
Setting up SSL VPN (OpenVPN) for accessing home network

I’ve followed this video “how-to” exactly on setting up SSL VPN:

The issue I’m running into is when I try to download the *.ovpn from the User Portal to set up on my iOS device using the OpenVPN app. After importing this config file and setting up my username/password, it won’t connect. It looks like the config file is set up such that my iOS device is trying to connect to Sophos XG using the local address (172.16.16.16) and not the WAN address (ISP-assigned address). If I’m connected to my local network using my iOS device, it connects just fine in OpenVPN, so I’m fairly certain the issue is with the *.ovpn file. There doesn’t appear to be a way to edit the address in the OpenVPN app.

Any ideas how I can get Sophos XG to create a *.ovpn file with the correct IP address so I can access my LAN from outside my local network?

  • Hey  

    Could you please verify that your configured hostname of your XG is a publicly resolvable FQDN? You could also place your public WAN IP address in this field.
    Please re-download your VPN configuration from the user portal after making this change on your XG.

    Regards,

    FloSupport | Community Support Engineer

  • I changed the ‘Hostname’ field to my public WAN IP address and tried redownloading the VPN configuration file but I’m still having the same issue. I can see in the OpenVPN log that it’s still trying to connect to my Sophos XG local address (172.16.16.16:8443 via TCP). I also tried deleting and re-creating the VPN settings in Sophos XG but still the same thing.

    OpenVPN error log:

    2017-12-03 17:17:05 EVENT: RECONNECTING
    2017-12-03 17:17:05 EVENT: RESOLVE
    2017-12-03 17:17:05 Contacting 172.16.16.16:8443 via TCP
    2017-12-03 17:17:05 EVENT: WAIT
    2017-12-03 17:17:05 SetTunnelSocket returned 1
    2017-12-03 17:17:05 Transport Error: TCP connect error on '172.16.16.16:8443' (172.16.16.16:8443): Connection refused
    2017-12-03 17:17:05 Client terminated, restarting in 2000 ms...


    EDIT: In my VPN settings, I noticed a field for "Override Hostname". I entered my WAN IP address there and now when I download the OpenVPN config file, it's showing the correct IP address. However, when I try to connect, now I'm seeing this error message: "Server poll timeout, trying next remote entry..." and eventually the connection just times out.

    So, it seems if you change your Hostname from the 'Administration' page, it's not being applied to anything VPN related. I'm guessing if I restarted Sophos XG, it might have worked but I didn't want to take down the network. Now the next step is figuring out why it won't connect...

    EDIT 2: Within the Sophos XG firewall under 'Current Activities' -> 'Remote Users', I can see entries when I try to connect with my iOS device but the 'Leased IP', 'Bytes Sent', 'Bytes Received' are all blank. So it appears that Sophos XG is seeing the initial connection, but it gets stuck there...

    EDIT 3: Figured it out. I didn't have 'SSL VPN' checked for 'WAN' under 'Administration' -> 'Device Access'. However, I still can't access the one device on my network that I need to...
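To catch both failure modes from this thread before importing a profile, here is an added example (my own script, not Sophos or OpenVPN code): it parses the `remote` lines of a downloaded .ovpn, flags private addresses such as the 172.16.16.16 seen above, and maps the two OpenVPN Connect log messages quoted in the thread to the causes that were found. The sample profile and log lines are constructed.

```python
import ipaddress
import re

# Constructed sample profile, modelled on the one described in the thread:
# the remote is the firewall's LAN address rather than the public WAN address.
SAMPLE_OVPN = """\
client
dev tun
remote 172.16.16.16 8443 tcp
auth-user-pass
"""

# host, optional port, optional proto; [ \t] (not \s) so a match never runs
# onto the next line of the profile.
REMOTE_RE = re.compile(
    r"^[ \t]*remote[ \t]+(\S+)(?:[ \t]+(\d+))?(?:[ \t]+(\S+))?", re.MULTILINE)


def parse_remotes(profile):
    """(host, port, proto) per `remote` line; OpenVPN defaults to 1194/udp."""
    found = []
    for m in REMOTE_RE.finditer(profile):
        port, proto = m.group(2) or "1194", m.group(3) or "udp"
        found.append((m.group(1), int(port), proto.lower()))
    return found


def classify_remote(host):
    """'private' = unreachable from the Internet (the bug in the thread),
    'public' = routable IP, 'hostname' = must be publicly resolvable."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    return "private" if addr.is_private else "public"


def check_profile(profile):
    """One (host, verdict) finding per remote entry."""
    return [(h, classify_remote(h)) for h, _, _ in parse_remotes(profile)]


def triage_log_line(line):
    """Map the two OpenVPN Connect errors quoted in the thread to their cause."""
    if "Connection refused" in line:
        return "remote in the profile is wrong: set Override Hostname and re-download"
    if "Server poll timeout" in line:
        return "remote is right but nothing listens: allow SSL VPN on WAN in Device Access"
    return "unclassified"
```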

  • Hey  

    Did you create the appropriate firewall rule to allow this connection between your internal LAN device and your WAN SSL VPN device?
    What are you able to observe on the packet capture tool when you are trying to access the device? Also, if applicable you may want to attempt disabling the Windows Firewall on the internal device to further test.

    Regards,

    FloSupport | Community Support Engineer

  • I did create a firewall rule but the issue appeared to be with the 'Permitted Network Resources (IPv4)'.

    What I'm trying to achieve is the ability to access any device on my LAN (172.16.16.0/255) from outside the network using OpenVPN. Originally, under 'Permitted Network Resources (IPv4)' I had selected '#Port 1' which is what my LAN is connected to. This was the issue as I'll explain below but my thinking was that Port is where the network is located so now I'll just have to create a firewall rule to allow access from the VPN to my LAN.

    Here is the firewall rule I created (I have more firewall rules below just not pictured):


    After doing this, I still could not access any devices on my LAN network besides my Sophos XG admin page (because I have HTTPS selected in 'Device Access' under 'Administration', which seems to be its own hidden firewall rule). I really wish all firewall rules, even those created by other settings throughout the Sophos XG GUI, would at least show up in the 'Firewall' page but I digress.

    I went to the 'IP Host' section on the 'Host and Services' page and created a new IP Host for an IP Subnet called 'LAN' which is pictured below:

    From there, I went back to the SSL VPN setup I created and removed 'Port 1' and added 'LAN' to the 'Permitted Network Resources (IPv4)' section as pictured below:


    After doing that, everything is working as expected. I can now access all of my devices on my LAN. If I disable the firewall rule I created above, I can no longer access any devices on my LAN which makes sense. Where I'm confused is why it seems you need to have two separate "rules", one in the 'Permitted Network Resources' section and another firewall rule. Logically, I would think creating the firewall rule is where I'm telling Sophos XG what Source Zones and Source Network are permitted to which Destination Zones and Destination Devices. In other words, the firewall rule is where I define what the VPN connection can access. Instead, it seems that's only half the equation as you also have to create an IP subnet for your LAN which has to be added to the 'Permitted Network Resources' section on the SSL VPN page. Why is that the case and when would I ever use 'Port 1'? I realize 'Port 1' is the specific IP address of my Sophos XG device (172.16.16.16) and not a subnet.

    Anyways, appreciate the help but I'm just trying to learn how Sophos XG works.
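As an added illustration of the two-layer behaviour described in the post above (my own model, not Sophos code), this assumes that the 'Permitted Network Resources' become the routes pushed to the OpenVPN client, while a zone-based firewall rule then decides what is accepted, and that Device Access for HTTPS acts like an implicit accept for the admin page. The host objects and rules are constructed from the values in the thread.

```python
import ipaddress

# Constructed objects mirroring the thread: '#Port 1' is the firewall's own
# LAN interface address (a single host), 'LAN' is the IP-subnet host object.
PORT1 = ["172.16.16.16/32"]
LAN = ["172.16.16.0/24"]

# Assumed model (not from Sophos documentation): permitted resources are the
# routes pushed to the client; a firewall rule must then accept the traffic.
# Device Access (HTTPS) behaves like an implicit accept for the admin page,
# which is why only the admin page was reachable before the rule existed.
VPN_TO_LAN = {"src_zone": "VPN", "dst_net": "172.16.16.0/24", "action": "accept"}
DEVICE_ACCESS_HTTPS = {"src_zone": "VPN", "dst_net": "172.16.16.16/32",
                       "port": 443, "action": "accept"}


def client_has_route(permitted, dst):
    """Layer 1: does the pushed route table even cover the destination?"""
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(n) for n in permitted)


def firewall_allows(rules, src_zone, dst, port):
    """Layer 2: first matching rule wins; no match is an implicit drop."""
    ip = ipaddress.ip_address(dst)
    for r in rules:
        if (r["src_zone"] == src_zone
                and ip in ipaddress.ip_network(r["dst_net"])
                and r.get("port", port) == port):
            return r["action"] == "accept"
    return False


def can_reach(permitted, rules, dst, port=443):
    """A VPN client reaches dst only if both layers pass."""
    return client_has_route(permitted, dst) and firewall_allows(rules, "VPN", dst, port)
```

With '#Port 1' only the firewall itself is routed, so a LAN host fails at layer 1; with 'LAN' but no rule, the LAN host fails at layer 2 while the admin page still passes via Device Access.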
