- What is a Site to Site VPN?
- How do I set up a Site to Site VPN connection?
- Limiting Access on Site to Site VPN Tunnels
- Connecting Multiple Sites
- Common Issues and Fixes
What is a Site to Site VPN?
Firewalla's Site to Site VPN allows you to connect two networks over an encrypted link so that devices in one network can reach devices in the other network under the protection of Firewalla. Unlike a client-to-server VPN, a Site to Site VPN is reachable in both directions.
Suppose you have offices or homes at two different sites, and both sites have separate networks with computers and servers connected. By setting up a Site to Site VPN connection, you'll be able to access shared devices such as file servers, printers, and video cameras bi-directionally between the two sites. Additionally, when using Site to Site VPN, Firewalla's IDS/IPS protection will still be active to ensure the privacy and protection of your data.
Note: Site to Site VPN connections can only be established between Firewalla boxes. Site to Site VPN connections must be recreated when network settings change on either the server or the client side.
How do I set up a Site to Site VPN connection?
Planning:
- A site to site VPN setup requires 2 Firewalla boxes – one to be the VPN server and the other to be the VPN client.
- To have networks reach each other, you will need to make sure they have different subnets. For example, if one site has a 192.168.20.x network, the other site CANNOT have a network with the same IP range, or one that overlaps it (a larger 192.168.0.0/16 network would also conflict). A 192.168.30.x subnet, for example, is fine.
- To connect multiple sites, you must set up a VPN server on one box and a VPN client on the others. Learn more about connecting multiple sites.
Step 1: Set up VPN Server
You can choose the Firewalla box at any of your sites to act as the VPN server (Firewalla Red cannot serve as the server in a site to site VPN setup).
To turn on VPN Server, tap VPN Server on your box's main page and turn on either the OpenVPN or WireGuard server.
Then, tap Setup and follow the UI to set up port forwarding if required.
For more details about Firewalla VPN Server setup, see our articles on OpenVPN Server Configuration and WireGuard VPN Server Configuration.
Step 2: Set up VPN Client
After setting up VPN Server on one site, you'll need to create a VPN connection using the VPN client feature on the other site.
On the other Firewalla box:
- Go to the main screen, tap VPN Client, and tap + Create VPN Connection to create a new profile/connection.
- Choose Site to Site VPN as the type of new VPN connection. A warning message will pop up; tap Continue to acknowledge.
- On the Select Peer Site page, select the Firewalla box with the VPN server enabled.
- You'll be asked to choose a protocol, OpenVPN or WireGuard. Pick the one you've enabled on the Server site in the last step.
- Tap on Done to finish setting up the new VPN connection.
Note: Firewalla Gold/Purple has a default firewall rule that blocks all inbound connections from outside your network. In a Site to Site VPN connection, allow rules for traffic from the server site are created automatically on the client site box. You can review or edit them under Rules -> All Devices -> Allow, for example after the server site's networks change.
More details about setting up the VPN client can be found here: VPN client.
VPN Profile Configurations:
After the VPN connection is set up, there are some options you can set:
- Outbound Policy:
  - Peer site subnets: The app lists all the subnets on the peer site in this section. Their outbound policy is set to VPN, which means that when VPN-enabled devices on your local network access those subnets, Firewalla sends the traffic via the VPN.
  - Internet: Direct or VPN. Direct means VPN-enabled devices on the client side use their own default gateway for Internet access (devices on the server side always use their default gateway). VPN means VPN-enabled devices use the gateway at the VPN server site for Internet access. If you use many cloud apps, set Internet to Direct; if you want full traffic control, set Internet to VPN and filter on the server side.
- Force DNS over VPN: on or off. When Force DNS over VPN is on, Ad Block, Family Mode, Safe Search, and DoH will not work on VPN-enabled devices. Other functions, e.g., Blocking Rules and Custom DNS Rules, will still work.
- Internet Kill Switch: on or off. This option is ONLY available when Internet is set to VPN. When it is on, Firewalla will:
  - Detect and generate an alarm if the VPN connection encounters any error.
  - Automatically cut the devices' Internet access while the VPN is down, so their traffic never falls back to the direct path.
  - Detect and generate an alarm when the VPN connection is restored.
- Policy-Based Routes: Firewalla policy-based routing can be used to route traffic to VPN or locally. See this article: Using Firewalla Policy Based Routing with VPN and Multi-WAN.
Step 3: Connect to the VPN
To connect devices to VPN, switch on the "VPN" button on the VPN Client Box, and you'll see the status become "Connected." At this point, devices from the VPN server site can access the network on the VPN client site.
To selectively send your devices' traffic through the VPN on the VPN client site, tap Apply To under the VPN connection, select the devices/networks/groups you'd like to connect to the peer (server) site, and tap Save. You can also tap the VPN button and select which VPN to connect to on any device/ network/group's detail page.
Note:
- Devices must be part of the Firewalla overlay network, or Firewalla must be in Router mode, for them to use the VPN.
- Only 1 VPN can be connected between the same Server and Client simultaneously.
- Up to 5 VPNs can be connected from a VPN client simultaneously.
Learn more in our article about Firewalla's VPN Client.
Additionally, you can use Custom DNS rules to reach devices across sites by name. Custom DNS rules are local rules that no public DNS provider could answer, because they refer to devices on your own network or, in some cases, to alternative names for devices outside it. They can be used for many things, such as giving the same NAS server several names or pointing a name at a virtual IP address. Think of them as a local address book: a name you define on the client site box can point at a device's IP in a peer site subnet, so devices can address it by name instead of by IP.
Limiting Access on Site to Site VPN Tunnels
If you have several networks on each site, Firewalla helps you manage communication between each network. While the VPN Client is active:
- Devices on the server network have access to client-side networks.
- Devices on the client network have access to server networks as long as the VPN Client is applied to those devices.
If you want to limit specific traffic, a combination of rules can help you easily manage access.
For the next scenarios, we'll assume the following setup:
In the Server site, there are three networks:
- Database network: 192.168.100.1/24
- Private network: 192.168.11.1/24
- Guest network: 192.168.12.1/24
In the Client site, there are two networks:
- IoT network: 192.168.20.1/24
- Work network: 10.10.10.1/24
Scenario 1: Block a network in the Server site from accessing a specific Client site network
First, note down the IP range of the Client network you want to block access to. In this case, we want to block the Work network IP range, 10.10.10.1/24.
Then, on the Server site box, add a Block rule with that IP range as the target and apply it to the Server network in question. You can also apply the rule to an individual device or group instead of a whole network.
Scenario 2: Block a device/group/LAN on the Server network from accessing all Client networks
On your Server site box, create a target list with all Client networks included. In this case, we include the IoT subnet (192.168.20.1/24) and the Work subnet (10.10.10.1/24). Learn more about Target Lists here.
After creating the list, create rules to block any device, group, or network in the Server site from sending traffic to the specified Client networks.
If you are using the WireGuard protocol, Firewalla manages WireGuard VPN clients per device, so a target list is NOT required to block at the network level.
A more straightforward option is to create a rule that blocks local traffic from the Server site network and apply it directly to the WireGuard client entry for the peer site.
Scenario 3: Only allow one Client network to access one Server network
When a Client network is connected to the VPN, it has access to all networks in the Server site by default. If you want only ONE Client network to reach only a specific Server network, remove that Client network from the VPN connection's Apply To list and add a policy-based route rule instead, so that only traffic for that Server network goes through the VPN.
In this case, we created a new route rule on the Client site box that sends traffic for the Database network (IP range 192.168.100.1/24) through the VPN connection, applied to the Client's "Work" network.
Learn more in our article about Policy-Based Routing.
If you want to allow the devices on the Client network to access ONE device on the Server network (for example, a NAS with shared files), create a new route, similar to the example above, but matching the Server device's specific IP address instead of the IP range for the Server network.
Connecting Multiple Sites
In addition to connecting two sites, you can use multiple Site to Site VPN connections to connect additional boxes, so that devices on client sites can reach each other.
In this example, we assume the following subnets:
- Headquarters subnet: 192.168.100.0/24
- Subsidiary A subnet: 192.168.20.0/24
- Subsidiary B subnet: 192.168.30.0/24
For example, for devices on Subsidiary A (IP 192.168.20.x) to reach devices on Subsidiary B (IP 192.168.30.x) and vice versa, create a "route" rule on each client site box that sends only the traffic matching the other client site's subnet to the VPN.
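The following is an added example, not Firewalla's code: a small Python planner that checks the planning rule from the start of this article (no overlapping subnets across sites) and then lists the route rules a client site needs, both for reaching the other client sites described in this section and for the Scenario 3 style "routes instead of Apply To" setup. It assumes a hub-and-spoke layout with one server site; the site labels, the `net`/`plan` helpers and the `vpn_client_applied`/`server_destinations` options are my own naming, and the subnets are the article's illustrative values. It only prints what you would enter in the app; it does not talk to a box.

```python
from ipaddress import ip_network
from itertools import combinations

# Illustrative sites from the article (constructed sample data). Keys are
# site labels, values map a network name to its CIDR. ip_network(strict=False)
# accepts the gateway-style notation the app shows (192.168.100.1/24) and
# normalises it to the network address (192.168.100.0/24).
SERVER_SITE = "hq"
SITES = {
    "hq":    {"Headquarters": "192.168.100.0/24"},
    "sub_a": {"Subsidiary A": "192.168.20.0/24"},
    "sub_b": {"Subsidiary B": "192.168.30.0/24"},
}


def net(cidr):
    """Normalise app-style or plain CIDR text to an IPv4Network."""
    return ip_network(cidr, strict=False)


def find_overlaps(sites):
    """Return pairs of networks, across all sites, whose ranges overlap.
    Overlap includes containment (192.168.0.0/16 vs 192.168.20.0/24).
    Any hit breaks routing over the tunnel and must be fixed first."""
    flat = [(f"{site}/{name}", net(cidr))
            for site, nets in sites.items() for name, cidr in nets.items()]
    return [(a, b) for (a, na), (b, nb) in combinations(flat, 2)
            if na.overlaps(nb)]


def client_routes(sites, server, client, vpn_client_applied=True,
                  server_destinations=None):
    """Destinations (CIDR strings) a client site must route to its VPN.

    vpn_client_applied=True : the VPN Client is in the network's Apply To
        list, so the server's subnets already go through the tunnel by
        outbound policy and need no route.
    vpn_client_applied=False: Scenario 3 style; the network is not in
        Apply To and only server_destinations (subnets, or single hosts
        as /32) are routed. None means every server subnet, which is how
        to reach the server site without sending all Internet traffic there.
    Other client sites' subnets always need an explicit route
    ("Connecting Multiple Sites").
    """
    routes = []
    if not vpn_client_applied:
        wanted = (server_destinations if server_destinations is not None
                  else list(sites[server].values()))
        routes.extend(str(net(d)) for d in wanted)
    for site, nets in sites.items():
        if site in (server, client):
            continue
        routes.extend(str(net(c)) for c in nets.values())
    return routes


def plan(sites, server, **options):
    """Validate the subnet plan, then return {client_site: [routes]}."""
    overlaps = find_overlaps(sites)
    if overlaps:
        raise ValueError(
            f"overlapping subnets, fix before building tunnels: {overlaps}")
    return {c: client_routes(sites, server, c, **options)
            for c in sites if c != server}


if __name__ == "__main__":
    for client, routes in plan(SITES, SERVER_SITE).items():
        print(f"{client}: route to VPN -> {', '.join(routes) or '(none)'}")
```

For the article's three-site layout this yields one route per client site (Subsidiary A routes 192.168.30.0/24, Subsidiary B routes 192.168.20.0/24); with `vpn_client_applied=False` and a single `/32` in `server_destinations` it reproduces the "only one NAS" variant of Scenario 3.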
VPN Mesh
VPN Mesh, supported by Firewalla MSP, makes connecting multiple Firewalla units much simpler. With plain Site to Site VPN, the VPN must be set up manually on every box, and connections and rules must be configured by hand for each pair.
With VPN Mesh, Firewalla MSP handles the membership of the mesh nodes, so far less has to be configured by hand. Learn more about VPN Mesh here.
Common Issues and Fixes
- IPv6 Traffic is NOT supported and will NOT be routed to VPN. Please make sure IPv6 is turned off (For Firewalla Gold users, go to Network -> LAN network -> turn off IPv6).
- Only OpenVPN & WireGuard protocols support Site to Site VPN.
- Devices (i.e., laptops, phones, tablets, etc.) should not use local DNS servers.
- Devices must be part of the Firewalla overlay network, or Firewalla must be in "Router mode", for them to use the VPN.
- DO NOT use the same subnets between two sites. Doing so may cause connection issues.
Comments
26 comments
This sentence :
"A site to Site VPN setup requires 2 Firewalla boxes at each site."
should be:
"A site to Site VPN setup requires 2 Firewalla boxes, one at each site."
Correct?
@Gareth, Yes, you are right. Corrected. Thanks!
I tried setting up site to site with my friend. We share work but do not have the same domain, etc.
Both my friend and I are running FW Gold.
Why do we have to have both firewalls on the same account?
Given that the subnets need to be different for clients and server, how should the subnet masks be set on both sides to make that work?
As long as the subnet for the client and servers do not overlap, it should be fine.
In the example above, with a multi-site VPN, will rules also need to be created to allow those subnets at the two client sites? I'm unable to route all Internet traffic through the VPN due to asymmetrical bandwidth, so I set up static routes. I'm unable to reach any devices from the two site-to-site VPN clients.
Any advice would be appreciated.
I have FWG at "headquarters" and a FWG and FWP for the two clients.
Nathan,
Did you ever get an update on this or figure it out? I have 2 Golds and 1 Gold Plus and I don't want to route all my traffic out of the headquarters. Defeats the purpose imo.
Ryan H.,
I have not received a response. I agree it defeats the purpose. If we all had synchronous Internet connections it wouldn't be a big deal. A majority of the population does not have the luxury.
Figured this out after going through the forums for an hour. They should add this configuration on this page, but this does work:
Problem resolved.
Remove yourself from the VPN Client and add all your "remote" subnets through the Routes.
VPN Client config
* Remove the Group or computers from the "Apply To" in the VPN Client.
* Select VPN for the Internet Outbound Policy
Routes config
* Add all the subnets on the server side you need to reach, including the peer site subnets listed in the VPN Client
* Point the interface for these routes to the VPN client
Nathan, if you need help let me know, I'd be happy to jump on a zoom; it was frustrating to say the least.
The Common Issues and Fixes section has an image of the configuration that will allow one side's firewall to be turned off. I'll ask the team to document that more clearly.
Is it possible to have a site to site connection that lets you ping the hostname as well?
I haven't been able to figure that out yet; I almost feel you need to make a rule though.
Will a firewalla firewall connect to other vendors firewall (That supports IPSEC) for a remote office VPN tunnel, or will it only connect to another firewalla firewall?
I've tried figuring it out with SonicWALL, Fortigate, and Azure NSG; however, it won't work b/c the protocols are not available in the Firewalla. I will say that you can probably do it via CLI with a third-party package, but I didn't go that route. For Azure, I ended up setting up a WireGuard Server and set up a one-way connection. Hope this helps.
Here is a good link; about a year old though, but I think this still stands true today:
https://help.firewalla.com/hc/en-us/community/posts/360048582914-Feature-request-Site-to-site-VPn-with-third-party-device-or-even-cloud
I have a gold device on server side and need to setup a client side network with 2 clients for 10 Mbps throughput. What Firewalla should I purchase for client side?
I want to set up a site-to-site VPN between two sites. At both locations I have Verizon FIOS residential service with dynamic public IPs which change about once a month at each location.
Can I set up a site-to-site VPN using a Firewalla Gold Plus box at each of these 2 sites? I would love for the VPN to automatically reconnect when an IP of the main location changes.
To the extent this is not possible, is there at least a way for the client site to reconnect by simply restarting the Firewalla client device (and it would auto-discover the new IP of the main site using its DDNS web name rather than having to manually re-enter the new public IP address)?
Thanks in advance.
They will reconnect even if IP changes. (Firewalla uses DDNS)
I plan to run Firewalla Gold Plus in bridge mode at both sites [CLOUD] => [VERIZON FIOS ROUTER] => [FIREWALLA IN BRIDGE MODE] => [SWITCH] => [WIRED LAN PCs].
If I open the appropriate ports on the FiOS router and direct them to the Firewalla device, will site-to-site VPN work even though the device is running in bridge mode?
hi,
I successfully set up my site-to-site VPN between my Firewalla Gold and Purple.
Purple is the server and Gold is the client. Now I need to send all Internet traffic for the devices connected to my Purple through my Firewalla Gold. In the route section I don't see my VPN tunnel. If I try to do the same on the Gold I can see my VPN tunnel in the route section.
I can't make the VPN tunnel connect if I initiate it from Purple to Gold, since connecting to VPN is blocked in the country where the Purple is. Any suggestions?
Gold (client)(Site A)<-------tunnel----->Purple(server)(Site B)
Protocol: Wireguard.
Issue: route all Internet traffic from the clients in Site B (Purple) through the tunnel to the Gold and use the Internet connection at Site A where the Gold is connected.
Thank you @Ryan for your tip above!!! That should be in the article. My "subsidiary A" was throwing all traffic to headquarters and not just a local subnet. Now it works as I want it!
I am confused, still after trying to break this section [ 2. Site to Site setup ]
Note: Firewalla Gold/Purple has a default Firewall rule that blocks all inbound connections from outside your network. In a site to site VPN connection, to allow traffic from the server site box, allow rules will be created automatically on the client site box.
Can someone simplify ?
I've:
Gold SE [ home / main Server for Site2Site ]
purple [ use for travelling, the client vpn ]
What is the ip address i should be looking, to input, and where ?
From Firewalla app [ Purple or gold ? ]
input whose ip address [ Purple or gold ? ]
What are the ip address i should be inputing ? [ Purple's into gold ? or From Gold ]
@Jen. To allow your client site to access your server site, no manual rules are needed. Simply set up the site-to-site connection, and the allow rules will be created automatically on your client site, which is the purple box. You can check these rules and make edits if your server site network changes by navigating to Rules -> All Devices -> Allow section.
Understood ! Thanks Support Team
might take my stupid question as question to update using ChatGPT haha
Still wish I could do site-to-site connections with friends and family that have their own firewalla.