SSL User VPN Best practice with more than one Internet Uplink

Hi Matthias,

When a client connects to the UTM's SSL VPN Remote Access service, it receives routing information from the server specific to the tunnel established.  If the client calls in to 1.2.3.4, all traffic for that tunnel will be via that IP.  If the ISP for 1.2.3.4 has a problem and the client establishes a new tunnel via another ISP on 4.3.2.1, all traffic for that tunnel will be via that IP.  There's no way to shift an existing tunnel from one to the other without breaking it.

Yes, you would want to configure SSL VPN profiles with an FQDN instead of a fixed IP.  If it's too inconvenient for your users to have a separate connection for each ISP, then google DNS failover service.

Did I understand what you were looking for?

Cheers - Bob

Hi Bob,

thanks for your answer.

Well so far I had the impression that it was not possible to open an SSL VPN tunnel if it is not coming in through the interface with the default route, but I need to verify that again it seems.

But if I understood you correctly, with three public IPs, like 1.2.3.4, 4.3.2.1 and 1.1.2.2 best practice would be creating a DNS record including all these 3 IPs, correct?

Thanks in advance.

Matthias

Matthias, I think "best practice" would depend on your situation.  The choices are:

• "Round-robin DNS" where you assign three A-records to a single FQDN.
• A separate FQDN for each public IP.
• A DNS fail over service that monitors the availability of each public IP and responds to a name resolution request with the highest-priority IP that's available.

Cheers - Bob

Hi, I now had th possibility to test that again, but it doesn´t work.

I have connected 2 Internet connection to my SG330, one is used as default gateway (I´m not using uplink balancing). VPN CLients enter to the second interface´s public IP, but the tunnel can´t be established.

On client side you only see repeatedly (german error message as the client was german)

Tue Dec 27 21:13:18 2016 TCP: connect to [AF_INET]%MYIP%:443 failed, will try again in 5 seconds: Das System hat versucht, einem Verzeichnis, das sich auf einem mit JOIN zugeordneten Laufwerk befindet, ein Laufwerk mit SUBST zuzuordnen.  
Tue Dec 27 21:13:23 2016 MANAGEMENT: >STATE:1482894803,TCP_CONNECT,,,
Tue Dec 27 21:13:33 2016 TCP: connect to [AF_INET]%MYIP%:443 failed, will try again in 5 seconds: Das System hat versucht, einem Verzeichnis, das sich auf einem mit JOIN zugeordneten Laufwerk befindet, ein Laufwerk mit SUBST zuzuordnen.

On server side I do not see anything in the logs.

The SSL Server is configured to listen on "Any" Interface

Any ideas?

Thanks in advance

Hi, I now had th possibility to test that again, but it doesn´t work.

I have connected 2 Internet connection to my SG330, one is used as default gateway (I´m not using uplink balancing). VPN CLients enter to the second interface´s public IP, but the tunnel can´t be established.

On client side you only see repeatedly (german error message as the client was german)

Tue Dec 27 21:13:18 2016 TCP: connect to [AF_INET]%MYIP%:443 failed, will try again in 5 seconds: Das System hat versucht, einem Verzeichnis, das sich auf einem mit JOIN zugeordneten Laufwerk befindet, ein Laufwerk mit SUBST zuzuordnen.  
Tue Dec 27 21:13:23 2016 MANAGEMENT: >STATE:1482894803,TCP_CONNECT,,,
Tue Dec 27 21:13:33 2016 TCP: connect to [AF_INET]%MYIP%:443 failed, will try again in 5 seconds: Das System hat versucht, einem Verzeichnis, das sich auf einem mit JOIN zugeordneten Laufwerk befindet, ein Laufwerk mit SUBST zuzuordnen.

On server side I do not see anything in the logs.

The SSL Server is configured to listen on "Any" Interface

Any ideas?

Thanks in advance

As a small addition, currently I have my external IP in the "replace hostname" field.

So given the case this JOIN/SUBST Error is due to the fact that I´m using TCP for OpenVPN, what would be the way to change everything but only deploy new VPN profiles once to my ~80 VPN users?

-I will create a public FQDN, containing all 3 public IPs of my Sophos

-I will change SSL settings in my Sophos to UDP

-I will put the public FQDN in the "Replace hostname" field.

- Then I will regenerate all the profiles (is that done automatically?) and deploy it to the clients.

With this configuration my users should be able to connect to VPN, even if 1 or 2 of the public IPs are not reachable (maybe with a second try), am I right or do I miss something here?

Many thanks in advance for your support.

M.

In OpenVPN Client 2.4 (Just released these days) is a new Feature called "DualStack Round Robin". Maybe this would help you to solve your problem?

OpenVPN Client 2.4 is compatible with some minor modifications in *.OVPN File with Sophos UTM 9.409.

See here for further Informations: https://github.com/OpenVPN/openvpn/blob/master/Changes.rst

Hi,

that looks indeed quite interesting, although it still depends on the server side setting of the sophos if the tunnel is anyway built.

Could you explain a bit more which minor modifications in the OVPN file would be necessary?

Thanks in advance

MK

In WebAdmin 'Users & Groups', you can select all of the users, click the drop down at the top of the column of names and then download just the configuration update for all users.  Copy the unzipped folder, move all of the user folders out of the "config" subdirectory and then paste them back in one at a time to email the configuration package to each user.

Did your new approach work?

Cheers - Bob

Hi Bob,

actually I was hoping that you would tell me that it will work before I do the changes :-)

I know how to download the configurations, unfortunately it´s not that easy as I need to modify each and every exported OVPN file before I can give it to the users as we´re using a split-tunnel with a lot of routes, so I need to add "max-routes 200" to every file.

Regards,

MK

MK said:

Could you explain a bit more which minor modifications in the OVPN file would be necessary?

 

The Setting tls-remote does no longer exist under OpenVPN 2.4. You have to replace it with --verify-x509-name.

This is already done in XG Firewall Config, but not in good old UTM.

That's all you have to modify to get it run.

Your suggestion looks good to me!

Cheers - Bob