Firewalla VPN Server supports both OpenVPN and WireGuard VPN. Here is the guide on how to configure WireGuard VPN. If you want to learn more about what Firewalla's VPN server is, please refer to our article on the topic: Firewalla VPN Server.
This feature is available in Firewalla Gold, Purple, and Blue Plus.
WireGuard is a newer (when compared with OpenVPN) VPN protocol, and like OpenVPN, it's also open source. This protocol is simpler than OpenVPN and can have a higher encryption rate. (References:https://wireguard.comhttps://en.wikipedia.org/wiki/WireGuard)
- WireGuard is UDP-based. (OpenVPN can run over TCP/UDP).
- On Firewalla Gold, the performance is 1.5 to 2 times faster than OpenVPN.
- WireGuard source code is new and simpler than OpenVPN.
- Site to Site VPN is supported.
- There is a known issue that causes unstable WireGuard VPN connections if you are in dual-WAN load balancing mode. If it occurs, please contact us at email@example.com.
1. Enable WireGuard
Go to VPN Server on the Firewalla app, and tap the WireGuard button to turn it on.
2. Configure Port Forwarding
Similar to OpenVPN, WireGuard requires the port to be accessed from outside your network.
- If you are using Firewalla in Router mode without double NAT, skip this step. Port Forwarding will be shown as complete.
- If you are using Firewalla in Simple or DHCP mode, and your main router has UPnP enabled (as most routers do), Firewalla will do everything for you. If your router doesn't support UPnP, you will need to manually set up port forwarding on your home router. Tutorial: How to set up port forwarding for VPN Server
3. Connect to Firewalla WireGuard VPN Server
3.1 Using Wireguard App
Step 1: Add Clients
To connect your mobile device or computer to the Firewalla VPN server, you'll need a VPN profile to set up the VPN Connection.
On Firewalla App, tap Setup -> Add a Client, and a client will be created automatically. Tap the client and it will show you a profile and a QR code.
- Up to 12 clients are now supported on the Firewalla VPN Server.
- The client can be removed when you tap the client profile, click scroll down, and click 'Delete This Client'.
- Please do NOT use the same VPN profile on different WireGuard clients at the same time.
Step 2: Set Up The WireGuard App:
To connect to the VPN server, you will need to install the WireGuard app on your mobile or desktop device. Here is the installation guide provided by Wireguard.
There are two ways to use the WireGuard app to connect your device to the WireGuard VPN Server:
- Create from file
- Create from QR code
Here is an example of the WireGuard app on iOS:
3.2 Using Firewalla Site to Site VPN
Site to Site VPN using Wireguard protocol allows you to access shared devices such as file servers, printers, and video cameras bi-directionally between any two sites managed by Firewalla, but with a higher encryption rate and better performance.
To create a Site to Site VPN connection using WireGuard, on the Firewalla app, go to the client side box, find VPN Client -> Create VPN Connection -> Site to Site VPN -> select the server box you'd like to connect -> Select WireGuard.
Learn more about site-to-site VPN.
4. VPN Device Management (Gold & Purple Only)
The WireGuard VPN server creates a local network on Firewalla, and all the devices will join the network once connected to VPN. Each VPN device corresponds to a VPN client you created in the VPN server setup.
On the Devices list, tap the WireGuard network or a VPN device. You can view the network flows and basic info, receive alarms, and apply rules or features to the entire VPN network or to any VPN device individually, just like any other local device.
Anyone else having issues With WireGuard on the new release?
To me it looks like it’s not resolving the DNS as I can’t connect to any site through the VPN.
I’ve tried changing the DNS in the network section for WireGuard to an external DNS and still nothing. I’ve reset the config and downloaded the file again. This is on two different profiles..
All sorted, complete delete including clients. Not sure what happened the first time.
This is great. Thanks for implementing it.
Can WireGuard and the OpenVPN solution coexist on the Firewalla?
Yes, OpenVPN and Wireguard can live together nicely.
Andy Brown, I was having the same issue. I had to edit the tunnel to set the firewalla box as an allowed ip.
Hi. I am having issues enabling wireguard. I tried it as soon it was released without problems, but decided to the disabled it since i was using opvn. Now, I am trying to reenable wireguard through the phone app and I get the error "Error setting firerouter config".
Apparently Firewalla WireGuard Server now allows six profiles.
I am having similar problems. wireguard VPN is getting activated without any issues but i am not able to access any site. I tried removing the client and VPN setup completely and also tried adding the Firewalla box IP to the tunnel but still no luck. Any pointers how to resolve? I've setup my Firewalla in `Router Mode` and Wifi Router at AP mode. Thus it doesn't have Port forwarding Option enabled.
look at "port forwarding" and make sure it says "Complete". If not, it is likely your main modem/router is not in bridge mode, or you do not have a public IP. and that can be checked here. https://help.firewalla.com/hc/en-us/articles/360055686674-How-to-see-if-you-have-a-public-IP-address-
Thanks for quick response. Yes, My Wifi Router (Orbi) is in AP Mode (essentially Bridge), Firewalla Gold is in Router Mode. On Both OpenVPN and WireGuard I could see Manual Setup required. If i m not wrong, port forwarding needs to be completed at router level. Orbi in Bridge mode disables this feature (or allows all ports from router since its in bridge mode). I tried adding UDP port on Firewalla App --> Networking --> NAT Settings --> New Port Forwarding but that didn't help.
Did a speed test via Wireguard. My plan is of 250Mbps, and the Wifi I was on at friend's place was 150M. I got 100Mbps via Wireguard.
Do Firewalla’s support site to site VPN?
@phillip yes but I think OpenVPN only for now.
So I tried open vpn and Winguard. It's does work and I can browse internet. However I thought it would like connecting to my local network and would have the same protection as I was at home. Is this not the case? I did a test to block twitter.com and it still let me through. After disconnecting from vpn and connected to my local wifi, it started blocking again. Does firewalls not block with rules while on vpn?
Works fine here. This is what I see from home ads blocked and Reddit blocked.
Turn on my IPvanish VPN which effectively bypasses my FWG and acts as though I am away from home. Ads are back and Reddit works. FWG no longer filtering.
Activate WireGuard sending the traffic from IPvanish through the FWG and all the rules.
This shows WireGuard is sending all my traffic through the FWG and the rules are working.
@Keith S - can you share more details about what you are experiencing?
So I can only test OpenVPN because WireGuard doesn't play well with dual WAN yet. Here's what I'm finding right now:
@Chris Hewitt. So basically I've setup and tried both wireguard and open vpn on the firewall. Then I downloaded my profiles and connected. So both vpn profiles are connected over 5g or LTE. I'm not on my local network. I have not tried to connect to my other clients on my local network but I wanted to try and see if visiting sites that I block would still be blocked. As Michael Bierman stated. I get the same result. As if I'm connected locally to my own network or wifi I get blocked sites within my rules. When I disconnect my local network and use 5g or LTE and connect to either vpn, I cN access internet and probably my local computers but I was specifically testing out my blocked sites and the Active Protect. So if I'm not getting blocked by my rules I have in place on vpn, then maybe I'm not being protected by Active protect either. Which is not useful
Hi How many clients can connect parallely when using a purple?
Please sign in to leave a comment.