"A virtual private network, or VPN, is an encrypted connection over the Internet from a device to a network. The encrypted connection helps ensure that sensitive data is safely transmitted. It prevents unauthorized people from eavesdropping on the traffic and allows the user to conduct work remotely."
- What is Firewalla VPN Server?
- What does Firewalla VPN do?
- How to Configure Firewalla VPN Server?
- Testing VPN Server
- VPN Alarm & Notification
- Active VPN Connections
- VPN Flows and Device Management
- Troubleshooting: Not able to connect to VPN?
- Advanced Tips
Firewalla also has a built-in VPN Client which can be used to talk to many 3rd Party VPN Services.
What is Firewalla VPN Server?
Firewalla VPN Server places the VPN server inside your house. It runs inside of the little Firewalla box. This VPN service can only be used when you are outside of the house. You get the same level of security protection as if you are at home, provided by Firewalla.
Connect to Firewalla VPN = You are at Home
Easy to setup
- You don't need to open additional ports on your router.
- You don't need to manually port forwarding random ports from your router to your home devices.
- You don't need to learn complicated technology to bring up a VPN server.
- One connection allows you to access all home devices.
Secure Access
- Securely surf the internet with the benefit of Ad blocking, blocking porn sites and malicious sites.
- Securely access your home camera, NAS (network attached storage), smart door knob/power plug (IoT devices), and more.
- Your own private VPN server, not shared with others.
Data Encryption
- Bypass censorship and internet filtering at work or another country.
- Prevent eavesdropping when you are on the road, at Starbucks.
Always at Home
- Take your video subscriptions anywhere. Stream Netflix, Hulu or any service just as you are at home. No restrictions.
- Access your banking / financial sites as if you are home.
- Bypass internet censorship or filtering when traveling to a foreign country.
Free
- Free VPN Server runs inside your home network. There is no monthly fee or additional charge.
What This VPN Server is NOT
- This is not the traditional VPN service that you use to hide from your service provider.
- You can not use this service to bypass Netflix restrictions. (Unless you are traveling and have a Firewalla at 'home')
What does Firewalla VPN do?
Surf the web as if you are at home when you are not
Firewalla VPN Server allows you to easily set up an encrypted connection from anywhere in the world to your home. Although you are outside on public network, your security protection is the same as at home.
- You can access the internet as secure as you are at home.
- If you are at a place that controls internet access, you can use this to get around it.
- You don't need to open additional ports on your router when you are outside and want to view your home camera or file system.
If you are looking for VPN out from your home to a 3rd party VPN provider, please check out the VPN Client feature: https://help.firewalla.com/hc/en-us/articles/360023379953-VPN-Client-Beta-
Access your home network from anywhere
While Firewalla VPN allows you to safely connect back home, it can also allow you to easily access all your network-enabled home devices, such as IoT devices, NAS file system, etc.
The Firewalla VPN server is a transport service provided by security certificates. It is much more difficult to be attacked than an HTTP service provided by your camera. It also encrypts all traffic between you and your home network. Whatever sites you are surfing or files you are accessing are kept in private, and won't be snooped by anyone in-between.
VPN Server Configuration
Firewalla VPN server supports two types of VPN, please refer to the links below to see how each of them can be configured:
Testing VPN Server
Now you have everything set up. To test if your VPN is working, you need to test it outside of your own network, i.e. a network separate from the one Firewalla is installed on (many routers do not have this feature called NAT-hairpin which can allow you to VPN back to your own network). For example, if you are testing this on your phone with a VPN client installed, the best way is to switch it to cellular mode.
VPN Alarm & Notification
Once VPN is set up and enabled, Firewalla will send you an alarm every time a device is connected to your VPN Server. In case someone got hold of your profile and password, you are notified when they use your VPN service.
Active VPN Connections
If you have the VPN Server feature enabled, Firewalla App is able to show you how many active VPN connections are connected to your Firewalla box, where they’ve been connected from, and how much data has been transferred between your Firewalla box (as VPN server) and the VPN clients.
