VPN Client Feature requires:
Firewalla Box version 1.965 (Beta) + iOS App version 1.32 / Android App 2.44
To join Beta: settings->advanced->beta program and turn beta 'on'
What is Firewalla VPN Client?
Firewalla VPN Client is a service running on your Firewalla box. When it is running, you can direct any of your home devices to the VPN channel.
Firewalla enables you to create 3 types of VPN connection: Site to Site VPN, Remote Access VPN, 3rd-party VPN Server.
| | Site to Site VPN | Remote Access VPN (Firewalla to Firewalla) | 3rd-Party VPN |
|---|---|---|---|
| Network Access | Bi-directional | One way | One way |
| Certificate-only Setup | Yes | Yes | No |
| Box-App Requirement | Both boxes need to be paired with the same Firewalla App | The two boxes can be paired with different Firewalla Apps | N/A |
There are some limitations for now:
- Only the OpenVPN protocol is supported.
- IPv6 traffic is NOT supported and will NOT be routed to the VPN. Please make sure IPv6 is turned off on your router.
- In a site to site VPN setup, the server can only run on Firewalla Blue; the client can run on either Firewalla Red or Blue.
- Home devices (e.g. laptops, phones, tablets) should not use any local DNS servers.
- Home devices must be part of the Firewalla overlay network to use VPN.
- On a Firewalla box, the Firewalla VPN server and the Firewalla VPN client can run at the same time, but they serve different purposes. The VPN Server running on a Firewalla box supports only 1 Site to Site connection. The VPN Client running on a Firewalla box supports up to 10 connections.
Here are some case studies to help you understand why you need to use a VPN and which type to choose.
Site to Site VPN
Your company has offices at two different sites. The headquarters and the subsidiary (branch) office each have their own separate network, with computers and servers connected.
Someone sitting at a computer in the headquarters cannot reach a server in the subsidiary (branch) office, and vice versa.
A site-to-site VPN connects the two networks: devices in one network can reach devices in the other network over a strongly encrypted tunnel.
Remote Access VPN
You have a home office. Occasionally, when you are at home, you need access to the company network to reach files or printers, or to connect to a computer.
You want an easy way to access company resources remotely while you are at home or on the road, and your company wants to provide you with a secure way to access its network.
A remote access VPN lets you connect securely to the office network from anywhere. This is a one-way encrypted channel.
3rd-party VPN Server
You have many devices at home, all connected to a router that provides access to the Internet. You worry that your ISP can see your internet traffic and log your browsing history. Or you are in a location where some websites you want to use are inaccessible.
You pay for a 3rd-party VPN service to protect your online traffic from snooping, interference, and censorship. But you have to install VPN clients on all your devices to connect them to the 3rd-party VPN service, and you have to manage them (all your laptops, smartphones, tablets, and game consoles) with apps on different platforms separately. Some of your devices may not even be able to install a VPN client app. Or you want to watch Netflix on Apple TV, but are told it is not supported in your location.
Firewalla VPN Client lets you connect your network to the 3rd-party VPN server. You don't need to install an individual VPN app on every device. You only need the Firewalla app; with a single tap you can select which devices connect to the 3rd-party VPN server.
How to use Firewalla VPN Client?
Step 1: Create a VPN connection
When you first tap on VPN Client, it offers 3 ways to create a VPN connection. The first two types of connection require a second Firewalla box.
Site to Site VPN: Create a VPN connection with another Firewalla box (a Firewalla Blue with VPN Server enabled) to establish a bi-directional site to site VPN, so that two sites with a Firewalla box installed can interconnect with each other.
Remote Access VPN: Create a VPN connection with another Firewalla box (with VPN Server enabled) to establish a client -> server VPN. The client site can selectively send device traffic to the server site.
3rd-party VPN Server: Create a VPN connection with a 3rd-party VPN server by importing an existing VPN server profile, or by filling in the configuration from scratch.
*Note: the Import function on iOS may not always work; you can always share the VPN profile to the Firewalla App to import it.
Step 2: Select Devices to Apply
When the connection setup is complete, you can selectively channel your devices' network traffic through the VPN tunnel.
Note: devices must be part of the Firewalla overlay network in order to use the VPN.
- If you are using DHCP mode, all your monitored devices are already in the Firewalla overlay network.
- If you are using Simple mode, you need to manually join your devices to the Firewalla overlay network. This is done by assigning a static IP address to the device.
Here is a tutorial on how to join the overlay network in Simple mode.
Step 3: Connect to VPN
Two ways to connect:
- Switch on the "Status" button, you'll see the status becomes "Connected".
- Or go to the device detail page, tap the VPN button to turn on VPN per device.
VPN Profile Configurations
After a VPN profile is set up, there are some options you can set.
- Outbound Policy
- Force DNS over VPN
- Internet Kill Switch
When the Internet Outbound Policy is set to VPN, you can enable the Internet Kill Switch. Firewalla will then:
- Detect and generate an alarm if the VPN connection encounters errors
- Automatically cut the device's internet access if the VPN is down
- Detect and generate an alarm when the VPN connection is restored
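The following is an added illustration, not Firewalla's code, of the fail-closed behaviour the Internet Kill Switch describes: a device whose Outbound Policy is VPN is blocked while the tunnel is down instead of silently falling back to the plain uplink, and an alarm is raised once when the tunnel fails and once when it recovers. The class, method and status names are assumptions made for the example.

```python
# Added example (not Firewalla's implementation): a model of the Internet Kill
# Switch policy for one VPN-routed device.  All names here are assumptions.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class KillSwitch:
    """Per-device policy state.

    The kill switch only applies when the Outbound Policy is "VPN".  While the
    tunnel is down the device is blocked rather than allowed out unencrypted,
    and an alarm is recorded once on failure and once on recovery.
    """
    outbound_policy: str = "VPN"   # "VPN" or "Direct" (assumed values)
    enabled: bool = True           # the Internet Kill Switch toggle
    tunnel_up: bool = True         # last known tunnel health
    alarms: List[str] = field(default_factory=list)

    def observe(self, status: str) -> str:
        """Consume one tunnel health report ("up", "down" or "error") and
        return the action for the device's traffic: "allow" or "block"."""
        if status not in ("up", "down", "error"):
            raise ValueError(f"unknown tunnel status {status!r}")
        if self.outbound_policy != "VPN" or not self.enabled:
            # Kill switch not in effect: tunnel health does not gate traffic.
            self.tunnel_up = status == "up"
            return "allow"
        if status == "up":
            if not self.tunnel_up:
                self.alarms.append("VPN connection restored")  # alarm once on recovery
                self.tunnel_up = True
            return "allow"
        # "down" or "error": fail closed, alarm only on the up -> down transition
        if self.tunnel_up:
            self.alarms.append(f"VPN connection {status}")
            self.tunnel_up = False
        return "block"


def run(events: List[str], policy: str = "VPN", enabled: bool = True) -> Tuple[List[str], List[str]]:
    """Replay a sequence of tunnel health reports; return (actions, alarms)."""
    ks = KillSwitch(outbound_policy=policy, enabled=enabled)
    actions = [ks.observe(e) for e in events]
    return actions, ks.alarms


# Constructed sample: the tunnel errors, stays down for two polls, then recovers.
SAMPLE_EVENTS = ["up", "up", "error", "down", "down", "up", "up"]

if __name__ == "__main__":
    acts, alarms = run(SAMPLE_EVENTS)
    for ev, act in zip(SAMPLE_EVENTS, acts):
        print(f"{ev:6} -> {act}")
    print("alarms:", alarms)
```

The point of tracking the up/down transition rather than the raw status is that a tunnel that stays down for many polls produces one alarm, not one per poll, while every poll during the outage still yields "block".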
Verified 3rd-party VPN services
Follow the steps below to set up ExpressVPN on Firewalla:
1. Log in to your account on the ExpressVPN website.
2. Copy the Username & Password under Manual Configuration -> OpenVPN (https://www.expressvpn.com/setup#manual), and paste them into Firewalla App -> VPN Client -> profile -> create 3rd party VPN.
3. Download the OpenVPN file and import the profile in the Configuration section, or open the file and copy and paste its content into the text field.
4. Save the profile, and you are ready to connect.
Note: For the username and password, use the separate credentials dedicated to the VPN connection from their setup website. Do not use the account username and password used in the ExpressVPN app.
Follow the steps below to set up NordVPN on Firewalla:
1. Go to the server picker on the NordVPN website, tap the Show available protocols button, and download the configuration file for the connection protocol you want to use.
2. Open Firewalla App -> VPN Client -> profile -> create 3rd party VPN. Enter your NordVPN account credentials.
3. Import the config file you downloaded from the NordVPN website, or open the file and copy & paste its content into the text field.
4. Save the profile, and you are ready to connect.
Warning: Some NordVPN servers may push a new parameter "subnet" to the client side that is not yet supported by the Firewalla VPN client. (subnet is supported in the next release, 1.966, which is currently in beta.)
IPVanish VPN (Requires additional configuration)
(These steps should not be needed anymore, they are here in case you run into problems)
1. Find the line starting with "ca". In your profile, it is "ca ca.ipvanish.com.crt".
2. Copy the content of ca.ipvanish.com.crt, which should come together with your profiles from the IPVanish web site.
3. Replace the "ca" line in the profile with the following content:
[Paste the content of ca.ipvanish.com.crt here]
PureVPN (Requires additional configuration)
Remove these two entries before importing the PureVPN profile into Firewalla:
route 0.0.0.0 0.0.0.0
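Both provider fix-ups above (inlining the IPVanish CA certificate instead of referencing a separate file, and dropping the PureVPN default-route lines) are edits to a plain-text OpenVPN profile, and they are easy to get wrong by hand. The script below is an added example, not Firewalla's or either provider's code; it applies both fix-ups to a profile before import. It uses OpenVPN's standard inline-file syntax (`<ca>...</ca>`, and likewise for `cert` and `key`), which goes beyond the IPVanish-specific step on the page. The sample profile and the certificate body are constructed placeholders, not real provider data.

```python
# Added example (not Firewalla's or any VPN provider's code): normalise an
# OpenVPN client profile before importing it.
#  1. Replace "ca <file>" (also "cert"/"key") with the file inlined as
#     <ca>...</ca>, OpenVPN's inline-file syntax.  Covers the IPVanish step.
#  2. Drop "route 0.0.0.0 0.0.0.0" lines.  Covers the PureVPN step.
import re
from typing import Dict

# Constructed sample profile.  "ca.ipvanish.com.crt" is the filename the page
# mentions; the certificate body is a placeholder, not a real certificate.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
ca ca.ipvanish.com.crt
route 0.0.0.0 0.0.0.0
route 0.0.0.0 0.0.0.0
auth-user-pass
verb 3
"""
SAMPLE_FILES = {
    "ca.ipvanish.com.crt": (
        "-----BEGIN CERTIFICATE-----\n"
        "PLACEHOLDER-CERTIFICATE-BODY\n"
        "-----END CERTIFICATE-----\n"
    ),
}

# Directives whose single argument is a file that OpenVPN accepts inline.
INLINEABLE = {"ca", "cert", "key"}
# "route 0.0.0.0 0.0.0.0" with or without a trailing gateway/metric.
DEFAULT_ROUTE = re.compile(r"^\s*route\s+0\.0\.0\.0\s+0\.0\.0\.0(\s|$)")


def inline_files(profile: str, files: Dict[str, str]) -> str:
    """Replace 'ca/cert/key <file>' lines with <tag>...</tag> blocks.

    `files` maps the referenced filename to its text content.  A referenced
    file that was not supplied is an error rather than a silent pass-through,
    because a profile with a dangling 'ca' reference will fail on the box.
    """
    out = []
    for line in profile.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in INLINEABLE:
            tag, name = parts[0], parts[1].strip('"\'')
            if name not in files:
                raise FileNotFoundError(f"profile references {name!r} but it was not supplied")
            out.append(f"<{tag}>")
            out.append(files[name].strip())
            out.append(f"</{tag}>")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def strip_default_routes(profile: str) -> str:
    """Remove every 'route 0.0.0.0 0.0.0.0' line (the PureVPN fix-up)."""
    kept = [l for l in profile.splitlines() if not DEFAULT_ROUTE.match(l)]
    return "\n".join(kept) + "\n"


def normalize_profile(profile: str, files: Dict[str, str]) -> str:
    """Apply both fix-ups and return the profile text ready for import."""
    return strip_default_routes(inline_files(profile, files))


if __name__ == "__main__":
    print(normalize_profile(SAMPLE_PROFILE, SAMPLE_FILES))
```

Run it against the downloaded profile and the accompanying `.crt` file, then paste the output into the Firewalla profile text field. Everything else in the profile (remote, proto, auth-user-pass, verb) is passed through untouched.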
Contributed by our users:
https://surfshark.com : works flawlessly.
Private Internet Access: Compatible