UTM as VPN "Client"

Hey Guys!

I recently signed up for a VPN service. I want to have all the traffic from the device go through the tunnel. The service has .ovpn config files, as well as all the info I could need to set up a VPN connection, which I have downloaded. Now I have a bunch of .ovpn config files which are utterly useless.

On a side note, the #1 VPN feature request is something to convert the .ovpn to the (seemingly) proprietary .apc (or .epc) files:
UTM (Formerly ASG) Feature Requests: VPN (172 ideas)

There are a few posts indicating a script may be able to do so. I have downloaded it and run it. It never completes properly, and the .apc file it spits out is always corrupted (or so says Sophos when I try to import it).

Now, I tried creating an SSL VPN Server, saving the config file, and then editing it; I couldn't seem to get it to open to be edited... If this is possible, please let me know how.

So... How do I set up this UTM to be an OpenVPN client to another server whose settings I have no control over? All the Sophos guides I could find only mentioned creating the VPN server on one device, saving the config file, and using THAT on the "client" device. How can I just config the client device?

Is this even possible with the UTM 9 devices?


  • The one you found on the web and the component of UTM are two completely different products, by different people, that happen to use the same name.  As I mentioned earlier, confd (confd-client) on the UTM is completely home grown, coded at Astaro and never released externally.

    See the above.  [:)]

    I misunderstood what you had said earlier, as I didn't realize that meant confd on UTM was a unique product purely built for UTM alone... putting that into context makes everything you, bob, and Billybob said appear in a new light.  I now fully understand why it's probably not feasible for OpenVPN to be customized to a great degree on UTM.

    On a side note, I have been successful with adding specific options to the openvpn.conf-default for both server side and client side (via push), with it yet to be overwritten.  I have taken updates since the manual edit, with the changes remaining afterwards (I take this to mean no OpenVPN files were a part of the update).  I'm thinking, to stay on the cautious side, I'll create a cron job to manually replace the openvpn.conf-default file with a custom one that includes all my additions at midnight every night.

    • I think someone mentioned this before, but just to re-verify, if I create a folder in the root directory, or within root's home folder, will this folder be safe from deletion by confd or other system processes (such as an update)?  If it won't be, is there anywhere I can create a folder where it, or the files contained within, won't be deleted? (While I'd rather store the folder on the internal SSD, worst case scenario I can use a mounted flash drive.)
  • The conf-default files, in conjunction with the data in confd, are what's used to write the conf files, so as long as it doesn't conflict with what is in confd and no OpenVPN patch is released, your changes should be ok.

    "...will this folder be safe from deletion by confd or other system processes (such as an update)?"
    confd, yes.  A large update, probably, but no guarantees.  It's quite possible that a check could be added, in future, to look for non-standard directories and delete them, now that you've posted about it.

    You would be much better off just installing openvpn onto another vm, with the distro of your choice, for this feature and be done with it.  On the UTM it's something of a Don Quixote project.  [:)]
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
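A concrete version of the nightly re-apply idea from the post two replies up, written as an added example for this thread rather than anything from Sophos or the poster: a small POSIX shell script that keeps a set of custom directives present in the openvpn.conf-default template and can be run from cron. The template path, the name of the extras file, the cron line and the sample directives are assumptions; the thread does not give the file's location. It checks the template instead of blindly copying over it, so a template replaced by an OpenVPN patch (the case warned about above) keeps its new content and only the missing custom lines are appended, and a directive the template already sets with other arguments is reported as a conflict rather than duplicated. It maintains only the template: per the reply above, confd builds the live conf from conf-default plus its own data, so the additions take effect whenever that next happens.

```shell
#!/bin/sh
# reapply-ovpn.sh: keep custom OpenVPN directives present in a template that
# an update may overwrite. Added example for this thread, not Sophos code.
# Assumed paths (the thread gives none); adjust to your appliance:
#   TEMPLATE  e.g. /path/to/openvpn.conf-default        (assumption)
#   EXTRA     e.g. /root/ovpn-extra.conf, one directive per line (assumption)
# Cron entry (assumption): 0 0 * * * /root/reapply-ovpn.sh TEMPLATE EXTRA

# reapply_directives TEMPLATE EXTRA
# Appends each directive line from EXTRA that TEMPLATE lacks. A keyword the
# template already sets with different arguments is reported on stderr as a
# conflict and skipped, so the file never carries two competing values.
# Keywords that may legitimately repeat (push, route, remote) are appended
# whenever the exact line is absent. A dated backup is taken before the
# first change of a run. Prints "added=N conflicts=M" and returns 0.
reapply_directives() {
    tmpl="$1"; extra="$2"; added=0; conflicts=0; saved=0
    backup="$tmpl.$(date +%Y%m%d%H%M%S).bak"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*|';'*) continue ;; esac   # skip blanks/comments
        key=${line%% *}                                  # directive keyword
        if grep -Fxq -- "$line" "$tmpl"; then
            continue                                     # exact line present
        fi
        case "$key" in
            push|route|remote) ;;                        # repeatable directives
            *)
                if grep -Eq "^$key([[:space:]]|\$)" "$tmpl"; then
                    echo "conflict: template already sets '$key' with other arguments" >&2
                    conflicts=$((conflicts + 1))
                    continue
                fi ;;
        esac
        if [ "$saved" -eq 0 ]; then
            cp -p "$tmpl" "$backup"; saved=1             # one backup per run
        fi
        printf '%s\n' "$line" >> "$tmpl"
        added=$((added + 1))
    done < "$extra"
    echo "added=$added conflicts=$conflicts"
}

# With both paths given (as from cron) do the work; otherwise only define
# the function so the file can be sourced.
if [ "$#" -eq 2 ]; then
    reapply_directives "$1" "$2"
fi
```

The conflict check is the part worth keeping even if you simplify the rest: the reply above says the conf-default content must not contradict what confd holds, and appending a second `proto` or `cipher` line to the template is the easiest way to do exactly that without noticing.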
  • "It's quite possible that a check could be added, in future, to look for non-standard directories and delete them, now that you've posted about it."

    If something along those lines was integrated in the future, would mounting a USB drive work?  I'm still in the process of reading the UTM user manual, and in case it's not covered in there, does UTM allow mounting external devices, or for security reasons has Sophos prevented external devices from being utilized?
  • They can be mounted, yes.  It's not supported though, for the purposes you are looking at.
  • I found a few pages talking about confd and perhaps some backing up:
    https://www.sophos.com/en-us/support/knowledgebase/116041.aspx
    Sophos UTM Command-line Useful Shell Commands and Processes
    Sophos UTM: Configuring Interfaces and IP Addresses via CLI in a Hyper-V Environment

    Maybe these will help...?
  • Hi folks,

    Has any progress been made connecting the UTM to a signup VPN service or any service providing a bit more privacy?

    Given we have all the "tools" in UTM, I am still stumped as to how to connect the dots.

    Cheers, Craig

  • Ignore my post, I was lazy and should have been reading more :-)

  • BAlfson wrote the following post at 29 Oct 2015 5:28 PM:

    I'm curious, JD.  What is the reason for needing the UTM to act as a client?

    I'm not looking at a default route - but I have a VPS which has an openVPN server running - allowing for various people/locations to connect and tunnel data to the server, and for some of them to contact between each other.

    I can't put Sophos up there, because I couldn't then install any of the things I actually want the VPS for, so it's all hand crafted.

    I've previously had my home network connected to the VPN by the firewall (and a couple of rules allowing limited return access), which made life very easy inside the home network.  And allowed me to contact the home network from wherever I was by going via the VPS.

    I can probably (I haven't tried it from "outside" yet) get to my home network using the SSL VPN - and that will be fine - but I lose the convenience of internal connectivity to my VPS and the other sites which are connected to the VPS.

  • To anyone who may find this thread searching for a means to accomplish this: all I was able to find was repeated nonsense about how this isn't possible.

    It's fairly easy. Grab an old router, flash DD-WRT on it, set up your OpenVPN, turn DHCP on (if you want), and set it in a DMZ.

    Set up a new Ethernet WAN interface, attach it to your DD-WRT router. Set up a multipath rule to push whichever traffic or hosts across this new interface to your DD-WRT router (in the DMZ) and eventually out your primary WAN.

    No biggie. So the UTM won't be the client. You can find a router in the garbage can that can perform this service.
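For anyone who, like the original poster, is holding only the provider's .ovpn files and needs to move their contents into another OpenVPN client (the DD-WRT box in the post above, or a VM), here is an added example for this thread, not code from the poster, Sophos or any provider. It pulls single directives and the inline <ca>/<cert>/<key>/<tls-auth>/<tls-crypt> blocks out of a profile, which are the fields a GUI client asks for, and flags the control-channel and cipher settings worth checking before trusting a profile you did not write. The two sample profiles it writes are constructed for the example with placeholder PEM bodies, not real provider files, and the baseline the audit applies is an assumption of this example.

```shell
#!/bin/sh
# ovpn-check.sh: read an OpenVPN client profile and report weak settings.
# Added example for this thread; sample profiles below are constructed.

# ovpn_directive FILE NAME -> print NAME's arguments (first match outside
# any <tag>...</tag> block); exit status 1 when the directive is absent.
ovpn_directive() {
    awk -v name="$2" '
        /^<[a-z-]+>$/   { inblock = 1; next }
        /^<\/[a-z-]+>$/ { inblock = 0; next }
        inblock || NF == 0 || /^[#;]/ { next }
        $1 == name { found = 1; sub(/^[^ \t]+[ \t]*/, ""); print; exit }
        END { exit !found }
    ' "$1"
}

# ovpn_block FILE TAG -> print the body of <TAG>...</TAG> (the PEM lines)
ovpn_block() {
    sed -n "/^<$2>\$/,/^<\/$2>\$/p" "$1" | sed '1d;$d'
}

# ovpn_audit FILE -> one line per finding, nothing if the profile passes.
# Always returns 0 so a caller running under 'set -e' is not aborted.
ovpn_audit() {
    f="$1"
    ovpn_directive "$f" remote-cert-tls >/dev/null ||
        echo "missing 'remote-cert-tls server': any cert from the CA could pose as the server"
    ovpn_directive "$f" verify-x509-name >/dev/null ||
        echo "missing 'verify-x509-name': server identity is not pinned to a name"
    c=$(ovpn_directive "$f" cipher || echo "none")
    case "$c" in
        AES-*-GCM|AES-*-CBC|CHACHA20-POLY1305) ;;
        *) echo "weak or unset cipher: $c" ;;
    esac
    a=$(ovpn_directive "$f" auth || echo "SHA1 (OpenVPN default)")
    case "$a" in
        SHA256|SHA384|SHA512) ;;
        *) echo "weak HMAC for 'auth': $a" ;;
    esac
    ovpn_directive "$f" comp-lzo >/dev/null &&
        echo "'comp-lzo' enabled: compression inside TLS invites VORACLE-style attacks"
    if ! ovpn_directive "$f" tls-auth >/dev/null && ! ovpn_directive "$f" tls-crypt >/dev/null \
       && [ -z "$(ovpn_block "$f" tls-auth)" ] && [ -z "$(ovpn_block "$f" tls-crypt)" ]; then
        echo "no tls-auth/tls-crypt: control channel accepts packets from anyone"
    fi
    return 0
}

# write_sample_profiles DIR -> constructed profiles: one typical of a consumer
# provider, one hardened. PEM bodies are placeholders, not real key material.
write_sample_profiles() {
    cat > "$1/weak.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1194
auth-user-pass
cipher BF-CBC
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
MIIBplaceholderNotARealCertificate==
-----END CERTIFICATE-----
</ca>
EOF
    cat > "$1/hardened.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1194
auth-user-pass
remote-cert-tls server
verify-x509-name vpn.example.net name
cipher AES-256-GCM
auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
MIIBplaceholderNotARealCertificate==
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF
}

# Usage: sh ovpn-check.sh provider.ovpn [...]; with no argument it audits the
# constructed samples so the script can be tried without a provider file.
if [ "$#" -eq 0 ]; then
    demo=$(mktemp -d)
    write_sample_profiles "$demo"
    set -- "$demo/weak.ovpn" "$demo/hardened.ovpn"
fi
for p in "$@"; do
    echo "== $p (remote: $(ovpn_directive "$p" remote || echo '?'))"
    ovpn_audit "$p"
done
[ -z "${demo:-}" ] || rm -rf "$demo"
```

`ovpn_block provider.ovpn ca` gives you the CA to paste into DD-WRT; `ovpn_directive provider.ovpn remote` gives host and port. The cipher check is a floor only: an OpenVPN 2.4+ server can negotiate a stronger cipher at connect time, but a profile without `remote-cert-tls server` or `verify-x509-name` stays open to server impersonation no matter what is negotiated.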

  • Hi Ken,

    Thanks. Do you know how to set this up on a VMware host? Instead of DD-WRT, would pfSense as a VM work too?