- What is a Firewalla VPN Client?
What is the Firewalla VPN Client?
Firewalla VPN Client is a service running on your Firewalla box. When it is running, you can direct any of your home devices to a VPN connection.
Firewalla enables you to create 3 types of VPN connections: Site to Site VPN, Remote Access VPN, and 3rd-party VPN (via 3rd-party server).
Note: Site to Site VPN and Remove Access VPN requires you have another Firewalla Box with a VPN server running. Here are more details on Firewalla VPN Server.
|Site to Site VPN||Remote Access VPN||3rd-Party VPN|
|Network Access||Bi-directional||One way||One way|
|Certificate only Setup||Yes||Yes||No|
|Box Requirement||2 Firewalla Boxes||2 Firewalla Boxes||1 Firewalla Box|
3rd-party VPN Server
You have many devices at home, all connected to a router that provides access to the Internet. You worry that your ISP can see your internet traffic and log your browsing history. Or you are in a location, where some websites you want to use are inaccessible to the location you are at.
You paid for a 3rd party VPN Service to protect your online traffic from snooping, interference, and censorship. But you have to install VPN Clients on all your devices to get them connected to the 3rd party VPN Service, and you have to manage them (all your laptops, smartphones, tablets, and game consoles) with apps on different platforms separately. Some of your devices may not even be able to install a VPN client app. Or you want to watch Netflix on Apple TV, but being told that it's not supported in your location.
Firewalla VPN Client enables you to connect your network to a 3rd party VPN Server. You don't need to install an individual VPN app on all devices. All you need to do is to enable the VPN Client on the Firewalla app, and select which device you want to connect to the 3rd party VPN Server.
Due to how each 3rd Party VPN server operates, Firewalla can not guarantee the performance, as it depends on the 3rd party VPN server, and how the 3rd party VPN server allocates bandwidth.
Site to Site VPN (OpenVPN Only)
Your company has offices in two different sites. Both the headquarters and the subsidiary (branch) office have their own separate network, with computers and servers connected.
Someone sitting at a computer in the headquarter is not able to access the server on the subsidiary (branch) office, and vice versa.
Site-to-site VPN allows you to connect the two networks. Devices in one network can reach devices in the other network under strong encryption. This setup requires you to have 2 Firewalla boxes. One as the VPN server, the other as the VPN client.
Remote Access VPN
When you are working from home, you need to access the company network to access files, printers, or connect to a computer.
You want to have an easy way to access company resources remotely while you are at home. Your company wants to provide you with a secure way to access its network.
Remote access VPN enables you to securely connect to the office network from anywhere. This is a one-way encrypted channel. This setup requires you to have 2 Firewalla boxes. One as the VPN server, the other as the VPN client.
How to use the Firewalla VPN Client?
Step 1: Create a VPN connection
Go to: Home Screen -> Settings -> Features -> VPN Client
When you configure this for the first time, tap on "Profile", then "+" to create a new profile/connection. You will see 3 options there. The first two types of connection require a second Firewalla box. And you will need to pair with both Firewalla boxes on your app.
As of release 1.973, the Firewalla VPN client is supporting two protocols: OpenVPN and WireGuard VPN. Wireguard VPN Client only supports Remote Access VPN and 3rd-party VPN.
Site to Site VPN (OpenVPN Only):
Create a VPN Connection with another Firewalla Box (with the VPN Server enabled) to establish a bi-directional site-to-site VPN. The two sites with Firewalla Box installed can interconnect with each other.
Remote Access VPN:
Create a VPN Connection with another Firewalla Box (with the VPN Server enabled) to establish a client -> server VPN. The client site can selectively send device traffic to the server site.
3rd-party VPN Server:
Create VPN Connection with a 3rd -party VPN server by importing an existing VPN server profile, or filling in configuration from scratch.
Note: Follow the manual of the 3rd party VPN to find the credential (username/password) required for the VPN connection. Here is a detailed guide on several verified VPN providers.
Step 2: Select Devices to Apply
When the connection setup is completed, you can selectively send your devices' network traffic through the VPN.
Note: devices must be part of the Firewalla overlay network or in router mode, in order to use VPN.
- If you are using DHCP mode, all your monitored devices are already in the Firewalla overlay network.
- If you are using Simple mode, you need to manually join your devices to the Firewalla overlay network. This is done by assigning a static IP address to the device. Here is a tutorial on how to join the overlay network in Simple mode.
- If you are using Router mode, no need to do anything extra
Step 3: Connect to VPN
There are two ways to connect:
- Switch on the "VPN" button, you'll see the status become "Connected".
- Or go to the device detail page, tap the VPN button to turn on VPN per device.
