Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 2 replies
  • Answers 1 answer
  • Subscribers 27 subscribers
  • Views 574 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Protect Internet Connection with Site-To-Site connection to VPN Service using XG Firewall

cm00001

Hello,

I was wondering if this has been attempted before. The goal is to configure a Site-To-Site VPN IPSec connection to a public VPN provider like NordVPN (on an XG Firewall), and through rules, force outbound internet traffic through the Site-To-Site VPN connection, to protect traffic for the internal network.  Diagram as below:

The goal:

  • Protect LAN outbound traffic with a VPN Provider (through a Site-To-Site VPN).
  • Preserve any inbound connectivity as configured (Either Inbound VPN Access or WAF).

Other potential options with drawbacks:

  • Letting users setup VPN on their devices. Drawbacks:
    • Multiple outbound VPN connections need to be established:
    • Outbound Traffic will be invisible to the XG Firewall, making any firewall rules unusable. Logging will also be useless.
    • Unless all internal devices establish VPN connections, they won't be protected.

  • Putting a Device that will connect to the Public VPN (like NordVPN) between the XG Firewall and the Internal Network. Drawbacks:
    • Outbound Traffic will be invisible to the XG Firewall, making any firewall rules unusable. Logging will also be useless.

  • Putting a Device that will connect to the Public VPN (like NordVPN) between the XG Firewall and the ISP (WAN Link). Drawbacks:
    • Inbound VPN to the Internal Network will stop working 

Products like PFSense seem to have a way to make this work: pfSense 2.4.5 setup with NordVPN | NordVPN support

I am not tied to NordVPN. I am using it just as an example.

Questions:

  • Is the configuration in the diagram possible? Any potential issues?
    • Can the outbound internet traffic be forced through the Site-to-Site VPN?
  • Any other options to achieve the same results? (Green above)

Thanks!



This thread was automatically locked due to age.
Parents
  • 0

    Hello there,

    Thank you for contacting the Sophos Community.

    You can force all the internet traffic through the IPsec tunnel, (check out this KB), but I am afraid not on the way you’re looking to achieve it with a 3rd Party VPN provider. That would be a feature request.

    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • +1 in reply to emmosophos

    Thanks for the reply.  

    I was able to get this working as I intended, but not exactly the way I was expecting it to be configured (still more testing is needed)

    The updated diagram now looks more like this:

    Green Line :  Path the Outbound Internet takes from inside the LAN.

    Blue Arrow: Any Inbound connection (whether VPN or WAF)

    Details:

    - I setup a Windows VM that will be used as a "gateway" to the VPN service. 

    This VM has 2 Network Interfaces:

    - LAN connection (used to get internet through the XG Firewall)

    The VPN Client will use this connection to reach out to the internet.

    - Private connection (a different network segment) (Let's call it Private-LAN2)

    This connection will be used to share the VPN Service's internet with it. 

    The VPN Client created another Network Interface in the Windows Machine. This interface was configured to share its internet with Private-LAN2.

    On the XG Firewall Side:

    I enabled another Network Interface, and defined that as a WAN connection (this will be the primary connection, while the ISP's WAN connection will be configured as secondary).

    Under "Network -> Interfaces", this new connection:

    - was set to type WAN.

    - configured with a Static IP in the same segment as Private-LAN2. (Configuring the static IP assigned to the Windows VM on Private-LAN2  as its gateway).

    Under "Network" -> "WAN Link Manager":

    - Configured the VPN WAN (WAN1 in the diagram) as the Primary WAN Link.

    - Configured the ISP WAN interface (WAN2 in the diagram) as the Backup WAN Link (If the VPN WAN Link fails, I want the XG Firewall to fail back to the ISP WAN).

    I tested the failover (by re-connecting the Public VPN service to a different node) and it works as expected..  XG Firewall switches the backup link as the Primary WAN link for about 30 seconds, while it realizes the connection is active again, and it switches back.

