Outbound VPN to 3rd Party Provider
With all of the enhancements that I've seen in the OS lately, I'm pretty sure that what I'd like to do is possible; I'm just looking to see if someone has any suggestions or configuration hints.
Current setup:
- M270
- OS 12.9.2
What I'd like to do is create an outbound BOVPN to a 3rd party VPN provider, such as SurfShark or ExpressVPN. I'd like to create a route in the firewall that will send specific users out to the interwebs via that BOVPN.
I tried to import an OpenVPN file into the Watchguard BOVPN virtual interface (fantastic idea!) but it's missing the and portions and won't import. I tried to manually add some sections but it wouldn't take. It also seems like SurfShark and ExpressVPN don't post their IKE settings, so this looks like it could be a trial-and-error setup.
Any hints?
Comments
See James's comment, here:
Setup a perminant VPN from my network to a public VPN?
https://community.watchguard.com/watchguard-community/discussion/comment/12381#Comment_12381
Thanks Bruce. I stepped through everything that's there, and have come up with an .ovpn file that is supposed to work. I realize that Watchguard OS is not intended to do what I'm trying, so I understand if this isn't feasible. The config file currently is:
client
dev tun
proto tcp
remote hostname 1433
resolv-retry infinite
auth-user-pass
client-cert-not-required
username-as-common-name
nobind
persist-key
persist-tun
remote-cert-tls server
reneg-sec 0
keepalive 10 60
verb 3
mute-replay-warnings
cipher AES-256-CBC
auth SHA512
-----BEGIN CERTIFICATE-----
MIIFTTCCAzWgAwIBAgIJAMs9S3fqwv+mMA0GCSqGSIb3DQEBCwUAMD0xCzAJBgNV
[snip]
623cSEC3Q3UZutsEm/UplsM=
-----END CERTIFICATE-----
key-direction 1
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
b02cb1d7c6fee5d4f89b8de72b51a8d0
[snip]
134d3a3aa2f904512e85aa2dc2202498
-----END OpenVPN Static key V1-----
The problem lies in the section:
auth-user-pass
client-cert-not-required
username-as-common-name
Watchguard is reporting "The required parameter - '[ca]' is missing!" if I uncomment auth-user-pass, and it's reporting, "The required parameter - '[cert]' is missing!" if I leave that section commented out.
I have since figured out that:
openvpn auth-user-pass is looking for a certificate file on the local device that contains the username/password for the OpenVPN login. If I comment out auth-user-pass, it's looking for a user certificate. I only have the username/password and do not have the certificate. Maybe I'll keep looking to see if I can generate a certificate somehow.
OR, does anyone have an IKE key exchange ideas? Utilizing BOVPN Virtual Interfaces would be ideal and it looks like it only supports IKE.
Thanks!
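A small checker for the two import errors quoted above, added here as an example and not taken from the thread or from WatchGuard: it splits an .ovpn into directives and inline blocks and reports which blocks are still missing. The sample profile, hostname and certificate/key bodies are constructed, and the required-block rules are inferred from the '[ca]' and '[cert]' error messages rather than from vendor documentation.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample shaped like the .ovpn posted above; the hostname is a reserved
# example name and the certificate/key bodies are placeholders, not real material.
SAMPLE_OVPN = """\
client
remote vpn.example.invalid 1433
auth-user-pass
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-CA-BODY
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
constructedplaceholderstatickey
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# An inline block is <tag> on its own line, a body, then </tag> on its own line.
INLINE_RE = re.compile(r"^<(\w[\w-]*)>\n(.*?)^</\1>$", re.S | re.M)

def parse_ovpn(text: str) -> Tuple[Dict[str, List[str]], Dict[str, str]]:
    """Split a profile into directives (name -> args) and inline blocks (tag -> body)."""
    inline = {m.group(1): m.group(2) for m in INLINE_RE.finditer(text)}
    directives: Dict[str, List[str]] = {}
    for line in INLINE_RE.sub("", text).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":      # skip blanks and comment lines
            continue
        name, *args = line.split()
        directives[name] = args              # last occurrence wins; enough for a checker
    return directives, inline

def missing_for_import(text: str) -> List[str]:
    """Inline blocks an importer would still demand. Hypothetical rules,
    reconstructed from the '[ca]' / '[cert]' errors quoted in the thread."""
    directives, inline = parse_ovpn(text)
    missing = [] if "ca" in inline else ["ca"]          # server CA is always required
    if "auth-user-pass" not in directives:              # no username/password login,
        missing += [t for t in ("cert", "key") if t not in inline]  # so a client cert is expected
    if "tls-auth" in inline and "key-direction" not in directives:
        missing.append("key-direction")
    return missing
```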
A number of years back, I contacted NordVPN on a problem that I was having using their product from my Windows PC.
Their support suggested using OpenVPN and provided me with an .ovpn file, which included a cert and other settings.
Perhaps contacting support for the VPN product of your choice would result in a working .ovpn file for you.
As an update on getting this to work: I couldn't get this to work using the Watchguard appliance. BUT, my workaround: