to be limited to something slightly under that regardless of how fast your remote connection is, because the VPN is putting traffic through your home network and there is always some overhead associated with that as well. If you happen to have a connection to your Firewalla VPN Server that is slower than that (say you have a poor connection on your phone), that will be the gating factor.
Advanced Tips
- If your router can reserve an IP address for Firewalla, please do so. This will avoid problems if you have a static port mapping.
- By default, Firewalla uses UPnP to map VPN ports. We have seen that some routers are buggy and may lose this port mapping. To avoid this:
- You can turn the VPN Server off and on again; this usually fixes the problem.
- You should add a static port mapping in your router if you use the VPN feature often.
- VPN Split Tunneling https://help.firewalla.com/hc/en-us/community/posts/360047915253
- If you are using Firewalla Gold, you can manage the VPN Server Network in Network manager, and edit the VPN subnet if you want.
Note
- On Windows, we recommend disconnecting VPN on Windows when you are on your home network.
- On iOS, if you have trouble connecting and see a message like this:
Please go to OpenVPN > Settings > Advanced Settings > and choose "Legacy".
Comments
What is the VPN IP range for connected clients?
It is a randomly generated /24 subnet under 10.0.0.0/8
Melvin
Will clients connecting back into the firewalla's vpn get the web filtering / parental control policies setup as if the user was on the home network normally? This seems like the best feature that should be marketed if it's how it works.
Global web filtering and parental controls are applied to VPN clients too.
Device-level web filtering and parental controls are not, because VPN clients are not recognized as devices (it's on the todo list).
So to enable filtering on VPN clients, please select "All devices" when configuring filters.
Melvin
Great! Will devices sold today be able to support the software update that enables the "Todo" list feature for per vpn device control?
Yes unless there are reasons, for example, Red may not support some features due to hardware performance.
Red, Blue, and Gold all run the same software and get updates periodically.
Melvin
Can Firewalla Blue work with a Red for VPN for Site to Site VPN? Is there a Site to Site VPN guide?
See this https://help.firewalla.com/hc/en-us/articles/360023379953-VPN-Client-Beta-
Any thoughts or movement to using WireGuard as the VPN ?
Can I connect to the openvpn server when I only have ipv6 with ds-lite tunnel (no public ipv4 address)?
@Alex, only ipv4 is supported at this moment.
@Sean,
We have been testing WireGuard internally, so far the result is promising.
Will I be able to use my own domain name (that points to my external IP address) instead of using the one provided by Firewalla?
Yes
You can just change the server name in the downloaded VPN profile to your own domain name, before importing to your VPN client.
This needs to be updated for gold which auto configures port forwarding. (Maybe that is only in beta?)
Hi, how many VPN clients can connect to Firewalla Gold, simultaneously?
Thank you
Are the individual devices issued a unique key/cert which is used for authentication when connecting to the VPN?
There is one for all the devices. We may go to multiple profile support in the future, but those likely to be used by business users.
@firewalla may I know how many devices (my mobile and ipad when I'm at airport for example) simultaneously can connect at a time to the Firewalla Gold VPN?
You can connect many ... it is only limited by the amount of memory (a lot) and also your bandwidth (upload and download)
I got WireGuard up and running on my Firewalla Gold. The problem I am having is I can't get internet connectivity. I had a similar problem on another device and the problem was in the network interface in the iptables rules.
What is the issue here?
Here is what I did.
Install prerequisites and download source code
Compile and install the module
Compile and install the wg(8) tool
Enable IP Forwarding
Reboot
Verify that IP Forwarding is enabled
The result should be
Generate Private And Public Keys For Server And Client
Verify the keys were generated
View the keys with
Configure WireGuard Server
Make a wg0.conf file in '/etc/wireguard/'. Make sure that the correct network is selected. Edit the wlan0 entry as needed. This will block internet connectivity on the remote device.
This is where I think my setup is failing - I tried br0, eth0, eth1, eth2, eth3 - none worked.
Configure Wireguard Client
Make a peer1.conf file in ‘/etc/wireguard/’
Export The Client Configuration To Your Phone Using QR Code
A QR code will be generated, scan this code and import it to the WireGuard app on a phone.
Finalize Installation
After the client profile has been imported to a phone run these commands to finish the installation
Checking Status
Should result in
(No real keys are shown here.)
How many other clients ( Red, Blue/Plus, Gold) can be connected simultaneously to Gold VPN server?
How many clients can connect to my home network via VPN on a purple?
Anyone had luck to connect a Synology NAS to FW VPN Server?
I am running a wireguard server on my Gold and I can connect to it just fine. I get internet and can access my local devices. However, I'm only able to access local devices using their ip and not their dns record. I have mdns reflector activated but I don't know what else to do.
Any thoughts?
Thanks!
@Palta, you can access them via either local domain or search domain. Have you tried this? Difference between Search Domain & Local Domain
@Firewalla, I did try. Both my search and local domains are .local.
I setup the DNS server of the Wireguard VPN Server to be 10.0.0.1 (which is the same as the one in my local network), otherwise it doesn't even work with IPs. Adblock is working.
Any other thoughts? Thanks!
My mobile provider only supports IPv6. Are there any plans to support Wireguard Vpn over IPv6?
I suspect it’s planned but it’s very hard to implement. Here is why.
If you are using WireGuard with IPv6, then you will need to generate a unique local IPv6 unicast address prefix based on the algorithm in RFC 4193. The addresses that you use with WireGuard will be associated with a virtual tunnel interface. You will need to complete a few steps to generate a random, unique IPv6 prefix within the reserved fd00::/8 block of private IPv6 addresses.
According to the RFC, the recommended way to obtain a unique IPv6 prefix is to combine the time of day with a unique identifying value from a system like a serial number or device ID. Those values are then hashed and truncated resulting in a set of bits that can be used as a unique address within the reserved private fd00::/8 block of IPs.
To get started generating an IPv6 range for your WireGuard Server, collect a 64-bit timestamp using the date utility with the following command:
date +%s%N
You will receive a number like the following, which is the number of seconds (the %s in the date command), and nanoseconds (the %N) since 1970-01-01 00:00:00 UTC combined together:
1650301699497770167
Record the value somewhere for use later in this section. Next, copy the machine-id value for your server from the /var/lib/dbus/machine-id file. This identifier is unique to your system and should not change for as long as the server exists.
cat /var/lib/dbus/machine-id
You will receive output like the following:
/var/lib/dbus/machine-id
610cef4946ed46da8f71dba9d66c67fb
Now you need to combine the timestamp with the machine-id and hash the resulting value using the SHA-1 algorithm. The command will use the following format:
printf | sha1sum
Run the command substituting in your timestamp and machine identity values:
printf 1650301699497770167610cef4946ed46da8f71dba9d66c67fb | sha1sum
You will receive a hash value like the following:
442adea1488d96388dae9ab816045b24609a6c18 -
Note that the output of the sha1sum command is in hexadecimal, so the output uses two characters to represent a single byte of data. For example 4f and 26 in the example output are the first two bytes of the hashed data.
The algorithm in the RFC only requires the least significant (trailing) 40 bits, or 5 bytes, of the hashed output. Use the cut command to print the last 5 hexadecimal encoded bytes from the hash:
printf 442adea1488d96388dae9ab816045b24609a6c18 | cut -c 31-
The -c argument tells the cut command to select only a specified set of characters. The 31- argument tells cut to print all the characters from position 31 to the end of the input line.
You should receive output like the following:
24609a6c18
In this example output, the set of bytes is: 24 60 9a 6c 18.
Now you can construct your unique IPv6 network prefix by appending the 5 bytes you have generated with the fd prefix, separating every 2 bytes with a : colon for readability. Because each subnet in your unique prefix can hold a total of 18,446,744,073,709,551,616 possible IPv6 addresses, you can restrict the subnet to a standard size of /64 for simplicity.
Using the bytes previously generated with the /64 subnet size the resulting prefix will be the following:
Unique Local IPv6 Address Prefix
fd24:609a:6c18::/64
This fd24:609a:6c18::/64 range is what you will use to assign individual IP addresses to your WireGuard tunnel interfaces on the server and peers. To allocate an IP for the server, add a 1 after the final :: characters. The resulting address will be fd24:609a:6c18::1/64. Peers can use any IP in the range, but typically you’ll increment the value by one each time you add a peer e.g. fd24:609a:6c18::2/64.
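The prefix derivation walked through in the comment above (timestamp + machine-id, SHA-1, trailing 40 bits, fd00::/8 prefix, /64 subnet) and the ::1 / ::2 tunnel addressing that follows it, as an added example written for this page rather than code from the commenter or from Firewalla. It assumes the commenter's simplified input choice (a nanosecond timestamp and the dbus machine-id) and uses the hash shown in the comment only to check the string handling; the function and variable names are mine.

```python
"""Unique local IPv6 /64 for a WireGuard tunnel, following the RFC 4193 recipe above."""
import hashlib
import ipaddress


def global_id(timestamp_ns: int, machine_id: str) -> str:
    """SHA-1 of timestamp followed by machine-id, keeping the trailing 40 bits.
    Equivalent to: printf <timestamp><machine-id> | sha1sum | cut -c 31-"""
    digest = hashlib.sha1(f"{timestamp_ns}{machine_id}".encode()).hexdigest()
    return global_id_from_digest(digest)


def global_id_from_digest(digest_hex: str) -> str:
    """The last 5 bytes (10 hex characters) of a 40-character SHA-1 hex digest."""
    if len(digest_hex) != 40:
        raise ValueError("expected a 40-character SHA-1 hex digest")
    return digest_hex[-10:]


def ula_prefix(gid_hex: str, subnet_id: int = 0) -> ipaddress.IPv6Network:
    """Assemble fd | 40-bit global ID | 16-bit subnet ID into a /64 network.
    RFC 4193 ULAs are fc00::/7; the locally assigned half is fd00::/8."""
    if len(gid_hex) != 10:
        raise ValueError("global ID must be exactly 40 bits (10 hex characters)")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID is a 16-bit field")
    # 8 + 40 + 16 = 64 prefix bits; the interface ID (low 64 bits) is left zero.
    top64 = (0xFD << 56) | (int(gid_hex, 16) << 16) | subnet_id
    return ipaddress.IPv6Network((top64 << 64, 64))


def tunnel_addresses(prefix: ipaddress.IPv6Network, peers: int):
    """Server takes ::1, peers take ::2, ::3, ... as address/64 strings for wg0.conf."""
    base = prefix.network_address
    return [f"{base + i}/{prefix.prefixlen}" for i in range(1, peers + 2)]


def wireguard_ula(timestamp_ns: int, machine_id: str, peers: int = 1):
    """End-to-end: inputs from the recipe -> (prefix, [server, peer1, ...])."""
    prefix = ula_prefix(global_id(timestamp_ns, machine_id))
    return prefix, tunnel_addresses(prefix, peers)


if __name__ == "__main__":
    # Constructed inputs reusing the sample values quoted in the comment above.
    print(wireguard_ula(1650301699497770167, "610cef4946ed46da8f71dba9d66c67fb", peers=2))
```

Each WireGuard endpoint's Address line would carry one of the returned address/64 strings, the server's being the ::1 entry.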
Any plans to support IPv6??