Firewalla's VPN Server supports both OpenVPN and WireGuard VPN. This is our guide on configuring a WireGuard VPN. To learn more about Firewalla's VPN Server, please refer to this article: Firewalla VPN Server.
This feature is not available on Firewalla Red or Blue.
WireGuard is a newer VPN protocol than OpenVPN. Like OpenVPN, it's also open source. WireGuard is simpler and can have a higher encryption rate. (References: https://wireguard.comhttps://en.wikipedia.org/wiki/WireGuard)
- WireGuard is UDP-based (OpenVPN can run over TCP or UDP)
- On Firewalla Gold, WireGuard performs 1.5-2x faster than OpenVPN
- The WireGuard source code is newer and simpler than OpenVPN
- Firewalla supports Site to Site VPN via WireGuard
To configure the Firewalla WireGuard Server:
1. Enable WireGuard
Tap the VPN Server icon on your box's main page in the Firewalla app, then tap the WireGuard button to turn it on.
2. Configure Port Forwarding
Similar to OpenVPN, WireGuard requires its port to be accessible from outside your network.
- If you are using Firewalla in Router mode without double NAT or CGNAT, skip this step. Port Forwarding will be shown as complete.
- If you are using Firewalla in Simple or DHCP mode, and your main router has UPnP enabled (as most routers do), Firewalla will do everything for you.
- In all other cases, you will need to make some configurations:
- If you're under double NAT, you can manually set up port forwarding. Tutorial: How to set up port forwarding for VPN Server
- If you have a working IPv6 address or another WAN with a public IP address, you can change your DDNS to “IPv6 only” or use your other WAN. This is especially useful if you're under CGNAT and your ISP doesn't allow port forwarding. To do this, tap your server's Setup, then tap DDNS. You can then modify its IP Address Type and WAN Interface as needed
3. Connect to Firewalla WireGuard VPN Server
3.1 Use The WireGuard App
Step 1: Add Clients
To connect your mobile device or computer to the Firewalla VPN server, you'll first need a VPN profile.
On the Firewalla app, tap Setup -> Add a Client, and a client will be created automatically. Tap the client and it will show you a profile and a QR code.
Note:
- Up to 25 clients are supported on the Firewalla VPN Server. For Boxes in Beta & Alpha programs, up to 100 clients are supported.
- For Firewalla Gold Pro, we've increased the limit to 50 clients, and 200 clients for boxes in Beta / Early Access programs.
- You can remove a client by tapping 'Delete This Client' at the bottom of the client profile.
- Please do NOT use the same VPN profile on different WireGuard clients at the same time.
Step 2: Set Up The WireGuard App
To connect to the VPN server, you will need to install the WireGuard app on your mobile or desktop device. Here is the installation guide provided by WireGuard.
There are two ways to use the WireGuard app to connect your device to the WireGuard VPN Server:
- Create from file, or
- Create from QR code.
Depending on which method you select, you'll need to access either the VPN client profile or QR code from the Firewalla app. Here is an example of the WireGuard app on iOS:
3.2 Using Firewalla Site to Site VPN
A Site to Site VPN allows you to securely connect any two Firewalla boxes, such that devices in one network can reach devices in the other network under the protection of Firewalla. With WireGuard, the VPN connection can have a higher encryption rate and better performance.
To create a Site-to-Site VPN connection using WireGuard, open the client side box in the Firewalla app. Then, tap VPN Client -> Create VPN Connection -> Site to Site VPN -> select the server box you'd like to connect -> Select WireGuard. You can learn more about Site to Site VPN here.
4. VPN Device Management (Gold & Purple Only)
The WireGuard VPN server creates a local network on Firewalla. All the devices will join the network once connected to the VPN. Each VPN device corresponds to a VPN client you created in the VPN server setup.
On the Devices list, tap the WireGuard network or a VPN device. You can view network flows and basic info, receive alarms, and apply rules or features to the entire VPN network or to any VPN device individually, just like any local device. You can learn more about device management here.
5. Customize Your WireGuard Settings
5.1 On-Demand Activation
If you want to ensure a device (such as your kids’ phone) always connects to your Firewalla VPN server, you can turn On-Demand Activation on your WireGuard app (iOS or Mac only; for other OSs you will need to use a separate 3rd-party app). This will automatically turn on your VPN connection when your device connects to cellular data and/or Wi-Fi.
To make sure a device is always connected to your VPN server except for when it's on your home Wi-Fi, you can add an exception. While you're editing your WireGuard configuration, enable the cellular and Wi-Fi options under On-Demand Activation. Then, tap SSIDs. Tap Except these SSIDs, then enter the name of your home network.
