Bug Report - SSL VPN global setting "IPv4 lease range" start IP is now the network IP

I also had Remote access SSL VPN setup using OpenVPN since v17. It worked on v18 as well but after upgrading to v19 EAP, I can still connect using OpenVPN but I can’t access anything on my network. I haven’t changed any settings with SSL VPN but I double checked everything just to make sure it’s still the same and everything looks correct. In the logs, I can see I’m connecting/authenticating successfully when I connect using OpenVPN, but that’s it.

Update: Figured out what my issue was. In v17 (or maybe v18), the IP range that was assigned to remote clients use to be 10.81.234.5 to 10.81.234.55, so I had an IP range setup for that which was used in my firewall rule. I noticed that when I was connected with OpenVPN, I was being assigned an IP address outside that range. I updated the firewall to just use a IP host for the entire subnet 10.81.234.0/24, and now everything works fine.

Not sure when that changed with Sophos XG. I must have just missed it in the change logs.

I also had Remote access SSL VPN setup using OpenVPN since v17. It worked on v18 as well but after upgrading to v19 EAP, I can still connect using OpenVPN but I can’t access anything on my network. I haven’t changed any settings with SSL VPN but I double checked everything just to make sure it’s still the same and everything looks correct. In the logs, I can see I’m connecting/authenticating successfully when I connect using OpenVPN, but that’s it.

Update: Figured out what my issue was. In v17 (or maybe v18), the IP range that was assigned to remote clients use to be 10.81.234.5 to 10.81.234.55, so I had an IP range setup for that which was used in my firewall rule. I noticed that when I was connected with OpenVPN, I was being assigned an IP address outside that range. I updated the firewall to just use a IP host for the entire subnet 10.81.234.0/24, and now everything works fine.

Not sure when that changed with Sophos XG. I must have just missed it in the change logs.

I can't remember if both IPSEC and SSL Remote VPN allowed for an IP range to be specified in v18/18.5. In v19, for IPSEC you can still set a range, but for SSL you can only set the first IP address. This address becomes the server's, and SSL VPN clients get addresses starting at one more than that.

It looks like you can set the IP addresses SSL VPN will use in the CIDR notation (e.g. 10.81.234.5/24). I only have one instance of Sophos XG running for my home network so I can’t compare it to v18 but I’m fairly certain it use to specify a range from 10.81.234.5 to 10.81.234.55 as the default.

So for anyone coming from pre v19 with SSL VPN set using the default range it use to specify, you may have to update your IP host used in the firewall rule for SSL VPN.