- What is a Site to Site VPN?
- How do I set up a Site to Site VPN connection?
- How do I limit access on Site to Site VPN tunnel?
- Common Issues and Fixes
What is a Site to Site VPN?
Firewalla's Site to Site VPN allows you to connect two networks over encrypted links such that devices in one network can reach devices in the other network under the protection of Firewalla. Unlike client->server VPNs, the reachability of a site to site VPN is bi-directional.
Suppose you have offices or homes at two different sites, and both sites have separate networks with computers and servers connected. By setting up a Site to Site VPN connection, you'll be able to access shared devices such as file servers, printers, and video cameras bi-directionally between the two sites. Additionally, when using Site to Site VPN, Firewalla's IDS/IPS protection will still be active to ensure the privacy and protection of your data.
Note: Site to Site VPN connections can only be established on Firewalla boxes. Site to Site VPN connections must be recreated when network settings are changed on either the server or client side.
How do I set up a Site to Site VPN connection?
Planning:
- A site to site VPN setup requires 2 Firewalla boxes – one to be the VPN server and the other to be the VPN client.
- To have networks reach each other, you will need to make sure they have different subnets. For example, if for one site you have a 192.168.20.x network, the other site CANNOT have a network with the same IP range. However, you may set up a 192.168.30.x subnet.
- To connect multiple sites, you must set up a VPN server on one box and a VPN client on the others. Learn more about connecting multiple sites.
Step 1: Set up VPN Server
You can choose the Firewalla box on any of your sites to establish a VPN server (Firewalla Red cannot serve as the server in a site to site VPN setup).
To turn on VPN Server, tap VPN Server on your box's main page and turn on either the OpenVPN or WireGuard server.
Then, tap Setup and follow the UI to set up port forwarding if required.
For more details about Firewalla VPN Server setup, see our articles on OpenVPN Server Configuration and WireGuard VPN Server Configuration.
Step 2: Set up VPN Client
After setting up VPN Server on one site, you'll need to create a VPN connection using the VPN client feature on the other site.
On the other Firewalla box:
- Go to the main screen, tap VPN Client, and tap + Create VPN Connection to create a new profile/connection.
- Choose Site to Site VPN as the type of new VPN connection
A warning message will pop up. Tap continue to acknowledge. - On the Select Peer Site page, select the Firewalla box with the VPN server enabled.
- You'll be asked to choose a protocol, OpenVPN or WireGuard. Pick the one you've enabled on the Server site in the last step.
- Tap on Done to finish setting up the new VPN connection.
Note: Firewalla Gold/Purple has a default Firewall rule that blocks all inbound connections from outside your network. In a site to site VPN connection, to allow traffic from the server site box, allow rules will be created automatically on the client site box.
More details about setting up the VPN client can be found here: VPN client.
VPN Profile Configurations:
After the VPN connection is set up, there are some options you can set:
- Outbound Policy:
- Peer site subnets: The app will list all the subnets on the peer site in this section. The outbound policy of all the subnets will be set to VPN, which means when VPN-enabled devices access those subnets from your local network, Firewalla will send the traffic via VPN.
- Internet: Direct or VPN
Direct means VPN-enabled devices on the client side will use their default gateway for Internet access (devices on the server side will always use their default gateway).
VPN means VPN-enabled devices will use the gateway on the VPN server site for Internet access.
If you are using many cloud apps, you should set Internet to direct. If you want full traffic control, you should set Internet to VPN and filter on the server side.
- Force DNS over VPN: on or off
When Force DNS over VPN is on, Ad Block, Family Mode, Safe Search, and DoH will not work on VPN-enabled devices. Other functions will still work, e.g., Blocking Rules, Ad Block, Safe Search, and Custom DNS Rules. - Internet Kill Switch: on or off
This option is ONLY available when the Internet option is set to VPN
When it is on, Firewalla will be able to:- Detect and generate an alarm if VPN Connection encounters any error.
- Auto disconnect the device's internet access if VPN is down
- Detect and generate an alarm if the VPN Connection is restored.
- Policy-Based Routes: Firewalla policy-based routing can be used to route traffic to VPN or locally. See this article: Using Firewalla Policy Based Routing with VPN and Multi-WAN.
Connecting Multiple Sites:
- Set the "Internet" outbound policy to "VPN"
- Or, create a "route" rule and send the traffic matching the subnets of the other client site to the VPN.
Example:
- Headquarters subnet: 192.168.100.0/24
- Subsidiary A subnet: 192.168.20.0/24
- Subsidiary B subnet: 192.168.30.0/24
For devices on subsidiary A with IP 192.168.20.X to access the device on subsidiary B with IP 192.168.30.X, and vice versa, you'll need to set the "Internet" outbound policy to "VPN" in the VPN connection to headquarters, on both subsidiaries A and B.
