Firewalla VPN Server supports both OpenVPN and WireGuard VPN. Here is the guide on how to configure WireGuard VPN. If you want to learn more about what is Firewalla VPN server, please refer to this article: Firewalla VPN Server
This feature is available in Firewalla Gold, Purple, and Blue Plus
WireGuard is a newer (when compared with OpenVPN) VPN protocol, and like OpenVPN is also open source. This protocol is simpler than OpenVPN and can have a higher encryption rate. (References https://wireguard.com https://en.wikipedia.org/wiki/WireGuard)
- WireGuard is UDP-based. (OpenVPN can run over TCP/UDP).
- On Firewalla Gold, the performance is 1.5 to 2 times faster than OpenVPN.
- WireGuard source code is new and it is a lot simpler than OpenVPN.
- Site to Site VPN is supported.
- There is a known issue that causes unstable WireGuard VPN connections if you are in dual-wan load balancing mode. If it occurs to you, please contact us at help@firewalla.com.
1. To Enable WireGuard
2. Configure Port Forwarding
Similar to OpenVPN, WireGuard requires the port to be accessed from outside your network.
- If you are using Firewalla Gold, and it is running in Router mode without double NAT, skip this step. The "Port Forwarding" will be shown as complete.
- If your router has UPnP enabled (as most routers do), Firewalla will do everything for you. If your router doesn't support UPnP, you will need to manually set up port forwarding on your home router. Tutorial: How to set up port forwarding for VPN Server
3. Connect to Firewalla WireGuard VPN Server
3.1 Using Wireguard App
To connect to Wireguard VPN, you will need to install the WireGuard app on your mobile or desktop device. Here is the installation guide provided by Wireguard.
Once you installed the WireGuard app, you'll need a profile to set up the VPN Connection.
Tap Setup -> Add a Client, a client will be created automatically.
- Note:
Up to 12 clients are now supported on the Firewalla VPN Server.
The client can be removed when you tap the client profile, click scroll down and click 'Delete This Client'.
Please do NOT use the same VPN profile on different WireGuard clients at the same time.
Tap the client, it will show you a profile and a QR code. There are two ways to use the WireGuard app to connect your device to WireGuard VPN Server:
- Create from file
- Create from QR code. Here is an example of the WireGuard app on iOS:
3.2 Using Firewalla Site to Site VPN
Site to Site VPN using Wireguard protocol allows you to access shared devices such as file servers, printers, and video cameras bi-directionally between any two sites managed by Firewalla, but with a higher encryption rate and better performance.
To create a site-to-site VPN connection using WireGuard, on the Firewalla app, go to the client side box, find VPN Client -> Create VPN Connection -> Site to Site VPN -> Select the server box you'd like to connect -> Select WireGuard.
Learn more about site to site VPN.
Comments
18 comments
Anyone else having issues With WireGuard on the new release?
To me it looks like it’s not resolving the DNS as I can’t connect to any site through the VPN.
I’ve tried changing the DNS in the network section for WireGuard to an external DNS and still nothing. I’ve reset the config and downloaded the file again. This is on two different profiles..
All sorted, complete delete including clients. Not sure what happened the first time.
This is great. Thanks for implementing it.
Can WireGuard and the OpenVPN solution coexist on the Firewalla?
Yes, OpenVPN and Wireguard can live together nicely.
Andy Brown, I was having the same issue. I had to edit the tunnel to set the firewalla box as an allowed ip.
Hi. I am having issues enabling wireguard. I tried it as soon it was released without problems, but decided to the disabled it since i was using opvn. Now, I am trying to reenable wireguard through the phone app and I get the error "Error setting firerouter config".
Apparently Firewalla WireGuard Server now allows six profiles.
I am having similar problems. wireguard VPN is getting activated without any issues but i am not able to access any site. I tried removing the client and VPN setup completely and also tried adding the Firewalla box IP to the tunnel but still no luck. Any pointers how to resolve? I've setup my Firewalla in `Router Mode` and Wifi Router at AP mode. Thus it doesn't have Port forwarding Option enabled.
look at "port forwarding" and make sure it says "Complete". If not, it is likely your main modem/router is not in bridge mode, or you do not have a public IP. and that can be checked here. https://help.firewalla.com/hc/en-us/articles/360055686674-How-to-see-if-you-have-a-public-IP-address-
Thanks for quick response. Yes, My Wifi Router (Orbi) is in AP Mode (essentially Bridge), Firewalla Gold is in Router Mode. On Both OpenVPN and WireGuard I could see Manual Setup required. If i m not wrong, port forwarding needs to be completed at router level. Orbi in Bridge mode disables this feature (or allows all ports from router since its in bridge mode). I tried adding UDP port on Firewalla App --> Networking --> NAT Settings --> New Port Forwarding but that didn't help.
Did a speed test via Wireguard. My plan is of 250Mbps, and the Wifi I was on at friend's place was 150M. I got 100Mbps via Wireguard.
Do Firewalla’s support site to site VPN?
@phillip yes but I think OpenVPN only for now.
So I tried open vpn and Winguard. It's does work and I can browse internet. However I thought it would like connecting to my local network and would have the same protection as I was at home. Is this not the case? I did a test to block twitter.com and it still let me through. After disconnecting from vpn and connected to my local wifi, it started blocking again. Does firewalls not block with rules while on vpn?
Works fine here. This is what I see from home ads blocked and Reddit blocked.
Turn on my IPvanish VPN which effectively bypasses my FWG and acts as though I am away from home. Ads are back and Reddit works. FWG no longer filtering.
Activate WireGuard sending the traffic from IPvanish through the FWG and all the rules.
This shows WireGuard is sending all my traffic through the FWG and the rules are working.
@Keith S - can you share more details about what you are experiencing?
So I can only test OpenVPN because WireGuard doesn't play well with dual WAN yet. Here's what I'm finding right now:
@Chris Hewitt. So basically I've setup and tried both wireguard and open vpn on the firewall. Then I downloaded my profiles and connected. So both vpn profiles are connected over 5g or LTE. I'm not on my local network. I have not tried to connect to my other clients on my local network but I wanted to try and see if visiting sites that I block would still be blocked. As Michael Bierman stated. I get the same result. As if I'm connected locally to my own network or wifi I get blocked sites within my rules. When I disconnect my local network and use 5g or LTE and connect to either vpn, I cN access internet and probably my local computers but I was specifically testing out my blocked sites and the Active Protect. So if I'm not getting blocked by my rules I have in place on vpn, then maybe I'm not being protected by Active protect either. Which is not useful
Hi How many clients can connect parallely when using a purple?
Please sign in to leave a comment.