Is there a real way to connect to WatchGuard's VPN from Linux?

Here is what I did to get WatchGuard/Firebox SSL VPN working on Ubuntu 11.10:

Getting the needed files

You will need the following files:

  • ca.crt
  • client.crt
  • client.pem
  • client.ovpn

From a Windows computer

You will need access to a Windows computer that you can install their client on.

  1. Follow the instructions for installing their client.
  2. Log in for the first time (this will make a number of files in the WatchGuard directory)
  3. Copy the files from the WatchGuard directory
    • Windows XP: C:\Documents and Settings\{Username}\Application Data\WatchGuard\Mobile VPN\
    • Windows Vista/7: C:\Users\{Username}\AppData\Roaming\WatchGuard\Mobile VPN\
  4. The important ones are ca.crt, client.crt, client.pem, and client.ovpn (note the client.pem may be something else ending in .key).
  5. Copy these files over to your Ubuntu system.

From the Firebox SSL box

This is from the Watchguard site. I haven't tried these instructions directly but they look reasonable.

http://customers.watchguard.com/articles/Article/2870?retURL=/apex/knowledgeHome&popup=false

From their document:

  1. Start WatchGuard System Manager and connect to your Firebox or XTM device.
  2. Start Firebox System Manager.
  3. Click the Status Report tab.
  4. Click Support, located at the bottom-right corner of the window.
  5. Click Browse to select the path on your computer where you want to save the support file. Click Retrieve. Wait while your support file is downloaded from the Firebox. This can take up to 20-30 seconds. A dialog box appears to tell you when the download is complete. By default, the support file has a name like 192.168.111.1_support.tgz.
  6. Unzip the support file to a location on your computer that you have easy access to.
  7. Unzip the Fireware_XTM_support.tgz file contained within the original file to the same location.

Needed software on Ubuntu

You will need to install a number of packages to connect from Ubuntu (this assumes the desktop version; things are likely different for the server version).

  • openvpn (Likely already installed)
    • sudo apt-get install openvpn
  • network-manager OpenVPN plugin
    • sudo apt-get install network-manager-openvpn
  • Network Manager OpenVPN plugin for Gnome (needed as of Ubuntu 12.04)
    • sudo apt-get install network-manager-openvpn-gnome

Testing from the command line

You can test if the connection is working from the command line. You don't have to do this but it may make things easier.

From the directory you copied the config/crt files:

sudo openvpn --config client.ovpn

Setting up network manager

The network manager is the icon in the panel bar at the top (currently the up/down arrows). You will need a number of lines out of the client.ovpn file so open it in an editor for reference.

This is an example client.ovpn:

dev tun
client
proto tcp-client
ca ca.crt
cert client.crt
key client.pem
tls-remote "/O=WatchGuard_Technologies/OU=Fireware/CN=Fireware_SSLVPN_Server"
remote-cert-eku "TLS Web Server Authentication"
remote 1.2.3.4 1000
persist-key
persist-tun
verb 3
mute 20
keepalive 10 60
cipher AES-256-CBC
auth SHA1
float 1
reneg-sec 3660
nobind
mute-replay-warnings
auth-user-pass

  1. Click on the network manager icon
  2. Select VPN Connections->Configure VPN...
  3. Select Add.
  4. Select the VPN tab
  5. For User Certificate select the client.crt file (from the cert line)
  6. For CA Certificate select the ca.crt file (from the ca line)
  7. For Private Key select the client.pem file. (from the key line)
  8. For my setup I also needed to set the type to Password with Certificates (TLS) (from the auth-user-pass line).
  9. Gateway comes from the remote line. You need to copy the server name or IP address. In this example "1.2.3.4"

The rest of the settings are in the Advanced area (the advanced button at the bottom). In the General tab:

  1. Use custom gateway port uses the last number from the remote line. In this example "1000"
  2. Use TCP connection comes from the proto line. In this case tcp-client.

Under the Security tab:

  1. Cipher comes from the cipher line. (In this example AES-256-CBC)
  2. 'HMAC Authentication' comes from the auth line. (In this example SHA1)

Under the TLS Authentication tab:

  1. Subject Match comes from the "tls-remote" line. (In this example /O=WatchGuard_Technologies/OU=Fireware/CN=Fireware_SSLVPN_Server)

I also needed to check "Use this connection only for resources on its network" under the IPv4 Settings tab under the "Routes..." button.

There may be more needed to set things up depending on how the Firebox SSL is set up, but hopefully this will help as a starting point. Also you may want to watch the syslog if you have problems (tail -fn0 /var/log/syslog).
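The answer above maps client.ovpn lines onto NetworkManager dialog fields by hand. As an added example (not code from the original answer), this small parser does the same mapping for any client.ovpn; SAMPLE_OVPN is constructed from the answer's example, the dictionary keys are this example's own labels for the dialog fields, and the warning about tls-remote reflects its removal in OpenVPN 2.4 rather than anything the answer states.

```python
import shlex

# Constructed sample, copied from the answer's example client.ovpn
SAMPLE_OVPN = """\
proto tcp-client
ca ca.crt
cert client.crt
key client.pem
tls-remote "/O=WatchGuard_Technologies/OU=Fireware/CN=Fireware_SSLVPN_Server"
remote-cert-eku "TLS Web Server Authentication"
remote 1.2.3.4 1000
cipher AES-256-CBC
auth SHA1
auth-user-pass
"""

def parse_ovpn(text):
    """Return {directive: [args]} for each non-comment line (first occurrence wins)."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # honours the quoted tls-remote value
        directives.setdefault(parts[0], parts[1:])
    return directives

def nm_fields(text):
    """Map the directives onto the NetworkManager OpenVPN dialog fields."""
    d = parse_ovpn(text)
    remote = d.get("remote", [])
    fields = {
        "gateway": remote[0] if remote else None,
        "port": int(remote[1]) if len(remote) > 1 else 1194,  # OpenVPN default port
        "use_tcp": d.get("proto", ["udp"])[0].startswith("tcp"),
        "ca_cert": d.get("ca", [None])[0],
        "user_cert": d.get("cert", [None])[0],
        "private_key": d.get("key", [None])[0],
        "cipher": d.get("cipher", [None])[0],
        "hmac_auth": d.get("auth", [None])[0],
        "subject_match": d.get("tls-remote", [None])[0],
        # auth-user-pass means "Password with Certificates (TLS)" in the dialog
        "connection_type": "password-tls" if "auth-user-pass" in d else "tls",
    }
    warnings = []
    if "tls-remote" in d:  # removed in OpenVPN 2.4; newer clients need verify-x509-name
        warnings.append("tls-remote is not accepted by OpenVPN 2.4 or later")
    return fields, warnings
```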


Software requirements

sudo apt-get install network-manager-openvpn-gnome

or for the minimalist:

sudo apt-get install openvpn

Get the certificates & config

For Watchguard XTM devices running 11.8+

It appears that the https://yourrouter.tld/sslvpn.html page that is used to pick up the Windows client now also includes a generic ovpn configuration download, saving the steps in the workaround. Simply log in and go to that directory to get your configuration file. Congratulations on being equal with your Windows and Mac buddies.

Skip down to the "Create New VPN Connection" step.

For Watchguard XTM devices running 11.7 or less

These can be retrieved directly from the firewall (replace server with your own):

  1. Go to https://watchguard_server and authenticate to the firewall.
  2. Go to https://watchguard_server:4100/?action=sslvpn_download&filename=client.wgssl

Alternately (I believe this is less secure because the password is sent in the request) (replace server, user and pass with your own):

https://watchguard_server:4100/?action=sslvpn_download&filename=client.wgssl&username=youruser&password=yourpass

Move client.wgssl to where you want to store the config and certs, perhaps /etc/openvpn. This will tar bomb you, so you'll want to create the folder for it to extract into.

Run tar zxvf client.wgssl

Create new VPN connection

Open Network Connections and Add new. For type, under VPN, select "Import a saved VPN configuration..." Browse for the client.ovpn file in the folder you extracted client.wgssl.

Add credentials

Edit the newly created connection to include your username and password, or set password to "Always Ask".

Warning: The password is saved in an encryption that can be reversed.

Adjust networking

If you don't want the VPN to take over all your traffic, just the traffic going to the remote location, go to the IPv4 Settings tab -> Routes and check "Use this connection only for resources on its network".