Open VPN to UTM - site to site


Anybody got a site to site OpenVPN connection working with the UTM? I copied the certificates from the APC file using Notepad++ but this didn't seem to work.



  • Hi  

    Have you followed these articles: Sophos UTM: How to configure a Site to Site SSL VPN tunnel & UTM: SSL Site to Site VPN Troubleshooting? You don't need to import a certificate additionally apart from importing the config file. 

  • In reply to Jaydeep:

    I've got it working now. It wasn't as simple as a UTM to UTM. This is a UTM to OpenVPN site to site (not remote access)

    I had to basically:

    1. Use UTM as server

    2. Download apc file and extract the certs (CA, Cert & Key)

    3. Extract the username/password from above file  (this is the bit I was stuck at)

    4. Use remote server as SSL client and enter above details/certs

  • In reply to Louis-M:


    Thanks for the update. Would you please tell us if you have connected a Linux server or any other system using this method?

  • In reply to Jaydeep:

    I connected a Teltonika RUTX11 using the UTM as the server side (Fixed IP) and the RUTX11 as the client side (dynamic IP)

    This is configured as a site to site SSL VPN on the UTM (not Remote Access)

    Certs (CA & Cert + Key) were extracted using notepad++ from the downloaded apc file on the UTM.
    Username/Password was also extracted from this file.

    RUTX11 client side used TLS+Username/Password

    Works very well so far.

    The system above is a linux based system (as with most) so I imagine anything that has OpenVPN client on it will work. The trick was to extract the correct details from the apc file and also use TLS+password authentication on the client side. I'm not sure why Sophos make the site to site a little bit harder to configure if it's not another UTM?

  • In reply to Louis-M:

    Louis, this is the first time I remember anyone doing this successfully. Can you be a little more precise about extracting and naming the certs, username and password? Also, what you did in the OpenVPN client to enter the details.


    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    In the apc file, the certs are extracted using notepad++ (from top downwards in the apc file)

    Client Cert is the first one:

    copy from
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

    and save in a file called some_cert.txt OR you can rename to some_cert.crt

    CA cert is the next one:

    copy from
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

    and save in a file called some_CA.txt OR you can rename to some_CA.crt

    Private key is the next one:

    copy from
    -----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----

    and save in some file called some_key.txt OR you can rename to some_key.key

    That completes the certs.

    Now you need the username & password which they cleverly hide in the file.
    Search for "username" and you will find the username before that phrase eg REF_SomeText eg REF_AaaUse1. Sits just after the CA cert
    Search for "password" and you will find the password before that phrase eg REF_Sometext eg REF_SSLSERXXXXAPN0000ref_sslserxxxxapn. Sits after the private key

    On the client side, ensure settings are matched eg compression, encapsulation etc and the client side is set as client.
    Use TLS + Password, entering the above details for username/password and the above certs in the appropriate places.

    Works a treat. I've not tried it with an openvpn client yet but it should work. I'm using a router that uses an openvpn client so it's the same but I've just got a GUI. I'll try with an openvpn client on one of my servers and let you know the details.


    Using with OpenVPN Client

    Store the username/password credentials (obtained above from apc file) in a file called user.creds like so:


    Place that file in the same directory as you put the certs into.

    openvpn server.conf example (but you can get the idea of it from here no matter what client you are using)

    # set the client side as client (as noted above); ca/cert/key and
    # auth-user-pass are only accepted by OpenVPN in TLS client mode
    client
    dev tun
    proto udp
    hand-window 30
    port 1194
    # your remote IP
    remote <your remote IP>
    resolv-retry infinite
    # your CA cert
    ca /etc/openvpn/certs/some_CA.crt
    # your cert
    cert /etc/openvpn/certs/some_cert.crt
    # your private key
    key /etc/openvpn/certs/some_key.key

    # your route (network and netmask), yada yada, as many as you want
    route <network> <netmask>
    route <network> <netmask>

    cipher AES-256-CBC
    auth SHA1

    route-delay 4
    verb 3

    reneg-sec 0
    # your username/password file
    auth-user-pass /etc/openvpn/certs/user.creds
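    The extraction the post describes (three PEM blocks in order, then a user.creds file for auth-user-pass), as an added Python example that is not from the thread or from Sophos. The .apc sample, file names and placeholder credentials are constructed; the DER check is only a cheap format check, not certificate validation, and the username/password are passed in by hand because the post describes them only loosely.

```python
import base64, os, re, stat

# One PEM block; the END label must match the BEGIN label.
PEM_RE = re.compile(r"-----BEGIN (?P<label>[A-Z ]+)-----\s*"
                    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END (?P=label)-----")

def check_der(pem_block):
    """Cheap check: base64 must decode to DER starting with SEQUENCE (0x30)."""
    body = "".join(pem_block.splitlines()[1:-1])
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("PEM body is not DER (no leading SEQUENCE tag)")
    return len(der)

def split_apc_pem(apc_text):
    """Blocks in the post's order: client cert, CA cert, private key -> file name."""
    blocks = [(m.group("label"), m.group(0)) for m in PEM_RE.finditer(apc_text)]
    certs = [b for lbl, b in blocks if lbl == "CERTIFICATE"]
    keys = [b for lbl, b in blocks if lbl.endswith("PRIVATE KEY")]
    if len(certs) != 2 or len(keys) != 1:
        raise ValueError(f"expected 2 certs and 1 key, found {len(certs)}/{len(keys)}")
    for _, block in blocks:
        check_der(block)
    return {"some_cert.crt": certs[0], "some_CA.crt": certs[1], "some_key.key": keys[0]}

def write_client_files(pem_files, username, password, outdir):
    """Write PEM files plus user.creds (username line, password line); key/creds 0600."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for name, content in pem_files.items():
        paths.append(os.path.join(outdir, name))
        with open(paths[-1], "w") as fh:
            fh.write(content + "\n")
    paths.append(os.path.join(outdir, "user.creds"))
    with open(paths[-1], "w") as fh:
        fh.write(f"{username}\n{password}\n")
    for path in paths:
        if path.endswith((".key", ".creds")):
            os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)   # 0600: secrets, owner only
    return paths

# Constructed stand-in for an exported .apc: each base64 body is a 5-byte dummy
# DER SEQUENCE, not a real certificate or key.
SAMPLE_APC = ("...apc text...\n"
              "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
              "...more apc text...\n"
              "-----BEGIN CERTIFICATE-----\nMAMCAQI=\n-----END CERTIFICATE-----\n"
              "-----BEGIN PRIVATE KEY-----\nMAMCAQM=\n-----END PRIVATE KEY-----\n")
```

Call write_client_files(split_apc_pem(text), user, password, "/etc/openvpn/certs") with the real .apc text to produce the files the config above points at.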