Off topic but VPN related: iOS users, you can create a shortcut that will automatically connect to a VPN when launching an app

I know this is not specific to Firewalla. And if you think it’s not appropriate, please let me know and I’ll delete it. As a Firewalla user that uses the built-in VPN server, I was excited to recently learn that iOS, at least the latest version, allows creating a personal automation + shortcut to automatically connect to a VPN when launching an app. This has been huge for me, as it ensures that certain apps always go through my Firewalla, regardless of where I am.

Or just use an on-demand VPN connection. So whenever you leave home Wi-Fi, the VPN is always on.

Hi, can you provide additional details please? Do you mean an iOS shortcut to connect directly to the VPN you use, or connect to FW using the FW VPN client to connect to the FW VPN server?

Nice to know.

I personally just use the on-demand feature of the WireGuard client, defining specific target “allowed” private IPs when over cellular or Wi-Fi networks (putting my home Wi-Fi SSID in the exceptions list).

If I open an app that tries to connect to a private home IP address, it connects WireGuard just for traffic to and from that IP. Everything else stays off the VPN tunnel.

I have a Focus set up for my kids. When that Focus is on, it shows only their apps, contacts, etc. I’ve let them customize background, screen brightness, etc. I have an automation set up that will connect to the VPN when their Focus is enabled and then disconnect when the Focus is disabled. Added their VPN connection to the kids group on Firewalla. Gives me the peace of mind that they’re going through effectively the same guardrail stuff as they would at home. Good enough because they aren’t testing the limits yet.

Limited upstream bandwidth at home makes that a poor option for me.

In the iOS Shortcuts app, first go to the Shortcuts tab and create a shortcut to connect to your VPN profile of choice: create new, search for VPN, select the Set VPN action, choose your VPN profile. Done.

Then create a new ‘Personal Automation’. From there, select “When App Opens”. Choose the app and hit Next. From this screen, search for VPN, and you’ll find the shortcut you created.

That was a quick overview, if you need more details, let me know!

My limited upload bandwidth at home prevents me from going with that approach.

Got it, thanks! So you’re connecting to the VPN itself using your profile, not to the FW client. BTW, I’ve been experimenting with using FW routes to have specific domains connect to VPN, inside FW itself. The jury is still out, as it’s hard to detect whether it’s actually working or not.

I don’t understand. Does it have the same outcome as your shortcut? “Certain apps always go through my Firewalla regardless of where I am”

One way to confirm is by creating a route for a ‘what’s my IP’ website.

In terms of my post, this is huge for me. Certain apps like Plex only work behind my firewall. Now instead of having to remember to enable the VPN on my phone, when I open the app the VPN automatically enables. I have a separate automation to disable the VPN when the app closes.

I think I misunderstood your post. How do you do on-demand, by-IP VPN connections? I didn’t think iPhones could do that.

Hi,

Can you elaborate please on how to create a route for what’s my IP, to use in that scenario?
My iOS device is connected to my Wi-Fi LAN, and my secured sites are routed to VPN. Thus, I would expect what’s my IP to still show my Wi-Fi and FWG addresses. FW support has been fantastic answering my questions, but since FWG is still monitoring traffic even if the FW device sends that traffic to VPN, I haven’t determined a way to map out that traffic yet (I don’t want to use Wireshark yet).

Using the WireGuard client for iOS, create a tunnel to your home Firewalla. In the settings of that tunnel on the client, in the “Allowed IPs” section, put in the IP address and subnet of the internal server your app would connect to.

i.e. I have the following:

192.168.1.1/32, 192.168.1.240/32, 192.168.1.202/32, 192.168.1.250/32

Each of these is an internal device at home that I don’t allow Internet-facing management of. If I am out (and not connected to my home Wi-Fi) and use a web browser or a dedicated app that tries to connect to any of these, the on-demand tunnel starts up, and only traffic to and from these IPs goes through the tunnel.

Then don’t forget to enable On-Demand for that tunnel in WireGuard! (Up top of the client config for that tunnel it will say “on demand disabled”; toggle the switch to enable it.)

Note: this won’t work if you want, say, Netflix to VPN home to avoid geo restrictions. Your shortcut would be better for that.

Interesting! I’ll have to give that a try as well. I’m not sure that will work with an app like Plex.

It should work with Plex if you have external access disabled and only want connectivity via VPN.

Just put the internal IP address of your Plex server in the Allowed IPs.

I’m going to give it a try!

So I tried that setup. When I enabled it, it immediately connected to the VPN. I could hit an allowed IP address, but when I tried to hit a different URL, it would not work until I forced the VPN to be disabled. Where did I go wrong?

Make sure you don’t have 0.0.0.0 or ::/0 in allowed IPs.

Try with just the IP and subnet of your Plex server (i.e. 192.168.1.240/32) and see how that goes.

That should allow other traffic not directed at that address to go out without using the VPN.
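To make the AllowedIPs behaviour from the tunnel setup post and the troubleshooting above concrete, here is an added checker script. It is not from any poster in this thread or from the WireGuard or Firewalla projects; the two configs inside it are constructed samples (placeholder keys, a made-up endpoint of vpn.example.invalid) whose AllowedIPs lists mirror the /32 list given earlier and the 0.0.0.0/0, ::/0 catch-all. It parses the [Peer] AllowedIPs entries, flags a full-tunnel config, and reports which destinations would be routed through the tunnel versus sent out directly.

```python
"""Added example: classify a WireGuard client config as split- or full-tunnel
and show which destinations would enter the tunnel. Constructed configs only."""
import ipaddress

# Constructed sample: split tunnel, AllowedIPs limited to four internal /32 hosts
# (the same list quoted earlier in the thread; keys and endpoint are placeholders).
SPLIT_TUNNEL_CONF = """
[Interface]
PrivateKey = <client private key placeholder>
Address = 10.8.0.2/32
DNS = 192.168.1.1

[Peer]
PublicKey = <firewalla public key placeholder>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 192.168.1.1/32, 192.168.1.240/32, 192.168.1.202/32, 192.168.1.250/32
PersistentKeepalive = 25
"""

# Constructed sample: same peer, but with the catch-all routes that send everything
# through the tunnel (what the "nothing else works" symptom above points at).
FULL_TUNNEL_CONF = SPLIT_TUNNEL_CONF.replace(
    "AllowedIPs = 192.168.1.1/32, 192.168.1.240/32, 192.168.1.202/32, 192.168.1.250/32",
    "AllowedIPs = 0.0.0.0/0, ::/0",
)


def parse_allowed_ips(conf: str):
    """Return every network listed on AllowedIPs lines inside [Peer] sections."""
    nets = []
    section = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        if section == "peer" and key.strip().lower() == "allowedips":
            for item in value.split(","):
                item = item.strip()
                if item:
                    # strict=False tolerates host bits set in a prefix (e.g. 192.168.1.5/24);
                    # a bare address with no prefix length parses as a single /32 or /128 host.
                    nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_full_tunnel(nets) -> bool:
    """True when any entry is a prefix-length-0 catch-all (0.0.0.0/0 or ::/0)."""
    return any(n.prefixlen == 0 for n in nets)


def routed_through_tunnel(nets, destination: str) -> bool:
    """WireGuard sends a packet into the tunnel when its destination falls inside
    any of the peer's AllowedIPs; anything else leaves via the normal interface."""
    addr = ipaddress.ip_address(destination)
    # An IPv4 address is never "in" an IPv6 network (and vice versa); ipaddress
    # returns False for the version mismatch rather than raising.
    return any(addr in n for n in nets)


def describe(conf: str, destinations):
    """Summarise a config: full-tunnel flag plus which probes go via VPN or direct."""
    nets = parse_allowed_ips(conf)
    via = sorted(d for d in destinations if routed_through_tunnel(nets, d))
    direct = sorted(d for d in destinations if not routed_through_tunnel(nets, d))
    return {"full_tunnel": is_full_tunnel(nets), "via_vpn": via, "direct": direct}


if __name__ == "__main__":
    # Constructed probes: the Plex host from the thread, another LAN host not in
    # the list, and a public address (TEST-NET-3 documentation range).
    probes = ["192.168.1.240", "192.168.1.50", "203.0.113.10"]
    for name, conf in (("split", SPLIT_TUNNEL_CONF), ("full", FULL_TUNNEL_CONF)):
        print(name, describe(conf, probes))
```

Run it as-is and the split config routes only 192.168.1.240 into the tunnel while the other two probes stay direct; the full config flags as full-tunnel and captures all three. Note that the checker treats an entry written as a bare "0.0.0.0" (no "/0") as a single host, so only the "/0" form is reported as a catch-all.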