Restrict access to VPN from certain countries

Is there a way of blocking countries from trying to access my VPN?
Thanks



  • Hey Luk & Rob,

    Unfortunately, that would not work, as the SSL VPN listener to allow the initial connection occurs before the firewall, like an auto-created rule that you cannot configure.

    If you're just looking at blocking access to your SSL VPN from illegitimate sources then the security set-up of OpenVPN should be sturdy enough. It requires a dual factor (triple if you enable OTP in v16) wherein you need the valid client certificate and the username+pass that applies to that certificate.

    To appropriately block access to your SSL VPN via countries, you need to do this through the ACL rules in Device access (Cog > Administration > Device Access). You can do this either via allowing SSL VPN on the WAN then restricting it using an ACL to block countries or denying WAN and using an ACL to allow countries.

    Hope that helps!

    Emile

  • Hi Emile.

    You are correct. An ACL rule inside the device access should be created. I forgot it!

    Thanks

  • Is it fine like this?

    Or do I have to disable the WAN check box in "Local service ACL"?

  • Either disable the WAN check box and create an Allow ACL for only those networks you want access, or enable the WAN check box and create a Block ACL for those networks you don't want access (e.g. APTxx known sources).

    Better to disable with an Allow ACL.