- What is a Site to Site VPN?
- How do I set up a Site to Site VPN connection?
- How do I limit access on Site to Site VPN tunnel?
- Common Issues and Fixes
What is a Site to Site VPN?
Firewalla's Site to Site VPN allows you to connect two networks over encrypted links such that devices in one network can reach devices in the other network under the protection of Firewalla. Unlike client->server VPNs, the reachability of a site to site VPN is bi-directional.
Suppose you have offices or homes at two different sites, and both sites have separate networks with computers and servers connected. By setting up a Site to Site VPN connection, you'll be able to access shared devices such as file servers, printers, and video cameras bi-directionally between the two sites. Additionally, when using Site to Site VPN, Firewalla's IDS/IPS protection will still be active to ensure the privacy and protection of your data.
Note: Site to Site VPN connections can only be established on Firewalla boxes. Site to Site VPN connections must be recreated when network settings are changed on either the server or client side.
How do I set up a Site to Site VPN connection?
- A site to site VPN setup requires 2 Firewalla boxes – one to be the VPN server and the other to be the VPN client.
- To have networks reach each other, you will need to make sure they have different subnets. For example, if for one site you have a 192.168.20.x network, the other site CANNOT have a network with the same IP range. However, you may set up a 192.168.30.x subnet.
- To connect multiple sites, you must set up a VPN server on one box and a VPN client on the others. Learn more about connecting multiple sites.
Step 1: Set up VPN Server
You can choose the Firewalla box on any of your sites to establish a VPN server (Firewalla Red cannot serve as the server in a site to site VPN setup).
To turn on VPN Server, tap VPN Server on your box's main page and turn on either the OpenVPN or WireGuard server.
Then, tap Setup and follow the UI to set up port forwarding if required.
Step 2: Set up VPN Client
After setting up VPN Server on one site, you'll need to create a VPN connection using the VPN client feature on the other site.
On the other Firewalla box:
- Go to the main screen, tap VPN Client, and tap + Create VPN Connection to create a new profile/connection.
- Choose Site to Site VPN as the type of new VPN connection
A warning message will pop up. Tap continue to acknowledge.
- On the Select Peer Site page, select the Firewalla box with the VPN server enabled.
- You'll be asked to choose a protocol, OpenVPN or WireGuard. Pick the one you've enabled on the Server site in the last step.
- Tap on Done to finish setting up the new VPN connection.
Note: Firewalla Gold/Purple has a default Firewall rule that blocks all inbound connections from outside your network. In a site to site VPN connection, to allow traffic from the server site box, allow rules will be created automatically on the client site box.
More details about setting up the VPN client can be found here: VPN client.
VPN Profile Configurations:
After the VPN connection is set up, there are some options you can set:
- Outbound Policy:
- Peer site subnets: The app will list all the subnets on the peer site in this section. The outbound policy of all the subnets will be set to VPN, which means when VPN-enabled devices access those subnets from your local network, Firewalla will send the traffic via VPN.
- Internet: Direct or VPN
Direct means VPN-enabled devices on the client side will use their default gateway for Internet access (devices on the server side will always use their default gateway).
VPN means VPN-enabled devices will use the gateway on the VPN server site for Internet access.
If you are using many cloud apps, you should set Internet to direct. If you want full traffic control, you should set Internet to VPN and filter on the server side.
- Force DNS over VPN: on or off
When Force DNS over VPN is on, Ad Block, Family Mode, Safe Search, and DoH will not work on VPN-enabled devices. Other functions will still work, e.g., Blocking Rules, Ad Block, Safe Search, and Custom DNS Rules.
- Internet Kill Switch: on or off
This option is ONLY available when the Internet option is set to VPN
When it is on, Firewalla will be able to:
- Detect and generate an alarm if VPN Connection encounters any error.
- Auto disconnect the device's internet access if VPN is down
- Detect and generate an alarm if the VPN Connection is restored.
- Policy-Based Routes: Firewalla policy-based routing can be used to route traffic to VPN or locally. See this article: Using Firewalla Policy Based Routing with VPN and Multi-WAN.
Connecting Multiple Sites:
- Set the "Internet" outbound policy to "VPN"
- Or, create a "route" rule and send the traffic matching the subnets of the other client site to the VPN.
- Headquarters subnet: 192.168.100.0/24
- Subsidiary A subnet: 192.168.20.0/24
- Subsidiary B subnet: 192.168.30.0/24
For devices on subsidiary A with IP 192.168.20.X to access the device on subsidiary B with IP 192.168.30.X, and vice versa, you'll need to set the "Internet" outbound policy to "VPN" in the VPN connection to headquarters, on both subsidiaries A and B.
