A VPN mesh is a VPN topology in which every VPN gateway holds a tunnel to every other gateway, forming a fully interconnected network. Because any two sites reach each other directly, no single site acts as a hub, and the loss of one link or one gateway does not cut the remaining sites off from each other.
This service is currently in early access mode.
With Firewalla VPN Mesh, you can link multiple Firewalla units together and let your employees or family members reach resources on any linked site from anywhere. Watch the video below for a step-by-step tutorial on how to set up and use a VPN mesh.
VPN Mesh is available through Firewalla Managed Security Portal (MSP), a new web interface designed to make it easy, convenient, and efficient to manage a fleet of Firewalla boxes. You can learn more in our introduction article all about Firewalla MSP.
Features
- Seamlessly connect multiple Firewalla sites.
- Reach every device in the mesh by a shared VPN Mesh DNS name that resolves from any box in the mesh.
- Easily manage and share VPN profiles with the people who need to use them with our new Users feature.
Limits
- MSP Professional Plan can create 1 VPN Mesh with up to 3 boxes per mesh, and Business Plan can create up to 3 VPN Meshes with up to 10 boxes per mesh.
- Only Boxes in Router mode can be added into a VPN Mesh.
- VPN Mesh is NOT supported on Firewalla Blue Plus.
Upcoming Features
- Capture flows between networks on different sites.
- Fine-tuned access control between networks on different sites.
- Generate alarms on connections between mesh networks.
FAQs
What is the difference between site-to-site VPN and VPN Mesh?
VPN Mesh is a centralized, fully connected VPN network topology that enables multiple Firewalla boxes to communicate with each other seamlessly.
In a traditional site-to-site VPN, the connections are manually configured to connect pairs of boxes, and the rules (routing and access control) are manually inserted. To connect all boxes together, site-to-site VPNs must be manually set up on each pair of Firewalla boxes.
In a VPN Mesh, by contrast, the mesh service in Firewalla MSP handles membership and discovery of the mesh nodes. Users configure everything through the MSP portal, which also stores mesh state such as live connectivity status and DNS entries centrally.
- VPN Mesh also provides a globally unique DNS name for every device in the whole mesh network that can be used to access devices from anywhere in the mesh network.
- The mesh management service will evaluate the inter-connectivity status in real time and determine the best route for boxes to access each other.
- VPN devices (e.g., your laptop connected to a public Wi-Fi) can join the mesh network as an independent node.
Is the VPN Mesh DNS domain name replicated for all Firewalla boxes?
Yes. Every device gets a domain name of the form <device_name>.<box_name>.<mesh_name> (lower-cased), and that name is shared with all Firewalla boxes in the same mesh network.
For example, if you have a device named "Server" on your Firewalla box "Home", connected to a mesh network "MyMesh", the mesh domain name for this device would be server.home.mymesh.
How do I find out my VPN Mesh Domain Names?
You can find this on each device's detail page in your MSP portal under the local domain.
How can I test the connections between different boxes?
Since the domain names are shared with all Firewalla boxes inside a mesh network, you can test the connection by pinging the mesh domain names of devices at the other site. If a name does not resolve, the mesh DNS entry is missing on this box; if it resolves but gets no reply, the cause is routing, a block rule on the VPN device, or a target device that simply ignores ICMP.
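As an added example, not taken from the Firewalla article or its software: a small POSIX shell script that builds the <device>.<box>.<mesh> name described above and then checks each name in two steps, resolve first and ping second, so that a missing mesh DNS entry is reported separately from a tunnel, routing or rule problem. The host names are constructed for illustration, and the `getent hosts` resolver and the `ping -c 1 -W 2` invocation (Linux iputils; other platforms differ) are assumptions that can be overridden through RESOLVE_CMD and PING_CMD.

```shell
#!/bin/sh
# Added example (not Firewalla code): check reachability of devices across a
# VPN Mesh by their mesh domain names, separating "name does not resolve" from
# "resolves but no reply". Host names used with it are constructed examples.

# Commands for the two checks; override for other platforms, e.g.
#   PING_CMD="ping -c 1 -t 2" on macOS. Defaults assume Linux (iputils ping).
: "${RESOLVE_CMD:=getent hosts}"
: "${PING_CMD:=ping -c 1 -W 2}"

# mesh_fqdn DEVICE BOX MESH -> prints device.box.mesh in lower case,
# matching the naming example on this page (Server/Home/MyMesh -> server.home.mymesh).
mesh_fqdn() {
    printf '%s.%s.%s\n' "$1" "$2" "$3" | tr '[:upper:]' '[:lower:]'
}

# check_host NAME -> prints one status line; returns
#   0 reachable, 1 resolved but no ICMP reply, 2 name did not resolve
check_host() {
    name=$1
    if ! $RESOLVE_CMD "$name" >/dev/null 2>&1; then
        printf '%s\tunresolved (no mesh DNS entry on this box)\n' "$name"
        return 2
    fi
    if $PING_CMD "$name" >/dev/null 2>&1; then
        printf '%s\treachable\n' "$name"
        return 0
    fi
    # Resolves but no reply: tunnel down, a block rule on the VPN device,
    # or the target ignores ICMP. Probe a known TCP port if in doubt.
    printf '%s\tno reply (routing, block rule, or ICMP ignored)\n' "$name"
    return 1
}

# check_mesh NAME... -> checks every name; returns the number that failed
# (as an exit status, so meaningful up to 255 names).
check_mesh() {
    failed=0
    for host in "$@"; do
        check_host "$host" || failed=$((failed + 1))
    done
    return "$failed"
}

# Usage: sh mesh_check.sh server.home.mymesh nas.work.mymesh
if [ "$#" -gt 0 ]; then
    check_mesh "$@"
    exit $?
fi
```

Run it from a device behind one box with the mesh names of devices behind the other boxes; a non-zero exit status means at least one name was unresolved or unanswered, and the per-name line says which of the two it was.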
How do I limit access on my VPN Mesh?
In a VPN Mesh, each box has access to other boxes under the same VPN Mesh. On each of your boxes, the other boxes in the same VPN Mesh will appear as VPN devices. You can create rules on those VPN devices to limit access.
For example, let's say you have a VPN Mesh with boxes Home, Work, and Client.
Block All Access From Another Box
If you'd like to block your Client box from accessing your Home box, create a rule to block traffic to all local networks on the VPN Device "Client" of the Home box.
Now, the Client box is blocked from accessing the Home box, but can still access the Work box. The Home and Work boxes can still access each other and the Client box. Repeat this step for other boxes you'd like to block.
Block Access From a Certain Device or Subnet of Another Box
For more granular control, you can block a specific device or subnet. If you'd like to block your Work's Office subnet (192.168.203.0/24) from accessing your Home box, create a rule to block the Office subnet on all devices of the Home box.
If you have a specific device you'd like to block access, use the specific IP address of that device instead of the subnet.
Known Issues
- If there are WireGuard site-to-site VPNs created on the boxes, the VPN mesh network can be established, but the boxes may have trouble connecting to each other. Please remove the site-to-site VPN profiles on both the box configured as the VPN server and the VPN client site boxes to ensure stable connections.
Comments
It looks pretty cool, but nothing is mentioned regarding which VPN client is to be used with the config you download from the MSP site for each device.