- What's Site to Site VPN
- How to set up a site-to-site VPN connection?
- How to limit access on Site to Site VPN tunnel
- Common Issues and Fixes
What's Site to Site VPN
Firewalla site-to-site VPN allows you to connect two networks over encrypted links, such that devices in one network can reach devices in the other network under the protection of Firewalla.
Unlike client->server VPN, the reachability of a site-to-site VPN is bi-directional.
If you have offices or homes at two different sites, both of the sites have their own separate network, with computers and servers connected, by setting up a Site to Site VPN connection, you'll be able to access shared devices such as file servers, printers, and video cameras bi-directionally between the two sites.
Note: site-to-site VPN can only be established on Firewalla box. Site-to-site VPN connection needs to be recreated when the network settings is changed on either server or client side.
When using Site to Site VPN, the Firewalla IDS/IPS protections will still be active, to ensure the privacy and protection of your data.
How to set up a site-to-site VPN connection?
Planning:
- A site-to-site VPN setup requires 2 Firewalla boxes. One as the VPN server, the other as the VPN client.
- To have networks reach each other, you will need to make sure they have different subnets. For example, for one site if you have a 192.168.20.x network, and the other site CAN NOT be the same, you may give it 192.168.30.x.
- If you want to connect multiple sites together, you'll need to set up VPN server on one box, and VPN client on the others. Here is more detail about connecting multiple sites.
Step 1: Set up VPN Server
You can choose the Firewalla box on any one of your sites to establish a VPN server (Firewalla Red is not supported as the server in a site-to-site VPN setup).
To turn on VPN Server, on the Firewalla app's main page, tap VPN Server and turn on one of the servers.
- OpenVPN
- WireGuard
Then tap Setup and follow the UI to set up the port forwarding if required.
For the full details on Firewalla VPN Server setup, see here: OpenVPN Server Configuration, and WireGuard VPN Server Configuration.
Step 2: Set up VPN Client
After setting up VPN Server on one site, you'll need to create a VPN connection using the VPN client feature on the other site.
On the other Firewalla box:
- Go to the main screen, tap VPN Client, and tap + Create VPN Connection to create a new profile/connection.
- Choose Site to Site VPN as the type of new VPN connection
A warning message of security notice will pop up. Tap continue to acknowledge. - On the Select Peer Site page, select the Firewalla box with the VPN server enabled.
- You'll be asked to choose a protocol, OpenVPN or WireGuard. Pick the one you've enabled on the Server site in the last step.
- Tap on Done to finish setting up the new VPN connection.
Note: Firewalla Gold/Purple has a default Firewall rule that blocks all inbound connections from outside your network. In a site-to-site VPN connection, to allow traffic from the server site box, allow rules will be created automatically on the client site box.
More details about setting up the VPN client can be found here: VPN client.
VPN Profile Configurations:
After the VPN connection is set up, there are some options you can set:
- Outbound Policy:
- Peer site subnets: The app will list all the subnets on the peer site in this section. The outbound policy of all the subnets will be set to VPN, which means when VPN-enabled devices access those subnets from your local network, Firewalla will send the traffic via VPN.
- Internet: Direct or VPN
Direct means the VPN-enabled devices will be using its default gateway for Internet access.
VPN means the VPN-enabled devices will be using the gateway on the VPN server site for Internet access.
If you are using lots of cloud apps, you should just set internet to direct; if you want full control of traffic, you can set the internet to VPN and filter at the server-side.
- Force DNS over VPN: on or off
When it is on, Adblock, Family Mode, Safe Search, and DoH will not be working on VPN-enabled devices. - Internet Kill Switch: on or off
This option is ONLY available when the Internet option is set to VPN
When it is on, Firewalla will be able to:- Detect and generate an alarm if VPN Connection encounters any error.
- Auto disconnect device's internet access if VPN is down
- Detect and generate an alarm if VPN Connection restores.
- Policy-Based Routes: Firewalla policy-based routing can be used to route traffic to VPN or locally. See this article: Using Firewalla Policy Based Routing with VPN and Multi-WAN.
Connecting Multiple Sites:
- Set the “Internet” outbound policy to “VPN”,
- Or, create a "route" rule and send the traffic matching the subnets of the other client site to VPN.
Example:
- Headquater subnet: 192.168.100.0/24
- Subsidiary A subnet: 192.168.20.0/24
- Subsidiary B subnet: 192.168.30.0/24
In order for devices on subsidiary A with IP 192.168.20.X to access the device on subsidiary B with IP 192.168.30.X, and vice versa, you'll need to set the “Internet” outbound policy to “VPN” in the VPN connection to headquarter, on both subsidiaries A and B.
If you don't want to send all traffic to the headquarter, you can also create a "route" rule and send only the traffic matching the subnets of the other client site to VPN.
Step 3: Connect to the VPN
To connect devices to VPN, on the VPN Client Box, just switch on the "VPN" button, and you'll see the status become "Connected". At this point, devices from the VPN server site are able to access the network on the VPN client site.