If you don't want to send all traffic to headquarters, you can create a "route" rule and send only the traffic matching the subnets of the other client site to the VPN.
Step 3: Connect to the VPN
To connect devices to VPN, switch on the "VPN" button on the VPN Client Box, and you'll see the status become "Connected." At this point, devices from the VPN server site can access the network on the VPN client site.
To selectively send your devices' traffic through the VPN on the VPN client site, tap Apply To under the VPN connection, select the devices/networks/groups you'd like to connect to the peer (server) site, and tap Save. You can also tap the VPN button and select which VPN to connect to on any device/ network/group's detail page.
Note:
- Devices must be part of the Firewalla overlay network or in router mode to use VPN.
- Only 1 VPN can be connected between the same Server and Client simultaneously.
- Up to 5 VPNs can be connected from a VPN client simultaneously.
Learn more in our article about Firewalla's VPN Client.
Additionally, you can use custom DNS entry rules to access devices across sites. Custom DNS rules are basically local rules that no DNS provider could answer because they refer to devices on your own network or, in some cases, different ways of calling devices external to your network. They can be used for many things, such as having multiple names for the same NAS server or a way to point to virtual IP addresses. You can think of custom DNS rules as a local address book.
How do I limit access on a Site to Site VPN tunnel?
If you have several networks on each site, Firewalla helps you manage communication between each network. While the VPN Client is active:
- Devices on the server network have access to client-side networks.
- Devices on the client network have access to server networks as long as the VPN Client is applied to those devices.
If you want to limit specific traffic, a combination of rules can help you easily manage access.
Example:
In the Headquarters site, there are three networks:
- Database network: 192.168.100.1/24
- Private network: 192.168.11.1/24
- Guest network: 192.168.12.1/24
In Subsidiary A, there are two networks:
- IoT network: 192.168.20.1/24
- Work network: 10.10.10.1/24
In Subsidiary B, there are two networks:
- Trust network: 192.168.30.1/24
- NAS network: 192.168.31.1/24
Scenario 1: Block a network in the Server site from accessing a specific Client site network
- First, note down the IP range of the Client network that you're blocking access to.
- Then, add a rule to block the traffic on the Server network. You can also block access on group/device level.
Scenario 2: Block a device/group/LAN on the Server network from accessing all Client networks
- On your Server site box, create a target list with all subsidiary networks included. You can learn more in our article about Target Lists.
- After creating the list, add rules blocking traffic from any device/group/network on your Server site network.
If you are using the WireGuard protocol, Firewalla supports per-device management for WireGuard VPN clients. A target list is NOT required to block it on the network level. A more straightforward solution is to block local traffic from the Server site network and apply it to the WireGuard client directly.
Scenario 3: Only allow one Server network to access one Client network
If you don't want all your Server site networks to access your Client networks, you need to add a rule to block your Client networks and another rule to allow traffic between the Server site network you want to allow access to and your Client networks. Learn more in our article about rule logic.
Scenario 4: Only allow one Client network to access one Server network
When the client network is connected to the VPN, it will have access to all networks in the Server site by default. You may need to disable the VPN client for your Client network and add a policy-based routing rule. Learn more in our article about Policy Based Routing.
Scenario 5: Allow Client network to access only one device on the Server network
If you only want to allow the devices on the client network to access one device on the server network (for example, a NAS with shared files), you'll need to create a few rules for the client box devices:
- Block rule matching the server network (if you have multiple server networks, create a block rule for each network) on the client box
- Allow rule matching the IP address of the device you want to allow access to on the client box
For example, say you want all devices on Box A to only be able to access the printer on Box B. Additionally, you want all of Box A's traffic to go through its default gateway instead of through Box B:
- Create a Site-to-site VPN connection with Box A as the client and Box B as the server
- Create some rules on Box B:
- Block the devices on Box A from accessing all the networks on Box B
- Allow the devices on Box to access the IP address of the printer on Box B
- On Box A, set the Internet Outbound Policy of the VPN connection to Direct to route all its traffic through its default gateway instead of through Box B (server network devices will always go through their default gateway.)
Common Issues and Fixes
- IPv6 Traffic is NOT supported and will NOT be routed to VPN. Please make sure IPv6 is turned off (For Firewalla Gold users, go to Network -> LAN network -> turn off IPv6).
- Only OpenVPN & WireGuard protocols support Site to Site VPN.
- Devices (i.e., laptops, phones, tablets, etc.) should not use local DNS servers.
- Devices must be part of the Firewalla overlay network or Firewalla in "Router mode" to use VPN.