On Firewalla App’s main screen, if anyone is connected to your Firewalla box via VPN, there will be a green tag shown on the VPN server button. Tap the VPN server button -> Active VPN connections, tap any connection to view more details of it. If you’d like to know exactly where the connection is initiated from, you can tap the Endpoint IP address and do a quick security lookup.
If you spot any suspicious or unwanted VPN connections, tap the “View VPN Profile” button to revoke the access or reset the profile, or tap the “View Network Detail” / “View Device Detail” button to pause a specific type of traffic.
VPN Flows and Device Management
OpenVPN:
Devices connected to the Firewalla OpenVPN server can be managed together. On the Devices list -> Networks tab, find the OpenVPN network and tap to enter the network detail page, you can view the network flows, and manage rules on the entire network.
WireGuard:
For devices that are connected to the Firewalla WireGuard VPN server, you can manage them just like your local devices. The VPN devices will be shown up on the devices list, tap any of the VPN devices, you can view the network flows, and basic info and apply any rules or features individually.
Not able to connect to VPN?
If you still have problems, check the following:
Check 0: Wait a bit
- If you just installed Firewalla, it may take up to 1 hour to have the DDNS entry propagated. If you set up Firewalla VPN within 1 hour of the first power-up of the unit, please wait a bit.
- If you are running firewalla under NAT in router mode or in DHCP/simple mode, please make sure you do correct port forwarding on your main router. Tutorial: How to set up port forwarding for VPN Server
(Port forward is NOT needed if you are running in router mode and firewalla is your main router and has a public IP address)
Check 1: Running in Simple mode
If you have problems with port forwarding in simple mode, try this:
- Turn off global monitoring on Firewalla: https://help.firewalla.com/hc/en-us/articles/360008407613-Turn-on-off-Monitoring
- Reboot your router
- Try again and see if the VPN works.
- If works, turn back on global monitoring on Firewalla
Check 2: Do you have Public IP
1. Login to the router that the Firewalla is plugged in and look at the "WAN IP address" field.
2. Go to myip.com and compare that with (1)
If (1) and (2) are different, you don't have a public IP address. Call your ISP to get a public IP from them.
Check 3: Are you under double NAT
If you are under double NAT, that is, you have another router (second router) in front of the router (first router) that Firewalla is plugged into. If you have this configuration, you will need to do another port forwarding on the second router. Port forwarding the second router's public UDP 1194 port to the first router's 1194 port.
How do you know if you have double NAT?
First, look the physical connection of the router that Firewalla is plugged into. If this router is not given by the ISP, you may be under double NAT.
Next, check the following:
1. Login to the router that the Firewalla is plugged in and look at "WAN IP address" field.
2. go to myip.com and compare that with (1)
If (1) and (2) are different you are definitely under double NAT. In this case, please log in to the second router and manually setup port forwarding.
Check 4: Is your router running VPN
Some router may come with a default VPN server. If you want to use Firewalla VPN, please turn off your router VPN. Otherwise, the two VPN's will compete for 1194 port.
Check 5: If Firewalla is in DHCP mode, is your overlay network configured to be the same subnet as primary network?
In this case, VPN server may use the Firewalla's IP address in the overlay network to talk to VPN clients, instead of the IP address in primary network. When configuring port forwarding, you need to forward to the Firewalla's IP address in the overlay network. (You can check the IP address information in Settings -> Advanced -> Network Settings)
More Tips:
- If you use the VPN feature very often, we recommend that you do a static port mapping, because UPnP is not always reliable on certain routers.
- If you ever have needs to use port other than 1194, after you are done with port forwarding setup, don't forget to change your .ovpn profile (the line highlighted below):
client
dev tun
proto udp
remote xxx.d.yyy.com 1194
resolv-retry infinite
nobind
persist-key
Advanced Tips
- If your router can reserve an IP address for Firewalla, please do so. This will avoid problems if you have static port mapping.
- By default, Firewalla uses UPnP to map VPN ports, we have seen some routers are buggy, and may lose this port mapping to avoid this
- You can turn off and on VPN Server, this usually will fix the problem
- You should just add a static port mapping in your router if you use the VPN feature often.
