On the remote side, I have Watchguard firewalls deployed in my HQ and branch offices. HQ terminates SSL VPN connections and routes traffic appropriately.
Being out and about, the inevitable support call comes up. It’d be nice to fire off a SQL query, RDP to a machine, SSH into a box, etc, without opening these services up to the world. Running to the nearest PC isn’t always ideal — my phone is ALWAYS with me, but VPN support has been lacking. This reddit post on apps for IT professionals finally motivated me to sit down today and get it working.
In the past I’ve looked at Watchguard’s client files in order to get SSL VPN working on Ubuntu. This arms me with the knowledge that they’re using nothing more than an OpenVPN wrapper. This works out wonderfully because OpenVPN is pretty mature and fully embraced.
After some trial and error, I found the right Android client and the correct combo of settings to make this work.
First off, download the OpenVPN for Android client from the Play Store or hit the QR code.
My setup is detailed below — depending on your config, settings will vary.
- Watchguard XTM 505’s running 11.6.1
- Watchguard SSL VPN client configured and working from Windows 7 (OS X has a client, too, but I’m more familiar with the Windows locations of its certs).
- Default advanced settings (SHA-1 authentication, AES 256 encryption, TCP data channel, port of your choice — I use 450)
- S3 running 4.2.1 (Cyanogenmod 10.1)
- OpenVPN for Android (no root required)
- Start a manual profile with a profile name of your liking.
- Edit Basic Settings.
- Server Address can be a DNS record or the external IP address to your firewall
- Server port: Port taken advanced settings on your firewall – default is 443, mine is set to 450 to avoid port conflicts
- No LZO compression
From a machine that you’ve connected with the SSL VPN client before, copy your ca.crt, client.crt and client.pem to your phone. In Windows 7, these are located at %appdata%/Watchguard/Mobile VPN.
Back in the OpenVPN client, change type to User/PW + Certificates. Now, click CA Certificate and browse to your ca.crt file and import. Click client certificate, browse to your client.crt and import. Click Client certificate key, brose to your client.pem file and import.
Next, input your username and password that you use to authenticate from the Watchguard SSL VPN client on Windows – I’m using Active Directory, so it’s my Windows username and password. Your setup will certainly vary here – check your SSL VPN settings on the firewall for authentication type (Firebox-DB, AD, Radius, LDAP, etc.)
- Go back. Leave IP settings unchanged.
- Under routing, clear the check for default route under IPV6.
- Under authentication, add AES-256-CBC under encryption cipher.
- Leave advanced settings unchanged.
Go back to the main menu and tap your newly configured profile. If all goes well, the logs will fly by and you’ll get a notification that the VPN is connected.
Fire up a terminal window and try pinging a resource on the remote side to confirm connectivity.