First time configuring VPN on Firebox and I need help
Hi everyone! This is actually the first time I am setting up a VPN at all.
I made an account with a DDNS provider - duckdns.org - and copied a token number.
I went to Web UI/Mobile VPN/SSL/Configure and typed in my DDNS and virtual IP pool.
Checked users and added a user with a password to the SSLVPN users group. Went to Authentication and on Firebox-DB I added a user to the SSLVPN group, with a password.
On Network/Dynamic DNS I enabled Dynamic DNS, used duckdns.org, typed in my domain name "mydomainname.duckdns.org" and pasted the token number. I also checked the option that says "Allow the dynamic DNS provider to determine the IP address".
Because the firewall is behind my ISP router, I logged in to the ISP router and on DMZ I added a dynamic DNS. Not sure if I have to port forward? If so, I am not sure how to do it because it's confusing me a little bit, but I guess I'll get to it as well.
When I try to connect via the client that I downloaded I just get "Couldn't read user configuration" or some message like that.
What am I doing wrong, or what am I skipping/missing?
Thanks for any help or advice on this subject and I apologize if I was confusing.
Comments
You do need to set up a port forward on your ISP device if your firewall has a private IP addr on external.
Better yet, set up your ISP device in bridge mode if possible - which will give your firewall a public IP addr on external.
If your firewall has a private IP addr then you do not want to use your firewall's external IP addr in your DYNDNS setup - you need the public IP addr.
Hi @Bruce_Briggs , and thank you for your answer. I really appreciate it.
I don't know where my mistake is, but if you could kindly take a look at it, that would be great.
So my Firebox is behind a Technicolor (T-Com ISP) router.
I configured Mobile VPN with SSL and downloaded the client. Configured users and placed them in the SSL-VPN users group.
Firewall policies were added by default after enabling Mobile VPN with SSL (I am not sure if I need to add more rules or edit the policy; I am still learning, so sorry for that).
I enabled the external interface on Dynamic DNS after creating an account on the DDNS provider platform. I checked and the IP looks alright. nslookup is giving me my public IP, so it should be good.
I figured out that I need to do port forwarding, so I logged in to my T-Com router, where I have these options: source/destination IP and WAN and LAN port. On DMZ / DynDNS I added my DDNS account, and it should be working because in the Technicolor options it says that it is "updated" in green. If it wasn't connecting it would be yellow or red.
Since Mobile VPN with SSL is on TCP 443, I figured that I should put 443 in both the WAN and LAN port, leave the source IP field empty, and set the destination IP to the private address of the Firebox (if I understood this correctly).
General instructions:
1) Verify that your DYNDNS IP addr is correct. Compare it to what you see from behind your firewall when accessing https://www.whatsmyip.org/
2) Verify whether you are getting anything incoming from your ISP router on TCP port 443.
Turn on logging on your WatchGuard SSLVPN policy - in the Web UI, Firewall -> Firewall Policies - select it. In the Logging section, select "Send a log message".
Look in Traffic Monitor while a session is trying to be established and search for SSLVPN.
If you are still having issues, please provide the ISP router model in use.
Hi @Bruce_Briggs! Once again, thank you for your fast reply. I really appreciate it.
1) I did verify that, and it all looks good.
2) I tried that, and I don't see anything. I mean, it doesn't seem as if the firewall is getting that request at all.
ISP router: Technicolor
Model: FGA2233
Seems like you have done everything correctly.
The FGA2233 manual that I can find online looks like it is in Hungarian, and doesn't seem to have any info on port forwarding - so there is no real help there.
Try contacting your ISP and see if someone there can help verify that your port forwarding is set up correctly.
This link is translated into English (the original is in Hungarian):
https://kozosseg-telekom-hu.translate.goog/topic/15094-port-forwarding/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp
What you can try is to use a web-based port scanner to scan port 443 on the external IP (duckdns.org). It should be open.
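The two checks above (does the DuckDNS name resolve to the public IP, and does TCP 443 answer from outside) as a small script; this is an added example, not code from the thread or from WatchGuard. The hostname and 203.0.113.x addresses are placeholders, and the public IP is the one whatsmyip.org shows from behind the firewall.

```python
"""Diagnostic for Mobile VPN with SSL behind an ISP router: DDNS record vs. public IP,
then a TCP handshake to port 443. Run it from OUTSIDE the LAN (e.g. a phone hotspot)."""
import socket

SSLVPN_PORT = 443  # Mobile VPN with SSL listens on TCP 443 by default


def resolve(hostname):
    """Return the address the DDNS name currently points at, or None if it does not resolve."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def tcp_port_open(host, port, timeout=5.0):
    """True if a TCP handshake to host:port completes within timeout (the ISP router forwards it)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verdict(ddns_ip, public_ip, port_open):
    """Map the two checks to the next troubleshooting step from the thread (pure, no network)."""
    if ddns_ip is None:
        return "ddns-unresolved"  # record missing: check the domain/token on duckdns.org
    if ddns_ip != public_ip:
        return "ddns-mismatch"    # record holds the Firebox's private IP, not the ISP router's public IP
    if not port_open:
        return "port-closed"      # DNS is fine; the ISP router is not forwarding TCP 443 (or use bridge mode)
    return "reachable"            # outside path works; now check the SSLVPN policy log in Traffic Monitor


def diagnose(ddns_name, public_ip, port=SSLVPN_PORT):
    """Run both network checks and return (verdict, resolved_ip)."""
    ddns_ip = resolve(ddns_name)
    port_open = ddns_ip is not None and tcp_port_open(ddns_ip, port)
    return verdict(ddns_ip, public_ip, port_open), ddns_ip


if __name__ == "__main__":
    import sys
    # usage: python check_sslvpn.py mydomainname.duckdns.org 203.0.113.5   (placeholder values)
    name, pub = sys.argv[1], sys.argv[2]
    result, ip = diagnose(name, pub)
    print(f"{name} -> {ip}; verdict: {result}")
```

A "reachable" result only proves that something accepted the TCP connection on 443; the Firebox's own SSLVPN policy log, as Bruce suggests, confirms the session actually reached the firewall.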