AmneziaWG VPN Server Configuration

Firewalla's VPN Server supports OpenVPN, WireGuard, and AmneziaWG protocols. This is our guide on configuring an AmneziaWG VPN. To learn more about Firewalla's VPN Server, please refer to this article: Firewalla VPN Server. 

This feature is still in beta and is only available on box version >= 1.982.

AmneziaWG is WireGuard-based, a fast and reliable VPN protocol due to its compact codebase and high efficiency. However, WireGuard traffic packets can be easily identified and blocked. AmneziaWG solves this issue by obfuscating its traffic to be disguised as popular UDP protocols. (References: https://docs.amnezia.org/documentation/amnezia-wg/, https://github.com/amnezia-vpn/amneziawg-go)

• Like WireGuard, AmneziaWG is UDP-based (OpenVPN can run over TCP or UDP) and is rated to perform 1.5-2x faster than OpenVPN (on Firewalla Gold series)
• AmneziaWG only modifies packet headers and adds "junk" data to obfuscate traffic and bypass VPN blocking.
• AmneziaWG is only available for VPN Server. Support for VPN Client is coming soon.
• Compared to WireGuard, AmneziaWG may use a bit more network bandwidth and be a bit slower due to obfuscation; AmneziaWG is likely to perform better when used in places where WireGuard is blocked.

To configure the Firewalla AmneziaWG Server:

1. Enable AmneziaWG

2. Configure Port Forwarding

3. Connect to Firewalla AmneziaWG VPN Server

4. VPN Device Management

5. Customize Your AmneziaWG Settings

1. Enable AmneziaWG

Tap the VPN Server icon on your Firewalla's main screen, then tap the AmneziaWG button to turn it on. 

2. Configure Port Forwarding 

Similar to OpenVPN and WireGuard, AmneziaWG requires its port to be accessible from outside your network.

• If you are using Firewalla in Router mode without double NAT or CGNAT, skip this step. Port Forwarding will be shown as complete.
• In all other cases, you will need to make some configurations:
  • If you're under double NAT, you can manually set up port forwarding. Tutorial: How to set up port forwarding for VPN Server
  • If you have a working IPv6 address or another WAN with a public IP address, you can change your DDNS to “IPv6 only” or use your other WAN. This is especially useful if you're under CGNAT and your ISP doesn't allow port forwarding. To do this, tap your server's Setup, then tap DDNS. You can then modify its IP Address Type and WAN Interface as needed

3. Connect to Firewalla AmneziaWG VPN Server

Step 1: Add Clients in the Firewalla App

To connect your mobile device or computer to the Firewalla VPN server, you'll first need a VPN profile.

On the Firewalla app, tap Setup -> Add a Client, and a client will be created automatically. Tap the client, and it will show you a profile and a QR code.

Note:

• All WireGuard and AmneziaWG VPN Server clients count toward the same total client limit.
  • Production Firewalla Boxes: 
    • Up to 25 total clients
    • Firewalla Gold Pro: Up to 50 total clients
  • Beta & Early Access Firewalla Boxes: 
    • Up to 100 total clients
    • Firewalla Gold Pro: Up to 200 total clients
• You can remove a client by tapping 'Delete This Client' at the bottom of the client profile.
• Please do NOT use the same VPN profile on different AmneziaWG clients at the same time. 

Step 2: Set Up The AmneziaWG App

To connect to the VPN server, you will need to install the AmneziaWG app on your mobile or desktop device. Here is the installation guide provided by AmneziaWG. (This app is NOT implemented by the Firewalla Team)

There are two ways to use the AmneziaWG app to connect your device to the AmneziaWG VPN Server:

• Create from file, then "open in AmneziaWG"
• Create from QR code.

Depending on which method you select, you'll need to access either the VPN client profile or QR code from the Firewalla App. Here is an example of the AmneziaWG app on iOS:

If you're setting up your personal device as the client, you can also quickly open the profile with the AmneziaWG app to simplify the process. Here is an example on iOS:

4. VPN Device Management

The AmneziaWG VPN Server creates a local network on Firewalla. All the devices will join the network once connected to the VPN. Each VPN device corresponds to a VPN client you created in the VPN server setup. 

On the Devices list, tap the AmneziaWG network or a VPN device. You can view network flows and basic info, receive alarms, and apply rules or features to the entire VPN network or to any VPN device individually, just like any local device. You can learn more about device management here.

5. Customize Your AmneziaWG Settings

5.1 On-Demand Activation

If you want to ensure a device (such as your kids’ phone) always connects to your Firewalla VPN server, you can turn On-Demand Activation in the AmneziaWG app. This will automatically turn on your VPN connection when your device connects to cellular data and/or Wi-Fi.

5.2 On-Demand Activation Exceptions

You can also add an exception. While you're editing your AmneziaWG configuration, enable the cellular and Wi-Fi options under On-Demand Activation. Then, tap SSIDs. Tap Except these SSIDs, then enter the name of your home network.

(iOS or Mac only; for other OSs, you will need to use a separate 3rd-party app)

5.3 Adjust MTU (Advanced)

If your LTE provider requires a smaller MTU value, you can optionally adjust the MTU value per client profile in the AmneziaWG app. Note: Please use caution when changing this setting. Most clients do not require specifying an MTU value.