In this article:
Overview
We do our best to make our software compatible with most products and services that are used in the corporate environment. However, some products are not compatible at this time, generally because they are trying to use the same system functionality that we require for operation.
The below sections highlight known incompatibilities.
Known Incompatibilities
One of the most common symptoms of the below topics is the Twingate Client failing to connect to open a browser window to authenticate. In the Twingate Client Logs (Twingate.Service.*.log
or *.-com.twingate.macos.tunnelprovider.txt
logs specifically), the below error will often be seen:
[libsdwan] http::request::handle_response: GET "https://<myNetwork>.twingate.com/api/v1/public_keys" failed - dns error: 4 (non-recoverable failure in name resolution), socket error: 32 (Broken pipe), tls error: 0 ((null))
VPN or ZTNA Clients
Several VPN or ZTNA solutions are not compatible with Twingate because we are both trying to forward the same network traffic. Enterprise VPNs will generally not interfere with Twingate unless they are actually connected.
The below articles cover known incompatibilities with third party VPN/ZTNA services.
Enterprise VPN/ZTNA
- Zscaler
- Perimeter 81
Consumer VPN
- TunnelBear
- TunnelBlick
- NordVPN
- ExpressVPN
- InfoBlox BloxOne
- PIA VPN (Private Internet Access)
- HMA VPN (HideMyAss)
- PureVPN
If you are having connectivity issues with your Client and have any VPN software installed, even if you do not think it is running, we strongly recommend you do a full uninstall and see if that resolves the issue.
DNS Clients
The below articles cover known incompatibilities and possible workarounds or resolutions with third party DNS services.
- Cisco Umbrella
- DNSFilter
- AdGuard (locally installed application)
- Avast: Real Site Protection
If you are having connectivity issues with your Client and have any DNS software installed, even if you do not think it is running, we strongly recommend you do a full uninstall and see if that resolves the issue.
If the issue is resolved by doing so, depending on the DNS Client application, you might be able to perform the below to possibly workaround the conflict:
- Configure bypass/compatibility mode for VPN/ZTNA, AV/EDR network filtering, or other network or system services/extensions installed.
- Add DNS domain exclusions for your Twingate DNS Resources and
*.twingate.com
.
DNS IP inside the 100.64.0.0/10
CGNAT range
Our Client uses IPs inside the 100.64.0.0/10
CGNAT range to communicate with the Connector and eventually the Resource. This renders it incompatible with DNS IP that fall within the same IP range.
More information on this can be found in our corresponding knowledge base article.
Security Software
Various antivirus (AV) or endpoint detection and response (EDR) security software like MalwareBytes, Sophos, and Trend Micro have incompatibilities in how their web protection analyze or filter URLs or TLS sessions that devices are attempting to access. Turning off the web protection feature (both URL and TLS) often resolves the issue, the core anti-malware functionality remains compatible.
For such AV or EDR software, it is advised to create exceptions for *.twingate.com
. In some scenarios, the exceptions or disabling the protection doesn't disable the service or network extension from being the middle-man for the Twingate TLS session and must be uninstalled.
For the core anti-malware functionality, it is recommended to ensure the below directories are not being blocked.
-
Windows -
C:\Program Files (x86)\Twingate\
-
macOS -
/Applications/Twingate.app/