How to connect using an OpenVPN capable device to SSL VPN on Sophos

I have a device (NewRock IP phone) that I want to connect through SSL VPN to our HQ XG firewall. The device supports OpenVPN but I assume Sophos uses the same thing for SSL VPN.

In the OpenVPN parameters, the device asked for the ".ovpn" file which I downloaded from the user portal.

The device does not have any fields for user name and password in OpenVPN! It also needs 3 other files: "Root Certificate.crt, Client Certificate.crt and Client Key.key".

How can I get these files? Is it necessary to have these 3 files? Is there a way that I can include username and password in the .ovpn file?

Would appreciate if you can give me a solution.

Thank you,

  • Hi  

    If your device supports OpenVPN, the .ovpn file should have all of the needed files for it to connect.

    Refer to the following article for reference (the process is similar): Sophos XG Firewall: How to configure SSL VPN for android devices using OpenVPN Connect
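
The inline layout the reply refers to, as an added example that is not part of the original posts: OpenVPN profiles can embed the CA certificate, client certificate and private key in `<ca>`, `<cert>` and `<key>` blocks, and this script splits them into the three files the device asks for. It assumes the downloaded profile uses those inline blocks; the output file names and the sample profile are constructed for illustration.

```python
# OpenVPN inline blocks mapped to the three files the device asks for.
# The output file names are assumptions, chosen to mirror the question.
INLINE_TAGS = {"ca": "root_certificate.crt",
               "cert": "client_certificate.crt",
               "key": "client_key.key"}

# Constructed sample profile: host, port and PEM bodies are placeholders.
SAMPLE_PROFILE = """client
dev tun
remote vpn.example.invalid 8443
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CA-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CLIENT-PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-KEY-PLACEHOLDER
-----END PRIVATE KEY-----
</key>
"""

def split_profile(text):
    """Return ({file name: PEM text}, profile text without those blocks)."""
    files, rest, tag, buf = {}, [], None, []
    for line in text.splitlines():
        s = line.strip()
        if tag is None and s[:1] == "<" and s[-1:] == ">" and s[1:-1] in INLINE_TAGS:
            tag, buf = s[1:-1], []          # opening <ca>, <cert> or <key>
        elif tag is not None and s == f"</{tag}>":
            files[INLINE_TAGS[tag]] = "\n".join(buf) + "\n"
            tag = None                      # block closed, PEM body captured
        elif tag is not None:
            buf.append(s)                   # line inside an inline block
        else:
            rest.append(line)               # ordinary directive, keep as-is
    missing = sorted(set(INLINE_TAGS.values()) - set(files))
    if tag is not None or missing:
        raise ValueError(f"incomplete profile, missing: {missing}")
    return files, "\n".join(rest) + "\n"
```

Write `client_key.key` with owner-only permissions (mode 0600) before copying it to the device. OpenVPN's `auth-user-pass` option also accepts a path to a file holding the username and password on two lines; whether the phone's client supports that is not stated in this thread.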


  • In reply to FloSupport:

    Has anything changed since the last firmware release (i.e. from SFOS 17.5.6 MR-6 to SFOS 17.5.7 MR-7)?

    SSL VPN used to work on my Samsung Note9 (running Android OS 8.1.0 with OpenVPN v3.0.6 (3510)) on SFOS 17.5.6 MR-6 but after the last upgrade, that seemed to fail miserably with the logs in the Android phone reporting an error concerning the SSL certificate - "Client exception in transport_recv_excode: mbed TLS: SSL read error : SSL - Processing of the CertificateRequest handshake message failed"

    The same SSL VPN set up works for my two Windows clients, so that tells me that everything is still configured correctly on the XG86. I did recreate the certificate, in the event that might help resolve it but no change.

    So for now, I'm sticking to SSL VPN for the Windows clients and have just set up L2TP to be available to the same user (as I'm the only VPN user of this network) for the purpose of Android.

    If anyone has any tips or suggestions, I'm all ears.

  • In reply to Tony Antoniou:

    Tony Antoniou
    If anyone has any tips or suggestions, I'm all ears.

    Join the app beta within the Google Play Store and update your OpenVPN app to 3.0.7. This will resolve your problem.
    I had the same issue and opened a support ticket at OpenVPN. This morning they provided me this solution. 

    But all in all I suspect the real problem is on Sophos' side. Perhaps they're using an old OpenVPN implementation.

  • In reply to dja:

    You nailed it. Thank you very much!!

    As for where the real problem is, I think it was just a matter of OpenVPN playing catch-up because according to OpenVPN's release notes, they updated the mbedTLS library. That tells me that Sophos updated the XG and OpenVPN was behind the eight-ball.

    Now I can deactivate the L2TP functionality on the XG. Again, nice work mate. Thank you!