
Another SSL VPN question. Not for routing issues, no. An end-user experience question.

Hi Gents,

 

I have 2 questions today for you.

 

1. I'm setting up an SSL VPN server for a bunch of users here: a department requiring access to a specific resource. Most of the users are Ubuntu and other Linux users, with a few Windows users.

- Windows users, great! Install the client. Start the client. Supply credentials. Access granted.

- Linux users.... a bit more difficult. Tried the gnome-openvpn NetworkManager plugin - it asks for a client certificate, CA certificate and private key.... couldn't get them all from the XG; then I tried other OpenVPN GUI clients, many issues, 0 success. The only thing that currently works for me is going to a command prompt and running "sudo openvpn --config username__ssl.ovpn" and then supplying username and password. The terminal session has to stay open for the duration of the VPN session. Users don't like it. They want a GUI client. -> Can't believe Sophos won't invest in 3 clients for 3 platforms, macOS, Linux, Windows, but only has a Windows client. Shame.

What are my options? Did anyone have success configuring SSL VPN for Linux using a GUI client?

2. This is a weird scenario. The Sophos XG lives behind a Palo Alto. The Palo Alto is the public firewall. The Sophos XG is the 'department' firewall. Its WAN address is "private" and the Palo Alto forwards ports onto the firewall. The Sophos is the SSL VPN gateway for this department and should provide external VPN access to internal department resources. The Palo Alto obviously forwards the selected SSL port onto the XG to take care of.

Now, when I build the XG SSL VPN policy I cannot override the gateway IP. The config *.ovpn file comes with the XG WAN address in it, which is, as discussed before, a "private IP". The config file should have the Palo Alto public IP as the gateway, as the Palo Alto will be listening for incoming SSL requests and forwarding them onto the Sophos XG.

What are my options in this scenario?



  • I love it when I'm answering my own question.

     

    Okay the solution to the 1st part of the question.

     

    1. You need to install the OpenVPN plugin for GNOME

    sudo apt install network-manager-openvpn-gnome openvpn-systemd-resolved openvpn

     

    2. You need to download the configuration file from the Sophos User Portal: "Download Configuration for Other OSs"

     

    3. The Sophos .ovpn configuration file is not compatible with the Linux network-manager-openvpn-gnome plugin and cannot be imported using the GUI due to errors:

    It is missing some crucial tags such as

    ca [inline]

    cert [inline]

    key [inline]

    and some others as well.

    I didn't want to go down the path of having to rebuild the whole config file, as that's too much trial and error, and decided to try the CLI import, bypassing the NetworkManager GUI.

    Trying the CLI import failed again, complaining about an invalid "route" argument in the configuration file:

    I've rectified that by removing the following argument from the file:

     

    Tried again and YAY!

     

    Then the new network connections are visible in NetworkManager:

    Rename them to something pretty, such as (and supply username and password):

     

    And tick this box if you want to use your local network connection to get out to the internet:

     

    Try to dial the VPN now..... and YAY! Success:

     

    Hope this helps someone in the same situation as me.

     

    Also, Sophos.... just release a client for Linux and make this 10 times easier.
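The procedure from the answer above in script form, as an added example that is not from the original post and not a Sophos or NetworkManager tool: it takes an "Other OSs" profile, drops the `route` directive the poster had to remove before `nmcli` would import it, and prints the import command. It also rewrites the `remote` line to a public address, which is an assumption about how a practitioner would handle the private-WAN-address problem from the second question; the thread itself never confirms that fix. The sample profile, the 192.0.2.10 / 203.0.113.5 addresses and port 8443 are constructed placeholders, not real values.

```shell
#!/bin/sh
# Added example, not from the original post or from Sophos.
# Prepares a Sophos XG "Download Configuration for Other OSs" .ovpn for
# "nmcli connection import", following the steps in the post.

# Constructed sample profile: only the directives relevant to the post are
# included, and 192.0.2.10 / 8443 are documentation placeholders, not a real
# gateway. A real XG profile also carries <cert>, <key> and cipher settings.
SAMPLE_OVPN="${TMPDIR:-/tmp}/sophos_sample.ovpn"
cat > "$SAMPLE_OVPN" <<'EOF'
client
dev tun
proto tcp
remote 192.0.2.10 8443
route remote_host 255.255.255.255 net_gateway
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
placeholder-not-a-real-certificate
-----END CERTIFICATE-----
</ca>
EOF

# strip_route IN OUT: copy IN to OUT without any "route ..." directive.
# Removing the route line is what the post reports made the CLI import work.
strip_route() {
    grep -v '^[[:space:]]*route[[:space:]]' "$1" > "$2"
}

# set_remote FILE HOST PORT: point the "remote" line at HOST PORT.
# Assumption (not confirmed by the thread): for the XG-behind-Palo-Alto case
# in the second question, the public address that is port-forwarded to the
# XG goes here instead of the XG's private WAN address. Nothing else in the
# profile is touched, so the XG's certificate and credentials still apply.
set_remote() {
    tmp="$1.tmp"
    sed "s/^remote .*/remote $2 $3/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# count_routes FILE / get_remote FILE: helpers used to check the result.
count_routes() {
    grep -c '^[[:space:]]*route[[:space:]]' "$1" || true
}
get_remote() {
    sed -n 's/^remote //p' "$1"
}

# import_cmd FILE: the NetworkManager CLI import the post used instead of
# the GUI importer.
import_cmd() {
    printf 'nmcli connection import type openvpn file %s\n' "$1"
}

FIXED_OVPN="${SAMPLE_OVPN%.ovpn}_fixed.ovpn"
strip_route "$SAMPLE_OVPN" "$FIXED_OVPN"
set_remote "$FIXED_OVPN" 203.0.113.5 8443   # placeholder public address
echo "route directives left: $(count_routes "$FIXED_OVPN")"
echo "remote now: $(get_remote "$FIXED_OVPN")"
import_cmd "$FIXED_OVPN"
```

After the import, the connection shows up in NetworkManager like in the post's screenshots, and the username and password are entered there; the `<ca>`, `<cert>` and `<key>` blocks are left exactly as the XG generated them. Keep the original profile around: the script only edits a copy, so a failed import can be retried from the untouched download.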