First time setting up VPN on WatchGuard
My last job, I setup VPN through Meraki MX, and I used RADIUS (Active Directory) authentication using NPS (Network Policy Server). This way each user had to be a member of 'VPN Users' AD group, and they could login using their AD Credentials. I also wrote a PowerShell script to automate the native Windows 10 VPN Client.
I like to do the same at my new job using WatchGuard, and I'm following the below guide. I assume I can use the same thing here? Such as RADIUS authentication through AD, and also split tunneling so that internet will go through the user's home LAN and only company traffic goes through the WatchGuard.
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/configure_fb_for_mvpn_ssl_c.html
0
Sign In to comment.
Comments
Hi @tantony
You can set the SSLVPN up to use AD or RADIUS -- and it can be split tunnel. The only major difference is that the user will need to install the SSLVPN client (either ours or an OpenVPN compatible one.)
-James Carson
WatchGuard Customer Support
@james.carson
Thank you, yes, I forgot to mention about the WatchGuard VPN client.
Also be aware of the security considerations if using a split tunnel client VPN.
Potentially a hacker from the Internet or hacker software can be accessing the client PC and then be able to access whatever that user can access behind your firewall.
I was thinking of split tunneling for 'performance' since internet traffic won't touch the company.
Looks like I can setup IKEv2, SSL, L2TP and IPSec. I guess they all have their plus and minuses. Any one of them can do RADIUS authentication right?
When I go to VPN, there's a green check mark only next to SSL, what does that mean?
Where exactly are you when you see this?
IPSec does not support RADIUS.
It does support AD directly.
L2PT is being dropped at some time in the future by WG.
ok, are most admins using IPSec?
Please see attached picture. When I login to the web gui and go to VPN.
Oh ok, I'll ask my co-worker, I'm still about new here and I did not do that.
From what I can tell, we have SSL VPN setup with AD authentication already.
If the AD user is a member of the 'Remote-VPN' group in AD.
What's the SSLVPN-Users? Because I did not see that in the WatchGuard alias.
FYI - searchable WG firewall documentation is here:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/_intro/fireware_help_front.html
You can use the default SSLVPN-Users group for authentication, or you can add the names of users and groups that exist on your authentication server.
From the "Add Users and Groups" section:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/configure_fb_for_mvpn_ssl_c.html
Thanks, I'm at home now trying to connect to VPN, but I keep getting this in logs. I'm not able to connect to VPN.
2022-10-04T18:18:10.300 Requesting client configuration from .......
2022-10-04T18:18:21.152 FAILED:Cannot perform http request 12156
2022-10-04T18:18:21.152 failed to get domain name
You really need to see your firewall logs to understand this.
Could be many reasons.
You can usually test this connection from behind your firewall.
From the "Connection Issues" section here:
Troubleshoot Mobile VPN with SSL
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/mvpn_ssl_tshoot_c.html
The VPN client cannot connect. These error messages might appear on the client or in the client logs: Failed: Cannot perform HTTP request, Cannot perform HTTP request 12157, Cannot perform HTTP request 12031, Timeout 12002, Failed to get domain name, or System tried to join.Open
This log message indicates that the client cannot make an HTTPS connection to the IP address specified in the Server text box in the Mobile VPN with SSL client. Confirm that the policy configuration on the Firebox allows connections from Any-External to Firebox, and that no other policy handles traffic from the IP addresses you configured as the virtual IP address pool for Mobile VPN with SSL.
If you specify a TCP port other than 443 as the Configuration Channel in the Mobile VPN with SSL settings, mobile users must specify the port number as part of the address in the Server text box in the Mobile VPN with SSL client. For example, if the port is TCP 444, specify 203.0.113.2:444 on the client.
IKEv2 is the best VPN for security and performance but requires RADIUS (or AuthPoint).
SSLVPN is nice in places where IKEv2 traffic isn't allowed since it runs off HTTPS which isn't usually blocked by Firewalls in public places.
It looks like we're using a different public IP for VPN, I'll try that from home.
When I Google this error, some of them say to check Internet Explorer settings. Do I need to check this on my laptop?
https://serverfault.com/questions/783630/watchguard-mobile-vpn-failed-to-get-domain-name
I have never had to do this.
Have you tested this from behind your firewall?
@Bruce_Briggs
Sorry, just to be clear, by behind your firewall, you mean like from my home?
No - connect to trusted - behind your WG firewall
not yet, will try that next
While I'm on the topic, is there a way to connect to VPN from iPad or smart phones? My last job, I just used the native iPhone, Android VPN app and it worked fine.
Do I use OpenVPN Connect iOS app?
I tested this from behind the firewall on a trusted interface.
When I enter the public IP and my AD credentials, I am getting the Duo notification to deny / allow.
But then I see a popup from Sophos (our AV software) that OpenVPN is not allowed. I know WatchGuard VPN Client is based on OpenVPN.
So it looks like its working, but it doesn't connect to VPN probably because of OpenVPN being blocked on company computers.
You can use the native iOS VPN app - which is IPSec based.
Apple is restricting 3rd party VPN apps from working in its latest OS versions.
Review this post:
Mobile VPN with SSL 12.7.2 for macOS Ventura
https://community.watchguard.com/watchguard-community/discussion/2855/mobile-vpn-with-ssl-12-7-2-for-macos-ventura
You can use the native Android VPN app - which supports IPSec or L2TP VPNs.
You can also use an OpenVPN app there too.
Use Mobile VPN with SSL with an OpenVPN Client
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/mvpn_ssl_ovpn_profile_c.html
Thank you, so I guess I'll need to try the VPN again from home since OpenVPN is blocked on company computers. I can try from my home laptop.
I'm able to VPN from home now using the new public IP. I did not had to make any changes on Internet Explorer.
When I was using Logmein, I could remote to my work computer, but with Watchguard VPN I cannot remote in. I can ping it by IP and DNS.
The Logmein client at your house goes to a Logmein server on the Internet which connects to a Logmein destination device which has a connection to the Logmein server - in this case, your work PC.
So in this case, it makes no sense to do this as your VPN client is already connected to your work LAN.
You need to look at work firewall logs to see if this connection is being denied, if you decide that you reallllllly want to do this to work when connected via a client VPN connection.
Use a different app, such as RDP over the VPN connection, or don't try to use Logmein when connected via the client VPN connection.