What is Firewalla VPN Client?
Firewalla VPN Client is a service running on your Firewalla box. When it is running, you can direct any of your home devices to the VPN channel.
Firewalla enables you to create 3 types of VPN connection: Site to Site VPN, Remote Access VPN, and 3rd-party VPN (via 3rd-party server).
| | Site to Site VPN | Remote Access VPN (Firewalla to Firewalla) | 3rd-Party VPN |
|---|---|---|---|
| Network Access | Bi-directional | One way | One way |
| Certificate only Setup | Yes | Yes | No |
| Box-App Requirement | Both boxes need to be paired with the same Firewalla App | Two boxes can be paired with different Firewalla Apps | N/A |
There are some limitations for now:
- Only the OpenVPN protocol is supported.
- IPv6 traffic is NOT supported and will NOT be routed through the VPN. Please make sure your router's IPv6 is turned off; otherwise a device's IPv6 traffic bypasses the tunnel.
- In site to site VPN setup, the server can only run on Firewalla Blue; the client can run on either Firewalla Red or Blue.
- Devices (e.g. laptops, phones, tablets) should not use any local DNS servers.
- Devices must be part of the Firewalla overlay network to use VPN.
- On a Firewalla box, both Firewalla VPN server and Firewalla VPN client can be running at the same time. However, they serve different purposes. The VPN Server running on Firewalla box only supports 1 Site to Site connection. The VPN Client running on Firewalla box supports up to 10 connections.
Here are some case studies to help you understand why you need to use a VPN and which type to choose.
Site to Site VPN
Scenario:
Your company has offices at two different sites. Both the headquarters and the subsidiary (branch) office have their own separate network, with computers and servers connected.
Problem:
Someone sitting at a computer at the headquarters is not able to access the server at the subsidiary (branch) office, and vice versa.
Solution:
Site-to-site VPN allows you to connect the two networks. Devices in one network can reach devices in the other network under strong encryption.
Remote Access VPN
Scenario:
When you are working from home, you need to access the company network to access files, printers, or connect to a computer.
Problem:
You want to have an easy way to access company resources remotely while you are at home. Your company wants to provide you with a secure way to access its network.
Solution:
Remote access VPN enables you to securely connect to the office network from anywhere. This is a one-way encrypted channel.
3rd-party VPN Server
Scenario:
You have many devices at home, all connected to a router that provides access to the Internet. You worry that your ISP can see your internet traffic and log your browsing history. Or you are in a location where some websites you want to use are inaccessible.
Problem:
You paid for a 3rd party VPN service to protect your online traffic from snooping, interference, and censorship. But you have to install VPN clients on all your devices to get them connected to the 3rd party VPN service, and you have to manage them (all your laptops, smartphones, tablets, and game consoles) with apps on different platforms separately. Some of your devices may not even be able to install a VPN client app. Or you want to watch Netflix on Apple TV, but are told that it's not supported in your location.
Solution:
Firewalla VPN Client enables you to connect your network to a 3rd party VPN Server. You don't need to install an individual VPN app on all devices. All you need to do is to enable the VPN Client on the Firewalla app, and select which device you want to connect to the 3rd party VPN Server.
Due to how each 3rd party VPN server operates, Firewalla cannot guarantee the performance, as it depends on the 3rd party VPN server and how that server allocates bandwidth.
How to use Firewalla VPN Client?
Step 1: Create a VPN connection
Go to: Home Screen -> Settings -> Features -> VPN Client
When you configure this for the first time, tap on "Profile", then "+" to create a new profile/connection. You will see 3 options there. The first two types of connection require a second Firewalla box. And you will need to pair with both Firewalla boxes on your app.
Site to Site VPN:
Create a VPN Connection with another Firewalla Box (Firewalla Blue with VPN Server enabled) to establish a bi-directional site to site VPN. The two sites with a Firewalla Box installed can interconnect with each other.
Remote Access VPN:
Create a VPN Connection with another Firewalla Box (with VPN Server enabled) to establish a client -> server VPN. The client site can selectively send device traffic to the server site.
3rd-party VPN Server:
Create a VPN Connection with a 3rd-party VPN server by importing an existing VPN server profile, or by filling in the configuration from scratch.
Note: Follow the manual of the 3rd party VPN to find the credentials (username/password) required for the VPN connection. See the detailed guide on several verified VPN providers below.
Step 2: Select Devices to Apply
When the connection setup is completed, you can selectively channel your devices' network traffic through the VPN tunnel.
Note: devices must be part of the Firewalla overlay network, in order to use VPN.
- If you are using DHCP mode, all your monitored devices are already in the Firewalla overlay network.
- If you are using Simple mode, you need to manually join your devices to the Firewalla overlay network. This is done by assigning a static IP address to the device.
Here is a tutorial on how to join the overlay network in Simple mode.
Step 3: Connect to VPN
There are two ways to connect:
- Switch on the "Status" button; you'll see the status become "Connected".
- Or go to the device detail page, tap the VPN button to turn on VPN per device.
VPN Profile Configurations
After a VPN profile is set up, there are some options you can set.
- Outbound Policy
- Force DNS over VPN
- Internet Kill Switch
When the Internet Outbound Policy is set to VPN, you'll be able to enable the Internet Kill Switch. Firewalla will then be able to:
- Detect and generate an alarm if VPN Connection encounters errors
- Auto disconnect device's internet access if VPN is down
- Detect and generate an alarm if VPN Connection restores.
Common Fixes:
1. Firewalla VPN Client only supports one remote address. If the .ovpn file from your provider has multiple "remote xxxx ..." lines, please delete all but one of them.
2. If a Gold is used as the Client in a Site to Site VPN connection, make sure to create a rule to allow traffic from the peer site's subnet, because Gold has a default Firewall rule that blocks untrusted inbound connections from outside your network.
For example, suppose a site to site VPN connection is created between MyGoldWalla (Server) and Gold C (Client). You'll be able to find all the subnets of the server box (Gold S) in the VPN profile. If you'd like the server-side network "Network Safe House" to be able to access devices on Gold C, then you'll need to create an allow rule on Gold C (the client) that allows the IP range "192.169.187.1/24" on your devices.
Verified 3rd-party VPN services
ExpressVPN
Fully compatible.
Follow the steps below to set up ExpressVPN on Firewalla:
1. Login to your account on ExpressVPN website.
2. Copy the Username & Password under Manual Configuration -> OpenVPN (https://www.expressvpn.com/setup#manual), and paste it into Firewalla App -> VPN Client -> profile-> create 3rd party VPN.
3. Download OpenVPN file and import the profile to the Configuration section. Or you can open the file, copy and paste the content under the text field.
4. Save the profile, and you are ready to connect.
Note: For username and password, please use the separate credential dedicated for VPN connection from their setup website. Do not use the account username and password used in the ExpressVPN app.
SurfShark
Fully compatible.
Follow the steps below to set up SurfShark on Firewalla:
1. Log in to the Surfshark website. Find your Surfshark service credentials. Pick a server (location) and download the configuration file.
2. Open Firewalla App -> VPN Client -> profile -> create 3rd party VPN. Enter your Surfshark account credentials.
3. Import the config file you downloaded previously. Or you can open the file, copy & paste the content under the text field.
4. Save the profile, and you are ready to connect.
NordVPN
Fully compatible.
Follow the steps below to set up NordVPN on Firewalla:
1. Go to the server picker on the NordVPN website. Tap the Show available protocols button. Download the configuration file for the connection protocol you want to use.
2. Open Firewalla App -> VPN Client -> profile -> create 3rd party VPN. Enter your NordVPN account credentials.
3. Import the config file you downloaded previously from NordVPN website. Or you can open the file, copy & paste the content under the text field.
4. Save the profile, and you are ready to connect.
Smart DNS Proxy
Fully compatible.
IPVanish VPN (Requires additional configuration)
(These steps should not be needed anymore; they are here in case you run into problems.)
1. Find the line starting with "ca". In your profile, it is "ca ca.ipvanish.com.crt".
2. Copy the content of ca.ipvanish.com.crt, which should come together with your profiles from the IPVanish website.
3. Replace the "ca" line in the profile with the following content:
<ca>
[Paste the content of ca.ipvanish.com.crt here]
</ca>
PureVPN (Requires additional configuration)
Remove these two entries before importing the PureVPN profile into Firewalla:
route-delay 2
route 0.0.0.0 0.0.0.0
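The three profile edits described above (keep a single "remote" line, inline the CA file as a <ca> block, drop the PureVPN route entries) as one added Python example; this is not Firewalla's code, and the sample profile, addresses and certificate text are constructed placeholders:

```python
import re

# Constructed sample profile (not a real provider file); 203.0.113.x is a documentation range.
SAMPLE_PROFILE = """client
dev tun
proto udp
remote 203.0.113.10 80
remote 203.0.113.10 443
remote 203.0.113.10 1194
route-delay 2
route 0.0.0.0 0.0.0.0
ca ca.ipvanish.com.crt
cipher AES-256-CBC
"""
# Constructed stand-in for the CA file that ships next to the profile.
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
ROUTE_ENTRIES = ("route-delay 2", "route 0.0.0.0 0.0.0.0")

def normalize_ovpn(profile_text, ca_files=None, drop_route_entries=False):
    """Return (new_profile, changes). ca_files maps a file name referenced by a
    'ca <file>' directive to its contents so it can be inlined as <ca>...</ca>."""
    ca_files = ca_files or {}
    out, changes, seen_remote = [], [], False
    for raw in profile_text.splitlines():
        line = raw.strip()
        if re.match(r"^remote\s+\S+", line):          # 'remote-cert-tls' etc. do not match
            if seen_remote:                            # Firewalla accepts one remote only
                changes.append(f"dropped extra remote: {line}")
                continue
            seen_remote = True
        elif drop_route_entries and line in ROUTE_ENTRIES:   # PureVPN fix
            changes.append(f"dropped: {line}")
            continue
        elif line.startswith("ca ") and line.split(None, 1)[1] in ca_files:  # IPVanish fix
            name = line.split(None, 1)[1]
            out.append("<ca>\n" + ca_files[name].rstrip("\n") + "\n</ca>")
            changes.append(f"inlined {name}")
            continue
        out.append(raw)
    return "\n".join(out) + "\n", changes

def remote_count(profile_text):
    """Number of 'remote' directives left; Firewalla needs exactly one."""
    return sum(1 for l in profile_text.splitlines() if re.match(r"^\s*remote\s+\S+", l))
```

Run `normalize_ovpn(SAMPLE_PROFILE, {"ca.ipvanish.com.crt": SAMPLE_CA}, True)` and check `remote_count` on the result before importing the file into the app.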
Contributed by our users:
https://surfshark.com : works flawlessly.
Private Internet Access: Compatible
Comments
This is confusing. I am in beta mode and cannot find a VPN Client button on the Firewalla app. Can you be more clear as to the steps required to access this Button?
The Box & App should both be in Beta to use this feature.
Go to Settings -> Advanced -> Beta program, switch on "Join Box beta program".
If you are using iOS, make sure you have installed the latest version App 1.31(15) from TestFlight.
If you are using Android, the feature is coming shortly after, please be patient.
Was wondering when the ability of username and password authentication be available?
I downloaded the OpenVPN profile from my NordVPN account and imported it into the Firewalla app. The issue is that your app allows saving the NordVPN profile password but not the username so I cannot connect.
@Daniel, @Alamosoft
Sorry for the trouble. We are working on it. No committed date on that yet. We have a bunch of features coming together...
Melvin
Is there an example on how to create a new profile if I want to use a 3rd party VPN provider?
@Augustus,
Usually the ovpn file should be provided by the 3rd party VPN provider instead of writing your own.
And you can import the ovpn file or create a new profile (and copy/paste the content). We'll make a video on that soon.
And please be aware that this is still beta and username+password is not supported yet.
Melvin
Hi Firewalla Team,
if I SSH into /home/pi/.firewalla/run/ovpn_profile
could I place an ovpn and auth file in that folder that the firewalla device would recognize?
I have a 3rd party VPN but it requires Username and Password.
Not really. There are a couple of other places that need to be updated.
I suggest you wait for our next release, which natively supports the username and password.
The release will be pushed to alpha branch in next 1-2 days.
Melvin
thanks Melvin!
Just testing this now. On Android there is no option to import a profile, also when pasting one in, the "save" button stays greyed out.
Using iOS is more successful, I can import a profile, did a UDP and TCP from NordVPN. Next I see that I need to move devices from simple mode to static IPs on 192.168 network, so I fix two of my devices, they now show on the overlay network, I enable them both, click save and it looks like it's working, but when I test my IP, they show my normal IP not the VPN address.
Question, do I need a Firewalla Blue for this to work?
I'm a beta user. When I clicked on to use 3rd party VPN, it didn't show me how to import a file. Only manual configuration is shown. If that's the case, how do we manually configure it? Thank you.
Ok I spoke too soon, I went out and came back home and it looks like it works now.
Melvin, the latest Beta update (with notes "allows import of profiles") on Android still doesn't work. The import button now appears but when I browse to my Nord VPN UDP saved file, it's greyed out for me. Contrasting with my iOS experience, which works fine and am able to install a VPN profile fine. Just to add I'm on Android 9 using a Motorola G6
@Andy,
Thanks for trying. The import bug should have been fixed in latest version (2.44.26), please have a try.
@Keny1st7427,
Please upgrade to latest beta release (2.44.26), it has the import function.
@Melvin Tu, newest beta works great! Thanks for the quick release. Great job!
Any tips for getting ProtonVPN profiles working? My profile is verified working using a different client, but when Firewalla connects it just disconnects after a minute or so. Is there a way to view the connection logs?
I am trying to connect to ExpressVPN. I cannot load the configuration as my .ovpn file is greyed out.
@George
Which app version are you using? It should be an old issue, and already fixed in latest app.
Melvin
I am using the latest beta version
@George,
Can you send a screenshot of the import profile dialog, (which has the ovpn file in the window) to help@firewalla.com?
I tried in latest beta and latest production app, it works.
Thanks,
Melvin
Is there a way to use the 3rd party VPN service's DNS servers when connected via the VPN Client?
I am in Simple Mode, with my device's IP manually set to the overlay, and its DNS server set to 192.168.4.1 (my physical network gateway IP). Perhaps setting the DNS server to the Firewalla's overlay IP (192.168.218.1)?
Edit: setting the DNS server to the Firewalla's overlay IP seemed to work. When not using the VPN client, https://dnsleaktest.com/ says I'm using an AmazonAWS server, and when VPN is on, a different server whose location matches the location of my 3rd party VPN Server I'm connected to.
@David,
The DNS server of 3rd party VPN will be used automatically when VPN client is connected and VPN mode is turned on in device.
When VPN mode is turned off in device, even if the device is still in overlay network and VPN client is still connected, it will NOT use the DNS server of 3rd party VPN. (Basically device traffic will not be sent through VPN)
So do you want to use the 3rd party DNS server even if VPN mode is not turned on?
Melvin
@Melvin,
The DNS server of the 3rd party VPN was not used until I told my device to use the overlay DNS address (192.168.218.1) instead of anything else.
I agree that the 3rd party VPN DNS should only be used when the device is using the VPN client.
I was just pointing out that I didn't see any instructions on how to ensure the 3rd party VPN service's DNS server was used. (My Android defaulted to using Google's DNS when I set up the static IP, and using the physical DNS address 192.168.4.1 didn't switch to the 3rd party VPN when I enabled it for the phone)
@David,
This doesn't sound right. It should be rerouted to the VPN DNS as long as you are using the overlay network.
Can you send remote support to help@firewalla.com so that we can take a look?
Thanks,
Melvin
Melvin,
I think it's working as it should. Until I specified my phone's DNS server to be the Firewalla overlay IP, the DNS didn't change when activating the VPN client for my phone (in the Firewalla app).
If that doesn't sound right, let me know, and I'll see about setting up the remote support love.
Thanks,
David
Yes, please share remote support to help@firewalla.com
Thanks!
Melvin
Start heavy test on using ProtonVPN! At the moment this is the way which makes it work on Firewalla BLUE!
Stay tuned!
Platform: Router
Protocol: UDP
Config: Server Config >> select country and click on download near to download profile!
INFO: Manual import profile as the Android App didn't import it automatically no matter if you click import profile! Manual import is working well and the config is readable as well!
Name your profile and put the required username and password!
Hello Firewalla Team.
I am struggling to configure the VPN client with ProtonVPN.
Using iOS app.
I downloaded from ProtonVPN the ‘Router’ and ‘UDP’ config file, as Ernesto highlighted in comment above. However once imported the config and entered username and password I receive an ‘Invalid Content’ pop up in the app and cannot progress further.
Any advice appreciated.
Kind Regards
**UPDATE - SOLUTION**
I found a solution, I edited ProtonVPN's configuration file. I removed all but one of the lines that lists the same IP address but different ports.
i.e. From this
remote xx.xxx.xxx.xxx 80
remote xx.xxx.xxx.xxx 443
remote xx.xxx.xxx.xxx 4569
remote xx.xxx.xxx.xxx 1194
remote xx.xxx.xxx.xxx 5060
to This
remote xx.xxx.xxx.xxx 1194