SSL VPN on Windows on ARM?
Sooooo... today I installed -- successfully it said -- the Watchguard SSL VPN connector via my gateway on my Surface Pro X (which, you may recall, uses an ARM-based processor).
However, no matter how many times I tried, I was unsuccessful at connecting to my VPN. Using the same network, and the same username/password, my (AMD64-based) system sitting right next to it connects perfectly. Like it always does.
Is Windows On Arm supposed to be supported? Is there something I need to do to enable this?
If this doesn't currently work, that seems to me to be a pretty big problem. The Surface Pro X and other Windows On Arm based laptops are being positioned as premier machines for "executive" type knowledge workers (that's code for folks who read a lot of email and edit a lot of documents).
Help?
Peter
Comments
Hi, @PeterGV
The ARM based processors won't work with the WatchGuard SSLVPN. You can use the L2TP VPN which is supported by Windows 10's built in VPN client. This is more of a limitation of the WindowsRT platform rather than a limitation of the SSLVPN software.
(Configure and Use L2TP on Windows 10)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/l2tp/l2tp_vpn_client_win10_c.html
Thank you,
-James Carson
WatchGuard Customer Support
Thanks for that reply.
First, Windows On ARM is most emphatically not WindowsRT (which was a Windows 8 operating system for the long discontinued Surface RT).
Second, as a professional driver developer with some experience, I don’t understand why you would say that support for SSL VPN is “a limitation of” the Windows platform.
Isn’t it just a matter of not having a driver that’s built for ARM? What is it, technically, that prevents you guys from supporting SSLVPN on Windows On ARM?
Sorry to post such a negative reply, but it frustrates me when I get a reply from an official representative that doesn’t add up in my experience.
Peter
Hi @PeterGV
I'm referring to WindowsRT as the ARM platform, which the Surface you mentioned was part of.
As far as I'm aware, no VPN apps work with the ARM based variants (I may be incorrect here) -- however, WatchGuard's SSLVPN is based on OpenVPN. This should work with most OpenVPN based clients, if you choose to use that. Doing a cursory search of the Windows 10 store for ARM products, I don't see any VPNs that meet that criteria in the Windows store at this time.
As I mentioned, there is a supported solution, which is to use the L2TP VPN, which will work on that type of processor.
-James Carson
WatchGuard Customer Support
Thank you again for your quick reply.
OK. All your devs need to do is rebuild the driver to target ARM64, just like they build it to target 32-bit x86 and 64-bit x64. And alter the installer to install the right version. It’s not like it’s a lot of work. It will take one dev an afternoon. Including testing.
I absolutely love my WatchGuard Firebox. Not even having a plan to support Windows On ARM seems like a bad idea, when doing so is so simple. But, what do I know, right?
Thank you again for the quick reply. I do appreciate your assistance, even if I’m disappointed with the ultimate resolution.
And it seems there IS a version of the OpenVPN TAP driver built for Windows On Arm: https://github.com/OpenVPN/tap-windows6/issues/75!
So... there is hope.
Hi @PeterGV
If you'd like to create a support case, we can certainly get a feature request set up to support this and attach it to this case, which will keep you notified of progress on that.
If you'd like to use the OpenVPN variant, you can get the OVPN file from the firebox's SSLVPN login page (https://IP of firewall:port SSLVPN runs on if it's not 443) -- so like https://1.2.3.4/sslvpn_logon.shtml:444
Thank you,
-James Carson
WatchGuard Customer Support
Just to close the loop, I've finally had the time (and requirement) to try this: Using the TAP driver from OpenVPN works like a charm.
I installed the Watchguard SSL VPN package. THEN I installed the OpenVPN package from here. Fired-up the Watchguard SSL VPN GUI...and presto! everything works.
It really would be very easy for the Watchguard team to support Windows on Arm. And I hope they do, soon. However, in the meantime... I've got a work around.
Thanks,
Peter
Thank you PeterGV, your solution worked perfectly for me, and saved me several hours of pulling my hair out.
Glad to be able to help.
Why the Watchguard team hasn’t added support for ARM64 is beyond me. It’ll take them, literally, a couple of hours at most.