As of Release 1.973, you can connect different devices to different VPNs at the same time. On any device/ network/ group detail page, tap the VPN button and select which VPN to connect to.
Up to 5 active VPN connections are supported.
VPN Profile Configurations
After a VPN profile is set up, there are some options you can set.
- Outbound Policy
- Force DNS over VPN
- Internet Kill Switch
When the Internet Outbound Policy is set to VPN, you'll be able to enable the Internet Kill switch. Firewalla will be able to:
- Detect and generate an alarm if VPN Connection encounters errors
- Auto disconnect device's internet access if VPN is down
- Detect and generate an alarm if VPN Connection restores.
Common Issues and Fixes:
- IPv6 Traffic is NOT supported, and will NOT be routed to VPN. Please make sure your IPv6 is turned off. (For Firewalla Gold, go to Network -> LAN network -> turn off IPv6)
- Only the OpenVPN protocol is supported for Site to Site VPN.
- In a site-to-site VPN setup, the server can not only run on Firewalla red.
- Devices (i.e. laptop/phone/pad, etc) should not use any local DNS servers.
- Devices must be part of the Firewalla overlay network or Firewalla in "router mode" to use VPN.
- On a Firewalla box, both the Firewalla VPN server and Firewalla VPN client can be running at the same time.
- Firewalla VPN Client only supports one remote address. If the .ovpn file from your provider has multiple "remote xxxx .." addresses, please delete all but one of them.
If Gold is used as the Client in a Site to Site VPN connection, make sure to create a rule to allow traffic from the peer site's subnet. Because Gold has a default Firewall rule that blocks untrusted inbound connections from outside your network.
For example, If a site-to-site VPN connection is created between MyGoldWalla(Server) and Gold C(Client). You'll be able to find all the subnet on the Gold S in the VPN profile. If you'd like Network Safe House to be able to access devices on Gold C, then you'll need to create an allow rule on Gold C (the client), to allow IP Range "188.8.131.52/24" on your devices.
Verified 3rd-party VPN services
Follow the steps below to set up ExpressVPN on Firewalla:
1. log in to your account on the ExpressVPN website.
2. Copy the Username & Password under Manual Configuration -> OpenVPN (https://www.expressvpn.com/setup#manual), and paste it into Firewalla App -> VPN Client -> profile-> create 3rd party VPN.
3. Download the OpenVPN file and import the profile to the Configuration section. Or you can open the file, copy and paste the content under the text field.
4. Save the profile, and you are ready to connect.
Note: For username and password, please use the separate credential dedicated for VPN connection from their setup website. Do not use the account username and password used in the ExpressVPN app.
Follow the steps below to set up SurfShark on Firewalla:
2. Open Firewalla App -> VPN Client -> profile -> create 3rd party VPN. Enter your Surfshark account credentials.
3. Import the config file you downloaded previously. Or you can open the file, copy & paste the content under the text field.
4. Save the profile, and you are ready to connect.
Follow the steps below to set up NordVPN on Firewalla:
1. Go to server picker on the NordVPN website. Tap on Show available protocols button. Download the configuration file depending on the connection protocol you want to use.
2. Open Firewalla App -> VPN Client -> profile -> create 3rd party VPN. Enter your NordVPN account credentials. You can find your NordVPN service credentials (username and password) in the Nord Account dashboard. Copy the credentials using the “Copy” buttons on the right.
3. Import the config file you downloaded previously from the NordVPN website. Or you can open the file, copy & paste the content under the text field.
4. Save the profile, and you are ready to connect.
IPVanish VPN (Requires additional configuration)
(These steps should not be needed anymore, they are here in case you run into problems)
1. find the line starting with "ca". In your profile, it is "ca ca.ipvanish.com.crt"
2. Copy the content in ca.ipvanish.com.crt, which should come together with your profiles from the IPVanish website.
3. Replace the line of "ca" in the ovpn file with the following content
[Paste the content of ca.ipvanish.com.crt here]
remote xxx.ipvanish.com 443
verify-x509-name xxx.ipvanish.com name
PureVPN (Requires additional configuration)
Remove these two entries before importing the PureVPN profile to Firewalla
route 0.0.0.0 0.0.0.0
Follow the steps below to set up ProtonVPN on Firewalla:
1. Log in to the web-based dashboard at account.protonvpn.com using your account credentials (the ones you set during account creation).
2. Open Firewalla App -> VPN Client -> profile -> create 3rd party VPN. Enter your OpenVPN/IKEv2 username and password. Copy the credentials using the “Copy” buttons on the right and paste them into the "username", "password" fields.
Contributed by our users:
https://surfshark.com : works flawlessly.
Private Internet Access: Compatible