Use Mobile VPN with SSL with an OpenVPN Client
To configure the OpenVPN app, users can download a Mobile VPN with SSL client profile from the Firebox. Users can then import the profile into the OpenVPN app.
In Fireware v12.3 or higher, Mobile VPN with SSL supports two-factor, challenge-response authentication for native OpenVPN clients.
Before you download the Mobile VPN with SSL client profile, make sure your Firebox configuration meets these requirements:
- The Firebox must use Fireware v11.7.4 or higher.
- The Firebox must be configured to route VPN traffic. Make sure that Routed VPN traffic is selected in the Mobile VPN with SSL configuration. For more information, see Manually Configure the Firebox for Mobile VPN with SSL.
- The certificates for Mobile VPN with SSL must be created with Fireware v11.7.3 or higher. If you upgraded from an earlier version, your certificates may not be compatible with the OpenVPN client.
To generate new SSLVPN certificates, you must delete the SSLVPN certificates from the Firebox and reboot the Firebox. When the Firebox restarts, it creates new SSLVPN certificates.
To generate new SSLVPN certificates for a Firebox, from Firebox System Manager:
- Select View > Certificates.
The Certificates dialog box appears.
- In the list of certificates, find and delete the three SSLVPN certificates.
The three SSLVPN certificates have these common name (cn) attributes:
- cn=Fireware SSLVPN Server
- cn=Fireware SSLVPN Client
- cn=Fireware SSLVPN (SN...) CA
- Reboot the Firebox to automatically generate new certificates.
You must use Firebox System Manager (FSM) to delete certificates. You cannot delete the certificate from Fireware Web UI.
After the Firebox generates new SSLVPN certificates, existing WatchGuard Mobile VPN with SSL clients automatically download the new certificates the next time your users connect. The WatchGuard Mobile VPN with SSL client prompts the user to accept the new certificate if the user does not have the CA certificate for the Firebox.
To generate new SSLVPN certificates for Fireboxes that are FireCluster members, you must turn off the backup master and then reboot the master. The master will create the new certificates. After the master is back online, turn on the backup master. The backup master uses the new certificates that the master generated.
Download the Mobile VPN with SSL Client Profile
After you configure Mobile VPN with SSL on the Firebox, you users can download the client.ovpn file from the Firebox and send it to the device where the OpenVPN client is installed.
Because web browsers on some mobile devices do not support file downloads, this procedure describes how to download the file to another device and email it to the mobile device as a file attachment.
To download the .ovpn profile from the Firebox:
- Connect to the Firebox with a web browser over port 443, unless you configured a custom port number:
https://<IP address of a Firebox interface or host name>/sslvpn.html
https://<IP address of a Firebox interface or host name>:<custom port number>/sslvpn.html
- Type your user name and password to authenticate to the Firebox.
The Mobile VPN with SSL download page appears.
- Click the Download button for the Mobile VPN with SSL client profile. The file you download is called client.ovpn.
- Save the file to a location on your computer.
- Send the file as an email file attachment to the mobile user.
Import the Client Profile
To import a client profile to an Android or iOS device:
- Install the OpenVPN Connect app.
- Open the email message that contains the .ovpn email attachment.
- Tap the attachment to open the file in the OpenVPN Connect app.
- Import the .ovpn file to the VPN client to create a new connection profile.
- In the profile, type the Username and Password you use to authenticate to the Firebox.
- To start the VPN tunnel, select or turn on the VPN profile in OpenVPN Connect.
See the documentation for your OpenVPN client for more information about how to import a .ovpn file.