5.2 Adjust MTU (Advanced)
If your LTE provider requires a smaller MTU value, you can customize the MTU value per client profile on the WireGuard VPN Server.
To change the MTU:
- Go to your box's main screen > tap VPN Server > WireGuard Setup > select a client profile.
- Below the QR code, tap MTU > enter the required MTU value > tap Save.
- After the change, re-import the profile to your client device, then re-establish your VPN connection.
Note: Please use caution when changing this setting. Most WireGuard clients do not require specifying an MTU value.
Comments
20 comments
Anyone else having issues With WireGuard on the new release?
To me it looks like it’s not resolving the DNS as I can’t connect to any site through the VPN.
I’ve tried changing the DNS in the network section for WireGuard to an external DNS and still nothing. I’ve reset the config and downloaded the file again. This is on two different profiles..
All sorted, complete delete including clients. Not sure what happened the first time.
This is great. Thanks for implementing it.
Can WireGuard and the OpenVPN solution coexist on the Firewalla?
Yes, OpenVPN and Wireguard can live together nicely.
Andy Brown, I was having the same issue. I had to edit the tunnel to set the firewalla box as an allowed ip.
Hi. I am having issues enabling wireguard. I tried it as soon it was released without problems, but decided to the disabled it since i was using opvn. Now, I am trying to reenable wireguard through the phone app and I get the error "Error setting firerouter config".
Apparently Firewalla WireGuard Server now allows six profiles.
I am having similar problems. wireguard VPN is getting activated without any issues but i am not able to access any site. I tried removing the client and VPN setup completely and also tried adding the Firewalla box IP to the tunnel but still no luck. Any pointers how to resolve? I've setup my Firewalla in `Router Mode` and Wifi Router at AP mode. Thus it doesn't have Port forwarding Option enabled.
look at "port forwarding" and make sure it says "Complete". If not, it is likely your main modem/router is not in bridge mode, or you do not have a public IP. and that can be checked here. https://help.firewalla.com/hc/en-us/articles/360055686674-How-to-see-if-you-have-a-public-IP-address-
Thanks for quick response. Yes, My Wifi Router (Orbi) is in AP Mode (essentially Bridge), Firewalla Gold is in Router Mode. On Both OpenVPN and WireGuard I could see Manual Setup required. If i m not wrong, port forwarding needs to be completed at router level. Orbi in Bridge mode disables this feature (or allows all ports from router since its in bridge mode). I tried adding UDP port on Firewalla App --> Networking --> NAT Settings --> New Port Forwarding but that didn't help.
Did a speed test via Wireguard. My plan is of 250Mbps, and the Wifi I was on at friend's place was 150M. I got 100Mbps via Wireguard.
Do Firewalla’s support site to site VPN?
@phillip yes but I think OpenVPN only for now.
So I tried open vpn and Winguard. It's does work and I can browse internet. However I thought it would like connecting to my local network and would have the same protection as I was at home. Is this not the case? I did a test to block twitter.com and it still let me through. After disconnecting from vpn and connected to my local wifi, it started blocking again. Does firewalls not block with rules while on vpn?
Works fine here. This is what I see from home ads blocked and Reddit blocked.
Turn on my IPvanish VPN which effectively bypasses my FWG and acts as though I am away from home. Ads are back and Reddit works. FWG no longer filtering.
Activate WireGuard sending the traffic from IPvanish through the FWG and all the rules.
This shows WireGuard is sending all my traffic through the FWG and the rules are working.
@Keith S - can you share more details about what you are experiencing?
So I can only test OpenVPN because WireGuard doesn't play well with dual WAN yet. Here's what I'm finding right now:
@Chris Hewitt. So basically I've setup and tried both wireguard and open vpn on the firewall. Then I downloaded my profiles and connected. So both vpn profiles are connected over 5g or LTE. I'm not on my local network. I have not tried to connect to my other clients on my local network but I wanted to try and see if visiting sites that I block would still be blocked. As Michael Bierman stated. I get the same result. As if I'm connected locally to my own network or wifi I get blocked sites within my rules. When I disconnect my local network and use 5g or LTE and connect to either vpn, I cN access internet and probably my local computers but I was specifically testing out my blocked sites and the Active Protect. So if I'm not getting blocked by my rules I have in place on vpn, then maybe I'm not being protected by Active protect either. Which is not useful
Hi How many clients can connect parallely when using a purple?
Would be nice if I could setup a site-to-site with other firewalla units owned by others.
@Sean you could exchange VPN Profiles That way you could even set some access rules.
Please sign in to leave a comment.