Outbound VPN to 3rd Party Provider

With all of the enhancements that I've seen in the OS lately, I'm pretty sure that what I'd like to do is possible, just looking to see if someone has any suggestions or a configuration hints.

Current setup:

  • M270
  • OS 12.9.2

What I'd like to do is create an outbound BOVPN to a 3rd party VPN provider, such as SurfShark or ExpressVPN. I'd like to create a route in the firewall that will send specific users out to the interwebs via that BOVPN.

I tried to import an OpenVPN file into the Watchguard BOVPN virtual interface (fantastic idea!) but it's missing the and portions and won't import. I tried to manually add some sections but it wouldn't take. It also seems like SurfShark and ExpressVPN don't post their IKE settings, so this looks like it could be a trial-and-error setup.

Any hints?

Comments

  • See James's comment, here:

    Setup a perminant VPN from my network to a public VPN?
    https://community.watchguard.com/watchguard-community/discussion/comment/12381#Comment_12381

  • Thanks Bruce. I stepped through everything that's there, and have come up with an .ovpn file that is supposed to work. I realize that Watchguard OS is not intended to do what I'm trying, so I understand if this isn't feasible. The config file currently is:

    client
    dev tun
    proto tcp
    remote hostname 1433
    resolv-retry infinite
    auth-user-pass
    client-cert-not-required
    username-as-common-name
    nobind
    persist-key
    persist-tun
    remote-cert-tls server
    reneg-sec 0
    keepalive 10 60
    verb 3
    mute-replay-warnings
    cipher AES-256-CBC
    auth SHA512

    -----BEGIN CERTIFICATE-----
    MIIFTTCCAzWgAwIBAgIJAMs9S3fqwv+mMA0GCSqGSIb3DQEBCwUAMD0xCzAJBgNV
    [snip]
    623cSEC3Q3UZutsEm/UplsM=
    -----END CERTIFICATE-----

    key-direction 1
    # 2048 bit OpenVPN static key
    -----BEGIN OpenVPN Static key V1-----
    b02cb1d7c6fee5d4f89b8de72b51a8d0
    [snip]
    134d3a3aa2f904512e85aa2dc2202498
    -----END OpenVPN Static key V1-----


    The problem lies in the section:

    auth-user-pass

    client-cert-not-required

    username-as-common-name

    Watchguard is reporting "The required parameter - '[ca]' is missing!" if I uncomment auth-user-pass, and it's reporting, "The required parameter - '[cert]' is missing!" if I leave that section commented out.

    I have since figured out that:
    openvpn auth-user-pass is looking for a certificate file on the local device that contains the username/password for the OpenVPN login. If I comment out auth-user-pass, it's looking for a user certificate. I only have the username/password and do not have the certificate. Maybe I'll keep looking to see if I can generate a certificate somehow.

    OR, does anyone have any IKE key exchange ideas? Utilizing BOVPN Virtual Interfaces would be ideal and it looks like it only supports IKE.

    Thanks!
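A way to find the missing sections before uploading a profile to the importer, as an added example that is not from this thread or from WatchGuard: a small Python checker that splits an .ovpn file into options and inline `<name>...</name>` blocks and reports which blocks are absent. The rules it applies are an assumption modelled on the two error messages quoted above, and the sample profile, hostname and port are constructed placeholders.

```python
import re

# Constructed sample modelled on the profile in the thread above (hostname and
# port are placeholders, not a real provider endpoint). It has auth-user-pass
# but no inline <ca> block, and a key-direction line whose static key was
# pasted without <tls-auth> tags, so it mirrors the rejected upload.
SAMPLE_PROFILE = """\
client
dev tun
proto tcp
remote vpn.example.invalid 1433
auth-user-pass
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
key-direction 1
# 2048 bit OpenVPN static key
"""

INLINE_BLOCK = re.compile(r"<([\w-]+)>(.*?)</\1>", re.DOTALL)


def parse_ovpn(text):
    """Split a profile into ({option: value}, {block name: body})."""
    blocks = {name: body.strip() for name, body in INLINE_BLOCK.findall(text)}
    options = {}
    for line in INLINE_BLOCK.sub("", text).splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue  # OpenVPN treats # and ; at the start of a line as comments
        key, _, value = line.partition(" ")
        options[key] = value.strip()
    return options, blocks


def missing_sections(text):
    """Return the inline blocks an importer would complain about (assumed rules):
    <ca> is always needed to verify the server; without auth-user-pass the
    client must present its own <cert> and <key>; key-direction only makes
    sense alongside an inline <tls-auth> key (or <tls-crypt>)."""
    options, blocks = parse_ovpn(text)
    required = ["ca"]
    if "auth-user-pass" not in options:
        required += ["cert", "key"]
    if "key-direction" in options and "tls-crypt" not in blocks:
        required.append("tls-auth")
    return [name for name in required if name not in blocks]


if __name__ == "__main__":
    for name in missing_sections(SAMPLE_PROFILE):
        print(f"The required parameter - '[{name}]' is missing!")
```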

  • edited March 2023

    A number of years back, I contacted NordVPN on a problem that I was having using their product from my Windows PC.
    Their support suggested using OpenVPN and provided me with an .ovpn file, which included a cert and other settings.

    Perhaps contacting support for the VPN product of your choice would result in a working .ovpn file for you.

  • As an update to this: I couldn't get this to work using the Watchguard appliance. BUT, my workaround:

    • Purchased a used TP-Link Archer C7 v5 (AC1750) from my local buy and sell.
    • Re-flashed it with OpenWrt.
    • Plugged the LAN port of the TP-Link into port 6 on the M270 and set it as an external port in the WG OS and as a DHCP client. I named this port "VPN-to-Internet".
    • Plugged the WAN port of the TP-Link into the back of the cable modem. (Have since modified this so that it's coming back into port 5 on the M270 on an any-hole that then uses SD-WAN policy to route via either Cable or DSL, depending on availability - but that's specific to this install.)
    • Followed the OpenVPN settings for SurfShark / Router / Manual config.
    • In WG, added the new "VPN-to-Internet" as an SD-WAN available route.
    • In WG, created a new rule that will allow specific people/IPs out to the Any-External (or could be a specific external IP) via SD-WAN "VPN-to-Internet".
    • Rebooted the TP-Link and voila, instant outbound secure connection to a 3rd-party outbound VPN provider.