OpenVPN where are the options?

While setting up the SSL VPN I was able to make a few configurations on my test remote client, with multiple working VPN connections to the Sophos UTM, all using the SSL VPN. But when I cleaned up and set things up how I would like, I found out that the user portal only offers one SSL VPN profile. So by that logic that is one VPN profile for each type of connection.
I would like to have:

  • A split tunnel VPN so home users can access the network but keep their internet speed on their own ISP.
  • A full tunnel VPN for when they are travelling.

Due to the poor usability of the Sophos UTM user portal, my options are:

  1. Set up a different type of VPN connection for each connection type,
    i.e. an SSL VPN for the split tunnel VPN and PPTP for the full VPN connection.
    Cisco and IPsec are not options as they would have additional cost. This would be very confusing for users.
  2. Play the game of adding and removing users from each group while logged in as the user so I can get their VPN configs for each profile to add manually.
    This would be a lot of overhead for my team.
  3. Not use the UTM for VPN till the user portal is fixed. So set up a VPN server in something like a DMZ.

Does anyone have any other ideas to set up 2 VPN profiles for users?



  • Hi, Nick, and welcome to the UTM Community!

    Like all ordered lists in WebAdmin, once the traffic qualifies for a Profile, no further Profiles are considered (FALSE).  In the UTM's implementation, the only differentiating criterion is the user object, so you can't let the user choose between two or more Profiles (True).

    UPDATE 2016-05-21: That statement is partially incorrect.  The rest of this post is correct.  Please also read the rest of the thread.

    The only Remote Access method that lets you supply that kind of granularity is IPsec via the use of different Policies or different Interfaces in different Profiles.  This does, however, leave open the possibility that the user can choose to establish a split tunnel when not working from home.

    Depending on the number of people this involves, to allow split tunneling when working from home but require full tunnels when not, I would suggest the following:

    1. Create a NAT rule 'NoNAT : {group of home IPs of users} -> IPsec -> External (Address)'
    2. Block IPsec from elsewhere with a second rule: 'DNAT: Internet -> IPsec -> External (Address) : to {unreachable/non-existent IP}'
    3. Configure L2TP/IPsec and tell users to connect with that from home.  They each can configure their client to use split tunneling.
    4. Configure the SSL VPN with a full tunnel and tell users to use that elsewhere.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • <quote> Like all ordered lists in WebAdmin, once the traffic qualifies for a Profile, no further Profiles are considered.  In the UTM's implementation, the only differentiating criterion is the user object, so you can't let the user choose between two or more Profiles. </quote>

    Bob - are you certain about this?  Reason I ask, in some inadvertent testing with multiple profiles, and a user who belonged to two different profiles (backend AD membership), the Sophos _seemed_ to blend the routes together (from the 2 profiles)... so it ended up being the (greater) combination of access... "blended", as it were.  

  • Hi, G, and welcome to the UTM Community!

    Thanks for your question - you just opened up a new configuration possibility to me - Eureka!

    In fact, I just noticed that the profiles are NOT in an ordered list.  I added a test Profile with a network not included in the other Profile for which my test user qualifies.  If I activate the new profile, my client gets the routes from both profiles.  If I disable the new Profile, the client only gets the routes to the networks in the original Profile.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
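Worked example, added by the editor and not code from the thread or from Sophos: a small Python model of the behaviour Bob confirms above, where the client receives the routes of every profile its user object qualifies for rather than the first matching profile only. The profile and user structures, group names and addresses are constructed for illustration (the UTM has no such export), and the push-line rendering assumes the SSL VPN behaves like a plain OpenVPN server. The point it shows is the security caveat G raised: a user who is in both a split-tunnel group and a full-tunnel group ends up with the full tunnel plus the split-tunnel routes, the greater combination of access, and a disabled profile contributes nothing until it is switched on.

```python
"""Model of how SSL VPN routes accumulate across Sophos UTM profiles.

Added example, not Sophos code.  It models the behaviour reported in the
thread: the client receives the union of the routes from every profile its
user object qualifies for, so access is the greatest combination.  Profiles,
users, group names and addresses below are constructed for illustration.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_network

FULL_TUNNEL = "0.0.0.0/0"  # a full-tunnel profile pushes the default route


@dataclass(frozen=True)
class Profile:
    name: str
    members: frozenset   # user or group objects the profile is assigned to
    networks: frozenset  # local networks pushed to the client as routes
    enabled: bool = True


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


def qualifies(user: User, profile: Profile) -> bool:
    """A profile applies if it lists the user itself or any of the user's groups."""
    return profile.enabled and bool({user.name, *user.groups} & profile.members)


def effective_networks(user: User, profiles) -> set:
    """Union of the networks of every profile the user qualifies for.

    This is the observed behaviour: profiles are not an ordered list where the
    first match wins, so every matching profile contributes its routes.
    """
    nets = set()
    for p in profiles:
        if qualifies(user, p):
            nets.update(ip_network(n) for n in p.networks)
    return nets


def is_full_tunnel(nets) -> bool:
    """True once any applying profile pushed the default route."""
    return any(n.prefixlen == 0 for n in nets)


def applying_profiles(user: User, profiles) -> list:
    return [p.name for p in profiles if qualifies(user, p)]


def openvpn_push_lines(nets) -> list:
    """Render the merged routes the way an OpenVPN server pushes them."""
    lines = []
    for n in sorted(nets, key=lambda n: (n.prefixlen, int(n.network_address))):
        if n.prefixlen == 0:
            lines.append('push "redirect-gateway def1"')
        else:
            lines.append(f'push "route {n.network_address} {n.netmask}"')
    return lines


def audit(users, profiles) -> dict:
    """Per-user report flagging anyone whose access is blended from several profiles."""
    report = {}
    for u in users:
        nets = effective_networks(u, profiles)
        names = applying_profiles(u, profiles)
        report[u.name] = {
            "profiles": names,
            "blended": len(names) > 1,
            "full_tunnel": is_full_tunnel(nets),
            "networks": sorted(str(n) for n in nets),
        }
    return report


# Constructed sample data: one split-tunnel profile for the home group, one
# full-tunnel profile for travel, and a disabled test profile for a single user.
PROFILES = [
    Profile("Split tunnel (home)", frozenset({"vpn-home"}),
            frozenset({"10.10.0.0/16", "192.168.50.0/24"})),
    Profile("Full tunnel (travel)", frozenset({"vpn-travel"}),
            frozenset({FULL_TUNNEL})),
    Profile("Lab test", frozenset({"nick"}),
            frozenset({"172.16.99.0/24"}), enabled=False),
]
USERS = [
    User("nick", frozenset({"vpn-home", "vpn-travel"})),
    User("alice", frozenset({"vpn-home"})),
]


def enable_profile(profiles, name):
    """Return a copy of the profile list with the named profile switched on."""
    return [replace(p, enabled=True) if p.name == name else p for p in profiles]


if __name__ == "__main__":
    for user, row in audit(USERS, PROFILES).items():
        flag = "BLENDED" if row["blended"] else "ok"
        print(f"{user:6} {flag:8} full_tunnel={row['full_tunnel']} {row['networks']}")
    print("\n".join(openvpn_push_lines(effective_networks(USERS[0], PROFILES))))
```

Running it shows nick flagged as blended with the default route plus both home networks, while alice, who is only in the home group, gets the two split-tunnel routes. Because the merge is a union, the only way to keep a user on a strict split tunnel is to make sure no full-tunnel profile applies to them, which is why Bob's suggestion moves the "full tunnel only when away" decision out of the profiles and into firewall rules keyed on source address.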