Force All Device WAN Traffic Through VPN

I’ve read the articles/docs on VPN setups and I’m still confused. I thought I had it working and found my WAN IP being reported instead of the VPN IP, so I didn’t have it right. I’m probably just a bit slow and missing something simple. I want to route all traffic for a device or group through a VPN and ensure that no traffic is leaking in/out through the WAN to that device. In an ideal situation I could have a few VPN connections it may use, but never the primary WAN.

I’ve seen examples of just turning it on in the device/group settings, using a Route to force all traffic through the VPN, doing it through the VPN client settings, and I can’t remember if I’ve seen an example blocking traffic to primary WAN through a rule or something else. What’s the proper way to pass all traffic through the VPN and also make sure the primary WAN is not used without the VPN?

Here’s the questions I haven’t been able to determine from the docs/examples:

1. Will turning the VPN connection on in the device/group settings force all traffic through the VPN?
2. Will that setting drop traffic if the VPN connection fails?
3. If a Route should be used with Static, does the same VPN connection also need to be on in the device/group page? (I had this without that and was getting my WAN IP)
4. Is there a way to enable multiple VPN connections so it will use one of the available ones?
5. Is there a way to guarantee no traffic will go through the primary WAN, through a Rule or otherwise?
6. Does port forwarding affect the interface traffic will flow through and possibly allow leaking to primary WAN?
7. Should any rules be used to allow traffic (specifically the VPN)? If so, should it be Outbound Only or Bi-directional?

I feel like I’m really over complicating this, but it’s important in this case and I want to make sure I get it right. Thanks!

1. Yes, if you enable the VPN switch in the device/group/or VPN Client settings menu, it will force all traffic through the VPN.

2. That depends on if the “Internet Kill Switch” setting is enabled on the VPN client configuration. If it is, yes, it will drop all traffic in the event that the VPN connection is lost.

3. It’s important to know the order of precedence for routes and rules. When determining if and how to pass traffic, Firewalla will look at routes and rules applied in this order: ungrouped device>group>network>all devices. If you create an internet route at the all devices level to send internet traffic over the VPN, it will be conflicting with the existing route that send internet traffic over the WAN interface. You can’t see that route in Firewalla’s app, but it’s there. That’s also why you’ll note that you don’t have the option to apply the VPN to all-decides in the VPN Client settings page. It’s always applied at a network, group, or ungrouped-device level. That said, if you’re going to use routes to send all internet traffic over the VPN, do it at a network, group, or ungrouped-device level. Or, make life easy and just use the VPN Client configuration page to select the networks and groups you want to apply it too. Also note that if you want to exclude certain traffic from the VPN, you will also need to do that at a network, group, or ungrouped-device level.

4. No. Failover routing isn’t supported for VPN routes.

5. If you have applied the VPN Client to a particular network or group and enabled Internet Kill Switch in the VPN Client settings, then traffic will only route over the VPN and drop if the VPN is down. However, note that IPv6 is not supported by the VPN Client at this time. If a device has an IPv6 address and attempts to connect to an IPv6 host, that traffic will route over the WAN. The only way to avoid this is by disabling IPv6 on your network.

6. Inbound connections and communication between client and host will occur over the WAN.

7. The only thing you should have to do is apply the VPN Client to the networks and groups that you want to use it on the VPN client settings page.

What a fantastic explanation. Thank you so much. Hopefully it will help others in the future.