SSL VPN on Windows on ARM?

Sooooo... today I installed -- successfully it said -- the Watchguard SSL VPN connector via my gateway on my Surface Pro X (which, you may recall, uses an ARM-based processor).

However, no matter how many times I tried, I was unsuccessful at connecting to my VPN. Using the same network, and the same username/password, my (AMD64-based system sitting right next to it connects perfectly. Like it always does.

Is Windows On Arm supposed to be supported? Is there something I need to do to enable this?

If this doesn't currently work, that seems to be me to be a pretty big problem. The Surface Pro X and other Windows On Arm based laptops are being positioned a premier machines for "executive" type knowledge workers (that's code for folks who read a lot of email and edit lot of documents).

Help?

Peter

Comments

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi, @PeterGV

    The ARM based processors won't work with the WatchGuard SSLVPN. You can use the L2TP VPN which is supported by Windows 10's built in VPN client. This is more of a limitation of the WindowsRT platform rather than a limitation of the SSLVPN software.

    (Configure and Use L2TP on Windows 10)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/l2tp/l2tp_vpn_client_win10_c.html

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • Thanks for that reply.

    First, Windows On ARM is most emphatically not WindowsRT (which was a Windows 8 operating system for the long discontinued Surface RT).

    Second, as a professional driver developer with some experience, I don’t understand why you would say that support for SSL VPN is “a limitation of” the Windows platform.

    Isn’t it just a matter of not having a driver that’s built for ARM? What is it, technically, that prevents you guys from supporting SSLVON on Windows On ARM?

    Sorry to post such a negative reply, but it frustrates me when I get a reply from an official representative that doesn’t add-up in my experience.

    Peter

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @PeterGV

    I'm referring to WindowsRT as the ARM platform, which the surface you mentioned was part of.

    As far as I'm aware, no VPN apps work with the ARM based variants (I may be incorrect here) -- however, WatchGuard's SSLVPN is based on OpenVPN. This should work with most OpenVPN based clients, if you choose to use that. Doing a cursory search of the windows 10 store for ARM products, I don't see any VPNs that meet that criteria in the WIndows store at this time.

    As I mentioned, there is a supported solution, which is to use the L2TP VPN, which will work on that type of processor.

    -James Carson
    WatchGuard Customer Support

  • Thank you again for your quick reply.

    OK. All your devs need to do is rebuild the driver to target ARM64, just like they build it to target 32-bit x86 and 64-bit x64. And alter the installer to install the right version. It’s not like it’s a lot of work. It will take one dev an afternoon. Including testing.

    I absolutely love my WatchGuard Firebox. Not even having a plan to support Windows On ARM seems like a bad idea, when doing so is so simple. But, what do I know, right?

    Thank you again for the quick reply. I do appreciate your assistance, even if I’m disappointed with the ultimate resolution.

  • And it seems there IS a version of the OpenVPN TAP driver built for Windows On Arm: https://github.com/OpenVPN/tap-windows6/issues/75!

    So... there is hope.

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @PeterGV
    If you'd like to create a support case, we can certainly get a feature request set up to support this and attach it to this case, which will keep you notified of progress on that.

    If you'd like to use the OpenVPN variant, you can get the OVPN file from the firebox's SSLVPN login page (https://IP of firewall:port SSLVPN runs on if it's not 443) -- so like https://1.2.3.4/sslvpn_logon.shtml:444

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • Just to close the loop, I've finally had the time (and requirement) to try this: Using the TAP driver from OpenVPN works like a charm.

    I installed the Watchguard SSL VPN package. THEN I installed the OpenVPN package from here. Fired-up the Watchguard SSL VPN GUI...and presto! everything works.

    It really would be very easy for the Watchguard team to support Windows on Arm. And I hope they do, soon. However, in the meantime... I've got a work around.

    Thanks,

    Peter

  • Thank you PeterGV, your solution worked perfectly for me, and saved me several hours of pulling my hair out.

  • Glad to be able to help.

    Why the Watchguard team hasn’t added support for ARM64 is behind me. It’ll take them, literally, a couple of hours at most.

    Watchguard is such an exceptional product in so many ways. But when they’re blind to things, they can be really blind. This is One of those things, I guess.

