Sophos XGS SSL-VPN .ovpn files wrong output

Question

Dear all, We are struggling with the generated .opvn Connection files users can download from the user portal on the WAN ports for VPN we do not know and cannot find it in the online help, how they are created. our setting: XGS 3100 Firewall, Firmware 19.01xx SSL-VPN for external access with active Authentication of AD Users/pwd SSL-VPN policies apply for 2 different groups - 2 different IP networks to be allowed SSL .ovpn files do not reflect this when downloaded for a fresh user in the section "remote 443 tcp-client the result is that after connecting to the VPN , the local computer have no ip routing to the target hosts. we need .ovpn files for various external users who only use native openVPN client or Mactintosh. if imported into Sophos Connect CLient latest version though, the errors are the same. we already learned that the "override hostname" option in the Global Settings for SSL VPN will cause the .opvn file to have just ONE "remote 443 tcp-client" entry. if we leave the overide-hostname option empty, we get an ovpn file created that has all networks included, but not our defined networks in the SSL Policy Our question is - which condtions / variables are used to create the .ovpn file ? we can attach more details here, but would like to know if others have the same problem with this ?

emmosophos · Accepted Answer

Hello there, 
 Thank you for contacting the Sophos Community. 
 The override hostname is used when your Sophos Firewall hostname isn&rsquo;t resolvable on the Public internet. Usually, you would add here the Public IP of the WAN interface where you want users to connect to; currently, this is only limited to one via the GUI. 
 If you leave the override hostname empty, the Sophos Firwall will add all networks that have SSL VPN selected under the Device Access Local Service ACL. 
 The routes you want users to access are added in the SSL VPN profile, but they won't show in the .ovpn file, however, once they connect to the VPN successfully, the networks mentioned in the SSL VPN profile of the users will be added automatically to the client (Sophos Connect or OpenvPN) 
 Regards,

itdept-wehrship · Answer

Dear Emmanuel,

Many thanks for this comprehensive reply - this is absolutely correct.
i figured that out yesterday when testing with an OpenVPN client for windows.

if i set the "override hostname" to an ip adress or a hostname => the .ovpn file for the client contains only one line
"remote <input from field override hostname> 443 tcp-client"
which is then used to contact the public VPN Gateway to execute the SSL policy, which includes ip routes.

if i leave this field empty, the file fills in all networks that have ticked "SSL VPN" in Administration>Device Access > ACL list of all networks in that zone, including my firewall-only VLAN networks , which was confusing me when seeing them in the .ovpn File for clients.

my only annotation is , that the sophos online help had no dedicated chapter about this, why i was urged to put the question here.

many thanks again !

Sophos XGS SSL-VPN .ovpn files wrong output

Top Replies