I’m planning on putting a WatchGuard firewall in all of my clients’ homes for VPN access for me only and possibly for them as well.
All are unique clients that need autonomy except for when I VPN in to service their home automation.
How can I set up various dynamic VPNs back to my WatchGuard? BOVPN? That’s always on, right? I need it on only when service is needed.
If it’s just for admin access you may be better off setting up IKEv2 Mobile VPN; this supports DynDNS. For my BOVPN I use No-IP for a lot of my remote firewalls, as I am unable to get a static IP for Starlink.
You can have WatchGuards behind dynamic IPs; they negotiate the communication on their own.
We do this all the time, set it up the first time and forget.
Just want to second what others have said: in this case an ad-hoc IKEv2 VPN is definitely preferred over BOVPN. BOVPN is great and would accomplish what you’re looking to do, but there is a security risk, as a computer in one affected site could traverse the VPN and spread to other clients.
You could do IKEv1 aggressive mode; just make sure you use secure encryption and authentication methods.
BOVPN Virtual interface will work just fine if one side is static. The dynamic side will always be the initiator and “call home” to the static IP to start the tunnel. No need for DynDNS services.
Here is how to do it:
- Use BOVPN Virtual Interface VPN.
- Use REMOTE ENDPOINT TYPE: Cloud VPN or Third Party.
- Configure the HQ firewall like normal, but for Remote Gateway choose DYNAMIC IP ADDRESS, and then for tunnel auth select BY DOMAIN INFORMATION.
- Configure the domain information to use DOMAIN NAME and just type in “clientx.local” or something. Don’t select ATTEMPT TO RESOLVE.
- Reverse for the client side. For local gateway use the domain info above.
- Select START PHASE 1 TUNNEL WHEN IT IS INACTIVE. Probably just needed on the dynamic side as it’s going to be initiating, but I usually hit it on both.
You mention you just want it sometimes… There are Enable and Disable buttons. Just disable the VPN when you don’t need it.
Others mention a security concern because when the tunnel is enabled, they could reach your network. This can be mitigated by disabling the BOVPN-Allow.in policy that gets created by default when you set up the VPN. Just disable it and then traffic will only be allowed from your office → client and not the reverse.
Thanks for the IKEv2 and noip.com recs. I’ll report back how it goes. Did you have to create certificates to connect on each side of the tunnel?
Yes, I do this all the time as well. My question: how are you able to VPN to a WatchGuard without knowing the IP address at multiple locations?
You do the initial setup with whatever external IP it has; after that they will check into the WSM via the WSM rule they create (it’s open to any external), and then they do their cert authentication after that.
Sounds incredible. VPN to dynamic addresses with no 3rd party DNS keeping track. Can’t wait to test this. Am I understanding it correctly?
The head office needs to have a static IP; the satellite ones can be dynamic.
Glad I asked. I’m trying to reach client sites from my office, which is static, but the satellites are scattered and dynamic. It will be only me reaching out to them.