    Peter

  • Have exactly same problem on a New Surface Pro X and have Tried your solution unfortunately it did not work with the current version of the ARM64 Open VPN that your link goes through too was it by any chance an earlier Version trying to get it to run with Version 12.7.0 build 637701 of Watchguard

  • edited October 2021

    I had arrived at the same fix @PeterGV before I found this post... Sadly it didn't work for me straight away. I checked the date of your post and went back and got the October 2019 OpenVPN version 2.4.8 - installed that and it worked like a charm.

  • It's a shame nobody from Watchguard is stepping up to answer these questions -- never mind fixing the underlying problem that's plaguing us and would take their developers an afternoon or less to fix. WTF?

    Let's see if I can help: ISTR that OpenVPN is revising their client code. I know that some very significant work was being done on the Windows driver. If the Watchguard driver is based on the earlier version of OpenVPN, then it is entirely possible that using the new OpenVPN driver and expecting that to interop with the rest of the Watchguard client (which is what I was successful in doing) doesn't work anymore.

    I am still, successfully, running the OpenVPN code (on my Surface X) that I downloaded back in November 2019. And it's still working with the latest update of my firewall. So, I'd advise downloading whatever version of OpenVPN was current back in November 2019, if that's still possible.

    Again, where is Watchguard with this problem? C'mon guys...

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @petergv@osr.com

    SSLVPN isn't currently supported on ARM devices (both Apple, and Windows.) There's quite a few reasons for this -- most of which are based on shuffling the TAP drivers for compatibility and performance (as you've experienced.) We use the current version of the TAP driver because it is the most compatible across the platforms we support.

    There are open feature requests for each
    FBX-19268 - Windows ARM.
    FBX-20838 - Apple M1 (and presumably M2)

    For customers on that platform, and in general, the direction WatchGuard has been moving us to use built in OS VPN clients, vice installing them (like IKEv2 and L2TP.) IKEv2 generally performs better and works with both platforms, no software install needed.

    If you'd like status updates on either of those feature requests as they're worked on, please open a support case and mention the FBX number somewhere in the case itself. The support rep can set the case up for that.

    -James Carson
    WatchGuard Customer Support

  • I don't have an ARM processor on my MacBook Pro, but am getting a message that the Watchguard SSL VPN Client is a Legacy System Extension and will not work with future versions of MacOS. I am currently running macOS Monterey v12.3 and it works fine. I believe this is because Apple is moving to only allow 64-bit code in their next macOS release. Do you expect a solution from Watchguard or do I need to start working on trying alternative VPN Clients and abandoning the Watchguard client?

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Landy

    This is expected at this time, but fully works with your OS. See:

    https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S000000SNNNSA4&lang=en_US

    There's a feature request to support later versions of MacOS, but it remains to be seen if this will be fully possible given that the SSLVPN is built on OpenVPN for the widest compatibility. The article here provides a good overview of the issue:
    https://tunnelblick.net/cTunTapConnections.html

    Should these types of connections not be allowed, the IPSec (IKEv1) and IKEv2 VPNs are compatible with the VPN client built into MacOS -- however, due to how Apple has configured it, it will only function as a full/forced tunnel.

    See these articles for more information on configuring these:

    Use the macOS or iOS Native IPSec VPN Client
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ipsec/mvpn_ipsec_ios_vpn_c.html

    Configure iOS and macOS Devices for Mobile VPN with IKEv2
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ikev2/mvpn_ikev2_mac_client.html

    -James Carson
    WatchGuard Customer Support

  • @james.carson

    I was coming here to once again complain about SSLVPN support and ARM and such... but after reading your reply above that said (in part):

    the direction WatchGuard has been moving us to use built in OS VPN clients, vice installing them (like IKEv2 and L2TP.) IKEv2 generally performs better and works with both platforms, no software install needed.

    I decided to setup an IKEv2 MUVPN, and try to use it from my ARM tablet.

    Setup on the Firebox was a bit confusing, but once done... setup on the CLIENT was trivial and indeed, the performance is extremely good.

    In summary: I'm a convert! Now I'm "all about" the IKEv2 MUVPN, and (as soon as the darn tokens get here) I'm going to move ahead with setting up Authpoint MFA for the IKEv2 VPN and move our users from the older SSL VPN.

    I was skeptical... but using the built-in VPN facility in Windows really DOES seem to work quite nicely.

    Peter

Sign In to comment.