If your Firewalla VPN Server is not working, read through this document to diagnose and fix the issue.
Before getting started, please note that:
- WireGuard is connectionless, which means that it doesn't maintain a persistent connection. Your devices' WireGuard VPN client may show as connected even if the connection doesn't actually function.
- WireGuard profiles can't be shared. Doing so may severely affect your connection experience.
Step 0: You need a public IP
The Firewalla VPN server needs a public IP (IPv4/IPv6) address for you to connect back. See how to check if you have a public IP. If you have a public IPv4 address, you are good to go.
- Scenario A: Firewalla only has a global IPv6 address. You can change the VPN server's DDNS to IPv6 Only in order to connect. The Firewalla VPN server uses DDNS (Dynamic DNS), a service that dynamically maps a domain name to your public IP address. See our VPN Server article for more information on using IPv6.
  Note: when the Firewalla VPN server's DDNS is set to IPv6 only, the client device must have a public IPv6 address in order to connect. You can use a website like https://www.whatsmyip.org or https://ipinfo.io to confirm that the client device has a public IPv6 address.
- Scenario B: Firewalla has neither a public IPv4 nor a public IPv6 address (e.g. an address within the range 100.64.0.0-100.127.255.255, which is used by some ISPs but is considered private). Follow Step 1: Check Upstream Port forwarding Configuration to see if you are eligible for a workaround.
Step 1: Check Upstream Port forwarding Configuration
If your Firewalla gets a private IPv4 address and you can't use IPv6 DDNS, your VPN server might not be reachable from the outside. You'll see a "Need Manual Setup" message on the VPN Server's detail page.
- Scenario A: Your Firewalla is directly connected to your ISP modem. If your Firewalla is the only router behind the modem and still has a private IP, your ISP is likely using CGNAT (Carrier-Grade NAT). In this case, it's not possible to make your Firewalla accessible from the internet.
  Solution: You need to reach out to your ISP to ask for an IPv4/IPv6 public IP.
- Scenario B: You have another router upstream of your Firewalla. A router between your Firewalla and the outside world may be blocking access to your VPN server.
  Solution: You need to set up port forwarding on that upstream router. This creates a path for external traffic to reach your Firewalla's VPN server. Tap the "Need Manual Setup" button in the Firewalla app for detailed, step-by-step instructions. See How to set up port forwarding for VPN Server for more general guidance.
Step 2: Check DDNS resolution result
VPN connection failures may occur if your client device cannot properly resolve your Firewalla's DDNS hostname to its current public IP address.
- On a computer: Use the command line to check the DNS resolution.
  - For IPv4, use nslookup <yourFirewalla-DDNS>
  - For IPv6, use nslookup -type=AAAA <yourFirewalla-DDNS> (the record type is passed with -type=; a second positional argument to nslookup selects the DNS server to query, not a record type).
- On a mobile device: Install a network tool app like "Network Analyzer" and use its DNS lookup function.
Compare the resolution result with the public IP address shown on the VPN Server's detail page. A different result, or a failure to resolve, indicates a problem: investigate the DNS settings on the client device. Some networks (especially corporate or school networks) may block or interfere with DDNS resolution. If you suspect this, try testing from a different network connection.
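The comparison described in this step, as an added example script (not Firewalla's own tooling): it resolves the DDNS hostname for both A and AAAA records with nslookup and checks whether the public IP from the VPN Server's detail page is among the answers. The hostname and IP are arguments you supply; the sample values in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not Firewalla's own tooling: resolve the DDNS hostname for
# A and AAAA records and compare the answers with the public IP shown on the
# VPN Server's detail page. Hostname and IP are supplied as arguments.

# Print the addresses nslookup returns for one record type, one per line.
# The record type goes in -type=; a second positional argument to nslookup
# selects a DNS server, not a record type.
resolve_ddns() {
    nslookup -type="$2" "$1" 2>/dev/null \
        | awk '/^Name:/ {f=1; next} f && /^Address:/ {print $2}'
}

# Compare resolved addresses (newline-separated) with the expected public IP.
# Returns 0 on match, 1 when nothing resolved, 2 on a mismatch.
check_resolution() {
    expected="$1"
    resolved=$(printf '%s\n' "$2" | grep -v '^$')
    if [ -z "$resolved" ]; then
        echo "FAIL: no answer; this network may block DDNS resolution"
        return 1
    fi
    if printf '%s\n' "$resolved" | grep -qxF "$expected"; then
        echo "OK: DDNS resolves to $expected"
        return 0
    fi
    echo "MISMATCH: got [$(printf '%s' "$resolved" | tr '\n' ' ')] expected $expected (stale DDNS or client DNS issue)"
    return 2
}

# Usage: ./ddns-check.sh <yourFirewalla-DDNS> <public IP from the app>
main() {
    v4=$(resolve_ddns "$1" A)
    v6=$(resolve_ddns "$1" AAAA)
    echo "A:    ${v4:-<none>}"
    echo "AAAA: ${v6:-<none>}"
    check_resolution "$2" "$v4
$v6"
}

if [ $# -eq 2 ]; then main "$@"; fi
```

The exit status (0 match, 1 no answer, 2 mismatch) lets you run the check from a different network and compare results without reading the output by hand.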
Step 3: Verify your connection
If you think you are able to connect to your Firewalla VPN Server but you can’t reach devices on local networks:
- Use a site like https://www.whatsmyip.org or https://ipinfo.io to check if your client public IP address matches your Firewalla’s public IP when connected over VPN.
- Check your VPN client app for any logs/errors that show if you connected or not and see if you can determine a reason.
- Ping the VPN network's gateway IP. If the ping is successful, you're connected to the VPN, and the issue is likely a firewall rule blocking access to other local devices.
- Before connecting to the VPN, note your client device's public IP (see the example in Step 1). After connecting to the VPN, on the Firewalla app's VPN Server page, look for your device's IP under "Active VPN Connections." If this panel is hidden, there are no active connections to the server.
- [WireGuard only] Check your Firewalla's device list to confirm that the VPN client device is shown as online.
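The public-IP and gateway-ping checks above, as an added example script (not Firewalla's own tooling) that records the client's public IP before and after connecting, pings the VPN network's gateway, and classifies the outcome the way the bullets do. The Firewalla public IP and gateway address are arguments you supply; the ping flags assume Linux ping.

```shell
#!/bin/sh
# Added example, not Firewalla's own tooling: run the Step 3 checks from a
# client machine and classify the result. Firewalla's public IP and the VPN
# gateway are supplied as arguments; ping flags follow Linux iputils ping
# (macOS ping uses different timeout flags).

# Public IP as seen from the internet (ipinfo.io is one of the sites named above).
public_ip() { curl -s --max-time 5 https://ipinfo.io/ip; }

# Returns 0 if the VPN network's gateway answers one ping within 2 seconds.
gateway_reachable() { ping -c 1 -W 2 "$1" >/dev/null 2>&1; }

# Args: public IP before connecting, public IP after, Firewalla's public IP,
# and 0/1 for whether the gateway ping succeeded. Prints a diagnosis.
classify() {
    before="$1"; after="$2"; firewalla="$3"; ping_ok="$4"
    if [ "$ping_ok" -eq 0 ]; then
        echo "connected: gateway reachable; if LAN devices are unreachable, check firewall rules"
    elif [ "$after" = "$firewalla" ]; then
        echo "connected: egress via Firewalla's public IP, but gateway ping failed; check firewall rules"
    elif [ "$after" = "$before" ]; then
        echo "not connected: public IP unchanged; check the client app logs and Active VPN Connections"
    else
        echo "unclear: public IP changed to $after but gateway unreachable; re-check the tunnel"
    fi
}

# Usage: ./vpn-verify.sh <Firewalla public IP> <VPN gateway IP>
main() {
    firewalla="$1"; gateway="$2"
    before=$(public_ip)
    printf 'Public IP before VPN: %s\nConnect the VPN now, then press Enter. ' "$before"
    read -r _
    after=$(public_ip)
    ping_ok=1; gateway_reachable "$gateway" && ping_ok=0
    echo "Public IP after VPN:  $after"
    classify "$before" "$after" "$firewalla" "$ping_ok"
}

if [ $# -eq 2 ]; then main "$@"; fi
```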
Common Issues
- Cannot connect to VPN server when device is on local network:
  Not all routers support connecting to the Firewalla VPN Server from inside the same network (this is sometimes called "hairpin NAT"). If you test your VPN while connected to the same network, it may fail even though it works properly when you're outside your network. Solve this problem by using an external network for testing. For example, you can simply disable Wi-Fi on your phone and test your VPN connection using LTE.
- UPnP port forwarding is wiped by upstream router (OpenVPN only):
  If you are using the OpenVPN server and your Firewalla is behind a router with UPnP turned on, this can cause a conflict: the UPnP port forward could be wiped by the upstream router. Try turning off the VPN and then turning it back on after 5 seconds. This will refresh the UPnP port. If this doesn't work, reboot Firewalla. You can avoid this entirely by configuring a static port forward on your router to Firewalla instead of using UPnP. See How to set up port forwarding for VPN Server to configure the upstream router's port forwarding.
Comments
I can connect to my VPN fine, the problem is, there is no internet connection. All internet traffic seems to have stopped. Any reason this would happen and what is the fix?