- DO NOT use the same subnets between two sites. Doing so may cause connection issues.
Comments
21 comments
This sentence :
"A site to Site VPN setup requires 2 Firewalla boxes at each site."
should be:
"A site to Site VPN setup requires 2 Firewalla boxes, one at each site."
Correct?
@Gareth, Yes, you are right. Corrected. Thanks!
I tried setting up site to site with my friend. We share work but do not have same domain etc.
‘’both me and my friend are running fw gold.
‘why do we have to have both firewalls on same account.
Given that the subnets need to be different, for clients and server, how do the subnet masks be set on both sides to make that work?
As long as the subnet for the client and servers do not overlap, it should be fine.
In the example above, having multi-site VPN, will rules also need to be created to allow those subnets at the two client sites? I'm unable to route all internet traffic through the VPN due to asymmetrical bandwidth, so I setup static routes. I'm unable to reach any devices from the two site-to-site VPN clients.
Any advice would be appreciated.
I have FWG at "headquarters" and a FWG and FWP for the two clients.
Nathan,
Did you ever get an update on this or figure it out? I have 2 Golds and 1 Gold Plus and I don't want to route all my traffic out of the headquarters. Defeats the purpose imo.
Ryan H.,
I have not received a response. I agree it defeats the purpose. If we all had synchronous Internet connections it wouldn't be a big deal. A majority of the population does not have the luxury.
Figured this out after going through the forums for an hour. They should add this configuration on this page, but this does work:
Problem resolved.
Remove yourself from the VPN Client and add all your "remote" subnets through the Routes.
VPN Client config
* Remove the Group or computers from the "Apply To" in the VPN Client.
* Select VPN for the Internet Outbound Policy
Routes config
* Add all the subnets on the server side you need to reach, including the peer site subnets listed in the VPN Client
* Point the interface for these routes to the VPN client
Nathan, if you need help let me know, I'd be happy to jump on a zoom; it was frustrating to say the least.
The common / issue and fixes section has an image of the configuration that will allow one side firewall to be turned off. I'll ask the team to document that more clearer
Is it possible to have a site to site connection that let's you ping the hostname as well.
I haven’t been able to figure that out yet; is almost feel you need to make a rule though.
Will a firewalla firewall connect to other vendors firewall (That supports IPSEC) for a remote office VPN tunnel, or will it only connect to another firewalla firewall?
I've tried figuring it out with SonicWALL, Fortigate, and Azure NSG, however, it won't' work b/c the protocols are not available in the firewalla; I will say that you can probably do it via CLI with a third-party package, but I didn't go that route. For Azure, I ended up setting up a WireGuard Server and set up a one-way connection. Hope this helps.
Here is a good link; about a year old though but I think this still stand true today:
https://help.firewalla.com/hc/en-us/community/posts/360048582914-Feature-request-Site-to-site-VPn-with-third-party-device-or-even-cloud
I have a gold device on server side and need to setup a client side network with 2 clients for 10 Mbps throughput. What Firewalla should I purchase for client side?
I want to set up a site-to-site VPN between two sites. At both locations I have Verizon FIOS residential service with dynamic public IPs which change about once a month at each location.
Can I set up a site-to-site VPN using a Firewalla Gold Plus box at each of these 2 sites? I would love for the VPN to automatically reconnect when an IP of the main location changes.
To the extent this is not possible, is there at least a way for the client site to reconnect by simply restarting the Firewalla client device (and it would auto-discover the new IP of the main site using its DDNS web name rather than having to manually re-enter the new public IP address)?
Thanks in advance.
They will reconnect even if IP changes. (Firewalla uses DDNS)
I plan to run Firewalla Gold Plus in bridge mode at both sites [CLOUD] => [VERIZON FIOS ROUTER] => [FIREWALLA IN BRIDGE MODE] => [SWITCH] => [WIRED LAN PCs].
If I open the appropriate ports on the FiOS router and direct them to the Firewalla device, will site-to-site VPN work even though the device is running in bridge mode?
hi,
I successfully setup my site-to-site vpn between my firewalla gold and purple.
purple is the server and gold is the client. now I need to send all internet traffic for the devices connected to my purple to go through my firewalla gold. in the route section I don't see my vpn tunnel. if I try to do the same on the gold I can see my vpn tunnel in the route section.
I can't make the vpn tunnel to connect if I initiate if from purple to gold since connecting to VPN is blocked in the country where the purple is. any suggestions?
Gold (client)(Site A)<-------tunnel----->Purple(server)(Site B)
Protocol: Wireguard.
issue: route all internet traffics from the clients in Site B (purple) to go through tunnel to the gold and use the internet connection at site A where the gold is connected.
Please sign in to leave a comment.