SSL VPN (remote access) behind the ISP router

Hi

My LAN is set up as follows:

INTERNET --- ISP ROUTER (192.168.1.250) ----- DMZ: SOPHOS XG Firewall (192.168.1.251 / 192.168.16.250) --- LAN (192.168.16.x)

So ALL the incoming traffic from the web goes to the Sophos, since I set up the DMZ on the ISP router as 192.168.1.251 (the WAN address of the Sophos).

I followed https://community.sophos.com/kb/en-us/122769 to set up the SSL VPN (remote access).

Then, as a distant user, I successfully downloaded, installed and ran the VPN client, but I can't connect to the VPN.

Here is the log:

Sun Apr 05 10:01:26 2020 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jul 3 2017
Sun Apr 05 10:01:26 2020 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.09
Sun Apr 05 10:01:26 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Apr 05 10:01:26 2020 Need hold release from management interface, waiting...
Sun Apr 05 10:01:26 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun Apr 05 10:01:26 2020 MANAGEMENT: CMD 'state on'
Sun Apr 05 10:01:26 2020 MANAGEMENT: CMD 'log all on'
Sun Apr 05 10:01:26 2020 MANAGEMENT: CMD 'hold off'
Sun Apr 05 10:01:26 2020 MANAGEMENT: CMD 'hold release'
Sun Apr 05 10:01:39 2020 MANAGEMENT: CMD 'username "Auth" "cyril.thibout"'
Sun Apr 05 10:01:39 2020 MANAGEMENT: CMD 'password [...]'
Sun Apr 05 10:01:40 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Apr 05 10:01:40 2020 Attempting to establish TCP connection with [AF_INET]192.168.1.251:8443 [nonblock]
Sun Apr 05 10:01:40 2020 MANAGEMENT: >STATE:1586073700,TCP_CONNECT,,,,,,
Sun Apr 05 10:01:50 2020 TCP: connect to [AF_INET]192.168.1.251:8443 failed, will try again in 5 seconds: Le système a tenté de joindre un lecteur à un répertoire stocké sur un lecteur joint.
Sun Apr 05 10:01:50 2020 SIGUSR1[soft,init_instance] received, process restarting
Sun Apr 05 10:01:50 2020 MANAGEMENT: >STATE:1586073710,RECONNECTING,init_instance,,,,,
Sun Apr 05 10:01:50 2020 Restart pause, 5 second(s)

As you can see, the VPN tries to connect to 192.168.1.251:8443, and it seems it fails because of the two-stage configuration I have instead of the simpler configuration described in https://community.sophos.com/kb/en-us/122769

How should I adapt the KB page to my setup, please?

Thanks

cyril
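
An added triage example, not part of the original post: it scans OpenVPN client log lines in the two formats shown in the log above and flags remote endpoints that are private (non-routable) addresses, which a client outside the LAN cannot reach. The sample log and the function name `triage` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the format of the client log above (error text shortened).
SAMPLE_LOG = """\
Sun Apr 05 10:01:40 2020 Attempting to establish TCP connection with [AF_INET]192.168.1.251:8443 [nonblock]
Sun Apr 05 10:01:50 2020 TCP: connect to [AF_INET]192.168.1.251:8443 failed, will try again in 5 seconds: timeout
Sun Apr 05 10:01:50 2020 Restart pause, 5 second(s)
"""

# Only the two line formats that appear in the posted log are matched.
ATTEMPT = re.compile(r"Attempting to establish TCP connection with \[AF_INET\](\S+):(\d+)")
FAILED = re.compile(r"TCP: connect to \[AF_INET\](\S+):(\d+) failed")


def triage(log_text):
    """Return one finding per remote endpoint the client tried to reach."""
    failures = {}  # (remote, port) -> number of failed connects
    for line in log_text.splitlines():
        m = ATTEMPT.search(line)
        if m:
            failures.setdefault((m.group(1), int(m.group(2))), 0)
            continue
        m = FAILED.search(line)
        if m:
            key = (m.group(1), int(m.group(2)))
            failures[key] = failures.get(key, 0) + 1

    findings = []
    for (remote, port), count in failures.items():
        try:
            # is_private covers RFC 1918 ranges plus loopback, link-local, etc.
            scope = "private" if ipaddress.ip_address(remote).is_private else "public"
        except ValueError:
            scope = "hostname"  # a name, not an address: not classified here
        findings.append({"remote": remote, "port": port,
                         "failures": count, "scope": scope})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        note = " <- not routable from outside the LAN" if f["scope"] == "private" else ""
        print(f"{f['remote']}:{f['port']} scope={f['scope']} failures={f['failures']}{note}")
```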

 


