
Sophos XGS blocking Wireguard Traffic

We have a customer that we just put a Sophos XGS 116 firewall in to replace a PfSense. They have a business partner that has a Wireguard VPN tunnel that they use to connect to a remote NAS. The Wireguard VPN runs directly on the remote NAS. Our customer has a Wireguard Client installed on their computer and when they activate the tunnel it does say it connects, but the traffic to the remote seems to be blocked. If we look in the routes on the computer with the VPN it shows the proper routes to the remote network. I called Sophos and the excuse I got was that "it's not supported". All I'm trying to do is get the traffic to pass.

• We have tried to open all the rules with an Any Any rule
• Done a TCP Dump
• If we look in the logs it shows that the network and port are allowed
• If we bypass the firewall it all works fine.

Any help anyone can give would be greatly appreciated. If you need to help troubleshoot the issue or insight just let me know and I'll get it. 
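A way to get more out of the tcpdump mentioned above is to classify the captured UDP payloads by WireGuard message type and compare what leaves the client with what comes back. This is an added example, not code from the thread or from Sophos or WireGuard; it assumes the capture has already been reduced to (source IP, destination IP, UDP payload) records (for instance with tshark or scapy, not shown) and it only relies on the documented WireGuard wire format: the first payload byte is the message type (1 handshake initiation, 2 handshake response, 3 cookie reply, 4 transport data), followed by three reserved zero bytes, with fixed sizes of 148, 92 and 64 bytes for the three handshake messages and at least 32 bytes for a transport packet. The IP addresses and packets in the sample are constructed. The verdict distinguishes "handshake never answered" (nothing from the peer at all) from "handshake completed but no return data", which is the pattern the post describes and points at something in the path dropping post-handshake traffic rather than the tunnel failing to connect.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# WireGuard message types: first payload byte, followed by three reserved zero bytes.
MSG_TYPES = {1: "handshake_initiation", 2: "handshake_response",
             3: "cookie_reply", 4: "transport_data"}
# Fixed on-the-wire sizes (UDP payload bytes) of the three handshake messages.
FIXED_LEN = {1: 148, 2: 92, 3: 64}
# Transport data: 16-byte header + 16-byte Poly1305 tag; an empty keepalive is exactly 32.
MIN_DATA_LEN = 32


@dataclass
class Packet:
    src: str        # source IP as printed by tcpdump
    dst: str        # destination IP
    payload: bytes  # UDP payload only (IP/UDP headers already stripped)


def classify(payload: bytes) -> Optional[str]:
    """Return the WireGuard message kind, or None if the payload does not look like WireGuard."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None
    mtype = payload[0]
    if mtype not in MSG_TYPES:
        return None
    if mtype in FIXED_LEN and len(payload) != FIXED_LEN[mtype]:
        return None
    if mtype == 4 and len(payload) < MIN_DATA_LEN:
        return None
    return MSG_TYPES[mtype]


def diagnose(packets: Iterable[Packet], client_ip: str, peer_ip: str) -> Tuple[dict, str]:
    """Count WireGuard messages per direction and summarise where the tunnel stalls."""
    counts: Counter = Counter()
    for pkt in packets:
        kind = classify(pkt.payload)
        if kind is None:
            continue  # not WireGuard (DNS, other traffic) - ignore
        if pkt.src == client_ip and pkt.dst == peer_ip:
            counts[("out", kind)] += 1
        elif pkt.src == peer_ip and pkt.dst == client_ip:
            counts[("in", kind)] += 1
    init_out = counts[("out", "handshake_initiation")]
    resp_in = counts[("in", "handshake_response")]
    data_out = counts[("out", "transport_data")]
    data_in = counts[("in", "transport_data")]
    if init_out == 0:
        verdict = "no_handshake_sent"        # client never tried; look at the client, not the path
    elif resp_in == 0:
        verdict = "handshake_unanswered"     # nothing came back: inbound UDP blocked or peer down
    elif data_out == 0 and data_in == 0:
        verdict = "handshake_only"           # tunnel up but nothing routed into it yet
    elif data_in == 0:
        verdict = "one_way_data"             # "connected" but no return traffic: mid-path drop
    else:
        verdict = "passing"
    return dict(counts), verdict


def _wg(mtype: int, length: int) -> bytes:
    """Build a constructed payload with the right type byte and length (contents are zeros)."""
    return bytes([mtype, 0, 0, 0]) + bytes(length - 4)


# Constructed sample capture (addresses are placeholders, not from the thread).
CLIENT, PEER = "192.168.10.25", "203.0.113.7"
SAMPLE_BLOCKED = [
    Packet(CLIENT, PEER, _wg(1, 148)),              # handshake initiation
    Packet(PEER, CLIENT, _wg(2, 92)),               # handshake response: client shows "connected"
    Packet(CLIENT, PEER, _wg(4, 128)),              # encrypted data towards the NAS
    Packet(CLIENT, PEER, _wg(4, 128)),
    Packet(CLIENT, PEER, _wg(4, 32)),               # keepalive
    Packet(CLIENT, "192.168.10.1", b"\x12\x34\x01\x00\x00\x01"),  # unrelated DNS, ignored
]
SAMPLE_HEALTHY = SAMPLE_BLOCKED + [Packet(PEER, CLIENT, _wg(4, 128))]  # return data seen

if __name__ == "__main__":
    for name, cap in (("blocked", SAMPLE_BLOCKED), ("healthy", SAMPLE_HEALTHY)):
        counts, verdict = diagnose(cap, CLIENT, PEER)
        print(f"{name}: {verdict} {counts}")
```

Run it against both samples to see the two outcomes side by side; on a real capture, feed it the packets for the client/peer pair taken on the LAN side of the firewall and again on the WAN side, and the point where transport data stops appearing in one direction is the device to look at.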



  • Have you looked at all logs? (In particular SSL/TLS Inspection and Application Filter.) Is your Any Any rule at the top? Does your Any Any rule do Application Control or Web filtering? Have you checked Rules and Policies > SSL/TLS Inspection? Are you running Intercept X on the customer's machine?

    Most of my "everything looks right, but it's not getting through" issues have been due to SSL/TLS inspection of connections that are doing non-standard things (and are rejected) or are being inspected and care about the man-in-the-middle certificate. Or to using Application Control on a Firewall Rule and the App Control being confused by an innocuous connection and thinking it's a Category 5 Risk.

    The most mysterious blocked incoming things were due to Web Filtering on the Intercept X client but I was only looking at Web Filtering on the firewall. Two similar but different mechanisms and hard to tell their results apart.

    Most VPN traffic is considered to be "Very High Risk (Risk Level 5) Applications", so any firewall rule that App Controls those might be killing something like Wireguard.