
OpenVPN SSL VPN configuration gives error: Unsupported Options "route delay 4"

Since Sophos XG depends on OpenVPN for many clients, we use it for all of them:

https://doc.sophos.com/nsg/sophos-firewall/18.5/help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/RemoteAccessVPN/VPNSophosConnectClient/index.html#import-configuration-and-provisioning-files (Recommended, since no support.)

Since openvpn-connect-3.4.0.3121_signed (3.4), I get the error "Unsupported Options" and I can't connect.

So, after looking at the log, I removed the option "route delay 4". What does it do? Is it important?

I tried to reach out to support, but you get the classic "not our product, not our problem" answer. Maybe someone can explain it to me: is this a bug in OpenVPN, or does Sophos not support the new configuration rules of the newer version?

And is there a permanent fix which does not get wiped after an update?
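Added example, not code from the thread, from Sophos or from OpenVPN: a small Python filter that reads the exported .ovpn profile and drops option lines the newer client reports as unsupported, while passing inline `<ca>`, `<cert>`, `<key>` and similar blocks through untouched, because certificate and key material must never be edited. The only option the thread names is `route-delay` (OpenVPN's `--route-delay n`, written "route delay" above), which only delays adding the pushed routes for n seconds after the tunnel is up; the `DROP_OPTIONS` set, the sample profile and the host `vpn.example.invalid` are constructed for this example and are assumptions, not a list taken from any client's documentation.

```python
"""Strip options a newer OpenVPN client rejects from an exported .ovpn profile.

Added example (not from the thread, Sophos or OpenVPN). The set of options
to drop is an assumption: the thread only names route-delay, so extend the
set from the "Unsupported Options" entries in your own client log.
"""
import sys

# Assumption: route-delay is the only option known to be rejected here.
DROP_OPTIONS = frozenset({"route-delay"})

# Constructed sample profile, shaped like a remote-access SSL VPN export.
# The line inside <ca> deliberately looks like an option and must survive.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 8443
route-delay 4
verb 3
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
route-delay 4 looks like an option but is inside an inline block
-----END CERTIFICATE-----
</ca>
"""


def strip_options(profile: str, drop=DROP_OPTIONS):
    """Return (cleaned_profile, removed_lines).

    A line is removed when its first token is in `drop`, unless it sits
    inside an inline <tag>...</tag> block; block contents are copied as-is.
    Comment lines (# or ;) are never treated as options.
    """
    out, removed = [], []
    in_block = None
    for line in profile.splitlines():
        stripped = line.strip()
        if in_block:
            out.append(line)
            if stripped == f"</{in_block}>":
                in_block = None
            continue
        if (stripped.startswith("<") and stripped.endswith(">")
                and not stripped.startswith("</")):
            in_block = stripped[1:-1]
            out.append(line)
            continue
        tokens = stripped.split()
        if tokens and not stripped.startswith(("#", ";")) and tokens[0] in drop:
            removed.append(line)
            continue
        out.append(line)
    return "\n".join(out) + "\n", removed


def main(argv):
    """CLI: python strip_ovpn.py exported.ovpn cleaned.ovpn"""
    if len(argv) != 3:
        print(f"usage: {argv[0]} in.ovpn out.ovpn", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as f:
        cleaned, removed = strip_options(f.read())
    with open(argv[2], "w", encoding="utf-8") as f:
        f.write(cleaned)
    for line in removed:
        print(f"removed: {line}", file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running the script on every freshly downloaded export, rather than hand-editing the file, is one way to get a repeatable fix: the export stays exactly as the firewall generated it, the stripped copy is what the client imports, and the lines printed on stderr show which options were dropped so an unexpected removal is noticed.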



  • Latest answer from Support: "Thank you for sharing the details. We have investigated the case internally and we were able to connect to the VPN using Sophos Connect Client. As far as OpenVPN connect client is concerned, unfortunately, we won't be able to provide a fix on this as this is a 3rd party software. Here the request is not even reaching the firewall while we are trying to connect the VPN as we were not able to see any logs while reproducing the error."

    This is just a headache; now I get to edit the files for each device before installing them. This will be a nightmare if clients like iOS or other devices can't handle the old config file format anymore.

  • I find the response from Sophos support strange. Sophos uses the open-source OpenVPN server in their firewall, the OpenVPN client in there is the Sophos Connect Client, and now they don't support new versions of OpenVPN?


    I had no problem using Sophos Connect Client when they implemented the auto-connect and auto-update feature and the OpenVPN components were up to date.

    When I download the Sophos Connect Client from our Sophos XG (SFOS 19.5.2 MR-2-Build624) user portal with the latest firmware, I get OpenVPN Client 2.5.6, dated 2022-03-15 (see https://openvpn.net/community-downloads/), which is over a year old.

    Sophos, why do I get an OpenVPN server and client that are over a year old? Why don't you update them?

  • It is actually a usual approach not to update to the newest version.

    The reasoning is: updating always increases the QA process within each and every product enormously, "without" any benefit at all. Think about it: SFOS is a hardened system; you update such systems only carefully and only if you have to (because of security vulnerabilities, because you need a certain feature, etc.).

    It is not a Linux system where you run "sudo apt-get update / upgrade" every day. Even a Linux admin would not do that on a production system. It needs testing and consideration, and if there is no real benefit to upgrading, you will not do it.

    An upgrade of a subsystem is a crucial step: every customer would be impacted, and each integration would need to be investigated and tested.

    To bring this home: everybody can do as they want on their own machine; OpenVPN offers the package and everybody can install it. But SFOS always looks at it for a "reason". For example, some vulnerabilities do not even affect the system, so you don't need to stay up to date on the system itself, as you can mitigate a vulnerability otherwise instead of updating.


  • Or you can just add a version to it in the user portal, so you can see what's supported, and there should be multiple versions like newest, stable, older versions (maybe even a custom config?). Problem solved? Every modern company does this with its software nowadays; Sophos is very inflexible when encountering new feature requests. (Just pointing at the current state of the diagnostics and reporting feature: you can't track anything.)

    The problem is, I make remote connections like TeamViewer/AnyDesk to customer/employee private PCs, and there I download the latest OpenVPN client. I can't just give a customer an outdated client; there are reasons why it's outdated.

    The other problem is, Sophos does not have a client for Android/iOS or Mac, so tell me, what should I use?

  • SFOS supports Sophos Connect, offered by the system itself; that is tested.

    The other files are configuration files, and it is up to the customer to choose a client.

    If there is a problem, you can raise this situation with support as well. Could we track the support ID?


  • Hi, I have three questions about your information:

    How do I know if the bug fixes don't fix a problem I have?

    Why don't you have CI/CD pipelines that test a new version of Sophos Firmware, including the new OpenVPN server and client, so you know what works and what doesn't? github.com/.../openvpn-tests

    Why don't you have two channels for the OpenVPN server in the Sophos firmware, like other software vendors, that customers can choose from: latest with limited support, and annual? So conservative IT admins can choose the annual channel and people like me can choose the current version.