Options for implementing an outbound VPN for all trusted network users

Customer wants to know the best way to implement an outbound VPN that is in place at the internet gateway, for all outbound HTTP traffic without installing client software on desktops, tablets or other devices.

Is the WatchGuard firebox the right place to do this?
Can it even be done on the firebox?

As always any suggestions or answers appreciated.

Comments

  • If you mean a VPN to one of the commercial VPN servers, such as for NordVPN, IPVanish etc., no it can't be done on a WG firewall.
    And when using those services, all traffic goes over the VPN connection, not just HTTP.

    What is the goal here?

  • James_CarsonJames_Carson Moderator, WatchGuard Representative

    Hi @EnEm

    Creating a default route, or zero route is possible, it really just depends on what you're doing it to.

    You can read more about how you set a default or zero route on a VPN here:

    http://www.watchguard.com/help/docs/fireware/12/en-us/Content/en-US/bovpn/manual/vpn_default_route_c.html

    -James Carson
    WatchGuard Customer Support

  • Thanks for the replies. I wasn’t sure how it would work, especially the VPN part. I can see that the commercial VPN providers can’t be integrated.

    Not WatchGuard related but how do people achieve a network level outbound VPN?

  • To do what?

  • Currently, accessing the internet outbound using a VPN with a browser requires a device based VPN on the desktop or the mobile device from the trusted network. This may simply be how it is... but the question being asked is can we put a VPN on the perimeter of the network, so that when an internet user connects to the internet with a browser they are automatically connected using a VPN. The purpose is to make sure that internet browsing and privacy is protected by the VPN.

  • You can buy home type routers which are set up to set up a VPN to a limited number of commercial VPN servers. These run DD-WRT and use OpenVPN to make the VPN to the commercial VPN servers.

    If you were to do this, then the content of the VPNs would not be available to your WG firewall to control any of this traffic, to do inspection of HTTPS, to block access to undesired sites, to prevent the use of specific applications, to prevent Botnet activity, to do AV scans etc.
    The above are true for a client VPN connection to commercial VPN servers too.

Sign In to comment.