Firewalla Site-to-Site VPN connects two networks over an encrypted link, so that devices in one network can reach devices in the other under the protection of Firewalla. Unlike a client->server VPN, reachability is bi-directional.
If you have offices or homes at two different sites, each with its own separate network of computers and servers, setting up a Site-to-Site VPN connection lets you access shared devices such as file servers, printers, and video cameras bi-directionally between the two sites.
When using Firewalla Site-to-Site VPN, Firewalla IDS/IPS protection remains active, to ensure the privacy and protection of your data.
How to set up a Site to Site VPN connection?
A Site-to-Site VPN setup requires two Firewalla boxes, one at each site: one acts as the VPN server, the other as the VPN client.
Planning:
- For the two networks to reach each other, they must use different IP address ranges. For example, if one site uses 192.168.1.x, the other site CAN NOT use the same range, so give it 192.168.2.x.
- You need to plan what happens to internet traffic:
  - If you use lots of cloud apps, let that traffic NOT go through the VPN tunnel (set Internet to Direct).
  - If you want full control of traffic, set Internet to VPN and filter at the server side.
- You will need at least one Firewalla box running in VPN Server mode for the other site to connect to. (The Firewalla Red can not be a VPN server for site to site.)
Step 1: Set up VPN Server
You can choose the Firewalla box on any one of your sites to establish a VPN server (Firewalla Red is not supported as the server in a site-to-site VPN setup).
To turn on VPN Server, on the Firewalla app's main page, tap VPN Server and turn on one of the servers.
- OpenVPN
- WireGuard (Beta)
Then tap Setup and follow the UI to set up port forwarding if required.
For the full details on Firewalla VPN Server setup, see here: OpenVPN Server Configuration, and WireGuard VPN Server Configuration.
Step 2: Set up VPN Client
After setting up VPN Server on one site, you'll need to create a VPN connection using the VPN client feature on the other site.
On the other Firewalla box:
- Go to the main screen, tap VPN Client, tap + Create VPN Connection to create a new profile/connection.
- Choose Site to Site VPN as the type of new VPN connection. A security notice will pop up; tap Continue to acknowledge it.
- On the Select Peer Site page, select the Firewalla box with the VPN server enabled.
- You'll be asked to choose a protocol, OpenVPN or WireGuard (Beta). Pick the one you've enabled on the Server site in the last step.
- Tap on Done to finish setting up the new VPN connection.
More details about setting up the VPN client can be found here: VPN client.
VPN Profile Configurations:
After the VPN connection is set up, there are some options you can configure:
- Outbound Policy:
  - Peer site subnets: the app lists all subnets on the peer site in this section. The outbound policy of all these subnets is set to VPN, which means that when VPN-enabled devices on your local network access those subnets, Firewalla sends the traffic via the VPN.
  - Internet: Direct or VPN
    - Direct means VPN-enabled devices use their default gateway for Internet access.
    - VPN means VPN-enabled devices use the gateway on the VPN server site for Internet access.
- Force DNS over VPN: on or off
  When it is on, Adblock, Family Mode, Safe Search, and DoH will not work on VPN-enabled devices.
- Internet Kill Switch: on or off
  This option is ONLY available when the Internet option is set to VPN. When it is on, Firewalla will:
  - Detect and generate an alarm if the VPN connection encounters an error.
  - Automatically cut off the device's Internet access if the VPN is down.
  - Detect and generate an alarm when the VPN connection is restored.
- Policy-Based Routes: Firewalla policy-based routing can be used to route traffic to the VPN or locally. See this article: Using Firewalla Policy Based Routing with VPN and Multi-WAN.
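As an added example (not Firewalla's own code or configuration), the following Python script models the planning rule above (the two sites must use different subnets) together with the Outbound Policy, Internet and Internet Kill Switch options: it checks two sites' planned subnets for overlap and shows where a VPN-enabled device's traffic ends up under each setting. The subnet values and the outcome labels returned by `route_for` are constructed assumptions for illustration.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed planning data for two sites (illustrative values, not from a real deployment).
SITE_A_SUBNETS = ["192.168.1.0/24"]
SITE_B_SUBNETS = ["192.168.2.0/24"]


def overlapping_subnets(site_a: Iterable[str], site_b: Iterable[str]) -> List[Tuple[str, str]]:
    """Return every pair of subnets (one from each site) that overlap.

    Planning rule from the article: the two sites must use different address
    ranges; an overlap means peer-site traffic cannot be told apart from local traffic.
    """
    nets_a = [ipaddress.ip_network(s, strict=False) for s in site_a]
    nets_b = [ipaddress.ip_network(s, strict=False) for s in site_b]
    return [(str(a), str(b)) for a in nets_a for b in nets_b if a.overlaps(b)]


def route_for(dst: str, local_subnets: Iterable[str], peer_subnets: Iterable[str],
              internet: str, vpn_up: bool, kill_switch: bool) -> str:
    """Model where a VPN-enabled device's packet to `dst` is sent.

    internet is "direct" or "vpn" (the Outbound Policy Internet setting);
    kill_switch only has an effect when internet == "vpn", as in the app.
    """
    ip = ipaddress.ip_address(dst)
    if ip.version == 6:
        # IPv6 is never routed into the tunnel, so it leaves via the default
        # gateway regardless of policy; this is why the article says to turn IPv6 off.
        return "direct"
    if any(ip in ipaddress.ip_network(s, strict=False) for s in local_subnets):
        return "local"
    if any(ip in ipaddress.ip_network(s, strict=False) for s in peer_subnets):
        # Peer-site subnets always have outbound policy VPN.
        # Assumption: with the tunnel down there is no path to the peer site.
        return "vpn" if vpn_up else "unreachable"
    if internet == "direct":
        return "direct"
    if vpn_up:
        return "vpn"
    # Internet=VPN but tunnel down: the kill switch cuts Internet access;
    # assumption: without it, traffic falls back to the default gateway.
    return "blocked" if kill_switch else "direct"


def check_plan() -> List[Tuple[str, str]]:
    """Run the overlap check on the constructed plan; an empty list means the plan is OK."""
    return overlapping_subnets(SITE_A_SUBNETS, SITE_B_SUBNETS)
```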
Step 3: Connect to the VPN
To connect devices to the VPN, on the VPN client box, switch on the "VPN" button; the status will change to "Connected". At this point, devices on the VPN server site can access the network on the VPN client site.
On the VPN client site, to selectively send your devices' traffic through the VPN, open the VPN connection, tap Apply To, select the devices, networks, or groups you'd like to connect to the peer (server) site, and tap Save. You can also tap the VPN button on any device, network, or group's detail page and select which VPN to connect to.
Note:
- Devices must be part of the Firewalla overlay network, or Firewalla must be in router mode, in order to use the VPN.
- Only 1 VPN can be connected between the same Server and Client at the same time.
- Up to 5 VPNs can be connected from a VPN client at the same time.
- More details can be found here: VPN client.
Common Issues and Fixes
- IPv6 traffic is NOT supported and will NOT be routed through the VPN. Please make sure IPv6 is turned off. (For Firewalla Gold, go to Network -> LAN network -> turn off IPv6.)
- Only the OpenVPN protocol is supported for Site-to-Site VPN. (WireGuard site to site is supported on App Beta version 1.50.)
- Devices (e.g. laptops, phones, tablets) should not use any local DNS servers.
- Devices must be part of the Firewalla overlay network, or Firewalla must be in "router mode", to use the VPN.
- DO NOT use the same subnets at both sites; this might cause unexpected problems.
- Firewalla Gold/Purple has a default firewall rule that blocks all inbound connections from outside your network. In a site-to-site VPN connection, allow rules are created automatically on the client site box to permit traffic from the server site box.