How to set up site-to-site VPN with WFilter’s SD-WAN service?

WFilter’s SD-WAN service integrates ZeroTier networking. With SD-WAN, you can build secure site-to-site VPN tunnels without needing a static public IP address. This guide shows the necessary steps using WFilter NGF.

1. Network topology


As shown in the above topology diagram, the headquarters and both branches all use WFilter NGF as their gateway. By adding each gateway to the SD-WAN network, you can set up secure site-to-site VPN tunnels between them.

2. SD-WAN subnet settings

First, set up an SD-WAN network in the WFilter cloud service.

Sdwan network01.png

Sdwan network02.png

3. Join every WFilter to the SD-WAN network


4. Assign SD-WAN IP addresses and set up routing


Assign a static SD-WAN IP address to every WFilter, for example WFilter A (10.200.188.1), WFilter B (10.200.188.2) and WFilter C (10.200.188.3). Then set up an SD-WAN routing policy to forward LAN traffic between the sites.


After the above steps, each local area network can reach the others directly. To restrict access, you can also set up firewall rules under WFilter’s Firewall->Rules.
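The routing step above is easy to get wrong when the sites’ LAN subnets collide. The following added example (not WFilter’s code) takes the three SD-WAN addresses from the text plus constructed LAN prefixes, checks the LANs for overlap, and derives the route each gateway needs (remote LAN prefix via the remote gateway’s SD-WAN address):

```python
import ipaddress
from itertools import combinations

# Constructed site table: gateway -> (SD-WAN address from the text, LAN prefix).
# The LAN prefixes are assumptions for this example.
SITES = {
    "WFilter A": ("10.200.188.1", "192.168.1.0/24"),
    "WFilter B": ("10.200.188.2", "192.168.2.0/24"),
    "WFilter C": ("10.200.188.3", "192.168.3.0/24"),
}

def check_no_overlap(sites):
    """Return pairs of sites whose LAN prefixes overlap.

    Overlapping LANs are the classic site-to-site failure: a gateway cannot
    tell local hosts from remote ones, so fix addressing before routing."""
    lans = {name: ipaddress.ip_network(lan) for name, (_, lan) in sites.items()}
    return [(a, b) for a, b in combinations(lans, 2) if lans[a].overlaps(lans[b])]

def routing_policy(sites, gateway):
    """Routes for `gateway`: each other site's LAN prefix via that site's
    SD-WAN address, which is the next hop inside the tunnel."""
    if gateway not in sites:
        raise KeyError(f"unknown gateway {gateway!r}")
    return sorted((lan, sdwan_ip) for name, (sdwan_ip, lan) in sites.items()
                  if name != gateway)

def all_policies(sites):
    """Per-gateway route sets; refuses to proceed when LANs overlap."""
    overlap = check_no_overlap(sites)
    if overlap:
        raise ValueError(f"overlapping LAN subnets: {overlap}")
    return {name: routing_policy(sites, name) for name in sites}

if __name__ == "__main__":
    for gw, routes in all_policies(SITES).items():
        print(gw)
        for lan, via in routes:
            print(f"  {lan:<18} via {via}")
```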

Remote management via the WFilter cloud service.

The WFilter cloud service enables centralized management of multiple WFilter devices. It lets you view device addresses, system versions, IP addresses and alarm information, remotely access the management interface, and synchronize configurations. This article outlines the basic steps for using the WFilter cloud service.

1. Register on the WFilter cloud service

First, register a new account on the WFilter cloud service and log in, as shown in the figure below:
Cloud register2.png

2. Configure the endpoint WFilter to join the cloud service

As shown in the figures below, record the cloud service’s SD-WAN network ID, then join that network from the SD-WAN settings of the WFilter. In the WFilter cloud service, copy the SD-WAN network ID:
Cloud dashboard1.png
In the WFilter web UI, join the cloud network:
Cloud clients3.png

3. Add WFilter client in the cloud platform

The third step is to add the WFilter client device in the cloud platform. As shown in the figure below, add the client’s SD-WAN secret under “Devices” in the cloud platform.
Cloud clients2.png
After the above steps, you can manage the added WFilter clients in the WFilter cloud service, including:
  • View device address, system version, IP address, and alert information
  • Synchronize configurations between WFilter devices
  • Access the management interface via the Internet


WFilter WebVPN introduction and example

WebVPN allows a user to securely access resources on the corporate LAN from anywhere with a web browser. Client users must authenticate before accessing any resources.
Compared with other VPN services, WebVPN is easier to deploy and operate. Client users do not need to install any software clients or change any settings.

In this guide, I will show how to set up and use the WebVPN service of WFilter NG firewall.

First, you need a domain name.

The domain must be mapped to your network’s public IP address.

webvpn00

Enable the “WebVPN” service and set up the domain name, port and authentication.

webvpn01

Add local web services.

webvpn02

Edit the WebVPN portal.

webvpn03

Set up “port forwarding” to forward Internet access to the WebVPN port.

webvpn04

Now, let’s check how WebVPN works from client side.

You need to authenticate yourself.
webvpn05

After successful authentication, the web portal appears. Click a link to visit an internal web service.
webvpn06

webvpn07

How to whitelist websites in WFilter?

In WFilter NG firewall, whitelisting a website is very simple: put the domain in the allowed list of “web filter”. Screenshot as below:

whitelist01

However, real-world webpages can be complicated. For example, webpage A may also include resources from website B, so webpage A cannot display correctly unless website B is whitelisted too.

To find out the domains of website B, you have two solutions:

Solution one: check the blocking events in WFilter.

whitelist02

whitelist03

In “realtime bandwidth”, click the bandwidth number of the testing client to see its “blocking events”. All recently blocked domains/IPs are listed, so you can find the external domains.

Solution two: check network activity in the browser.

Press F12 to open the browser’s developer tools and check its network activity; this shows which resources/URLs were not loaded.

whitelist04

With the above two solutions, you can find the extra domains to be whitelisted. Add these domains to the allowed list in web filter.

whitelist05

How to block uploading to https webpages?

In “how to block file uploading to internet in business networks“, I introduced a Windows software solution using the “wfilter internet content filter” program. However, that solution does not work for https webpages. In this guide, I will introduce a new feature of WFilter NG firewall that can block all uploads, including to https webpages.

blockup_en01

In “App Control” of WFilter NG firewall, you can enable the “block sessions when outgoing traffic exceeds N” option. It checks the outgoing traffic of every connection; if the outgoing traffic exceeds the chosen limit, the connection is terminated.

Now let’s check the blocking effects.

“Email attachments” will be blocked (https).

blockup_en02

“Blog and forum attachments” will also be blocked (http).

blockup_en03

You can also see the “uploading detected” blocking events in WFilter.

blockup_en04

Please also note: this option blocks uploads based only on outgoing traffic volume, so there will be false positives. For example, a video conference will also be blocked because of its high outgoing traffic. In this case, you can add “Exceptions” to avoid over-blocking.

blockup_en05
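To make the behaviour and its false-positive risk concrete, here is an added example (not WFilter’s code) of a per-session outgoing-byte check of the kind the “block sessions when outgoing traffic exceeds N” option performs, with an exceptions list for the video-conference case. The flow records, the 1 MB limit and the exception format are constructed for this example.

```python
from collections import defaultdict

LIMIT_BYTES = 1_000_000  # the configurable N (constructed value: 1 MB)

# Constructed flow records: (client, server, server_port, outgoing_bytes).
# Several records per session model one session being sampled over time.
FLOWS = [
    ("192.168.1.10", "203.0.113.5", 443, 400_000),     # mail attachment upload
    ("192.168.1.10", "203.0.113.5", 443, 700_000),
    ("192.168.1.11", "198.51.100.7", 443, 2_500_000),  # video conference
    ("192.168.1.12", "203.0.113.9", 80, 50_000),       # small forum post
]

# Exceptions: (server, port) destinations whose sessions are never cut off.
EXCEPTIONS = {("198.51.100.7", 443)}

def sessions_to_block(flows, limit=LIMIT_BYTES, exceptions=EXCEPTIONS):
    """Return (client, server, port) sessions whose cumulative outgoing
    bytes exceed `limit`.

    Bytes are summed per session, not per record, because a large upload
    arrives as many packets. Excepted destinations are skipped before the
    threshold is applied, which is what prevents the over-blocking
    described in the text."""
    outgoing = defaultdict(int)
    for client, server, port, sent in flows:
        if (server, port) in exceptions:
            continue
        outgoing[(client, server, port)] += sent
    return sorted(key for key, total in outgoing.items() if total > limit)

if __name__ == "__main__":
    for client, server, port in sessions_to_block(FLOWS):
        print(f"uploading detected: {client} -> {server}:{port}")
```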


How to monitor network activities on your OpenWrt/LEDE WiFi router?

WFilter internet content filter software can monitor the Internet activities of network clients. However, the deployment requires you to set up port mirroring in your switch to mirror all Internet packets to WFilter for monitoring. Below is a typical network diagram of a WFilter deployment:

In many SOHO networks there is no managed switch for port mirroring. In this guide, I will demonstrate a lightweight solution: set up port mirroring directly in your WiFi router. First, you need an OpenWrt/LEDE WiFi router (or reflash your router with OpenWrt/LEDE firmware).
Let’s check the network topology first:

openwrt_diagram

The main router is a WiFi router (192.168.1.1) running OpenWrt. A PC with WFilter installed is connected to this router by cable, with IP address 192.168.1.2. All other network clients are wireless. The packet port-mirroring service is also installed on the OpenWrt system.

You need to enable the port-mirroring service in OpenWrt to mirror network packets to the WFilter PC. Syntax:

portmirror03

Settings:

1) target: the target PC’s IP address, or an interface

2) source_ports: wlan0 (the wireless adapter)

Then you should be able to monitor all clients’ Internet activities in the WFilter UI. Screenshots:

portmirror01

portmirror02

You can also set up Internet filtering policies to block websites or applications.

portmirror04

Software to monitor and track emails of network clients.

Emails sent or received through a company email account are generally not considered private. As an Internet filtering and monitoring program, WFilter is able to monitor and archive network emails.

This guide demonstrates how to track and monitor emails of network clients with WFilter NG firewall. Please note that we are talking about emails sent/received via email clients, not web-based email. Email clients on computers, laptops and smartphones can all be monitored.

1. Plain-text POP3/SMTP/IMAP can be directly recorded.

When WFilter NG firewall is deployed, plain-text POP3/SMTP/IMAP traffic can be directly archived.

Wfrecorder sermail en.jpg

Wfrecorder query1.png

Wfrecorder query3.png

2. “SSL Inspection” must be enabled to monitor SSL-protected emails.

ssl01

If email connections are SSL enabled, you need to enable “SSL Inspection” to decrypt and parse the SSL-protected emails.

ssl02

ssl03

SSL-protected emails can then also be recorded.

Web filtering software solution for network.

To filter the websites of local network clients, you have several options.

  1. First check the features of your Internet router/gateway. If you have a powerful router/gateway, you can do monitoring/filtering directly in the router itself.
  2. You can also try a pass-by filtering software solution. For example, with WFilter internet content filter and a mirroring port set up in your switch, you get powerful Internet monitoring and filtering from the WFilter program.

Network diagram:

WFilter is a Windows program. You can install it on any Windows PC; when the WFilter PC is connected to the mirroring port of your switch, you can monitor/filter all network clients.

In WFilter, you can set up Internet filtering (application control) and website filtering policies.

webfilter01

webfilter02

You can also block websites by category; for example, porn, malicious and streaming sites can all be blocked with one click.

webfilter03

How to unblock an app or website in WFilter?

Sometimes, when blocking policies are deployed with WFilter, some applications or websites might be blocked unexpectedly.

In this guide, I will demonstrate how to check the blocking reason and add exceptions.

First, check the blocking events

In “Realtime bandwidth”, click the bandwidth number of the blocked client.

unblock01

You will see the “blocking events”. Each event shows the “blocking reason”, “protocol” and “content”; the “content” is the domain/IP address that was blocked.

unblock02

Second, add sites to “exception” list

To whitelist the blocked sites/IP addresses, add an “exception” policy. Excepted targets are not blocked by any other policy.

unblock03

Third, test and check

Now run some tests to make sure your sites are no longer blocked. If they are still blocked, repeat steps 1-2 until they succeed.
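Both this guide and the whitelisting guide above rely on reading the “content” column of the blocking events. The following added example (not WFilter’s code) parses constructed blocking-event lines, reduces each “content” value (domain, host:port or URL) to a bare host, and reports the hosts that the current allow list does not already cover, returning IP addresses separately since those belong in an “exception” policy. The column layout and the rule that an allow-list entry covers its subdomains are assumptions of this example, not documented WFilter behaviour.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed blocking events: time | client | reason | protocol | content.
EVENTS = """\
2025-07-07 10:01:02 | 192.168.1.20 | web filter  | https | cdn.example.net
2025-07-07 10:01:02 | 192.168.1.20 | web filter  | https | https://fonts.example.org/css?family=x
2025-07-07 10:01:03 | 192.168.1.20 | web filter  | http  | www.example.com:8080
2025-07-07 10:01:04 | 192.168.1.20 | app control | tcp   | 203.0.113.44
2025-07-07 10:01:05 | 192.168.1.21 | web filter  | https | static.example.com
"""

ALLOWED = {"example.com"}  # the current web filter allow list (constructed)

def host_of(content):
    """Reduce the 'content' column (domain, host:port or full URL) to a bare host."""
    if "://" not in content:
        content = "//" + content          # let urlsplit treat it as a netloc
    return urlsplit(content).hostname or ""

def is_allowed(host, allowed):
    """Assumed rule: an allow-list entry covers itself and its subdomains."""
    return any(host == a or host.endswith("." + a) for a in allowed)

def parse_events(text):
    """Yield (client, reason, host) for every event line."""
    for line in text.splitlines():
        if line.strip():
            _, client, reason, _, content = (f.strip() for f in line.split("|"))
            yield client, reason, host_of(content)

def missing_allow_entries(text, allowed=ALLOWED, reason="web filter"):
    """Hosts blocked under `reason` that no allow-list entry covers; IP addresses
    come back separately, as they belong in an "exception" policy, not the allow list."""
    domains, ips = set(), set()
    for _, why, host in parse_events(text):
        if why != reason or not host or is_allowed(host, allowed):
            continue
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host)
    return sorted(domains), sorted(ips)

if __name__ == "__main__":
    domains, ips = missing_allow_entries(EVENTS)
    print("add to allow list:", domains)
    print("needs an exception policy:", ips)
```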


How to block Tor browser in the network?

Some users might use Tor browser to bypass the company firewall’s controls, rendering the firewall useless. In this topic, I will guide you through blocking Tor browser traffic in your network with WFilter ICF (internet content filter).

1. Define the Tor browser protocol

blocktor02

Create a new “torbrowser” protocol in “System Settings”->“Protocols”.

blocktor03

Add a new pattern: choose the “TLS2” type, set “Offset” to “0” and “Pattype” to “Regular Expression”, and enter the pattern “\x01\x02\x02\x02\x03\x00\x0F\x00\x01\x01$”.

Save settings and apply the changes.

2. Deploy a Tor blocking policy

blocktor04

Add a blocking policy and set “Torbrowser” to “Deny” under “applications”.

blocktor05

Apply this policy to certain client devices.

3. Test and check

After the above steps, Tor browser should no longer be able to establish a connection to the Tor network.

blocktor01

In “live connections” of WFilter, you can see “tor browser” being blocked.

blocktor06