- What's Site to Site VPN
- How to set up a site-to-site VPN connection?
- How to limit access on Site to Site VPN tunnel
- Common Issues and Fixes
What's Site to Site VPN
Firewalla site-to-site VPN allows you to connect two networks over encrypted links, such that devices in one network can reach devices in the other network under the protection of Firewalla.
Unlike client->server VPN, the reachability of a site-to-site VPN is bi-directional.
If you have offices or homes at two different sites, both of the sites have their own separate network, with computers and servers connected, by setting up a Site to Site VPN connection, you'll be able to access shared devices such as file servers, printers, and video cameras bi-directionally between the two sites.
Note: site-to-site VPN can only be established on Firewalla box. Site-to-site VPN connection needs to be recreated when the network settings is changed on either server or client side.
When using Site to Site VPN, the Firewalla IDS/IPS protections will still be active, to ensure the privacy and protection of your data.
How to set up a site-to-site VPN connection?
- A site-to-site VPN setup requires 2 Firewalla boxes. One as the VPN server, the other as the VPN client.
- To have networks reach each other, you will need to make sure they have different subnets. For example, for one site if you have a 192.168.20.x network, and the other site CAN NOT be the same, you may give it 192.168.30.x.
- If you want to connect multiple sites together, you'll need to set up VPN server on one box, and VPN client on the others. Here is more detail about connecting multiple sites.
Step 1: Set up VPN Server
You can choose the Firewalla box on any one of your sites to establish a VPN server (Firewalla Red is not supported as the server in a site-to-site VPN setup).
To turn on VPN Server, on the Firewalla app's main page, tap VPN Server and turn on one of the servers.
Then tap Setup and follow the UI to set up the port forwarding if required.
Step 2: Set up VPN Client
After setting up VPN Server on one site, you'll need to create a VPN connection using the VPN client feature on the other site.
On the other Firewalla box:
- Go to the main screen, tap VPN Client, and tap + Create VPN Connection to create a new profile/connection.
- Choose Site to Site VPN as the type of new VPN connection
A warning message of security notice will pop up. Tap continue to acknowledge.
- On the Select Peer Site page, select the Firewalla box with the VPN server enabled.
- You'll be asked to choose a protocol, OpenVPN or WireGuard. Pick the one you've enabled on the Server site in the last step.
- Tap on Done to finish setting up the new VPN connection.
More details about setting up the VPN client can be found here: VPN client.
VPN Profile Configurations:
After the VPN connection is set up, there are some options you can set:
- Outbound Policy:
- Peer site subnets: The app will list all the subnets on the peer site in this section. The outbound policy of all the subnets will be set to VPN, which means when VPN-enabled devices access those subnets from your local network, Firewalla will send the traffic via VPN.
- Internet: Direct or VPN
Direct means the VPN-enabled devices will be using its default gateway for Internet access.
VPN means the VPN-enabled devices will be using the gateway on the VPN server site for Internet access.
If you are using lots of cloud apps, you should just set internet to direct; if you want full control of traffic, you can set the internet to VPN and filter at the server-side.
- Force DNS over VPN: on or off
When it is on, Adblock, Family Mode, Safe Search, and DoH will not be working on VPN-enabled devices.
- Internet Kill Switch: on or off
This option is ONLY available when the Internet option is set to VPN
When it is on, Firewalla will be able to:
- Detect and generate an alarm if VPN Connection encounters any error.
- Auto disconnect device's internet access if VPN is down
- Detect and generate an alarm if VPN Connection restores.
- Policy-Based Routes: Firewalla policy-based routing can be used to route traffic to VPN or locally. See this article: Using Firewalla Policy Based Routing with VPN and Multi-WAN.
Connecting Multiple Sites:
- Set the “Internet” outbound policy to “VPN”,
- Or, create a "route" rule and send the traffic matching the subnets of the other client site to VPN.
- Headquater subnet: 192.168.100.0/24
- Subsidiary A subnet: 192.168.20.0/24
- Subsidiary B subnet: 192.168.30.0/24
In order for devices on subsidiary A with IP 192.168.20.X to access the device on subsidiary B with IP 192.168.30.X, and vice versa, you'll need to set the “Internet” outbound policy to “VPN” in the VPN connection to headquarter, on both subsidiaries A and B.
If you don't want to send all traffic to the headquarter, you can also create a "route" rule and send only the traffic matching the subnets of the other client site to VPN.
Step 3: Connect to the VPN
To connect devices to VPN, on the VPN Client Box, just switch on the "VPN" button, and you'll see the status become "Connected". At this point, devices from the VPN server site are able to access the network on the VPN client site.
On the VPN client site, to selectively send your devices' traffic through the VPN, under the VPN connection, tap Apply To, select the devices/networks/group you'd like to connect to the peer(server) site, and tap save. You can also tap the VPN button and select which VPN to connect to on any device/ network/ group's detail page.
- Devices must be part of the Firewalla overlay network or in router mode, in order to use VPN.
- Only 1 VPN can be connected between the same Server and Client at the same time.
- Up to 5 VPNs can be connected from a VPN client at the same time.
- More details can be found here: VPN client.
How to limit access on Site to Site VPN tunnel
If you have several networks on each site, Firewalla helps you manage communication between each network. By default, devices on server network have full access to all client-side networks. On Client network, with VPN client applied, devices will have full access to Server networks.
If you want to limit specific traffic, a combination of rules helps you easily manage access.
On Headquater site, there are three networks:
- Database network 192.168.100.1/24
- Private network 192.168.11.1/24
- Guest network 192.168.12.1/24
On Subsidiary A, there are two networks:
- IoT network 192.168.20.1/24
- Work network 10.10.10.1/24
On Subsidiary B, there are two networks:
- Trust network 192.168.30.1/24
- NAS network 192.168.31.1/24
Scenario 1 Block device/group/LAN network on Server network access specific Client LAN network
- Note down Work network IP range on Subsidiary A first
- add a rule to block the traffic on Private network on Headquater. You can also block it on group/device level.
Scenario 2 Block device/group/LAN on Server network access all Client networks
- On Headquater, create a target list with all subsidiary networks included. Learn more about Target list
- When the list is created, add rules to block the traffic from any device/group/ network on Headquater.
If you are using WireGuard protocol, Firewalla supports per-device management for WireGuard VPN clients. A target list is NOT required to block it on network level. A more straightforward solution is to block local traffic from Guest network and apply it on Device WireGuard client directly.
Scenario 3 Only allow one server network access to one client network
If you don't want Private network and Guest network access Subsidiary B, you need to add one rule to block 'client networks' and another rule to allow traffic to Work network to Database network. Learn more about rule logic
Scenario 4 Only allow one client network access one server network
When VPN client is applied to Work network, it will grant access to all networks on Headquater. You may need to disable VPN client for Work network and add policy-based routing rule. (require box 1.973) Learn more about Policy Based Routing
Common Issues and Fixes
- IPv6 Traffic is NOT supported, and will NOT be routed to VPN. Please make sure your IPv6 is turned off. (For Firewalla Gold, go to Network -> LAN network -> turn off IPv6)
- Only the OpenVPN & WireGuard are supported for Site to Site VPN.
- Devices (i.e. laptop/phone/pad, etc) should not use any local DNS servers.
- Devices must be part of the Firewalla overlay network or Firewalla in "router mode" to use VPN.
- DO NOT use the same subnets between two sites, which might cause unexpected problems.
- Firewalla Gold/ Purple has a default Firewall rule that blocks all inbound connections from outside your network. In a site-to-site VPN connection, to allow traffic from the server site box, allow rules will be created automatically on the client site box.