Does anyone know what configuration changes are needed on the wireguard client VPN configuration that is generated by firewalla (for a client) in order to turn the VPN clients into a “router” on the other side?
Context: I have my firewalla at home and my parents have a raspberry pi that connects to firewalla as a client, because Netflix cracks down on password sharing I would like to route everything Netflix to the raspberry pi.
I know I need to setup a custom route with a target list; but what i am not sure is what configuration changes I may need to make on the raspberry pi (or the wireguard.conf file) to make the “client” acts as a remote router when my firewalla box sends it packets… Has anyone done this?
The router at your parents house needs to send the Netflix traffic to your Firewalla as an exit node to the internet. Unless you put the VPN client on whatever device is watching Netflix only the traffic from your Pi is sent to your Firewalla.
I have this setup from one firewalla server and the other house as client. I route all nflxso.net and Netflix.com to the vpn interface for all devices and dont have to worry about connecting each device to vpn. You would not have to do anything to the pi if it’s only a client; only need to configure firewallas if both are in router mode.
You will need to turn on ip forwarding on the Pi. You are routing from your Firewalla to the Pi correct? Not the other way around?
So far with the Netflix thing, I found that you do not need to route all Netflix video. I’ve found, just logging in while VPNed is sufficient.
As long as the device is at the “primary “ house, and they have logged in there, that satisfies the requirement.
For example, my parents have a AppleTV. I installed BeeVPN on the AppleTV, created a VPN and route all traffic to my firewalla. Login to Netflix. Turn VPN off… been working like that since Christmas.
You would not have to do anything to the pi if it’s only a client; only need to configure firewallas if both are in router mode.
My parents have a dummy ISP router at their house; so the raspberry pi was the easiest way for me to leave a remote device on their LAN using tailscale.
Since firewalla can’t do tailscale; I was trying to see if I can configure wireguard as a client to my firewalla then do some routing magic to the pi IP (on the tunnel) but I think I may need to change wireguard.conf on the pi to have additional configuration and do ‘ip forwarding’ and ‘ip masquerade’ (not sure about this so thats why i posted here asking)
No. Right now the pi WireGuard configuration for the client only allows traffic from the internal IPs of the tunnel. The pi does not use the VPN for default route to the internet.
That is great information about the login trick, I assumed that it constantly checked IPs and devices…. But if the household verification just happens at login then I may just need to do this briefly and rarely if the login expires.
Actually I have the same problem and it is not defrauding Netflix. We have two ISPs and two televisions and their rules are ridiculously restrictive for a $25 package.