
Sophos Firewall connecting to NordVPN


Hi

I'm a user of Untangle at my home/homelab. I'm trying Sophos Firewall to see if I switch from Untangle to Sophos Firewall.
I'm from Brazil but I live in Canada. Because of my country of origin I have to use a VPN like NordVPN to "tell" Brazilian service providers (like banks, government sites, etc.) that "I'm in Brazil".


So not having a way to connect to a VPN service like NordVPN and route my traffic over NordVPN can be a deal breaker.


I researched and I'm not sure if it's possible or not possible to do this.


Can you tell me if I can connect to a VPN service like NordVPN and route my traffic over there in Sophos Firewall?


I think I have the newest version; I started to test it yesterday.

Thanks guys.



  • Hi,

    Sophos has inbuilt VPN clients to set up inter-firewall traffic, e.g. RED etc.

    Let us take a different way of looking at the issue. NordVPN is an application; to be able to run an application you need to be able to install the application, which implies read/write/execute permissions on critical directories. Sophos does not allow users to write to critical directories.

    Then you need to launch the application and configure it. NordVPN is an end-user application.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Sophos is not capable of acting like a VPN client in any way, shape or form?

    I'm not an expert, but as far as I can tell, no. Sophos can only act as a "remote access" VPN server to connect to it from the outside world. It does support split and full tunneling, but it won't do what you're asking, which is be a VPN gateway to connect to NordVPN.

  • That's a start. NordVPN accepts connections from standard VPN clients; you don't have to use the NordVPN application.

    So can I configure Sophos as a VPN client to connect to an OpenVPN server or an IKEv2 server? If yes, I will be able to make Sophos connect to NordVPN servers.

  • Let me explain this as well as I can. I believe what you're referring to is a SOCKS proxy where you input the "anonymous" server's IP and port number into your client's internet settings or your browser settings, so that your traffic appears to be coming from the location of the proxy server (Brazil, China, Russia, Canada, etc.).

    Anyway, you cannot do this from within Sophos itself. This question has been asked multiple times by many people. Maybe a good option for you is to look into installing NordVPN on a Raspberry Pi or on a spare PC and use it as a VPN gateway.

  • No, it's not that at all.

    Let's imagine a scenario to explain better.

    Imagine that my house is a branch office, and NordVPN is the main office.

    In the main office I have an OpenVPN (or IKEv2) server. I want to use Sophos in my branch office to make an always-on VPN to my main office as a VPN client. After the VPN tunnel is on, I want to route all my internet traffic through my main office.

    Is that possible?

  • I'm having trouble understanding that analogy. Let me ask what you want to do:

    You want to be able to use Sophos XG as a VPN client to encrypt your traffic using NordVPN? No, you cannot do that. You cannot "install" the correct software to be able to do that.

    Let me give you an example of what you CAN do:

    You CAN set up a VPN server on Sophos so that you can connect TO it from a Wi-Fi hotspot at Starbucks, using VPN client software on your iPhone or laptop, and then tunnel out of the Sophos VPN server back into the world wide web using your home's internet connection while maintaining an encrypted tunnel so that your browsing cannot be eavesdropped on by Mr. Hacker.

    You CAN set up a VPN server on Sophos so that you can access your home's IP cameras, NAS storage, file/FTP server using Sophos' own VPN client software or OpenVPN software.

  • The XG can terminate VPNs from most sources provided the connection meets the XG security requirements. The XG can originate VPNs to other VPN termination points as long as the connection meets XG security requirements.

    The XG firewall rules will pass a VPN connection through to a PC or server on your LAN, assuming the firewall rule is set up correctly.

    Ian


  • Do you have the link to the documentation on how to do that? I mean, to configure Sophos to connect to a VPN server and to configure the firewall rule to direct the traffic?

    Can Sophos be an OpenVPN client, or only IKEv2?

    Thanks.

  • Hi,

    Please try searching the support documents at this URL. I searched, but was possibly looking at the wrong information.

    support VPNs

    Ian


  • Have you looked at Site-to-Site VPN > SSL VPN > Client > Add? That's how you add a site-to-site SSL VPN connection if you have the appropriate server's configuration file -- which I assume you do for your NordVPN.

    And this is what you are asking for: a site-to-site connection where your XG is the branch office and NordVPN is the main office.

    There are lots of other resources at Sophos and in the help referring to routing, etc, with a branch office and main office setup. Unlike some consumer firewalls, Sophos by default drops everything, so you will have to first set up the routing you want, then set up firewall rules to allow that traffic. For the firewall rules, you will want to take advantage of Zones.

    This is only true IF NordVPN truly supports open-standards VPN clients and provides you with open-standards VPN config files. If NordVPN does not do this, then it's a nice feature that Untangle has that it will work with a proprietary "main office", but that's an anti-customer choice by NordVPN if that's the case, which would force you to use a consumer-oriented firewall that caters to NordVPN.

    (To be fair, it's also possible that the XG only accepts configuration files from other XG's. I doubt it, since the main office could have Cisco's, SonicWall's, etc. But you can probably reverse-engineer the (presumably JSON) config file if that's the case.)