What is the Firewalla VPN Client?
Firewalla VPN Client is a service running on your Firewalla box. When it is running, you can direct the traffic of any of your home devices, in and out of the local network, through a VPN connection.
Firewalla enables you to create 3 types of VPN connections:
- Site to Site VPN
- Remote Access VPN
- 3rd-party VPN (Verified 3rd-party VPN services)
| | Site to Site VPN** | Remote Access VPN | 3rd-Party VPN |
|---|---|---|---|
| Network Access | Bi-directional | One way | One way |
| Certificate-only Setup | Yes | Yes | No |
| Box Requirement | 2 Firewalla Boxes | 2 Firewalla Boxes | 1 Firewalla Box |
| VPN Protocol | OpenVPN, WireGuard* (Beta) | OpenVPN, WireGuard* | OpenVPN |
* Wireguard is only supported on the following Firewalla boxes: Gold, Purple, BluePlus.
** For details of Site to Site VPN, please refer to this document.
3rd-party VPN Server
Scenario:
You have many devices at home, all connected to a router that provides access to the Internet. You worry that your ISP can see your internet traffic and log your browsing history. Or you are in a location where some of the websites you want to use are not accessible.
Problem:
You paid for a 3rd-party VPN service to protect your online traffic from snooping, interference, and censorship. But you have to install a VPN client on every device to connect it to the 3rd-party VPN service, and you have to manage all of them (laptops, smartphones, tablets, and game consoles) with separate apps on different platforms. Some of your devices may not even be able to install a VPN client app. Or you want to watch Netflix on Apple TV, but are told that it is not supported in your location.
Solution:
Firewalla VPN Client enables you to connect your network to a 3rd party VPN Server. You don't need to install an individual VPN app on all devices. All you need to do is to enable the VPN Client on the Firewalla app, and select which device you want to connect to the 3rd party VPN Server.
Because each 3rd-party VPN server operates differently, Firewalla cannot guarantee performance; it depends on the 3rd-party VPN server and how that server allocates bandwidth.
Remote Access VPN
Scenario:
When you are working from home, you need to access the company network to access files, printers, or connect to a computer.
Problem:
You want to have an easy way to access company resources remotely while you are at home. Your company wants to provide you with a secure way to access its network.
Solution:
Remote access VPN enables you to securely connect to the office network from anywhere. This is a one-way encrypted channel. This setup requires you to have 2 Firewalla boxes. One as the VPN server, the other as the VPN client. Here are more details on Firewalla VPN Server.
Site to Site VPN
Scenario:
Your company has offices at two different sites. Both the headquarters and the subsidiary (branch) office have their own separate network, with computers and servers connected.
Problem:
Someone at a computer in the headquarters cannot access a server in the subsidiary (branch) office, and vice versa.
Solution:
Site-to-site VPN allows you to connect the two networks. Devices in one network can reach devices in the other network under strong encryption.
For details of Site to Site VPN, please refer to this document.
How to use the Firewalla VPN Client?
Step 1: Create a VPN connection
- Go to: Home Screen -> VPN Client
- Tap on + Create VPN Connection to create a new profile/connection
NOTE: You can create up to 9 VPN connections in total.
Site to Site VPN:
For details of Site to Site VPN, please refer to this document.
Remote Access VPN:
Create a VPN Connection with another Firewalla Box (with the VPN Server enabled) to establish a client -> server VPN. The client site can selectively send device traffic to the server site.
3rd-party VPN Server:
3rd-party VPN supports 3 types of protocols:
- OpenVPN
- WireGuard
- AnyConnect (Beta)
You can create a VPN connection with a 3rd-party VPN server by importing an existing VPN server profile, or by filling in the configuration from scratch based on the 3rd-party VPN service you chose.
Note: Follow the manual of the 3rd party VPN to find the credential (username/password) or profile required for the VPN connection. Here is a detailed guide on several verified VPN providers.
AnyConnect (Beta)
For those of you who are using AnyConnect to connect your devices to your company/school, you can now create a VPN connection on the Firewalla box and then connect any of your devices (or your entire network) to it with one tap.
If your VPN service provider requires Multi-Factor Authentication, just turn on the option and the app will ask for a one-time password when connecting to the VPN.
If your VPN service provider lets you generate your one-time passwords from a secret or a QR code, tap One-Time Password, select Auto-Fill, then enter the secret or tap the "[-]" icon on the right to scan the QR code provided by the VPN service provider, and save the configuration. Firewalla will then auto-fill your OTP every time it connects to the VPN, so you no longer need to enter OTPs manually.
Step 2: Select Devices to Apply
When the connection setup is completed, you can selectively send your devices' network traffic through the VPN.
Note: devices must be part of the Firewalla overlay network or in router mode, in order to use VPN.
- If you are using DHCP mode, all your monitored devices are already in the Firewalla overlay network.
- If you are using Simple mode, you need to manually join your devices to the Firewalla overlay network. This is done by assigning a static IP address to the device. Here is a tutorial on how to join the overlay network in Simple mode.
- If you are using Router mode, you do not need to do anything extra.
Step 3: Connect to VPN
There are two ways to connect:
- Switch on the "VPN" button, you'll see the status become "Connected".
- On any device/ network/ group detail page, tap the VPN button and select which VPN to connect to.
Up to 5 active VPN connections are supported.
VPN Profile Configurations
After a VPN profile is set up, there are some options you can set.
- Outbound Policy:
  - Server site subnets: The app lists all the subnets on the server site in this section. The outbound policy of all these subnets is set to VPN, which means that when VPN-enabled devices access those subnets from your local network, Firewalla sends the traffic via VPN.
  - Internet: Direct or VPN
    - Direct means the VPN-enabled devices use their default gateway for Internet access.
    - VPN means the VPN-enabled devices use the gateway on the VPN server site for Internet access.
- Force DNS over VPN: on or off
  For VPN-enabled devices, force DNS over VPN, or leave it off (the system default DNS is used instead).
  When it is on, Adblock, Family Mode, Safe Search, and DoH will not work on devices connected to VPN.
- Internet Kill Switch: on or off
  This option is ONLY available when the Internet option is set to VPN.
  When it is on, Firewalla will be able to:
  - Detect and generate an alarm if the VPN connection encounters any error.
  - Automatically disconnect the device's Internet access if the VPN is down.
  - Detect and generate an alarm when the VPN connection is restored.
- Policy-Based Routes: Firewalla policy-based routing can be used to route traffic to VPN or locally. See https://help.firewalla.com/hc/en-us/articles/4408977159187-Using-Firewalla-Policy-Based-Routing-with-VPN-and-Multi-WAN
Common Issues and Fixes:
- IPv6 Traffic is NOT supported, and will NOT be routed to VPN. Please make sure your IPv6 is turned off. (For Firewalla Gold, go to Network -> LAN network -> turn off IPv6)
- Devices (e.g. laptop, phone, tablet) should not use any local DNS servers.
- Devices must be part of the Firewalla overlay network or Firewalla in "router mode" to use VPN.
- On a Firewalla box, both the Firewalla VPN server and Firewalla VPN client can be running at the same time.
- Firewalla VPN Client only supports one remote address. If the .ovpn file from your provider has multiple "remote xxxx .." addresses, please delete all but one of them.
Verified 3rd-party VPN services
These are verified by our test team and also contributed by customers. Although we try our best to keep this updated, there may be times when we can't catch up with service changes. If you do have issues, please post them to our forums at https://help.firewalla.com
ExpressVPN
Fully compatible.
Follow the steps below to set up ExpressVPN on Firewalla:
1. Log in to your account on the ExpressVPN website.
2. Copy the Username & Password under Manual Configuration -> OpenVPN (https://www.expressvpn.com/setup#manual), and paste it into Firewalla App -> VPN Client -> profile-> create 3rd party VPN.
3. Download the OpenVPN file and import the profile to the Configuration section. Or you can open the file, copy and paste the content under the text field.
4. Save the profile, and you are ready to connect.
Note: For username and password, please use the separate credential dedicated for VPN connection from their setup website. Do not use the account username and password used in the ExpressVPN app.
SurfShark
Fully compatible.
Follow the steps below to set up SurfShark on Firewalla:
1. Log in to the Surfshark website. Find your Surfshark service credentials. Pick a server (location) and download the configuration file.
2. Open Firewalla App -> VPN Client -> profile -> create 3rd party VPN. Enter your Surfshark account credentials.
3. Import the config file you downloaded previously. Or you can open the file, copy & paste the content under the text field.
4. Save the profile, and you are ready to connect.
NordVPN
Fully compatible.
Follow the steps below to set up NordVPN on Firewalla:
1. Go to server picker on the NordVPN website. Tap on Show available protocols button. Download the configuration file depending on the connection protocol you want to use.
2. Open Firewalla App -> VPN Client -> profile -> create 3rd party VPN. Enter your NordVPN account credentials. You can find your NordVPN service credentials (username and password) in the Nord Account dashboard. Copy the credentials using the “Copy” buttons on the right.
3. Import the config file you downloaded previously from the NordVPN website. Or you can open the file, copy & paste the content under the text field.
4. Save the profile, and you are ready to connect.
Smart DNS Proxy
Fully compatible
IPVanish VPN (Requires additional configuration)
(Per IPVanish support, new IPVanish profiles have the CA cert content embedded. The steps below should no longer be needed; they are here in case you run into problems.)
1. You should have two files from IPVanish: 'ipvanish-XX-XX-XXX-XXX.ovpn' and 'ca.ipvanish.com.crt'.
2. Open 'ca.ipvanish.com.crt' in a text editor and copy all of its content.
3. Open 'ipvanish-XX-XX-XXX-XXX.ovpn' in a text editor and find the line "ca ca.ipvanish.com.crt".
4. Replace the "ca" line in the .ovpn file with the following content:
<ca>
[Paste the content of ca.ipvanish.com.crt here]
</ca>
5. Save it and import the new file to Firewalla VPN client.
PureVPN (Requires additional configuration)
Remove these two entries before importing the PureVPN profile to Firewalla
route-delay 2
route 0.0.0.0 0.0.0.0
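Several of the profile fixes on this page (keep only one "remote" line, replace a "ca"/"cert"/"key" file reference with an inline <ca>/<cert>/<key> block as in the IPVanish steps, and drop the two PureVPN route entries) can be applied in one pass before import. The script below is an added example, not Firewalla's or any provider's code; the profile text, hostnames and certificate contents are constructed placeholders.

```python
# Prepare an OpenVPN profile for Firewalla import (added example, not Firewalla code).
INLINE_DIRECTIVES = ("ca", "cert", "key")
# The two PureVPN entries this page says to remove before import.
DROP_LINES = {"route-delay 2", "route 0.0.0.0 0.0.0.0"}


def prepare_profile(ovpn_text: str, side_files: dict) -> str:
    """Return a profile with a single 'remote', inline certs/keys and no PureVPN route lines.

    side_files maps a file name referenced by a ca/cert/key directive to its PEM content.
    A referenced file that was not supplied is an error rather than a silent omission.
    """
    out = []
    remote_seen = False
    for raw in ovpn_text.splitlines():
        line = raw.strip()
        if line in DROP_LINES:
            continue
        parts = line.split()
        if parts and parts[0] == "remote":
            if remote_seen:
                continue  # Firewalla VPN Client only supports one remote address
            remote_seen = True
        if len(parts) == 2 and parts[0] in INLINE_DIRECTIVES:
            directive, name = parts
            if name not in side_files:
                raise FileNotFoundError(f"{directive} references {name}, which was not supplied")
            pem = side_files[name].strip()
            out.append(f"<{directive}>\n{pem}\n</{directive}>")
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample in the shape the page describes: file-referenced ca/cert/key,
# several remote lines, and the PureVPN route entries. Not a real provider profile.
SAMPLE_OVPN = """client
dev tun
proto udp
remote vpn-a.example.invalid 1194
remote vpn-b.example.invalid 1194
route-delay 2
route 0.0.0.0 0.0.0.0
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
verb 3
"""

# Constructed placeholder PEM bodies standing in for the provider's files.
SIDE_FILES = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA\n-----END CERTIFICATE-----\n",
    "client.crt": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CERT\n-----END CERTIFICATE-----\n",
    "client.key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-KEY\n-----END PRIVATE KEY-----\n",
}


def prepared_sample() -> str:
    return prepare_profile(SAMPLE_OVPN, SIDE_FILES)


if __name__ == "__main__":
    print(prepared_sample())
```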
ProtonVPN
Follow the steps below to set up ProtonVPN on Firewalla:
1. Log in to the web-based dashboard at account.protonvpn.com using your account credentials (the ones you set during account creation).
2. Select Downloads in the left navigation bar on the ProtonVPN dashboard. Find the OpenVPN configuration files section and choose (platform: Router; Protocol: UDP). Download the configuration file from ProtonVPN.
3. Open Firewalla App -> VPN Client -> profile -> create 3rd party VPN. Enter your OpenVPN/IKEv2 username and password. Copy the credentials using the “Copy” buttons on the right and paste them into the "username", "password" fields.
4. Import the configuration file into the Firewalla app.
Contributed by our users:
https://surfshark.com : works flawlessly.
Private Internet Access: Compatible
Comments
@Firewalla Team - Hey guys, the wait is nearly at an end as WireGuard will be part of Linux Kernel 5.6!
Can you make it happen soon on Firewalla devices as a modern, more secure, lighter and faster option, as it resides in the kernel itself?!?!
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bd2463ac7d7ec51d432f23bf0e893fb371a908cd
Will be a great gift to all of us!
Is Firewalla VPN server to Firewalla Client (3rd party VPN) possible...in short, can you direct all your traffic from the firewalla server to 3rd party VPN.
Did anyone manage to get this to work with VPN Unlimited? I managed to import the openVPN profile, but after filling the user and pass it won't connect.
NordVPN – Best VPN Service Provider | NordVPN Review
https://mstwotoes.com/nordvpn-best-vpn-service-provider-nordvpn-review/
Confirmed TorGuard is working. Issues importing the OVPN file, so cut and paste the code.
@neil's solution also works for profiles generated by Mullvad VPN, which is simply leaving only one "remote xxx" entry in the .ovpn file.
A couple of questions:
1. How is the compatibility with TorGuard [1]?
2. How does Firewalla deal with failure concerning the 3rd party VPN? Does it automatically reconnect? Is all external traffic blocked until successfully reconnected to avoid leakage outside of the 3rd party VPN?
3. Is there any monitoring regarding 3rd party VPN performance... in case you are paranoid about the performance of your 3rd party VPN provider :-)
4. Is there anyway to have multiple concurrent VPNs? So e.g. traffic bound for the UK goes via the UK VPN, and traffic bound for country X goes via the X VPN?
[1] https://torguard.net/
@Simon
1. We have not tested the compatibility with TorGuard.
2. There is a kill switch feature provided in Firewalla that you can choose to pause device traffic if VPN connection is broken and resume the traffic when the connection is auto recovered. This option can prevent leakage.
3. We don't have performance test at this moment.
4. policy-based VPN routing will be supported on Gold.
@Melvin, Thanks for the quick answers. Do you have a link to the kill switch feature? Probably useful for other people browsing this VPN section :-)
Another question, currently I'm connecting to my 3rd party VPN via Linux running on my router. However, from time to time the system randomly gets unstable and I must manually reset. There is no feature to e.g. automatically reset every day, etc. Does Firewalla have such an automatic reset feature which can be used as a last ditch attempt to gain a better quality of service if all else fails?
@Simon
Here it is:
https://help.firewalla.com/hc/en-us/articles/360023379953-VPN-Client-Beta-#h_073b9487-d00c-4bf0-9aea-d80f8d537366
Firewalla doesn't have the auto reset feature. Since you are techie, I guess you can just ssh and add a root cronjob to restart every night :)
Hi, I have tried with TIGER VPN (https://www.tigervpn.com) and it looks like it works by using the standard configuration files and applying the following extra steps.
TIGER VPN (Requires additional configuration)
(These steps should not be needed anymore, they are here in case you run into problems)
1. find the line starting with "ca". In your profile, it is "ca ca.crt"
2. Copy the content in ca.crt, which should come together with your profiles from TigerVPN web site
3. Replace the line of "ca" in the profile with the following content:
<ca>
[Paste the content of ca.crt] here.
</ca>
Now it should work like a charm.
After lots of effort I still cannot get the surfshark VPN to work properly. Has anyone been able to actually get it working as described above?
Help needed on VPNSecure.
I have a lifetime subscription on this VPN Service.
I downloaded their ovpn server files, which look like this:
client
proto udp
dev tun
remote lu1.isponeder.com 1282
cipher AES-256-CBC
verb 3
mute 20
keepalive 10 120
comp-lzo
float
persist-key
persist-tun
resolv-retry infinite
nobind
auth-nocache
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
This doesn't work - no connection within 30 seconds. No other error?
Then I reached out to their support and they gave me another file for routers:
client
proto udp
dev tun
remote lu1.isponeder.com 1282
cipher AES-256-CBC
verb 3
mute 20
keepalive 10 120
comp-lzo
float
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
With this file is it the same problem - no connection within 30 seconds - no error given.
Could someone help me with this?
What is the default filestructure that Firewalla needs to establish connection???
Can I set up multiple VPN profiles and assign different devices to each profile and, most importantly, have them both active at the same time? A more specific example: I have hosts A, B, C and D. I would like to have hosts A and B assigned to VPN_Profile1 (ExpressVPN) and hosts C and D assigned to VPN_Profile2 (another 3rd-party VPN).
Thanks!
Are you considering supporting WireGuard as a VPN client? WireGuard performs much better when the CPU doesn't have AES-NI.
The Gold has AES-NI. The problem with OpenVPN is that it is single-threaded, while WireGuard can use multiple cores. As for raw encryption, likely both are the same. The WireGuard VPN client will be there after the WireGuard VPN server.
Is it possible to connect to a server that I have that is running openvpn with the gold?
Hello, I am trying to configure iVPN on Gold to use the 3rd Party VPN function on the router.
I need to upload some config file into the Firewalla App, no idea what this looks like or whats required.
Has anyone managed to get this working for https://www.ivpn.net ?
Any help really appreciated.
Thanks, Donald
https://www.reddit.com/r/firewalla/comments/mafkvl/cyberghost_vpn_compatible_with_some_additional/
Just wanted to offer for the @firewalla team that you can successfully configure CyberGhost VPN, but it requires similar steps to IPVanish.
Basically you modify the .ovpn file and in place of the ca line you put the ca.crt content enclosed by <ca> </ca>; then rinse and repeat for cert (client.crt) and key (client.key).
Working great for me.
Do we know when WireGuard client is due?
Can confirm ProtonVPN works on Gold as client VPN. Just went with a country profile, UDP, and the IKEv2 username/password. Didn't change anything in ovpn file. Pretty seamless so far.
Hello
Please consider working with JumboPrivacy as a 3rd party VPN service provider.
Thanks Luke
@Luke, is it OpenVPN-based? if it is, then what kind of problems are you getting? if it is WireGuard, 1.973 and app 1.47 should support it
I've been using OpenVPN for my VPN client. It has been working great. (FYI)
Mullvad wireguard 3 connections, Cyberghost Openvpn 1 connection, and ProtonVPN 1 connection are running on 1 Firewalla Blue Plus DHCP mode serving 25 devices.
I'm worried because the heat is quite high. Can it survive for years?
I finally took the time to get my PureVPN configuration sorted out on my Firewalla and figured I'd share since the Firewalla documentation is lacking.
For those looking for setting this up with Private Internet Access (PIA), I can confirm that it works with the OpenVPN setup, but you need to use a specific configuration as the FWG doesn't appear to support the CBC modes.
I use the generator on the PIA site to generate an OVPN configuration file with the following:
Region: Pick the region you want
Port: Select UDP/1198 with RSA-2048 and AES-128-GCM
I haven't tested the stronger version of this because it's a bit of a pain to change the configuration in Firewalla (you have to delete and recreate the entire profile vs. just re-importing the configuration file into the existing config).
Is it possible to do route blackholing such that if the VPN connection on the VPN network segment goes down, no traffic is routed out of the device for the VPN VLAN but other VLANs are not impacted? Thanks!
@bob - the "internet kill switch" in the VPN connection settings should do exactly that