PPTP VPN configuration

SG115 - FW:  9.510-5

Kind of sorry that I recommended this Sophos UTM to my client, as it's clearly not at all easy to configure and the documentation is terrible.  

I managed to configure a PPTP VPN with that documentation with little problem, but it really doesn't do much.   I can ping inside the network by IP address, but not by hostname.   While I would prefer to know how to just resolve Windows hosts inside in general, that could be a topic for a future posting.  I know Windows networking is kind of goofy, but with a wide-open firewall, even that should work.

Right now, I'd like to create a hostname for a single computer inside the network, a static DNS entry, and allow my users to connect via the Windows PPTP client, RDP into that single hostname, and get their jobs done.    The way I see it, this should be pretty easy.

While I wouldn't call myself a networking guru like many of you, I am also not an inexperienced network tech.   I have done this sort of thing with many devices, including Windows server RRAS.    It really shouldn't be that difficult.

Anyway, if I have to set up RDP icons on everyone's desktop to the actual IP address, I guess I can do that.   But what good is a VPN when you can't even resolve network names through it?

I created a host with the fully qualified name of the server I want to connect to, "hostname.dnsdomain.com", and gave it the LAN IP address.

When I connect via VPN, I can ping the IP address, but not the name.

I have firewall rules allowing ANY service between the LAN and the PPTP Pool (both directions).   
PPTP Pool address is the default
Internal LAN address is

I tried looking through the firewall log, but who can read that?   It's a dog's breakfast, and I can't figure out how to put it into a spreadsheet to at least make it a bit more palatable.   Haven't worked too hard at that yet.

So, if anyone can explain what I need to do to resolve a single hostname inside the network I'm connecting to, I'd love to hear it.    Even a link to a document that explains it would be appreciated, but not just how to set up the PPTP VPN.   It gets me as far as I already am, but no further.    If past experience with the device is any indication, there are about 4 or 5 more things I need to know to get this to work.   Trouble is, without a lot of Sophos experience, I have no idea where to look.


  • This is not as much about Sophos as it is about Microsoft and NetBIOS vs DNS name resolution.

    When you use a single hostname, Windows uses NetBIOS to resolve the host. This is a broadcast protocol that can only ever exist inside its own subnet and will by default NOT travel any router.

    What you can do is have the "default" DNS-suffix(es) you use inside your network added to every single computer that needs to access the network from a VPN-connection. That way whenever you try to connect to a hostname only, if Windows cannot resolve it, it will add the configured DNS-suffixes in order until it finds the FQDN.

    FQDN resolution however is a DNS thing. In order to resolve these, your client needs to resolve the right IP-address with the right DNS-server. In UTM you can configure what DNS-server(s) to use when using a remote VPN solution. I'm not using PPTP myself, so haven't really checked if this also works with PPTP but webadmin suggests it works with all connecting remote access clients (see Remote access -> Advanced).

    UTM really isn't that complex, but it has so many possibilities that there is indeed a rather steep learning curve. Don't give up too easily on it. And I'm not sure if there's a special reason you're using PPTP, but UTM can also handle SSL remote access. It's more secure and can use the default SSL port (TCP 443), so it will likely work from many places around the world where PPTP might be blocked. You can also configure it to use UDP (instead of TCP) to increase the performance of the remote access connection (UDP is a connectionless protocol).
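The NetBIOS-versus-DNS point in the answer above can be verified from the Windows client itself. The script below is an added example, not code from the thread or from Sophos; the short hostname, the LAN DNS suffix, the UTM's internal DNS address (10.0.0.1) and the VPN adapter alias are assumed placeholders to be adjusted for the real site.

```powershell
# Added diagnostic for name resolution over the UTM VPN (not from the thread).
# Assumptions: 'hostname' / 'dnsdomain.com' are the LAN host and DNS suffix,
# 10.0.0.1 is the UTM's internal DNS address, 'Sophos SSL VPN' is the adapter alias.
param(
    [string]$ShortName  = 'hostname',
    [string]$Suffix     = 'dnsdomain.com',
    [string]$UtmDns     = '10.0.0.1',
    [string]$VpnAdapter = 'Sophos SSL VPN'
)

function Test-VpnNameResolution {
    param($ShortName, $Suffix, $UtmDns, $VpnAdapter)
    $fqdn = "$ShortName.$Suffix"

    # 1. Which DNS servers did the VPN push to the client? (Remote access -> Advanced on the UTM)
    Get-DnsClientServerAddress -InterfaceAlias $VpnAdapter -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Select-Object InterfaceAlias, ServerAddresses | Format-List

    # 2. Does the client have a suffix search list, so a bare name is expanded to a FQDN?
    $search = (Get-DnsClientGlobalSetting).SuffixSearchList
    if ($search -notcontains $Suffix) {
        Write-Warning ("'{0}' is not in the suffix search list ({1}); a bare '{2}' falls back to " +
                       "NetBIOS broadcast, which does not cross the VPN." -f $Suffix, ($search -join ', '), $ShortName)
    }

    # 3. Resolve the short name, the FQDN, and the FQDN asked directly of the UTM's DNS.
    foreach ($q in @(@{Name = $ShortName}, @{Name = $fqdn}, @{Name = $fqdn; Server = $UtmDns})) {
        $label = $q.Name + $(if ($q.Server) { " @$($q.Server)" })
        try {
            $a = Resolve-DnsName @q -Type A -DnsOnly -ErrorAction Stop
            "{0,-40} -> {1}" -f $label, ($a.IPAddress -join ', ')
        } catch {
            "{0,-40} -> FAILED: {1}" -f $label, $_.Exception.Message
        }
    }

    # 4. Once the FQDN resolves, confirm RDP (TCP 3389) is reachable by name through the tunnel.
    Test-NetConnection -ComputerName $fqdn -Port 3389 -InformationLevel Quiet
}

Test-VpnNameResolution -ShortName $ShortName -Suffix $Suffix -UtmDns $UtmDns -VpnAdapter $VpnAdapter

# Remedy for step 2 (run elevated): append the LAN suffix to the client's search list so
# that "hostname" alone is tried as "hostname.dnsdomain.com" before NetBIOS is used.
# Set-DnsClientGlobalSetting -SuffixSearchList ((Get-DnsClientGlobalSetting).SuffixSearchList + $Suffix)
```

If step 3 succeeds only when the UTM server is named explicitly, the VPN is not pushing the DNS server to the client and the Remote access -> Advanced setting is the place to look.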

  • Well-stated question, Rob.  I agree with all of apijnappels' comments and would also urge the use of SSL VPN remote access.  Years ago, I read here that UDP can be problematic in European hotels.  Since you're in North America, I would change the protocol to UDP on port 1443 before loading SSL VPN configs.  This is just a good habit to avoid potential issues with other capabilities, and UDP is a bit faster than TCP.

    NOTE 2019-04-26: One reason to stay with the TCP 443 default is that your cellular data provider might block UDP.  My AT&T iPhone XS was unable to establish a working tunnel when using UDP 443 or UDP 1443.  Everything worked perfectly with TCP 443.

    Here are a few links I would recommend to you:

    Rulz - especially #2 & #1
    DNS best practice
    Packetfilter logfiles on the Sophos UTM
    How to Run Preconnect/Connect/Disconnect OpenVPN Scripts

    Cheers - Bob

  • In reply to BAlfson:

    Thanks to both of you.  I was using PPTP because I am more familiar with the client-side setup, but I will switch to the SSL and see what I get.

    Not clear on changing the port and protocol - there are likely about a zillion places on this thing where I can do that, so I probably have a lot of reading to do before I do that.

    But I will do some reading (the links you provided) before I bug you with more questions.

    Going to also create a Sophos appliance on my home network, so I can become more accustomed to it.

    Thanks again - stay tuned for more amusing anecdotes from this Sophos newbie.