On the VPN client site, to selectively send your devices' traffic through the VPN, under the VPN connection, tap Apply To, select the devices/networks/group you'd like to connect to the peer(server) site, and tap save. You can also tap the VPN button and select which VPN to connect to on any device/ network/ group's detail page.
Note:
- Devices must be part of the Firewalla overlay network or in router mode, in order to use VPN.
- Only 1 VPN can be connected between the same Server and Client at the same time.
- Up to 5 VPNs can be connected from a VPN client at the same time.
- More details can be found here: VPN client.
How to limit access on Site to Site VPN tunnel
If you have several networks on each site, Firewalla helps you manage communication between each network. By default, devices on server network have full access to all client-side networks. On Client network, with VPN client applied, devices will have full access to Server networks.
If you want to limit specific traffic, a combination of rules helps you easily manage access.
Example:
On Headquater site, there are three networks:
- Database network 192.168.100.1/24
- Private network 192.168.11.1/24
- Guest network 192.168.12.1/24
On Subsidiary A, there are two networks:
- IoT network 192.168.20.1/24
- Work network 10.10.10.1/24
On Subsidiary B, there are two networks:
- Trust network 192.168.30.1/24
- NAS network 192.168.31.1/24
Scenario 1 Block device/group/LAN network on Server network access specific Client LAN network
- Note down Work network IP range on Subsidiary A first
- add a rule to block the traffic on Private network on Headquater. You can also block it on group/device level.
Scenario 2 Block device/group/LAN on Server network access all Client networks
- On Headquater, create a target list with all subsidiary networks included. Learn more about Target list
- When the list is created, add rules to block the traffic from any device/group/ network on Headquater.
.
If you are using WireGuard protocol, Firewalla supports per-device management for WireGuard VPN clients. A target list is NOT required to block it on network level. A more straightforward solution is to block local traffic from Guest network and apply it on Device WireGuard client directly.
Scenario 3 Only allow one server network access to one client network
If you don't want Private network and Guest network access Subsidiary B, you need to add one rule to block 'client networks' and another rule to allow traffic to Work network to Database network. Learn more about rule logic
Scenario 4 Only allow one client network access one server network
When VPN client is applied to Work network, it will grant access to all networks on Headquater. You may need to disable VPN client for Work network and add policy-based routing rule. (require box 1.973) Learn more about Policy Based Routing
Common Issues and Fixes
- IPv6 Traffic is NOT supported, and will NOT be routed to VPN. Please make sure your IPv6 is turned off. (For Firewalla Gold, go to Network -> LAN network -> turn off IPv6)
- Only the OpenVPN & WireGuard are supported for Site to Site VPN.
- Devices (i.e. laptop/phone/pad, etc) should not use any local DNS servers.
- Devices must be part of the Firewalla overlay network or Firewalla in "router mode" to use VPN.
- DO NOT use the same subnets between two sites, which might cause unexpected problems.
Comments
13 comments
This sentence :
"A site to Site VPN setup requires 2 Firewalla boxes at each site."
should be:
"A site to Site VPN setup requires 2 Firewalla boxes, one at each site."
Correct?
@Gareth, Yes, you are right. Corrected. Thanks!
I tried setting up site to site with my friend. We share work but do not have same domain etc.
‘’both me and my friend are running fw gold.
‘why do we have to have both firewalls on same account.
Given that the subnets need to be different, for clients and server, how do the subnet masks be set on both sides to make that work?
As long as the subnet for the client and servers do not overlap, it should be fine.
In the example above, having multi-site VPN, will rules also need to be created to allow those subnets at the two client sites? I'm unable to route all internet traffic through the VPN due to asymmetrical bandwidth, so I setup static routes. I'm unable to reach any devices from the two site-to-site VPN clients.
Any advice would be appreciated.
I have FWG at "headquarters" and a FWG and FWP for the two clients.
Nathan,
Did you ever get an update on this or figure it out? I have 2 Golds and 1 Gold Plus and I don't want to route all my traffic out of the headquarters. Defeats the purpose imo.
Ryan H.,
I have not received a response. I agree it defeats the purpose. If we all had synchronous Internet connections it wouldn't be a big deal. A majority of the population does not have the luxury.
Figured this out after going through the forums for an hour. They should add this configuration on this page, but this does work:
Problem resolved.
Remove yourself from the VPN Client and add all your "remote" subnets through the Routes.
VPN Client config
* Remove the Group or computers from the "Apply To" in the VPN Client.
* Select VPN for the Internet Outbound Policy
Routes config
* Add all the subnets on the server side you need to reach, including the peer site subnets listed in the VPN Client
* Point the interface for these routes to the VPN client
Nathan, if you need help let me know, I'd be happy to jump on a zoom; it was frustrating to say the least.
The common / issue and fixes section has an image of the configuration that will allow one side firewall to be turned off. I'll ask the team to document that more clearer
Is it possible to have a site to site connection that let's you ping the hostname as well.
I haven’t been able to figure that out yet; is almost feel you need to make a rule though.
Please sign in to leave a comment.