

Question about coming from pfsense to sophos

Hi,

 

I am wanting to move from pfsense. I have been using it for 2 years, largely without issue, until I wanted to use a NIC to run behind a PIA VPN. I asked the question in the forums, only to be rather aggressively told it could be done, and so began my nightmare journey. I spent days trying to do this; I followed a guide from PIA themselves on how to achieve this, only to find it not working as expected and to get barked at by the moderator at pfsense, telling me that PIA and their users are useless, it's all wrong, do it like this, etc. This has gone on for days, with abusive responses to all of my questions, so I have decided to leave pfsense. I am not a network engineer, which is what it appears I am expected to be. When I did actually get it running (from Reddit forums and YouTube videos) I had DNS leaks and the kill switch did nothing.

I currently have the following hardware

Model: HP Gen8 Microserver
M/B: Version - s/n:
BIOS: HP Version J06. Dated: 01/22/2018
CPU: Intel® Core™ i5-3470T CPU @ 2.90GHz
HVM: Enabled
IOMMU: Enabled
Cache: 64 KiB, 512 KiB, 3072 KiB
Memory: 16 GiB DDR3 Single-bit ECC (max. installable capacity 16 GiB)
Network: eth0: 1000 Mbps, full duplex, mtu 1500
eth1: interface down

I also have a 4 port nic with a bt modem going into port 1

LAN network on port 2

UniFi network on port 3

Port 4 I would like to be the vpn network (PIA if possible) with no dns leaks & a kill switch

 

I run unraid on this server and pfsense is running as a VM

 

Is Sophos right for me? If so, which version? Would I be able to achieve what I am looking to do?

 

Many Thanks in advance! :-)



  • Hi,

    Welcome to the Community!

     

    already answered some of your questions, now let's talk about PiA VPN.

    Apparently the main way to connect to PiA VPN is OpenVPN, which won't work with Sophos XG. Your best bet, and best practice, would be to create an IPsec tunnel to PiA, which is fully supported by PiA.

    On Sophos XG v18 the process would be standard: first set up the IPsec tunnel as a Tunnel Interface with all the settings from PiA (you will also need to authenticate as a client with your PiA account). After that, create the new VPN server IP as a Gateway for it on Sophos XG; then you can decide what you want to route over the VPN.

    If you want everything from Port4 to be sent to PiA, you can create an SD-WAN policy for this, using the PiA VPN as the primary gateway. As for the kill switch: as you're sending all traffic over the PiA gateway, if that gateway goes down, your traffic will go down too.

    For DNS leaks, the same applies as for the kill switch: everything will be routed to the PiA VPN. For something better, you could also create a NAT rule and redirect all DNS traffic to the PiA VPN DNS servers.

     

    I'm sorry, I know this information is pretty vague, but much of it you will learn by doing it.

     

    Thanks!

     


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 EAP @ Home

    Sophos ZTNA (KVM) @ Home
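The reply above describes two things that are easy to get subtly wrong: the "kill switch" (the VPN LAN has no path to the Internet other than the tunnel gateway) and the DNS redirect (port-53 traffic from the VPN LAN is forced to the provider's resolvers). The following is an added example written for this thread, not Sophos code and not a Sophos configuration: a small Python model of a policy route with an optional backup gateway plus a DNAT rule, with a checker that reports traffic from Port4 that leaves via the WAN or still carries DNS to a non-VPN resolver. Interface names, gateway names and all IP addresses are assumptions chosen for the example (RFC 5737 documentation ranges); the sample packets are constructed.

```python
# Added example (not Sophos code or configuration): a model of a policy route
# with an optional fallback gateway and a DNS DNAT rule, used to show when
# traffic from the VPN LAN leaks past the tunnel. All names/addresses are assumed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VPN_DNS = ("198.51.100.53", "198.51.100.54")   # assumed VPN-provider resolvers
ISP_DNS = "203.0.113.53"                       # assumed ISP resolver (leak target)


@dataclass(frozen=True)
class Packet:
    src_iface: str      # e.g. "Port4", the VPN LAN in the thread
    dst: str
    dport: int
    proto: str = "udp"


@dataclass
class Firewall:
    # gateway name -> is that gateway (tunnel interface or WAN) currently up?
    gateways: Dict[str, bool]
    # SD-WAN style policy route: source interface -> (primary, optional backup)
    policy: Dict[str, Tuple[str, Optional[str]]]
    # interfaces whose port-53 traffic is DNAT'd to VPN_DNS
    dns_redirect_ifaces: Tuple[str, ...] = ()

    def apply_dnat(self, pkt: Packet) -> Packet:
        """The 'NAT rule' from the reply: DNS from the VPN LAN is rewritten to the
        provider's resolvers regardless of which resolver the client asked."""
        if (pkt.src_iface in self.dns_redirect_ifaces
                and pkt.dport == 53 and pkt.dst not in VPN_DNS):
            return Packet(pkt.src_iface, VPN_DNS[0], 53, pkt.proto)
        return pkt

    def route(self, pkt: Packet) -> Tuple[Packet, str]:
        """Return (packet after NAT, gateway used or 'DROP')."""
        pkt = self.apply_dnat(pkt)
        primary, backup = self.policy[pkt.src_iface]
        if self.gateways[primary]:
            return pkt, primary
        if backup is not None and self.gateways[backup]:
            return pkt, backup      # fallback: traffic leaves outside the tunnel
        return pkt, "DROP"          # kill switch: no other path, so it is dropped


def find_leaks(fw: Firewall, pkts: List[Packet], vpn_gw: str) -> List[Tuple[Packet, str]]:
    """Report traffic that reaches the Internet through anything but the VPN
    gateway, and DNS that still goes to a non-VPN resolver (even via the tunnel)."""
    leaks = []
    for p in pkts:
        out, gw = fw.route(p)
        if gw == "DROP":
            continue
        if gw != vpn_gw:
            leaks.append((out, f"egress via {gw}"))
        elif out.dport == 53 and out.dst not in VPN_DNS:
            leaks.append((out, "DNS to non-VPN resolver"))
    return leaks


# Constructed sample traffic from the VPN LAN.
SAMPLE = [
    Packet("Port4", "203.0.113.10", 443, "tcp"),   # ordinary HTTPS
    Packet("Port4", ISP_DNS, 53),                  # client configured with ISP DNS
    Packet("Port4", "8.8.8.8", 53),                # client hard-coded a public DNS
]


def leaky_firewall(vpn_up: bool) -> Firewall:
    """Port4 falls back to the WAN gateway when the tunnel drops; no DNS redirect."""
    return Firewall({"PIA": vpn_up, "WAN": True}, {"Port4": ("PIA", "WAN")})


def strict_firewall(vpn_up: bool) -> Firewall:
    """Port4 has only the VPN gateway (kill switch) plus the DNS redirect."""
    return Firewall({"PIA": vpn_up, "WAN": True}, {"Port4": ("PIA", None)},
                    dns_redirect_ifaces=("Port4",))


if __name__ == "__main__":
    for name, build in (("leaky", leaky_firewall), ("strict", strict_firewall)):
        for up in (True, False):
            state = "tunnel up" if up else "tunnel down"
            print(f"{name:6} {state:11} leaks={find_leaks(build(up), SAMPLE, 'PIA')}")
```

The model makes "no usable gateway" an explicit drop. That is the property to verify on the real firewall rather than assume: after the policy route and tunnel are configured, take the tunnel down and confirm from a Port4 client that it loses connectivity (egress IP and resolver checks both fail) instead of quietly going out via the WAN through the default route. The DNS DNAT rule matters even with the route in place, because a client with a hard-coded resolver would otherwise still send its queries to that resolver, just through the tunnel.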

  • Hi,

    Following on from your reply yesterday, I took the plunge and have "almost" everything working as hoped, except for the PIA VPN.

     

    I am trying to tackle that now and looked for a guide, others' experiences, etc., only to find that it is apparently not possible? (One of the mods on here replied "not possible" in a post 6 months ago.)

     

    I have found several users on here asking for help from 2 years back to present un-answered and reddit was, well far ruder.

     

    Can you please help me out here with what I have to do to get the VPN working? The way you described it sounds perfect, but I would not know where to start to complete it, as I cannot find any guides or information.

     

    Many Thanks

  • also, I am happy to change VPN Provider if it would make things easier?

  • Sophos XG is a business/enterprise firewall. The main issue with setting up those consumer-grade VPN providers is that most of them only offer access through OpenVPN, which is not supported on Sophos XG.

    Any VPN provider that offers IPsec will work with XG. The only problem with this is that you won't find any guide on how exactly to do it, so it will be a process of trial and error.

    Some time ago I used IPsec to one of my VPSes in Canada; it worked flawlessly, but after a week I realised I had no personal need for it anymore.

     

    About the other question you just asked:

    Looking at PiA VPN, they don't offer IPsec (Wrong, will write the comment with the information about this.), so your best bet right now is to find someone else that supports it. From memory, NordVPN and some others in the wild support IPsec. (You will have to dig up some information about this first.)

     

    Thanks,



  • ah, this is worrying! :-(

     

    Yesterday you said IPsec was fully supported by PIA?

     

    I will look for other providers, but after looking around some more I have a feeling I am going to fall at the final hurdle, as the VPN is a dealbreaker (and a whole day wasted).

     

    I will update back here whatever the outcome.

  • Sorry, I've updated the last comment, PiA VPN supports It, and there's a lot of successful stories about this.

     

    (I will be updating this comment with more information when I get back home.)

    Instead of certificates you will use a standard PiA PSK, which is "mysafety".

    The Username and password for authentication will be needed to be generated through the Control Panel on PiA VPN.

    They are using AES-128 for encryption and SHA256 for authentication.

    And the Peer name will be with the domain of that Host/Country from PiA. (I'll be getting the list later.)

     

    Lastly, I'm just not sure what it uses, IKEv1 or IKEv2.

     

    Thanks!


