
Sophos XGS SSL-VPN .ovpn files wrong output

Dear all, 

We are struggling with the generated .ovpn connection files that users can download from the user portal on the WAN ports for VPN.

We do not know, and cannot find in the online help, how they are created.

Our setting:

XGS 3100 Firewall, Firmware 19.01xx

SSL-VPN for external access with active authentication of AD users/passwords

SSL-VPN policies apply for 2 different groups - 2 different IP networks to be allowed

SSL .ovpn files do not reflect this when downloaded for a fresh user in the section "remote <network> <port> 443 tcp-client"

The result is that after connecting to the VPN, the local computer has no IP routing to the target hosts.


We need .ovpn files for various external users who only use the native OpenVPN client or Macintosh. If imported into the Sophos Connect client (latest version), though, the errors are the same.

We already learned that the "override hostname" option in the Global Settings for SSL VPN will cause the .ovpn file to have just ONE
"remote <hostname> 443 tcp-client"
entry.

If we leave the override-hostname option empty, we get an .ovpn file that has all networks included, but not our defined networks in the SSL policy.

Our question is: which conditions/variables are used to create the .ovpn file?

We can attach more details here, but would like to know if others have the same problem with this?



  • Hello there,

    Thank you for contacting the Sophos Community.

    The override hostname is used when your Sophos Firewall hostname isn't resolvable on the public internet. Usually, you would add here the public IP of the WAN interface where you want users to connect to; currently, this is limited to only one via the GUI.

    If you leave the override hostname empty, the Sophos Firewall will add all networks that have SSL VPN selected under the Device Access Local Service ACL.

    The routes you want users to access are added in the SSL VPN profile, but they won't show in the .ovpn file. However, once they connect to the VPN successfully, the networks mentioned in the SSL VPN profile of the users will be added automatically to the client (Sophos Connect or OpenVPN).

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Dear Emmanuel,

    Many thanks for this comprehensive reply - this is absolutely correct.
    I figured that out yesterday when testing with an OpenVPN client for Windows.

    If I set the "override hostname" to an IP address or a hostname => the .ovpn file for the client contains only one line
    "remote <input from field override hostname> 443 tcp-client"
    which is then used to contact the public VPN gateway to execute the SSL policy, which includes IP routes.

    If I leave this field empty, the file fills in all networks that have "SSL VPN" ticked in Administration > Device Access > ACL list of all networks in that zone, including my firewall-only VLAN networks, which was confusing me when seeing them in the .ovpn file for clients.

    My only annotation is that the Sophos online help had no dedicated chapter about this, which is why I was urged to put the question here.

    Many thanks again!
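Added example (not code from Sophos or from this thread): a small audit of the `remote` lines in an exported .ovpn, reflecting what Emmanuel and the reply above describe. It flags remotes that point at private addresses (the firewall-only VLANs that appear when override hostname is empty) and confirms that no static `route` lines are present, since the SSL VPN policy's networks are pushed at connect time. The sample profile and its hostnames are constructed.

```python
"""Added example, not Sophos code: audit the 'remote' lines of an exported .ovpn.
Private remotes are unreachable for roaming clients; routes are pushed, not listed."""
import ipaddress
from typing import NamedTuple

class Remote(NamedTuple):
    host: str
    port: int
    proto: str

def parse_remotes(ovpn_text: str) -> list[Remote]:
    """Collect 'remote <host> [port] [proto]'; OpenVPN defaults are 1194/udp."""
    remotes = []
    for raw in ovpn_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines
            continue
        parts = line.split()
        if parts[0] != "remote" or len(parts) < 2:
            continue
        port = int(parts[2]) if len(parts) > 2 else 1194
        proto = parts[3].lower() if len(parts) > 3 else "udp"
        remotes.append(Remote(parts[1], port, proto))
    return remotes

def reachable_from_internet(host: str) -> bool:
    """IP literals must not be private/reserved; hostnames are assumed public DNS."""
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:
        return True

def audit_profile(ovpn_text: str) -> dict:
    """Remotes, the ones a roaming client cannot reach, and any static 'route' lines."""
    remotes = parse_remotes(ovpn_text)
    lines = [l.strip() for l in ovpn_text.splitlines()]
    return {
        "remotes": remotes,
        "unreachable": [r for r in remotes if not reachable_from_internet(r.host)],
        "routes_in_file": any(l.startswith("route ") for l in lines),
    }

# Constructed sample resembling an export made with override hostname empty.
SAMPLE_OVPN = """\
remote vpn.example.invalid 443 tcp-client
remote 10.10.10.1 443 tcp-client
remote 172.16.99.1 443 tcp-client
; routes come from the SSL VPN policy at connect time, none are listed here
"""
```

Run `audit_profile(SAMPLE_OVPN)` to see the two VLAN remotes reported as unreachable while the hostname entry passes.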