    Even though I was able to achieve the result I was looking for, and so far the connection through the Windows VM has been solid, here are things I don't like:

    - Using a VM to set this up (This is a point of failure)

    - The VPN client I use can't be configured as a service, so I need to manually sign in to Windows to activate the connection, and leave it logged in.

    The good things about this setup:

    - I am not exposing anything new to the internet, so it is a secure approach since the Windows VM is residing inside the LAN.

    - I am able to VPN into the XG Firewall as I was before.  Even the outbound connections are being forced through the Public VPN service, I am able to still maintain any publishing points on the XG Firewall intact.

    - All traffic coming from the LAN is logged as expected, and all LAN is enjoying the privacy of using the Public VPN for outbound access. 

    For now, I'll continue testing to see how can I better improve on it, but at least is working consistently (and with good speed, as I I thought this tortuous outbound path would have performance hits). I hope this helps someone who wants to give it a try.



    corrected a typo
    [edited by: cm00001 at 1:30 AM (GMT -7) on 20 Apr 2022]
Reply
  • +1 in reply to emmosophos

    Thanks for the reply.  

    I was able to get this working as I intended, but not exactly the way I was expecting it to be configured (still more testing is needed)

    The updated diagram now looks more like this:

    Green Line :  Path the Outbound Internet takes from inside the LAN.

    Blue Arrow: Any Inbound connection (whether VPN or WAF)

    Details:

    - I setup a Windows VM that will be used as a "gateway" to the VPN service. 

    This VM has 2 Network Interfaces:

    - LAN connection (used to get internet through the XG Firewall)

    The VPN Client will use this connection to reach out to the internet.

    - Private connection (a different network segment) (Let's call it Private-LAN2)

    This connection will be used to share the VPN Service's internet with it. 

    The VPN Client created another Network Interface in the Windows Machine. This interface was configured to share its internet with Private-LAN2.

    On the XG Firewall Side:

    I enabled another Network Interface, and defined that as a WAN connection (this will be the primary connection, while the ISP's WAN connection will be configured as secondary).

    Under "Network -> Interfaces", this new connection:

    - was set to type WAN.

    - configured with a Static IP in the same segment as Private-LAN2. (Configuring the static IP assigned to the Windows VM on Private-LAN2  as its gateway).

    Under "Network" -> "WAN Link Manager":

    - Configured the VPN WAN (WAN1 in the diagram) as the Primary WAN Link.

    - Configured the ISP WAN interface (WAN2 in the diagram) as the Backup WAN Link (If the VPN WAN Link fails, I want the XG Firewall to fail back to the ISP WAN).

    I tested the failover (by re-connecting the Public VPN service to a different node) and it works as expected..  XG Firewall switches the backup link as the Primary WAN link for about 30 seconds, while it realizes the connection is active again, and it switches back.

    Even though I was able to achieve the result I was looking for, and so far the connection through the Windows VM has been solid, here are things I don't like:

    - Using a VM to set this up (This is a point of failure)

    - The VPN client I use can't be configured as a service, so I need to manually sign in to Windows to activate the connection, and leave it logged in.

    The good things about this setup:

    - I am not exposing anything new to the internet, so it is a secure approach since the Windows VM is residing inside the LAN.

    - I am able to VPN into the XG Firewall as I was before.  Even the outbound connections are being forced through the Public VPN service, I am able to still maintain any publishing points on the XG Firewall intact.

    - All traffic coming from the LAN is logged as expected, and all LAN is enjoying the privacy of using the Public VPN for outbound access. 

    For now, I'll continue testing to see how can I better improve on it, but at least is working consistently (and with good speed, as I I thought this tortuous outbound path would have performance hits). I hope this helps someone who wants to give it a try.



    corrected a typo
    [edited by: cm00001 at 1:30 AM (GMT -7) on 20 Apr 2022]
Children
No Data
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?