* VPN Client Feature requires Firewalla Box version 1.965 (Beta) + iOS App version 1.32 (Beta). Android App is coming shortly.
Beta Onboard Guide: https://help.firewalla.com/hc/en-us/community/posts/360001149673-Beta-Onboarding
What is Firewalla VPN Client?
Firewalla VPN Client is a service running on your Firewalla box. When it is running, you can direct any of your home devices to the VPN channel.
Firewalla enables you to create 3 types of VPN connection: Site to Site VPN, Remote Access VPN, 3rd-party VPN Server.
|Site to Site VPN||Remote Access VPN (Firewalla to Firewalla)||3rd-Party VPN|
|Network Access||Bi-directional||One way||One way|
|Certificate only Setup||Yes||Yes||No|
|Box-App Requirement||Both boxes need to be paired with the same Firewalla App||Two boxes can be paired with different Firewalla App||N/A|
There are some limitations for now:
- Support the OpenVPN protocol only.
- IPv6 traffic is NOT supported, and will NOT be routed to VPN. Please make sure your router IPv6 is turned off.
- In site to site VPN setup, the server can only run on Firewalla Blue, the client can run on either Firewalla Red or Blue.
- Home devices (i.e. laptop/phone/pad, etc) should not use any local DNS servers.
- Home devices must be part of the Firewalla overlay network to use VPN.
- On a Firewalla box, both Firewalla VPN server and Firewalla VPN client can be running at the same time. However, they serve different purposes. The VPN Server running on Firewalla box only supports 1 Site to Site connection. The VPN Client running on Firewalla box supports up to 10 connections.
Here are some case studies to help you understand why you need to use a VPN and which type to choose.
Site to Site VPN
Your company has offices in two different sites, both the headquarters and the subsidiary (branch) office have its own separate network, with computers and servers connected.
Someone sitting at a computer in the headquarter is not able to access the server on the subsidiary (branch) office, and vice versa.
Site-to-site VPN allows you to connect the two networks. Devices in one network can reach devices in the other network under strong encryption.
Remote Access VPN
You have a home office. Occasionally, when you are at home, you need to have access to the company network, for accessing files, printers, or connecting to a computer.
You want to have an easy way to access company resources remotely while you are at home or on the road. Your company wants to provide you with a secure way to access its network.
Remote access VPN enables you to securely connect to the office network from anywhere. This is a one-way encrypted channel.
3rd-party VPN Server
You have many devices at home, all connected to a router that provides access to the Internet. You worry about your ISP can see your internet traffic and log your browsing history. Or you are in a location, where some websites you want to use are inaccessible to the location you are at.
You paid for a 3rd party VPN Service to protect your online traffic from snooping, interference, and censorship. But you have to install VPN Clients on all your devices to get them connected to the 3rd party VPN Service, and you have to manage them (all your laptops, smartphones, tablets, and game consoles) with Apps on different platform separately. Some of your devices may not even be able to install a VPN client App. Or you want to watch Netflix on Apple TV, but being told not supported in your location.
Firewalla VPN Client enables you to connect your network to the 3rd party VPN Server. You don't need to install individual VPN App on all devices. You only need the Firewalla app, with a single click, you can select which device connects to the 3rd party VPN Server.
How to use Firewalla VPN Client?
Step 1: Create a VPN connection
When you first tap on VPN Client, it will provide you 3 ways to create a VPN Connection. The first two types of Connection require a second Firewalla Box.
Site to Site VPN: Create VPN Connection with another Firewalla Box (Firewalla Blue with VPN Server enabled), to establish a bi-directional site to site VPN, two sites with Firewalla Box installed can inter-connect with each other.
Remote Access VPN: Create VPN Connection with another Firewalla Box (with VPN Server enabled), to establish a client -> server VPN. The Client site can selectively send device traffic to the server site.
3rd-party VPN Server: Create VPN Connection with 3rd -party VPN server by importing an existing VPN server profile or fill in configuration from scratch. Supports username+password authentication (beta).
Step 2: Select Devices to Apply
When the connection setup is completed, you can selectively channel your devices' network traffic through the VPN tunnel.
Note, devices must be part of the Firewalla overlay network, in order to use VPN.
- If you are using DHCP mode, all your monitored devices are already in the Firewalla overlay network.
- If you are using Simple mode, you need to manually join your devices to the Firewalla overlay network. This is done by assigning a static IP address to the device.
Here is a tutorial on how to join the overlay network in Simple mode.
Step 3: Connect to VPN
Two ways to connect:
- Switch on the "Status" button, you'll see the status becomes "Connected".
- Or go to the device detail page, tap the VPN button to turn on VPN per device.
Third-Party VPN Compatibility fixes
1. find the line starting with "ca". In your profile, it is "ca ca.ipvanish.com.crt"
2. Copy the content in ca.ipvanish.com.crt, which should come together with your profiles from IPVanish web site
3. Replace the line of "ca" in the profile with the following content
[Paste the content of ca.ipvanish.com.crt] here.