
Cannot access intranet websites over VPN.

We are using OpenVPN on our Sophos firewall. Yesterday I upgraded from SFOS 18.0.5 MR-5-Build586 to SFOS 19.0.0 GA-Build317.

We have a number of intranet websites running in docker containers on a single server. After the upgrade they are fully accessible through the intranet, the server and docker containers are all up and running fine.

Before the upgrade, the intranet websites could all be accessed over OpenVPN. After the upgrade they cannot.

The logs report that the relevant firewall rule is working fine and allowing access. They show 1 packet incoming and 1 packet outgoing on the connections.

Using wget to test the website, I get the error "Connection refused."

TCP dump on the docker server shows no packets at all.

PCAP on the firewall shows a SYN packet incoming and an RST packet outgoing.

The problem happens with both port 80 and port 443 connections.

All other OpenVPN traffic is fine (ping, SSH, VNC).

Does anyone have any clues?
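The captures described in this post (SYN in and RST out on the firewall, nothing at all on the docker host) are the detail that localises the refusal to the firewall itself rather than to the web server. The following script is an added example, not part of the original thread or of any Sophos tooling: it parses `tcpdump -n`-style lines from the two capture points and reports, per port, whether the RST was generated by the firewall or merely relayed from the server. The capture text, the VPN client address 10.81.234.6 and the server address 192.168.10.20 are constructed sample data.

```python
"""Locate the origin of a TCP RST seen over a VPN from two tcpdump captures.

Added example (not from the original thread). Compares a capture taken on
the firewall with one taken on the intranet server: if the firewall shows a
SYN in and an RST out for a flow that the server never saw, the firewall
produced the RST itself; if the server saw the SYN too, the RST came from
the server and the firewall only forwarded it.
"""
import re
from collections import defaultdict

# Constructed sample captures in tcpdump -n format (not real traffic).
FIREWALL_CAPTURE = """\
12:00:01.000100 IP 10.81.234.6.51234 > 192.168.10.20.80: Flags [S], seq 100, win 64240, length 0
12:00:01.000150 IP 192.168.10.20.80 > 10.81.234.6.51234: Flags [R.], seq 0, ack 101, win 0, length 0
12:00:02.000100 IP 10.81.234.6.51235 > 192.168.10.20.443: Flags [S], seq 200, win 64240, length 0
12:00:02.000150 IP 192.168.10.20.443 > 10.81.234.6.51235: Flags [R.], seq 0, ack 201, win 0, length 0
12:00:03.000000 IP 10.81.234.6 > 192.168.10.20: ICMP echo request, id 7, seq 1, length 64
12:00:03.000400 IP 192.168.10.20 > 10.81.234.6: ICMP echo reply, id 7, seq 1, length 64
"""
SERVER_CAPTURE = """\
12:00:03.000200 IP 10.81.234.6 > 192.168.10.20: ICMP echo request, id 7, seq 1, length 64
12:00:03.000300 IP 192.168.10.20 > 10.81.234.6: ICMP echo reply, id 7, seq 1, length 64
"""

# Matches only TCP lines ("Flags [...]"); ICMP and other lines are skipped.
TCP_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)


def parse_tcp(capture):
    """Yield (src, sport, dst, dport, flags) for every TCP line in a capture."""
    for line in capture.splitlines():
        m = TCP_RE.search(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def flows_towards(capture, server_ip, ports):
    """Group packets by flow (client_ip, client_port, server_port).

    Each flow maps to a set of (direction, flags): "in" for client -> server,
    "out" for server -> client, as seen at the capture point.
    """
    flows = defaultdict(set)
    for src, sport, dst, dport, flags in parse_tcp(capture):
        if dst == server_ip and dport in ports:
            flows[(src, sport, dport)].add(("in", flags))
        elif src == server_ip and sport in ports:
            flows[(dst, dport, sport)].add(("out", flags))
    return flows


def classify(firewall_capture, server_capture, server_ip, ports=(80, 443)):
    """Return {port: verdict} describing where each port's RST originated."""
    fw_flows = flows_towards(firewall_capture, server_ip, ports)
    srv_flows = flows_towards(server_capture, server_ip, ports)
    verdicts = {}
    for port in ports:
        port_flows = [(k, v) for k, v in fw_flows.items() if k[2] == port]
        if not port_flows:
            verdicts[port] = "no SYN seen at firewall"
            continue
        key, events = port_flows[0]  # first flow on this port is enough for a verdict
        syn_in = any(d == "in" and "S" in f for d, f in events)
        rst_out = any(d == "out" and "R" in f for d, f in events)
        if syn_in and rst_out and key not in srv_flows:
            verdicts[port] = "RST originates on firewall (server never saw the SYN)"
        elif syn_in and rst_out:
            verdicts[port] = "server refused (RST relayed by firewall)"
        elif syn_in:
            verdicts[port] = "SYN forwarded, no reply captured"
        else:
            verdicts[port] = "no SYN seen at firewall"
    return verdicts


if __name__ == "__main__":
    for port, verdict in classify(FIREWALL_CAPTURE, SERVER_CAPTURE, "192.168.10.20").items():
        print(f"port {port}: {verdict}")
```

With the constructed captures the script reports, for both 80 and 443, that the RST originates on the firewall, which is the pattern this thread describes: the firewall's own policy (not the web server) is rejecting the connection, so the fix belongs in the firewall configuration rather than on the docker host. Feeding it a server-side capture that does contain the SYN and RST changes the verdict to "server refused".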



  • Hi.

    I too have the same issue. I talked to Sophos and there is an issue in the ACL for the Object that handles client VPN, so the connection gets refused. I ended up doing a NAT rule and with that it started to work. But this is a workaround, not a solution. There should be a fix for it in MR1 for V19.

    One more thing you could try is in the SSL config file change the value: comp-lzo to yes

    //Rickard

  • Hi, Rickard.

    That sounds really helpful. Could you give me a bit more detail, please?

    What NAT rule did you add?

    Does the SSL config file change require terminal/console access or can I use the WebUI? Does it require a reboot?

  • Hi.

    The NAT rule I ended up with was to use a SNAT rule to use an IP on the Internal Network. So VPN clients hide behind a local network address that you have or add on the firewall.

    The comp-lzo yes is on every client that has the SSL config, which might not be possible to change that easily.

    A rollback of the firewall will get you back to the config on 18.5 MR3 with the configuration that you had then. So if you have not done any changes on the config or settings in V19 everything will be as before (that has been the case for me anyway).

    //Rickard

  • I just tried changing comp-lzo on my OpenVPN client - no luck.

    I am really not an expert. How do I add a SNAT rule? What values do I need to set? The web UI only lets me create NAT and DNAT rules.

    I had a go with a NAT with:

    Source = OpenVPN address range

    Translated source = MASQ

    Destination = Our intranet server

    Service = HTTP + HTTPS

    All other settings = default/any

    It doesn't work.
