Firewalla site-to-site VPN allows you to connect two networks over encrypted links, such that devices in one network can reach devices in the other network under the protection of Firewalla.
Unlike client->server VPN, the reachability of a site-to-site VPN is bi-directional.
If you have offices or homes at two different sites, both of the sites have their own separate network, with computers and servers connected, by setting up a Site to Site VPN connection, you'll be able to access shared devices such as file servers, printers, and video cameras bi-directionally between the two sites.
Note: site-to-site VPN can only be established on Firewalla box. Site-to-site VPN connection needs to be recreated when the network settings is changed on either server or client side.
When using Site to Site VPN, the Firewalla IDS/IPS protections will still be active, to ensure the privacy and protection of your data.
How to set up a site-to-site VPN connection?
- A site-to-site VPN setup requires 2 Firewalla boxes. One as the VPN server, the other as the VPN client.
- To have networks reach each other, you will need to make sure they have different subnets. For example, for one site if you have a 192.168.1.x network, and the other site CAN NOT be the same, you may give it 192.168.2.x.
- If you want to connect multiple sites together, you'll need to set up VPN server on one box, and VPN client on the others. Here is more detail about connecting multiple sites.
Step 1: Set up VPN Server
You can choose the Firewalla box on any one of your sites to establish a VPN server (Firewalla Red is not supported as the server in a site-to-site VPN setup).
To turn on VPN Server, on the Firewalla app's main page, tap VPN Server and turn on one of the servers.
Then tap Setup and follow the UI to set up the port forwarding if required.
Step 2: Set up VPN Client
After setting up VPN Server on one site, you'll need to create a VPN connection using the VPN client feature on the other site.
On the other Firewalla box:
- Go to the main screen, tap VPN Client, and tap + Create VPN Connection to create a new profile/connection.
- Choose Site to Site VPN as the type of new VPN connection
A warning message of security notice will pop up. Tap continue to acknowledge.
- On the Select Peer Site page, select the Firewalla box with the VPN server enabled.
- You'll be asked to choose a protocol, OpenVPN or WireGuard. Pick the one you've enabled on the Server site in the last step.
- Tap on Done to finish setting up the new VPN connection.
More details about setting up the VPN client can be found here: VPN client.
VPN Profile Configurations:
After the VPN connection is set up, there are some options you can set:
- Outbound Policy:
- Peer site subnets: The app will list all the subnets on the peer site in this section. The outbound policy of all the subnets will be set to VPN, which means when VPN-enabled devices access those subnets from your local network, Firewalla will send the traffic via VPN.
- Internet: Direct or VPN
Direct means the VPN-enabled devices will be using its default gateway for Internet access.
VPN means the VPN-enabled devices will be using the gateway on the VPN server site for Internet access.
If you are using lots of cloud apps, you should just set internet to direct; if you want full control of traffic, you can set the internet to VPN and filter at the server-side.
- Force DNS over VPN: on or off
When it is on, Adblock, Family Mode, Safe Search, and DoH will not be working on VPN-enabled devices.
- Internet Kill Switch: on or off
This option is ONLY available when the Internet option is set to VPN
When it is on, Firewalla will be able to:
- Detect and generate an alarm if VPN Connection encounters any error.
- Auto disconnect device's internet access if VPN is down
- Detect and generate an alarm if VPN Connection restores.
- Policy-Based Routes: Firewalla policy-based routing can be used to route traffic to VPN or locally. See this article: Using Firewalla Policy Based Routing with VPN and Multi-WAN.
Connecting Multiple Sites:
- Set the “Internet” outbound policy to “VPN”,
- Or, create a "route" rule and send the traffic matching the subnets of the other client site to VPN.
If you have 3 networks, one box on each network:
- Headquater subnet: 192.168.100.0/24
- Subsidiary A subnet: 192.168.200.0/24
- Subsidiary B subnet: 192.168.300.0/24
In order for devices on subsidiary A with IP 192.168.200.X to access the device on subsidiary B with IP 192.168.300.X, and vice versa, you'll need to set the “Internet” outbound policy to “VPN” in the VPN connection to headquarter, on both subsidiaries A and B.
If you don't want to send all traffic to the headquarter, you can also create a "route" rule and send only the traffic matching the subnets of the other client site to VPN.
Step 3: Connect to the VPN
To connect devices to VPN, on the VPN Client Box, just switch on the "VPN" button, and you'll see the status become "Connected". At this point, devices from the VPN server site are able to access the network on the VPN client site.
On the VPN client site, to selectively send your devices' traffic through the VPN, under the VPN connection, tap Apply To, select the devices/networks/group you'd like to connect to the peer(server) site, and tap save. You can also tap the VPN button and select which VPN to connect to on any device/ network/ group's detail page.
- Devices must be part of the Firewalla overlay network or in router mode, in order to use VPN.
- Only 1 VPN can be connected between the same Server and Client at the same time.
- Up to 5 VPNs can be connected from a VPN client at the same time.
- More details can be found here: VPN client.
Common Issues and Fixes
- IPv6 Traffic is NOT supported, and will NOT be routed to VPN. Please make sure your IPv6 is turned off. (For Firewalla Gold, go to Network -> LAN network -> turn off IPv6)
- Only the OpenVPN & WireGuard are supported for Site to Site VPN.
- Devices (i.e. laptop/phone/pad, etc) should not use any local DNS servers.
- Devices must be part of the Firewalla overlay network or Firewalla in "router mode" to use VPN.
- DO NOT use the same subnets between two sites, which might cause unexpected problems.
- Firewalla Gold/ Purple has a default Firewall rule that blocks all inbound connections from outside your network. In a site-to-site VPN connection, to allow traffic from the server site box, allow rules will be created automatically on the client site box.