Watchguard is such an exceptional product in so many ways. But when they’re blind to things, they can be really blind. This is one of those things, I guess.
Peter
Have exactly the same problem on a new Surface Pro X and have tried your solution. Unfortunately, it did not work with the current version of the ARM64 Open VPN that your link goes through to. Was it by any chance an earlier version? Trying to get it to run with version 12.7.0 build 637701 of Watchguard.
I had arrived at the same fix @PeterGV before I found this post... Sadly it didn't work for me straight away. I checked the date of your post and went back and got the October 2019 OpenVPN version 2.4.8 - installed that and it worked like a charm.
It's a shame nobody from Watchguard is stepping up to answer these questions -- never mind fixing the underlying problem that's plaguing us and would take their developers an afternoon or less to fix. WTF?
Let's see if I can help: ISTR that OpenVPN is revising their client code. I know that some very significant work was being done on the Windows driver. If the Watchguard driver is based on the earlier version of OpenVPN, then it is entirely possible that using the new OpenVPN driver and expecting that to interop with the rest of the Watchguard client (which is what I was successful in doing) doesn't work anymore.
I am still, successfully, running the OpenVPN code (on my Surface X) that I downloaded back in November 2019. And it's still working with the latest update of my firewall. So, I'd advise downloading whatever version of OpenVPN was current back in November 2019, if that's still possible.
Again, where is Watchguard with this problem? C'mon guys...
Hi @petergv@osr.com
SSLVPN isn't currently supported on ARM devices (both Apple, and Windows.) There's quite a few reasons for this -- most of which are based on shuffling the TAP drivers for compatibility and performance (as you've experienced.) We use the current version of the TAP driver because it is the most compatible across the platforms we support.
There are open feature requests for each:
FBX-19268 - Windows ARM.
FBX-20838 - Apple M1 (and presumably M2)
For customers on that platform, and in general, the direction WatchGuard has been moving is to use built-in OS VPN clients, vice installing them (like IKEv2 and L2TP.) IKEv2 generally performs better and works with both platforms, no software install needed.
If you'd like status updates on either of those feature requests as they're worked on, please open a support case and mention the FBX number somewhere in the case itself. The support rep can set the case up for that.
-James Carson
WatchGuard Customer Support
I don't have an ARM processor on my MacBook Pro, but am getting a message that the Watchguard SSL VPN Client is a Legacy System Extension and will not work with future versions of MacOS. I am currently running macOS Monterey v12.3 and it works fine. I believe this is because Apple is moving to only allow 64-bit code in their next macOS release. Do you expect a solution from Watchguard or do I need to start working on trying alternative VPN Clients and abandoning the Watchguard client?
Hi @Landy
This is expected at this time, but fully works with your OS. See:
https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S000000SNNNSA4&lang=en_US
There's a feature request to support later versions of MacOS, but it remains to be seen if this will be fully possible given that the SSLVPN is built on OpenVPN for the widest compatibility. The article here provides a good overview of the issue:
https://tunnelblick.net/cTunTapConnections.html
Should these types of connections not be allowed, the IPSec (IKEv1) and IKEv2 VPNs are compatible with the VPN client built into MacOS -- however, due to how Apple has configured it, it will only function as a full/forced tunnel.
See these articles for more information on configuring these:
Use the macOS or iOS Native IPSec VPN Client
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ipsec/mvpn_ipsec_ios_vpn_c.html
Configure iOS and macOS Devices for Mobile VPN with IKEv2
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ikev2/mvpn_ikev2_mac_client.html
-James Carson
WatchGuard Customer Support
@james.carson
I was coming here to once again complain about SSLVPN support and ARM and such... but after reading your reply above that said (in part):
I decided to set up an IKEv2 MUVPN, and try to use it from my ARM tablet.
Setup on the Firebox was a bit confusing, but once done... setup on the CLIENT was trivial and indeed, the performance is extremely good.
In summary: I'm a convert! Now I'm "all about" the IKEv2 MUVPN, and (as soon as the darn tokens get here) I'm going to move ahead with setting up Authpoint MFA for the IKEv2 VPN and move our users from the older SSL VPN.
I was skeptical... but using the built-in VPN facility in Windows really DOES seem to work quite nicely.
Peter