
Sophos XG WAN access and VPN/OpenVPN issues

I don't think routes are being added when OpenVPN connects. Here is the issue:

I've set up Sophos XG with VMware Fusion; port forwarding is done for WAN access, and I'm testing via iPhone... I've also set up a separate VM on the LAN for SMB sharing of a folder and enabled sharing on that, with rules in place on Sophos.

UDP & TCP: 135-139 and port 445 from WAN to LAN rule

Testing the OpenVPN app on iPhone over cellular on purpose so I'm outside the network. 1x Host-only, 1x Bridged NICs.

Imported the .ovpn, and OpenVPN connects... It shows under "Current activities" on Sophos, but despite seeing logs in OpenVPN about "route added <IP address>:8843", doing a "what is my IP" check from the iPhone while connected still resolves to the mobile carrier, which indicates the routes are NOT added. Otherwise the VPN server would be shown instead.

This would be basically the same as a DNS leak from VPN providers... It also explains why I cannot access the mapped share... Although I do see the folder after I tap "Connect to Server" in the Files app on iOS and enter the details, I get "Content is unavailable" when I open the shared folder.

I just assumed that since the Sophos WAN has internet access, the same would apply when connected remotely over VPN as well (unless I restricted it).

Everything is OK locally, though. I cannot ping the mobile when the VPN is connected, and vice versa... Any suggestions?

  • 2021-07-13 10:47:43 ----- OpenVPN Start -----
    OpenVPN core 3.git::58b92569 ios arm64 64-bit
    2021-07-13 10:47:43 OpenVPN core 3.git::58b92569 ios arm64 64-bit
    2021-07-13 10:47:43 Frame=512/2048/512 mssfix-ctrl=1250
    2021-07-13 10:47:43 UNUSED OPTIONS
    3 [verify-x509-name] [C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Appliance_Certificate_qLipG3d...]
    5 [resolv-retry] [infinite]
    6 [nobind]
    7 [persist-key]
    8 [persist-tun]
    16 [route-delay] [4]
    17 [verb] [3]
    2021-07-13 10:47:43 EVENT: RESOLVE
    2021-07-13 10:47:43 Contacting [103.94.50.168]:8443/TCP via TCPv4
    2021-07-13 10:47:43 EVENT: WAIT
    2021-07-13 10:47:43 Connecting to [103.94.50.168]:8443 (103.94.50.168) via TCPv4
    2021-07-13 10:47:43 EVENT: CONNECTING
    2021-07-13 10:47:43 Tunnel Options:V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-client
    2021-07-13 10:47:43 Creds: Username/Password
    2021-07-13 10:47:43 Peer Info:
    IV_VER=3.git::58b92569
    IV_PLAT=ios
    IV_NCP=2
    IV_TCPNL=1
    IV_PROTO=2
    IV_LZO_STUB=1
    IV_COMP_STUB=1
    IV_COMP_STUBv2=1
    IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
    IV_SSO=openurl
    2021-07-13 10:47:44 VERIFY OK: depth=1, /C=AU/ST=Western Australia/L=NA/O=NA/OU=NA/CN=Default_CA_Ue5B4KDwHIH6SZJ/emailAddress=test@test.com
    2021-07-13 10:47:44 VERIFY OK: depth=0, /C=NA/ST=NA/L=NA/O=NA/OU=NA/CN=Appliance_Certificate_qLipG3dMGR1w0Rk/emailAddress=na@example.com
    2021-07-13 10:47:45 SSL Handshake: CN=Appliance_Certificate_qLipG3dMGR1w0Rk, TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    2021-07-13 10:47:45 Session is ACTIVE
    2021-07-13 10:47:45 EVENT: GET_CONFIG
    2021-07-13 10:47:45 Sending PUSH_REQUEST to server...
    2021-07-13 10:47:46 Sending PUSH_REQUEST to server...
    2021-07-13 10:47:48 Sending PUSH_REQUEST to server...
    2021-07-13 10:47:48 OPTIONS:
    0 [route] [remote_host] [255.255.255.255] [net_gateway]
    1 [route-gateway] [10.81.234.5]
    2 [sndbuf] [0]
    3 [rcvbuf] [0]
    4 [sndbuf] [0]
    5 [rcvbuf] [0]
    6 [ping] [45]
    7 [ping-restart] [180]
    8 [route] [172.16.139.10] [255.255.255.255]
    9 [topology] [subnet]
    10 [route] [remote_host] [255.255.255.255] [net_gateway]
    11 [inactive] [900] [7680]
    12 [ifconfig] [10.81.234.6] [255.255.255.0]
    2021-07-13 10:47:48 PROTOCOL OPTIONS:
      cipher: AES-128-CBC
      digest: SHA256
      compress: LZO_STUB
      peer ID: -1
    2021-07-13 10:47:48 EVENT: ASSIGN_IP
    2021-07-13 10:47:48 NIP: preparing TUN network settings
    2021-07-13 10:47:48 NIP: init TUN network settings with endpoint: 103.94.50.168
    2021-07-13 10:47:48 NIP: adding IPv4 address to network settings 10.81.234.6/255.255.255.0
    2021-07-13 10:47:48 NIP: adding (included) IPv4 route 10.81.234.0/24
    2021-07-13 10:47:48 NIP: adding (included) IPv4 route 172.16.139.10/32
    2021-07-13 10:47:48 Connected via NetworkExtensionTUN
    2021-07-13 10:47:48 LZO-ASYM init swap=0 asym=1
    2021-07-13 10:47:48 Comp-stub init swap=0
    2021-07-13 10:47:48 EVENT: CONNECTED qnap_user@103.94.50.168:8443 (103.94.50.168) via /TCPv4 on NetworkExtensionTUN/10.81.234.6/ gw=[/]

  • FormerMember, in reply to NA NA3

    Hey, 

    It seems like you haven't enabled the Default gateway option in the SSL VPN policy, and also only one route is getting pushed, which is for 172.16.139.10/32.

    You can enable the Default gateway option in the SSL VPN policy and reconnect the VPN; then the internet traffic will go through the VPN as well.



    Also, you'll need to make a VPN to WAN firewall rule in order to allow VPN traffic to reach the internet.

    "I cannot ping the mobile when the VPN is connected, and vice versa... Any suggestions?"

    -> For this, you'll need a LAN to VPN rule to allow the firewall's LAN to access VPN devices.
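The reply above explains the symptom in terms of what the server pushed rather than what the client did: the client log shows only the tunnel subnet and a single /32 being routed into TUN, so anything else (the "what is my IP" site, or a second host on the LAN) still leaves via the carrier. The following script, added here as an illustration and not code from the thread or from Sophos, parses the OPTIONS block of an OpenVPN client log and reports which destinations would actually enter the tunnel. The split-tunnel sample is the block posted above; the full-tunnel sample is constructed by appending a `redirect-gateway def1` push, which is an assumption about what a default-gateway push looks like, not something taken from this thread. Note that it only models client-side routing; the firewall still needs the VPN to WAN and VPN to LAN rules the replies describe before that traffic is allowed through.

```python
"""Work out what an OpenVPN client will send through the tunnel, from the
option push recorded in its log (the numbered lines after "OPTIONS:")."""
import ipaddress
import re

# Constructed input: the OPTIONS block from the iPhone client log posted in
# this thread (split tunnel: only the tunnel subnet and one /32 go into TUN).
SPLIT_TUNNEL_LOG = """\
2021-07-13 10:47:48 OPTIONS:
0 [route] [remote_host] [255.255.255.255] [net_gateway]
1 [route-gateway] [10.81.234.5]
8 [route] [172.16.139.10] [255.255.255.255]
9 [topology] [subnet]
12 [ifconfig] [10.81.234.6] [255.255.255.0]
2021-07-13 10:47:48 PROTOCOL OPTIONS:
"""

# Constructed input (assumption, not from the thread): the same push with a
# redirect-gateway option added, which is how a full-tunnel push appears.
FULL_TUNNEL_LOG = SPLIT_TUNNEL_LOG.replace(
    "2021-07-13 10:47:48 PROTOCOL OPTIONS:",
    "13 [redirect-gateway] [def1]\n2021-07-13 10:47:48 PROTOCOL OPTIONS:",
)

# "<date> <time> OPTIONS:" but not "<date> <time> PROTOCOL OPTIONS:"
OPTS_HEADER = re.compile(r"^\S+ \S+ OPTIONS:$")
# "<index> [name] [arg] [arg] ..."
OPT_LINE = re.compile(r"^\s*\d+\s+((?:\[[^\]]*\]\s*)+)$")
ARG = re.compile(r"\[([^\]]*)\]")


def parse_pushed_options(log):
    """Return a list of (option_name, [args]) from the pushed OPTIONS block."""
    opts, in_block = [], False
    for line in log.splitlines():
        if OPTS_HEADER.match(line.strip()):
            in_block = True
            continue
        if not in_block:
            continue
        m = OPT_LINE.match(line)
        if m:
            fields = ARG.findall(m.group(1))
            opts.append((fields[0], fields[1:]))
        elif line.strip():
            break  # first non-option line ends the block
    return opts


def tunnel_networks(opts):
    """Destinations the client will route into the TUN device."""
    nets = []
    for name, args in opts:
        if name == "route" and len(args) >= 2:
            # "route remote_host ... net_gateway" pins the VPN server itself to
            # the physical path; it is an exclusion, not a tunnel route.
            if args[0] == "remote_host" or (len(args) >= 3 and args[2] == "net_gateway"):
                continue
            nets.append(ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False))
        elif name == "ifconfig" and len(args) == 2:
            # topology subnet: the tunnel subnet is on-link via TUN
            nets.append(ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False))
        elif name == "redirect-gateway":
            # default route is moved onto the tunnel
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
    return nets


def is_full_tunnel(opts):
    """True when a default route (0.0.0.0/0) is sent through the tunnel."""
    return any(n.prefixlen == 0 for n in tunnel_networks(opts))


def via_tunnel(opts, host):
    """True if traffic to `host` would enter the tunnel under the pushed routes."""
    addr = ipaddress.ip_address(host)
    return any(addr in n for n in tunnel_networks(opts))


if __name__ == "__main__":
    for label, log in (("split tunnel", SPLIT_TUNNEL_LOG), ("full tunnel", FULL_TUNNEL_LOG)):
        opts = parse_pushed_options(log)
        print(f"{label}: full={is_full_tunnel(opts)} "
              f"routes={[str(n) for n in tunnel_networks(opts)]}")
        for host in ("172.16.139.10", "172.16.139.20", "8.8.8.8"):
            path = "TUN" if via_tunnel(opts, host) else "physical/carrier"
            print(f"  {host:<15} -> {path}")
```

Run against the posted log, the script shows that only 10.81.234.0/24 and 172.16.139.10/32 enter the tunnel: the share host is reachable, a public "what is my IP" address is not, and neither is any other LAN host, since the push carries a single /32 rather than the LAN subnet. With the constructed `redirect-gateway` push, everything goes to TUN, which matches the "redirecting all IPv4 traffic to TUN interface" line reported later in the thread.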

  • Ah... much better: "NIP: redirecting all IPv4 traffic to TUN interface"

    However, SMB is still not working... Here are the rules:

    SMB: created services and specified TCP/UDP 445 and TCP/UDP 1194 (OpenVPN).

    I'm using Windows 7, so I don't think 'NetBIOS over TCP/IP' would be an issue. Ports on the router are 445 and 1194, forwarded to port #2.

  • FormerMember, in reply to NA NA3

    Try adding a VPN to LAN rule. From your snapshot, it appears that there's no rule in place to allow traffic from the VPN to the LAN.

    If the VPN connects to this firewall, you'll need a VPN to LAN rule, not WAN to LAN, as incoming traffic from the SSL VPN counts as the VPN zone by default.

    Something like this,