- VPN Split Tunneling https://help.firewalla.com/hc/en-us/community/posts/360047915253
- If you are using Firewalla Gold, you can manage the VPN Server Network in Network manager, and edit the VPN subnet if you want.
Note
- If you are using Windows machine, the best is to disconnect VPN on Windows when you are already home.
Comments
30 comments
What is the VPN IP range for connected clients?
It is a randomly generated /24 subnet under 10.0.0.0/8
Melvin
Will clients connecting back into the firewalla's vpn get the web filtering / parental control policies setup as if the user was on the home network normally? This seems like the best feature that should be marketted if it's how it works.
Global web filtering and parental controls are applied to VPN clients too.
Device-level web filtering and parental controls are not, because VPN clients are not recognized as devices (it's on todo list).
So to enable filtering on VPN clients, please select "All devices" when configuring filters.
Melvin
Great! Will devices sold today be able to support the software update that enables the "Todo" list feature for per vpn device control?
Yes unless there are reasons, for example, Red may not support some features due to hardware performance.
Red, Blue, and Gold all run the same software and get updates periodically.
Melvin
Can Firewalla Blue work with a Red for VPN for Site to Site VPN? Is there a Site to Site VPN guide?
See this https://help.firewalla.com/hc/en-us/articles/360023379953-VPN-Client-Beta-
Any thoughts or movement to using WireGuard as the VPN ?
Can I connect to the openvpn server when I only have ipv6 with ds-lite tunnel (no public ipv4 address)?
@Alex, only ipv4 is supported at this moment.
@Sean,
We have been testing WireGuard internally, so far the result is promising.
Will I be able to use my own domain name (that points to my external IP address) instead of using the one provided by Firewalla?
Yes
You can just change the server name in the downloaded VPN profile to your own domain name, before importing to your VPN client.
This needs to be updated for gold which auto configures port forwarding. (Maybe that is only in beta?)
Hi, how many VPN clients can connect to Firewalla Gold, simultaneously?
Thank you
Are the individual devices issued a unique key/cert which is used for authentication when connecting to the VPN?
There is one for all the devices. We may go to multiple profile support in the future, but those likely to be used by business users.
@firewalla may I know how many devices (my mobile and ipad when I'm at airport for example) simultaneously can connect at a time to the Firewalla Gold VPN?
You an connect many ... it is only limited by the amount of memory (a lot) and also your bandwidth (upload and download)
I got WireGuard up and running on my Firewalla Gold. The problem I am having is I can't get internet connectivity. I had a similar problem on another device and the problem was in the network interface in the iptables rules.
What is the issue here?
Here is what I did.
Install prerequisites and download source code
Compile and install the module
Compile and install the wg(8) tool
Enable IP Forwarding
sudo perl -pi -e 's/#{1,}?net.ipv4.ip_forward ?= ?(0|1)/net.ipv4.ip_forward = 1/g' /etc/sysctl.confReboot
Verify that IP Forwarding is enabled
The result should be
Generate Private And Public Keys For Server And Client
Verify the keys were generated
View the keys with
Configure WireGuard Server
Make a wg0.conf file in ‘/etc/wireguard/’ Make sure that the correct network is selected. Edit the wlan0 entry as needed. This will block internet connectivity on the remote device.
This is where I think my setup is failing - I tried br0, eth0, eth1, eth2, eth3 - none worked.
Configure Wireguard Client
Make a peer1.conf file in ‘/etc/wireguard/’
Export The Client Configuration To Your Phone Using QR Code
A QR code will be generated, scan this code and import it to the WireGuard app on a phone.
Finalize Installation
After the client profile has been imported to a phone run these commands to finish the installation
Checking Status
Should result in
(No real keys are shown here.)
How many other clients ( Red, Blue/Plus, Gold) can be connected simultaneously to Gold VPN server?
Hoow many clients can connect to my home network via VPN on a purple?
Anyone had luck to connect a Synology NAS to FW VPN Server?
