VPN mesh is a type of VPN topology designed to provide high availability and redundancy for VPN connections. In a VPN mesh, each VPN gateway has multiple connections to other VPN gateways, creating a fully interconnected network of VPN connections.
- VPN Mesh requires Firewalla box version 1.976 with App version 1.54 or above.
- VPN Mesh is not supported on Firewalla Blue Plus.
This service is currently in early access mode.
With Firewalla VPN Mesh, you can seamlessly link multiple Firewalla units together and enable your employees or family members to access anything, anywhere. Watch the video below for a step-by-step tutorial of how to set up and use a VPN mesh.
VPN Mesh is available through Firewalla Managed Security Portal (MSP), a new web interface designed to make it easy, convenient, and efficient to manage a fleet of Firewalla boxes. You can learn more in our introduction article all about Firewalla MSP.
- Seamlessly connect multiple Firewalla sites (only boxes in router mode are supported – Firewalla Gold, Gold Plus, and Purple)
- Have all your devices share the same VPN Mesh DNS entry
- Easily manage and share VPN profiles with the people who need to use them with our new Users feature
MSP Professional Plan can create 1 VPN Mesh, and Business Plan can create up to 3 VPN Mesh.
- Capture flows between networks on different sites.
- Fine-tuned access control between networks on different sites.
- Generate alarms on connections between mesh networks.
What is the difference between site-to-site VPN and VPN Mesh?
VPN Mesh is a centralized, fully connected VPN network topology that enables multiple Firewalla boxes to communicate with each other seamlessly.
In a traditional site-to-site VPN, the connections are manually configured to connect pairs of boxes, and the rules (routing and access control) are manually inserted. To connect all boxes together, site-to-site VPNs must be manually set up on each pair of Firewalla boxes.
On the other hand, in a VPN Mesh, the mesh service in Firewalla MSP will handle the membership and the discovery of VPN mesh nodes. This makes it easy for users to configure everything via and store important information like mesh live states and DNS entries in the container.
- VPN Mesh also provides a globally unique DNS name for every device in the whole mesh network that can be used to access devices from anywhere in the mesh network.
- The mesh management service will evaluate the inter-connectivity status in real time and determine the best route for boxes to access each other.
- VPN devices (e.g., your laptop connected to a public Wi-Fi) can join the mesh network as an independent node.
Is the VPN Mesh DNS domain name replicated for all Firewalla boxes?
Yes. All devices will have a domain name as <device_name>.<box_name>.<mesh_name> shared on all Firewalla boxes in the same mesh networks.
For example, if you have a device named "Server" on your Firewalla box "Home", connected to a mesh network "MyMesh", the mesh domain name for this device would be server.home.mymesh.
How do I find out my VPN Mesh Domain Names?
You can find this on each device's detail page in your MSP portal under the local domain.
How can I test the connections between different boxes?
Since the domain names are shared with all Firewalla boxes inside a mesh network, you can test the connection by pinging the domain names of devices on the other site.
- If there are WireGuard site-to-site VPNs created on the boxes, the VPN mesh network can be established, but the boxes may have trouble connecting to each other. Please remove the site-to-site VPN profiles on both the box configured as the VPN server and the VPN client site boxes to ensure stable connections.