If you don't want to send all traffic to headquarters, you can create a "route" rule and send only the traffic matching the subnets of the other client site to the VPN.
Step 3: Connect to the VPN
To connect devices to VPN, switch on the "VPN" button on the VPN Client Box, and you'll see the status become "Connected." At this point, devices from the VPN server site can access the network on the VPN client site.
To selectively send your devices' traffic through the VPN on the VPN client site, tap Apply To under the VPN connection, select the devices/networks/groups you'd like to connect to the peer (server) site, and tap Save. You can also tap the VPN button and select which VPN to connect to on any device/ network/group's detail page.
- Devices must be part of the Firewalla overlay network or in router mode to use VPN.
- Only 1 VPN can be connected between the same Server and Client simultaneously.
- Up to 5 VPNs can be connected from a VPN client simultaneously.
Learn more in our article about Firewalla's VPN Client.
Additionally, you can use custom DNS entry rules to access devices across sites. Custom DNS rules are basically local rules that no DNS provider could answer because they refer to devices on your own network or, in some cases, different ways of calling devices external to your network. They can be used for many things, such as having multiple names for the same NAS server or a way to point to virtual IP addresses. You can think of custom DNS rules as a local address book.
How do I limit access on a Site to Site VPN tunnel?
If you have several networks on each site, Firewalla helps you manage communication between each network. While the VPN Client is active:
- Devices on the server network have access to client-side networks.
- Devices on the client network have access to server networks as long as the VPN Client is applied to those devices.
If you want to limit specific traffic, a combination of rules can help you easily manage access.
In the Headquarters site, there are three networks:
- Database network: 192.168.100.1/24
- Private network: 192.168.11.1/24
- Guest network: 192.168.12.1/24
In Subsidiary A, there are two networks:
- IoT network: 192.168.20.1/24
- Work network: 10.10.10.1/24
In Subsidiary B, there are two networks:
- Trust network: 192.168.30.1/24
- NAS network: 192.168.31.1/24
Scenario 1: Block a network in the Server site from accessing a specific Client site network
- First, note down the IP range of the Client network that you're blocking access to.
- Then, add a rule to block the traffic on the Server network. You can also block access on group/device level.
Scenario 2: Block a device/group/LAN on the Server network from accessing all Client networks
- On your Server site box, create a target list with all subsidiary networks included. You can learn more in our article about Target Lists.
- After creating the list, add rules blocking traffic from any device/group/network on your Server site network.
If you are using the WireGuard protocol, Firewalla supports per-device management for WireGuard VPN clients. A target list is NOT required to block it on the network level. A more straightforward solution is to block local traffic from the Server site network and apply it to the WireGuard client directly.
Scenario 3: Only allow one Server network to access one Client network
If you don't want all your Server site networks to access your Client networks, you need to add a rule to block your Client networks and another rule to allow traffic between the Server site network you want to allow access to and your Client networks. Learn more in our article about rule logic.
Scenario 4: Only allow one Client network to access one Server network
When the client network is connected to the VPN, it will have access to all networks in the Server site by default. You may need to disable the VPN client for your Client network and add a policy-based routing rule. Learn more in our article about Policy Based Routing.
Scenario 5: Allow Client network to access only one device on the Server network
If you only want to allow the devices on the client network to access one device on the server network (for example, a NAS with shared files), you'll need to create a few rules for the client box devices:
- Block rule matching the server network (if you have multiple server networks, create a block rule for each network) on the client box
- Allow rule matching the IP address of the device you want to allow access to on the client box
For example, say you want all devices on Box A to only be able to access the printer on Box B. Additionally, you want all of Box A's traffic to go through its default gateway instead of through Box B:
- Create a Site-to-site VPN connection with Box A as the client and Box B as the server
- Create some rules on Box B:
- Block the devices on Box A from accessing all the networks on Box B
- Allow the devices on Box to access the IP address of the printer on Box B
- On Box A, set the Internet Outbound Policy of the VPN connection to Direct to route all its traffic through its default gateway instead of through Box B (server network devices will always go through their default gateway.)
Common Issues and Fixes
- IPv6 Traffic is NOT supported and will NOT be routed to VPN. Please make sure IPv6 is turned off (For Firewalla Gold users, go to Network -> LAN network -> turn off IPv6).
- Only OpenVPN & WireGuard protocols support Site to Site VPN.
- Devices (i.e., laptops, phones, tablets, etc.) should not use local DNS servers.
- Devices must be part of the Firewalla overlay network or Firewalla in "Router mode" to use VPN.
- DO NOT use the same subnets between two sites. Doing so may cause connection issues.