What are fellow Firewalla folks’ thoughts on leaving the VPN server permanently enabled versus temporarily switching the option on from the app when one wants to use it?
The reason I ask is that I have family members whom I’d trust to enable the WireGuard client on their device but wouldn’t want having full access to the Firewalla remote configuration app.
Any perspectives on performance overhead to normal network functionality or security implications of leaving the VPN server on 24/7 would be greatly appreciated.
Cheers, S.
To answer some of the general questions:
- there are no performance issues when VPNs are on.
- there will be an increase in memory use on your unit, but that usage is already factored in, so you should be okay.
As for leaving it on or not, it's really your personal choice. From a design perspective, both OpenVPN and WireGuard are fairly safe to use 24x7 (I think both of them are fairly stealthy).
If you are leaving it on, make sure you change the default 1194 for OpenVPN to something else, and stick with UDP; it will provide a bit more stealth.
The main security risk of leaving either the WireGuard or OpenVPN server enabled is the chance that there's a software vulnerability in the code, which could allow an attacker to leverage that vulnerability to get control of your Firewalla or your network.
Based on previous threads in this subreddit, it seems like Firewalla has done their homework and uses versions of both VPN servers that have no known vulnerabilities. I guess there could be zero day or unknown vulnerabilities but I think the risk is pretty low of leaving it on all the time.
I set up the OpenVPN server some time ago and have never even thought to turn it off. I also have never noticed performance issues that were caused by this. Plus, how would they have admin access just by using the VPN to pass packets? Unless they use SSH?
I have a question sort of related to this…
If I only use Firewalla Red as a VPN Server and nothing else, will it still slow my (usually) 800Mbps network down? I understand connections outside the home using the VPN will be limited to the lower number, but will connections inside my home still be limited?
If so, does anyone have any VPN server suggestions outside of Firewalla? I’ve thought about building one with my Pi.
Thanks so much everyone for the replies. That's really helpful. TBH it's either leave it on or permanently port-forward a greater number of additional ports so the family can access certain devices remotely from outside my local network. So, ultimately I figure it's a case of 'pick your poison' from a security standpoint in my case.
Just a note that the VPN connection alert is currently only there for OpenVPN, connection alerts for WireGuard aren’t there. Hopefully a future addition?
But I run the server 24/7 as well and don't notice any degradation in overall performance. I only have 2 groups that utilize the VPN while out and about (a kids group, so I can still shape their traffic through Firewalla, and my mobile devices).
If you are accessing anything from outside via port forwarding, then you definitely will be more protected by using VPN instead.
Thanks for the info. I didn’t notice a VPN connection alert but I’m using WireGuard. It would be great if the Firewallas could add that as you mention.
UPDATE: I should have read later replies. Great to hear it’s incoming and please continue to enjoy the evening drinks!
I also noticed that while the FWG preserves/remembers rules I set for the WireGuard network through VPN Server on/off switches, it seems to intermittently forget that I have set New Device Quarantining to be active on the WireGuard network. It would be great if this setting was reliably remembered too, if possible, even though I realize that any nefarious actor capable of getting past the certificated secure WireGuard VPN login flow is likely smart enough to spoof the MAC address too.
That was my instinctive take too. I haven’t established the port forwarding rules because of the VPN server. Thanks for confirming this.
WireGuard alert is coming up in 1.973 for sure. This is one of those things that our dev just didn't remember to add; testers were out drinking late…
"I" am managed by a few people, so at times you may be talking to a developer, a tester, or even our head of engineering or CEO.
As for your request, are you interested in the VPN client (OpenVPN) or VPN server? Or both?
Please post the request here if you can https://help.firewalla.com/hc/en-us/community/topics/115000356994-Feature-Requests-
The reason for the single profile is to make things simple so that people don't have to manage it. For WireGuard, we had to do multiple profiles, since it is … how that protocol works.