VPN SSL connection from outside

Hello,

I'm a newbie and I'm configuring my first firewall, a Sophos XG115.

There was a Raspberry Pi with OpenVPN before the firewall installation to reach the internal resources from outside.

Now this should be possible with the XG. I've tried a few things following a few instructions, but nothing worked.

I have a DynDNS account (like before with the RaspberryPi)...

I tried this: https://community.sophos.com/kb/en-us/122769 but without the subnet, because I want to reach a specific virtual machine on a server.

In the VPN settings, I've tried to fill in the Override Hostname with the URL from the DynDNS. This URL shows the correct external IP in the SSL VPN client from outside.

But there is a TLS error in the log and I cannot establish a VPN connection.

Is there anything wrong in the firewall rules?

 

Thanks.

  • Use the article you told us about: https://community.sophos.com/kb/en-us/122769.

    Do exactly as it says, and the firewall will link the "other IP" to the local subnet, no problem.

    FYI: OpenVPN is a client that works with Sophos XG SSL VPN.

  • In reply to Hayim Caspy:

    And the DynDNS? Should I not override the hostname?

    What do you mean by "link the other IP"?

  • In reply to Dominik Nill:

    I've tried it again.

    It is working internally, but not outside the network.

    Log:

    Thu Aug 22 19:47:47 2019 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jul 3 2017
    Thu Aug 22 19:47:47 2019 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.09
    Thu Aug 22 19:47:47 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Thu Aug 22 19:47:47 2019 Need hold release from management interface, waiting...
    Thu Aug 22 19:47:48 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Thu Aug 22 19:47:48 2019 MANAGEMENT: CMD 'state on'
    Thu Aug 22 19:47:48 2019 MANAGEMENT: CMD 'log all on'
    Thu Aug 22 19:47:48 2019 MANAGEMENT: CMD 'hold off'
    Thu Aug 22 19:47:48 2019 MANAGEMENT: CMD 'hold release'
    Thu Aug 22 19:47:52 2019 MANAGEMENT: CMD 'username "Auth" "*"'
    Thu Aug 22 19:47:52 2019 MANAGEMENT: CMD 'password [...]'
    Thu Aug 22 19:47:52 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Thu Aug 22 19:47:52 2019 UDPv4 link local: [undef]
    Thu Aug 22 19:47:52 2019 UDPv4 link remote: [AF_INET]192.168.100.124:8443
    Thu Aug 22 19:47:52 2019 MANAGEMENT: >STATE:1566496072,WAIT,,,,,,
    Thu Aug 22 19:48:52 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Thu Aug 22 19:48:52 2019 TLS Error: TLS handshake failed
    Thu Aug 22 19:48:52 2019 SIGUSR1[soft,tls-error] received, process restarting
    Thu Aug 22 19:48:52 2019 MANAGEMENT: >STATE:1566496132,RECONNECTING,tls-error,,,,,

  • In reply to Dominik Nill:

    Hello,

    When you change the configuration of your SSL VPN server on the XG, you must download the configuration file again from your user portal.

    In your last post, it seems to be connecting to the 192.168.100.124 IP instead of your DynDNS or public IP.

    So: download your VPN configuration file again from your user portal and it will work.

  • In reply to VikenNajarian:

    I've also tried this.

    But there is the same result:

    Thu Aug 22 20:10:40 2019 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jul 3 2017
    Thu Aug 22 20:10:40 2019 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.09
    Enter Management Password:
    Thu Aug 22 20:10:40 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Thu Aug 22 20:10:40 2019 Need hold release from management interface, waiting...
    Thu Aug 22 20:10:41 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Thu Aug 22 20:10:41 2019 MANAGEMENT: CMD 'state on'
    Thu Aug 22 20:10:41 2019 MANAGEMENT: CMD 'log all on'
    Thu Aug 22 20:10:41 2019 MANAGEMENT: CMD 'hold off'
    Thu Aug 22 20:10:41 2019 MANAGEMENT: CMD 'hold release'
    Thu Aug 22 20:10:45 2019 MANAGEMENT: CMD 'username "Auth" "*"'
    Thu Aug 22 20:10:45 2019 MANAGEMENT: CMD 'password [...]'
    Thu Aug 22 20:10:45 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Thu Aug 22 20:10:45 2019 MANAGEMENT: >STATE:1566497445,RESOLVE,,,,,,
    Thu Aug 22 20:10:49 2019 UDPv4 link local: [undef]
    Thu Aug 22 20:10:49 2019 UDPv4 link remote: [AF_INET]"PUBLIC IP":8443
    Thu Aug 22 20:10:49 2019 MANAGEMENT: >STATE:1566497449,WAIT,,,,,,
    Thu Aug 22 20:11:50 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Thu Aug 22 20:11:50 2019 TLS Error: TLS handshake failed
    Thu Aug 22 20:11:50 2019 SIGUSR1[soft,tls-error] received, process restarting

  • In reply to Dominik Nill:

    Please post a screenshot of your SSL VPN configuration.

  • In reply to Dominik Nill:

    Here is also the config file from the SSL VPN client:

    ip-win32 dynamic
    client
    dev tun
    proto udp
    explicit-exit-notify
    verify-x509-name "CERTIFICATE DETAILS"
    route remote_host 255.255.255.255 net_gateway
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    <ca>
    -----BEGIN CERTIFICATE-----

    -----END CERTIFICATE-----
    </ca>
    <cert>
    -----BEGIN CERTIFICATE-----

    -----END CERTIFICATE-----
    </cert>
    <key>
    -----BEGIN RSA PRIVATE KEY-----

    -----END RSA PRIVATE KEY-----
    </key>
    auth-user-pass
    cipher AES-128-CBC
    auth SHA256
    comp-lzo no
    route-delay 4
    verb 3
    reneg-sec 0
    remote DYNDNS-URL 8443
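    The two logs above already tell the story: the first attempt dials 192.168.100.124, the XG's WAN address on the private segment behind the Telekom router, and the second dials the public IP but still gets no answer before the 60-second TLS timeout. The script below is an added example, not part of this thread or of any Sophos tooling. It classifies a failed OpenVPN client log (which peer was dialled, and why it most likely never answered) and pulls the remote/port out of an .ovpn so the needed port forward can be read off directly. The log lines and config snippet are constructed from the posts above; 203.0.113.10 is an assumed stand-in (RFC 5737 documentation address) for the redacted public IP.

```python
import ipaddress
import re

# Constructed sample input: the relevant lines from the two OpenVPN client logs posted in
# this thread. The redacted "PUBLIC IP" in the second log is replaced by 203.0.113.10, an
# RFC 5737 documentation address used here only as a placeholder.
LOG_FIRST_ATTEMPT = """\
Thu Aug 22 19:47:52 2019 UDPv4 link remote: [AF_INET]192.168.100.124:8443
Thu Aug 22 19:47:52 2019 MANAGEMENT: >STATE:1566496072,WAIT,,,,,,
Thu Aug 22 19:48:52 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Aug 22 19:48:52 2019 TLS Error: TLS handshake failed
"""

LOG_SECOND_ATTEMPT = """\
Thu Aug 22 20:10:45 2019 MANAGEMENT: >STATE:1566497445,RESOLVE,,,,,,
Thu Aug 22 20:10:49 2019 UDPv4 link remote: [AF_INET]203.0.113.10:8443
Thu Aug 22 20:10:49 2019 MANAGEMENT: >STATE:1566497449,WAIT,,,,,,
Thu Aug 22 20:11:50 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Aug 22 20:11:50 2019 TLS Error: TLS handshake failed
"""

# Constructed sample: the reachability-relevant directives of the posted .ovpn.
OVPN_SNIPPET = """\
client
dev tun
proto udp
remote DYNDNS-URL 8443
"""

REMOTE_RE = re.compile(r"(UDP|TCP)v4 link remote: \[AF_INET\](\d+\.\d+\.\d+\.\d+):(\d+)")
TIMEOUT_RE = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")

# Address space that cannot be reached from the internet: RFC 1918 plus the carrier-grade
# NAT range (RFC 6598). A WAN address inside 100.64.0.0/10 means the ISP itself is doing
# NAT and no port forward on the customer router can help.
UNROUTABLE = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def is_unroutable_from_internet(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in UNROUTABLE)


def parse_remote(log):
    """(proto, ip, port) of the peer the client actually tried, or None if it never got that far."""
    m = REMOTE_RE.search(log)
    if not m:
        return None
    return m.group(1).lower(), m.group(2), int(m.group(3))


def parse_ovpn(text):
    """Pull remote host/port and transport from a client config; defaults are OpenVPN's own."""
    cfg = {"remote": None, "port": 1194, "proto": "udp"}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "remote" and len(parts) >= 2:
            cfg["remote"] = parts[1]
            if len(parts) >= 3:
                cfg["port"] = int(parts[2])
        elif parts[0] == "proto" and len(parts) >= 2:
            cfg["proto"] = parts[1].rstrip("46")   # udp4 / udp6 -> udp
    return cfg


def diagnose(log):
    """Classify a failed handshake: which peer was dialled and why it most likely never answered."""
    remote = parse_remote(log)
    if remote is None:
        return {"cause": "no_connect",
                "hint": "no 'link remote' line: the remote host name did not resolve"}
    proto, ip, port = remote
    timed_out = TIMEOUT_RE.search(log) is not None
    if is_unroutable_from_internet(ip):
        return {"cause": "private_remote", "remote": ip, "port": port,
                "hint": "config points at an address that is not routable from the internet; "
                        "set the override hostname to the DynDNS name and download the .ovpn again"}
    if timed_out:
        return {"cause": "no_reply", "remote": ip, "port": port,
                "hint": f"no answer on {proto}/{port}: verify the upstream router forwards "
                        f"{proto}/{port} to the XG WAN address and that the SSL VPN service "
                        "is permitted from the WAN zone"}
    return {"cause": "other", "remote": ip, "port": port,
            "hint": "handshake did not time out; look for certificate or auth errors instead"}


if __name__ == "__main__":
    for name, log in (("first attempt", LOG_FIRST_ATTEMPT), ("second attempt", LOG_SECOND_ATTEMPT)):
        print(name, diagnose(log))
    print("config expects:", parse_ovpn(OVPN_SNIPPET))
```

    A "private_remote" result means the .ovpn still embeds the WAN address from before the hostname override and has to be downloaded again; "no_reply" against a public address means the packets never reach the XG, which on this setup points at the NAT rule on the Digitalisierungsbox (udp/8443 to 192.168.100.124). A WAN address in 100.64.0.0/10 would mean carrier-grade NAT at the ISP, a case no port forward on the customer router can fix.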

  • In reply to Dominik Nill:

    Please also post the "show VPN settings" from the upper right corner.

  • In reply to Dominik Nill:

    Your configuration seems to be good (I suggest changing the key size setting from 2048 to 1024 bits, just to optimize your VPN once it works :) ).

    How is the WAN connection configured on your XG? Which technology is configured in the XG (PPPoE, DHCP, static IP)? Is there another router in front of your XG with another private IP?

  • In reply to VikenNajarian:

    Okay, I will change the key size. ;-)

    The XG is connected via DHCP to a router in front of it.

    Router IP: 192.168.100.1

    Sophos WAN: 192.168.100.124

    Sophos LAN: 192.168.0.2

    In front, there is an Elmeg Digitalisierungsbox from Telekom in Germany.

  • In reply to Dominik Nill:

    The router in front still has an old forwarding rule from OpenVPN, but for another port: 1194, the OpenVPN default.

  • In reply to Dominik Nill:

    OK, so I suppose you created a NAT rule on your router to forward port 8443 to the 192.168.100.124 IP, right?

    Maybe the problem is there. You should check on the router side that the 8443 traffic received on your public IP is actually forwarded to the XG's NATed IP.
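    The check VikenNajarian suggests can be done from outside (for instance from a phone hotspot, since from inside the LAN the router may not hairpin to its own public IP, which matches "works internally, not from outside") without the full client. The script below is an added example, not part of this thread or of the Sophos product. It sends the very first packet of the OpenVPN protocol, a P_CONTROL_HARD_RESET_CLIENT_V2, to the forwarded UDP port and checks whether an OpenVPN server answers with a P_CONTROL_HARD_RESET_SERVER_V2 that acknowledges our session id. It assumes the XG's SSL VPN server behaves like stock OpenVPN without tls-auth or tls-crypt, which is consistent with the posted .ovpn (neither directive appears); with either option enabled a server silently drops unsigned packets and the probe cannot tell "filtered" from "up". DYNDNS-URL is the thread's placeholder, not a real host.

```python
import os
import socket
import struct
import sys

# Opcodes from the OpenVPN wire protocol (ssl_pkt.h / ssl.h in the OpenVPN sources).
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8


def build_client_hard_reset(session_id=None):
    """First packet a client sends: opcode/key_id byte, our 8-byte session id, an empty ACK
    array (length 0) and packet id 0. No tls-auth/tls-crypt, matching the posted .ovpn."""
    if session_id is None:
        session_id = os.urandom(8)
    if len(session_id) != 8:
        raise ValueError("session id must be 8 bytes")
    header = bytes([(P_CONTROL_HARD_RESET_CLIENT_V2 << 3) | 0])   # key_id 0
    return header + session_id + b"\x00" + struct.pack(">I", 0)


def parse_control_packet(data):
    """Decode the fixed part of a P_CONTROL packet (no tls-auth/tls-crypt framing).
    Returns None for anything too short to be one; P_ACK_V1 has no packet id and also yields None."""
    if len(data) < 10:
        return None
    opcode, key_id = data[0] >> 3, data[0] & 0x07
    session_id = data[1:9]
    ack_len = data[9]
    pos = 10 + 4 * ack_len
    if len(data) < pos:
        return None
    acked = [struct.unpack(">I", data[10 + 4 * i:14 + 4 * i])[0] for i in range(ack_len)]
    remote_session_id = None
    if ack_len:                                  # ACKs are followed by the peer's session id
        if len(data) < pos + 8:
            return None
        remote_session_id = data[pos:pos + 8]
        pos += 8
    if len(data) < pos + 4:
        return None
    packet_id = struct.unpack(">I", data[pos:pos + 4])[0]
    return {"opcode": opcode, "key_id": key_id, "session_id": session_id,
            "acked": acked, "remote_session_id": remote_session_id, "packet_id": packet_id}


def is_server_hard_reset_for(reply, our_session_id):
    """True only if the reply is a server hard reset acknowledging our own session id,
    i.e. an OpenVPN server really received our probe on that address and port."""
    pkt = parse_control_packet(reply)
    return (pkt is not None
            and pkt["opcode"] == P_CONTROL_HARD_RESET_SERVER_V2
            and pkt["remote_session_id"] == our_session_id)


def probe(host, port, timeout=3.0):
    """Send one hard reset over UDP and report whether an OpenVPN server answered."""
    sid = os.urandom(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_client_hard_reset(sid), (host, port))
        try:
            reply, _ = s.recvfrom(2048)
        except socket.timeout:
            return False
    return is_server_hard_reset_for(reply, sid)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "DYNDNS-URL"   # placeholder from the thread
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    print("OpenVPN answered" if probe(host, port) else "no OpenVPN reply (timeout)")
```

    Run it as `python3 ovpn_probe.py <dyndns-name> 8443` from a connection outside the LAN. If the probe against 192.168.100.124 from the 192.168.100.0/24 segment succeeds while the same probe against the public name from outside times out, the XG is fine and the NAT rule on the router in front is what is missing or wrong (the old rule still forwards 1194, not 8443).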

  • In reply to VikenNajarian:

    I will check it tomorrow.

    But then the DynDNS should be configured on the router in front of the XG. Is that right?