I am running a wireguard server on my Gold and I can connect to it just fine. I get internet and can access my local devices. However, I'm only able to access local devices using their ip and not their dns record. I have mdns reflector activated but I dont know what else to do.
Any thoughts?
Thanks!
@Palta, you can access them via either local domain or search domain. Have you tried this? Difference between Search Domain & Local Domain
@Firewalla, I did try. Both my search and local domains are .local.
I setup the DNS server of the Wireguard VPN Server to be 10.0.0.1 (which is the same as the one in my local network), otherwise it doesn't even work with IPs. Adblock is working.
Any other thoughts? Thanks!
My mobile provider only support IPv6. Are there any plans to support Wireguard Vpn over IPv6?
I suspect it’s planned but it’s very hard to implement. Here is why.
If you are using WireGuard with IPv6, then you will need to generate a unique local IPv6 unicast address prefix based on the algorithm in RFC 4193. The addresses that you use with WireGuard will be associated with a virtual tunnel interface. You will need to complete a few steps to generate a random, unique IPv6 prefix within the reserved fd00::/8 block of private IPv6 addresses.
According to the RFC, the recommended way to obtain a unique IPv6 prefix is to combine the time of day with a unique identifying value from a system like a serial number or device ID. Those values are then hashed and truncated resulting in a set of bits that can be used as a unique address within the reserved private fd00::/8 block of IPs.
To get started generating an IPv6 range for your WireGuard Server, collect a 64-bit timestamp using the date utility with the following command:
date +%s%N
You will receive a number like the following, which is the number of seconds (the %s in the date command), and nanoseconds (the %N) since 1970-01-01 00:00:00 UTC combined together:
1650301699497770167
Record the value somewhere for use later in this section. Next, copy the machine-id value for your server from the /var/lib/dbus/machine-id file. This identifier is unique to your system and should not change for as long as the server exists.
cat /var/lib/dbus/machine-id
You will receive output like the following:
/var/lib/dbus/machine-id
610cef4946ed46da8f71dba9d66c67fb
Now you need to combine the timestamp with the machine-id and hash the resulting value using the SHA-1 algorithm. The command will use the following format:
printf | sha1sum
Run the command substituting in your timestamp and machine identity values:
printf 1650301699497770167610cef4946ed46da8f71dba9d66c67fb | sha1sum
You will receive a hash value like the following:
442adea1488d96388dae9ab816045b24609a6c18 -
Note that the output of the sha1sum command is in hexadecimal, so the output uses two characters to represent a single byte of data. For example 4f and 26 in the example output are the first two bytes of the hashed data.
The algorithm in the RFC only requires the least significant (trailing) 40 bits, or 5 bytes, of the hashed output. Use the cut command to print the last 5 hexadecimal encoded bytes from the hash:
printf 442adea1488d96388dae9ab816045b24609a6c18 | cut -c 31-
The -c argument tells the cut command to select only a specified set of characters. The 31- argument tells cut to print all the characters from position 31 to the end of the input line.
You should receive output like the following:
24609a6c18
In this example output, the set of bytes is: 24 60 9a 6c 18.
Now you can construct your unique IPv6 network prefix by appending the 5 bytes you have generated with the fd prefix, separating every 2 bytes with a : colon for readability. Because each subnet in your unique prefix can hold a total of 18,446,744,073,709,551,616 possible IPv6 addresses, you can restrict the subnet to a standard size of /64 for simplicity.
Using the bytes previously generated with the /64 subnet size the resulting prefix will be the following:
Unique Local IPv6 Address Prefix
fd24:609a:6c18::/64
This fd24:609a:6c18::/64 range is what you will use to assign individual IP addresses to your WireGuard tunnel interfaces on the server and peers. To allocate an IP for the server, add a 1 after the final :: characters. The resulting address will be fd24:609a:6c18::1/64. Peers can use any IP in the range, but typically you’ll increment the value by one each time you add a peer e.g. fd24:609a:6c18::2/64.
Any plans to support IPv6??
Please sign in to leave a comment.