Firewalla VPN Client is a service running on your Firewalla box that enables you to direct any device on your network to a VPN connection; VPN clients provide a secure and encrypted connection between the user and the internet, making it difficult for outsiders to access sensitive information.
What is Firewalla VPN Client?
With a Firewalla VPN client, you can send any device (even one that can't install VPN software) or any type of traffic to a VPN Server/Service. You can create three types of VPN connections:
- Site to Site VPN
- Remote Access VPN
- 3rd-Party VPN (Verified 3rd-Party VPN services)
| | Site to Site VPN* | Remote Access VPN | 3rd-Party VPN |
|---|---|---|---|
| Network Access | Bi-directional | One way | One way |
| Certificate-Only Setup | Yes | Yes | No |
| Box Requirement | 2 Firewalla Boxes | 2 Firewalla Boxes | 1 Firewalla Box |
| VPN Protocol | OpenVPN, WireGuard¹ | OpenVPN, WireGuard¹ | OpenVPN, WireGuard¹, AnyConnect², IPsec³ |
Notes:
¹ WireGuard is not supported on Firewalla Red and Blue.
² Firewalla AnyConnect VPN client supports SSL, not IKEv2.
³ Firewalla IPsec VPN client can only be configured via Firewalla MSP Pro and Business. For more info, see here.
* Please refer to this document for more information about Site to Site VPN.
Firewalla VPN Client is not available for boxes in Transparent Bridge Mode.
3rd-Party VPN Server
Scenario:
You have many devices on your main network, all connected to a router that provides access to the Internet. You worry that your ISP can see your internet traffic and log your browsing history. Or, you're in a location where some websites you want to use are inaccessible.
Problem:
You paid for a 3rd party VPN Service to protect your online traffic from snooping, interference, and censorship. But you have to install VPN Clients on all your devices to get them connected to the 3rd party VPN Service, and you have to manage them (all your laptops, smartphones, tablets, etc.) with apps on different platforms. Some of your devices may not even be able to install a VPN client app. Or, you want to watch Netflix on Apple TV, but it's not supported in your location.
Solution:
Firewalla VPN Client enables you to connect your network to a 3rd party VPN Server. You don't need to install individual VPN apps on all your devices; just enable the VPN Client in the Firewalla app and select which devices you want to connect to the 3rd party VPN Server.
Due to how each 3rd party VPN Server operates, Firewalla cannot guarantee performance. The speed of your VPN connection depends on how the server allocates bandwidth.
Remote Access VPN
Scenario:
When working from home, you must access your company network to see files and printers or connect to a computer.
Problem:
You want to have an easy way to access company resources remotely while you are at home. Your company wants to provide a secure way to access its network.
Solution:
Remote access VPNs enable you to connect securely to your office network from anywhere. This is an encrypted channel that is only visible one way. This setup requires 2 Firewalla boxes: one as the VPN server, the other as the VPN client. Read more in our article about Firewalla's VPN Server.
Site to Site VPN
Scenario:
Your company has offices at two different sites. The headquarters and the subsidiary office have separate networks with computers and servers connected.
Problem:
Someone sitting at a computer in headquarters is not able to access the server at the subsidiary office, and vice versa.
Solution:
Site-to-site VPNs allow you to connect two separate networks. Devices in one network can reach devices in the other network under strong encryption. You can read more in our article about Firewalla Site to Site VPNs.
How do I use Firewalla VPN Client?
Step 1: Create a VPN connection
- Tap on the VPN Client button on your box's main page.
- Tap on + Create VPN Connection to create a new profile/connection. You can create up to 9 VPN connections in total.
- Select what type of VPN connection you'd like to create: Site to Site VPN, Remote Access VPN, or 3rd-Party VPN. If you have multiple VPN profiles, you can also create a VPN Group.
- If you select 3rd-Party VPN, you'll need to choose a protocol:
  - OpenVPN: Import or manually fill in your VPN server profile information. Follow your VPN server's manual for the credentials (username and password) or profile required for the connection. Here is a detailed guide on several verified OpenVPN providers.
  - WireGuard: Import the WireGuard profile or scan the QR code to create the connection. Or, copy and paste the configuration text to create the connection from scratch.
  - AnyConnect (for boxes in Router mode): Connect any of your devices (or your entire network) to a VPN server with one tap.
  - If your VPN provider requires Multi-Factor Authentication, enable it. The app will ask for a one-time password (OTP) when connecting to the VPN.
  - You can auto-fill your OTP by tapping One-Time Password > Auto-Fill > fill in the secret, or tap the scan icon on the right to scan the QR code provided by your VPN service. This only works if your VPN provider allows you to generate your OTPs using a Secret or a QR code.
  - IPsec (Firewalla MSP Professional/Business only): For Gold series boxes managed by Firewalla MSP, you can configure IPsec as the VPN protocol for 3rd-party VPNs. Due to its complexity, IPsec can only be configured via the MSP interface. Learn more about Firewalla MSP's VPN Client here.
For some examples on setting up IPsec, please consult these guides:
Step 2: Select Devices to Apply
After the connection is set up, you can selectively send your devices' network traffic through the VPN.
Step 3: Connect to VPN
There are two ways to connect:
- From the VPN Client page, tap on the connection you want to establish. Switch the VPN on, and the status will become "Connected."
- Tap the VPN button on the detail page of the device, network, or group you want to connect to, then select a VPN.
Firewalla supports up to 5 active VPN connections.
VPN Profile Configurations
After a VPN profile is set up, there are some options you can set from the profile detail page.
Outbound Policy (Site to Site or Remote Access VPN Only):
- Server site subnets: All the subnets on the server site. The outbound policy of all the subnets will be set to VPN, which means when VPN-enabled devices access those subnets from your local network, Firewalla will send the traffic via VPN.
- Internet: Choose how VPN-enabled devices access the Internet.
  - VPN means VPN-enabled devices will use their gateway on the VPN server site for Internet access.
  - Direct means VPN-enabled devices will use their default gateway for Internet access. Please note that Routes directing traffic to the VPN will also follow the Internet Outbound Policy. This means that if the policy is set to "Direct," any traffic sent to the VPN will still exit through the WAN, even if it's routed to the VPN.
Force DNS over VPN: Force VPN-enabled devices to use DNS over VPN or not.
- When it is on, DNS requests will be forwarded to the VPN server. Unbound, DNS over HTTPS, and Family Protect (3rd-party Mode) will not work on devices connected to VPN Client. While these DNS protocols won't take effect, other functions will still work, e.g., Blocking Rules, Ad Block, Safe Search, and Custom DNS Rules.
- When it is off, DNS requests will work as if there were no VPN connection, but traffic to the requested destinations will go over VPN. This means all your DNS traffic will be intercepted and protected by Firewalla. More details can be found here: Firewalla DNS Services Introduction.
Internet Kill Switch: Automatically disconnect a device if the VPN is down. This option is ONLY available when the Internet option is set to VPN. When it is on, Firewalla will be able to:
- Detect and generate an alarm if the VPN Connection encounters any error
- Auto-disconnect the device's internet access if the VPN is down
- Detect and generate an alarm when the VPN Connection is restored
Delete This Profile: Delete a VPN profile permanently. All related rules will be removed from the box.
Additionally, you can create Policy-Based Routes to direct traffic locally or over a VPN. For more details, see our article on Firewalla Policy-Based Routing.
VPN Groups for Failover
For boxes running in Router Mode, Firewalla supports creating VPN groups, allowing you to connect to a group of multiple VPN clients for improved availability.
To create one, tap Create VPN Connection > VPN Group. Set a group name, choose the profiles you'd like to include, and save. You can also tap Edit in the top right corner of the VPN Group page to change the order of the VPN profiles.
Firewalla will connect to all VPN clients in the group at the same time. When the primary VPN profile fails, it will forward the traffic to the next available profile in the list.
Note: Port forwarding and Unbound over VPN are not currently supported with VPN groups; you may need to continue using individual VPN profiles for these features.
Common Issues and Fixes
- Firewalla VPN client does NOT support IPv6. IPv6 traffic will be blocked by Firewalla when the VPN is connected.
- Devices (e.g., laptop/phone/pad, etc.) should not use local DNS servers.
- On a Firewalla box, both the Firewalla VPN server and the Firewalla VPN client can run simultaneously.
- Firewalla VPN Client only supports one remote address. If the .ovpn file from your VPN service provider has multiple "remote xxxx..." addresses, please delete all but one of them.
Verified 3rd-party VPN services
These are verified by our test team and contributed by customers. Although we try to keep this updated, sometimes we can't catch up with service changes. If you have issues, please post them to our forums.
- ExpressVPN
- Surfshark
- NordVPN
- Smart DNS Proxy
- IPVanish VPN (Requires additional configuration)
- PureVPN (Requires additional configuration)
- ProtonVPN
ExpressVPN
Fully compatible.
Follow the steps below to set up ExpressVPN on Firewalla:
- Log into your account on the ExpressVPN website.
- Copy the Username & Password under Manual Configuration -> OpenVPN (https://www.expressvpn.com/setup#manual), and paste it into the Firewalla app -> VPN Client -> Profile -> Create 3rd Party VPN.
- Download the OpenVPN file and import the profile to the Configuration section. Or, you can open the file and copy and paste the content in the text field.
- Save the profile, and you are ready to connect.
Note: For the username and password, please use the separate credentials dedicated to VPN connections from their setup website. Do not use your ExpressVPN app account username and password.
Surfshark
Fully compatible.
Follow the steps below to set up Surfshark on Firewalla:
- Log into the Surfshark manual setup. Find your Surfshark service credentials. Pick a server (location) and download the configuration file.
- Open the Firewalla App -> VPN Client -> Profile -> Create 3rd Party VPN. Enter your Surfshark account credentials.
- Import the config file you downloaded previously. Or, you can open the file and copy and paste the content in the text field.
- Save the profile, and you are ready to connect.
NordVPN
Fully compatible.
Follow the steps below to set up NordVPN on Firewalla:
- Go to the server picker on the NordVPN website. Tap on the Show available protocols button. Download the configuration file for the connection protocol you want to use.
- Open the Firewalla App -> VPN Client -> Profile -> Create 3rd Party VPN. Enter your NordVPN service credentials. Note, these are not the same as your NordVPN username and password. You can find your NordVPN service credentials (username and password) in the Nord Account dashboard. Copy the credentials using the "Copy" buttons on the right.
- Import the config file you downloaded previously from the NordVPN website. Or, you can open the file and copy and paste the content in the text field.
- Save the profile, and you are ready to connect.
Smart DNS Proxy
Fully compatible.
IPVanish VPN (Requires additional configuration)
WireGuard via IPVanish:
- IPVanish supports WireGuard configuration profiles. For more information and a user-submitted tutorial video, please check this Reddit post.
Per IPVanish support, new IPVanish profiles will have CA cert content embedded.
The steps below should no longer be necessary, but they are here in case of problems.
- Find the two files below: "ipvanish-XX-XX-XXX-XXX.ovpn" and "ca.ipvanish.com.crt".
- Open the file 'ca.ipvanish.com.crt' using a text editor and copy all the content.
- Open the file 'ipvanish-XX-XX-XXX-XXX.ovpn' using a text editor and find the line "ca ca.ipvanish.com.crt".
- Replace the line with the following content:
<ca>
[Paste the content of ca.ipvanish.com.crt here]
</ca>
- Save it and import the new file into your Firewalla VPN Client.
PureVPN (Requires additional configuration)
Before importing your PureVPN profile to Firewalla, open the profile in a text editor and remove these two entries:
route-delay 2
route 0.0.0.0 0.0.0.0
You'll also need to find your username and password on PureVPN. Here's how to easily find your existing VPN password.
ProtonVPN
Fully compatible.
Follow the steps below to set up ProtonVPN on Firewalla:
- Log into the web-based dashboard at account.protonvpn.com using your account credentials (the ones you set up during account creation).
- Select Downloads in the left navigation bar on the ProtonVPN dashboard. Find the OpenVPN configuration files section and choose (standard server configs; platform: Router; Protocol: UDP). Download the configuration file from ProtonVPN.
- Open the Firewalla App -> VPN Client -> Profile -> Create 3rd Party VPN. Enter your ProtonVPN OpenVPN/IKEv2 username and password: copy the credentials using the "Copy" buttons on the right and paste them into the "username" and "password" fields.
- Then import the configuration file you downloaded into the Firewalla app.
Unverified 3rd-party VPN services
These are some tips from contributions from our users:
- PIA: Firewalla VPN Client is compatible with Private Internet Access (PIA), but some users report you may need to add this line to the PIA profile:
pull-filter ignore "auth-token"
see https://forum.netgate.com/topic/128325/solved-openvpn-reconnect-auth_failed/5
- Wireguard via NordVPN: Tutorial on using WireGuard via NordVPN and this one.
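The profile edits this article asks for (only one remote entry, a `ca <file>` reference replaced by an inline `<ca>` block, PureVPN's route-delay/route lines removed, PIA's pull-filter added) can be linted and applied before importing. This is an added example, not Firewalla's code; the sample profile, host names and PEM text are constructed placeholders.

```python
"""Lint and normalize an OpenVPN client profile (.ovpn) before import.

Added example, not Firewalla's own code. It applies the fixes the article
describes: a single 'remote', a file-referenced CA inlined as a <ca> block,
PureVPN's route lines removed, PIA's pull-filter added. The sample profile
and PEM text are constructed placeholders, not real servers or certificates.
"""
import re

# Directives the article says to remove from PureVPN profiles.
DROP_DIRECTIVES = ("route-delay", "route 0.0.0.0 0.0.0.0")
PIA_FILTER = 'pull-filter ignore "auth-token"'

SAMPLE_OVPN = """\
client
remote vpn1.example.net 1194
remote vpn2.example.net 1194
route-delay 2
route 0.0.0.0 0.0.0.0
ca ca.crt
remote-cert-tls server
"""
# Stand-in for the ca.crt shipped beside the profile (placeholder, not a real cert).
SAMPLE_CA_FILES = {"ca.crt": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"}

def _is_dropped(line: str) -> bool:
    return any(line == d or line.startswith(d + " ") for d in DROP_DIRECTIVES)

def check_profile(profile: str) -> list:
    """Return the reasons a profile would need editing before import."""
    lines = [ln.strip() for ln in profile.splitlines()]
    issues = []
    remotes = [ln for ln in lines if re.match(r"^remote\s", ln)]
    if len(remotes) > 1:
        issues.append(f"{len(remotes)} remote entries; the client accepts one")
    if any(re.match(r"^ca\s+\S+$", ln) for ln in lines):
        issues.append("ca points to an external file; inline it as <ca>...</ca>")
    dropped = [ln for ln in lines if _is_dropped(ln)]
    if dropped:
        issues.append("remove: " + ", ".join(dropped))
    return issues

def normalize_profile(profile: str, ca_files: dict = None, pia_fix: bool = False) -> str:
    """Apply the fixes from check_profile and return the rewritten profile text."""
    out, remote_seen = [], False
    for line in profile.splitlines():
        s = line.strip()
        if re.match(r"^remote\s", s):
            if remote_seen:
                continue                    # keep only the first remote entry
            remote_seen = True
        if _is_dropped(s):
            continue
        m = re.match(r"^ca\s+(\S+)$", s)
        if m and ca_files and m.group(1) in ca_files:
            # Replace "ca <file>" with that file's PEM text inside <ca> tags.
            out.append("<ca>\n" + ca_files[m.group(1)].strip() + "\n</ca>")
            continue
        out.append(line)
    if pia_fix and not any(ln.strip() == PIA_FILTER for ln in out):
        out.append(PIA_FILTER)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print("before:", check_profile(SAMPLE_OVPN))
    print(normalize_profile(SAMPLE_OVPN, SAMPLE_CA_FILES, pia_fix=True))
```

Run `check_profile` on the downloaded file first; an empty list means it already matches what the client expects.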
Comments
Hi Firewalla Team,
If I SSH into /home/pi/.firewalla/run/ovpn_profile,
could I place an ovpn and auth file in that folder that the firewalla device would recognize?
I have a 3rd party VPN but it requires Username and Password.
Is there an example on how to create a new profile if I want to use a 3rd party VPN provider?
@Daniel, @Alamosoft
Sorry for the trouble. We are working on it. No committed date on that yet. We have a bunch of features coming together...
Melvin
I downloaded the OpenVPN profile from my NordVPN account and imported it into the Firewalla app. The issue is that your app allows saving the NordVPN profile password but not the username so I cannot connect.
The Box & App should both be in Beta to use this feature.
Go to Settings -> Advanced -> Beta program, switch on "Join Box beta program"
If you are using iOS, make sure you have installed the latest version App 1.31(15) from TestFlight.
If you are using Android, the feature is coming shortly after, please be patient.
@neil's solution also works for profiles generated by Mullvad VPN, which is simply leaving only one "remote xxx" entry in the .ovpn file
Can I set up multiple VPN profiles and assign different devices to each profile and, most importantly, have them both active at the same time? More specific example: I have hosts A, B, C and D. I would like to have hosts A and B assigned to VPN_Profile1 (ExpressVPN) and hosts C and D assigned to VPN_Profile2 (other 3rd party VPN).
Thanks!
Help needed on VPNSecure.
I have a lifetime subscription on this VPN Service.
I downloaded their .ovpn server files, which look like this:
client
proto udp
dev tun
remote lu1.isponeder.com 1282
cipher AES-256-CBC
verb 3
mute 20
keepalive 10 120
comp-lzo
float
persist-key
persist-tun
resolv-retry infinite
nobind
auth-nocache
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
This doesn't work - no connection within 30 seconds. No other error?
Then I reached out to their support and they gave me another file for routers:
client
proto udp
dev tun
remote lu1.isponeder.com 1282
cipher AES-256-CBC
verb 3
mute 20
keepalive 10 120
comp-lzo
float
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
With this file it is the same problem: no connection within 30 seconds, no error given.
Could someone help me with this?
What is the default file structure that Firewalla needs to establish a connection???
This is confusing. I am in beta mode and cannot find a VPN Client button on the Firewalla app. Can you be more clear as to the steps required to access this Button?
Hi, I have tried with TIGER VPN (https://www.tigervpn.com) and it looks like it works by using the standard configuration files and applying the following extra steps.
TIGER VPN (Requires additional configuration)
(These steps should not be needed anymore, they are here in case you run into problems)
1. Find the line starting with "ca". In your profile, it is "ca ca.crt"
2. Copy the content in ca.crt, which should come together with your profiles from the TigerVPN web site
3. Replace the "ca" line in the profile with the following content:
<ca>
[Paste the content of ca.crt here]
</ca>
Now it should work like a charm.
@Simon
Here it is:
https://help.firewalla.com/hc/en-us/articles/360023379953-VPN-Client-Beta-#h_073b9487-d00c-4bf0-9aea-d80f8d537366
Firewalla doesn't have the auto reset feature. Since you are a techie, I guess you can just ssh and add a root cronjob to restart every night :)
Another question, currently I'm connecting to my 3rd party VPN via Linux running on my router. However, from time to time the system randomly gets unstable and I must manually reset. There is no feature to e.g. automatically reset every day, etc. Does Firewalla have such an automatic reset feature which can be used as a last ditch attempt to gain a better quality of service if all else fails?
@Melvin, Thanks for the quick answers. Do you have a link to the kill switch feature? Probably useful for other people browsing this VPN section :-)
@Simon
1. We have not tested the compatibility with TorGuard.
2. There is a kill switch feature provided in Firewalla that you can choose to pause device traffic if the VPN connection is broken and resume the traffic when the connection is auto recovered. This option can prevent leakage.
3. We don't have performance tests at this moment.
4. policy-based VPN routing will be supported on Gold.
A couple of questions:
1. How is the compatibility with TorGuard [1]?
2. How does Firewalla deal with failure concerning the 3rd party VPN? Does it automatically reconnect? Is all external traffic blocked until successfully reconnected to avoid leakage outside of the 3rd party VPN?
3. Is there any monitoring regarding 3rd party VPN performance... in case you are paranoid about the performance of your 3rd party VPN provider :-)
4. Is there any way to have multiple concurrent VPNs? So e.g. traffic bound for the UK goes via the UK VPN, and traffic bound for country X goes via the X VPN?
[1] https://torguard.net/
Are you considering supporting WireGuard as a VPN client? WireGuard performs much better when the CPU doesn't have AES-NI.
Did anyone manage to get this to work with VPN Unlimited? I managed to import the openVPN profile, but after filling the user and pass it won't connect.
Is Firewalla VPN server to Firewalla Client (3rd party VPN) possible...in short, can you direct all your traffic from the firewalla server to 3rd party VPN.
@Firewalla Team - Hey guys, the wait is near the end, as WireGuard will be part of Linux Kernel 5.6!
Can you make it happen soon on Firewalla devices as a modern, more secure and lighter, faster option, as it resides in the kernel itself?!?!
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bd2463ac7d7ec51d432f23bf0e893fb371a908cd
Will be a great gift to all of us!
Yes, please share remote support to help@firewalla.com
Thanks!
Melvin
Melvin,
I think it's working as it should. Until I specified my phone's DNS server to be the Firewalla overlay IP, the DNS didn't change when activating the VPN client for my phone (in the Firewalla app).
If that doesn't sound right, let me know, and I'll see about setting up the remote support love.
Thanks,
David
@David,
This doesn't sound right. It should be rerouted to the VPN DNS as long as you are using the overlay network.
Can you send remote support to help@firewalla.com so that we can take a look?
Thanks,
Melvin
@Melvin,
The DNS server of the 3rd party VPN was not used until I told my device to use the overlay DNS address (192.168.218.1) instead of anything else.
I agree that the 3rd party VPN DNS should only be used when the device is using the VPN client.
I was just pointing out that I didn't see any instructions on how to ensure the 3rd party VPN service's DNS server was used. (My Android defaulted to using Google's DNS when I set up the static IP, and using the physical DNS address 192.168.4.1 didn't switch to the 3rd party VPN when I enabled it for the phone)