

OpenVPN SSL VPN Configuration gives error: Unsupported Options "route delay 4"

Since Sophos XG is dependent on OpenVPN for many clients, we only use it for all:

https://doc.sophos.com/nsg/sophos-firewall/18.5/help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/RemoteAccessVPN/VPNSophosConnectClient/index.html#import-configuration-and-provisioning-files (Recommended, since no support.)

Since openvpn-connect-3.4.0.3121_signed or 3.4, I get the error "Unsupported Options" and I can't connect.

So, after looking at the log, I removed the option "route delay 4". What does it do? Is it important?

I tried to reach out to support, but you get the classic "not our product, not our problem" answer. Maybe someone can explain it to me: is this a bug in OpenVPN, or does Sophos not support the new configuration rules for newer versions?

And is there a permanent fix which does not get wiped after an update?



  • Latest answer from Support: "Thank you for sharing the details. We have investigated the case internally and we were able to connect to the VPN using Sophos Connect Client. As far as OpenVPN connect client is concerned, unfortunately, we won't be able to provide a fix on this as this is a 3rd party software. Here the request is not even reaching the firewall while we are trying to connect the VPN as we were not able to see any logs while reproducing the error."

    This is just a headache; now I can edit files for each device before installing them. This will be a nightmare if clients like iOS or other devices can't handle the old config file format anymore.

  • Quick and dirty fix:

    • SSH login to Sophos XG
    • open an advanced shell (5 -> 3)
    • vi /content/sslvpn/client-config-template.ovpn
    • scroll down to "route-delay 4"
    • press i for insert mode
    • add ";" in front
    • ESC -> :wq

    After the change, you can finally download working .ovpn-configuration files for OpenVPN 3.4 in the XG user portal again.

  • @Hayashi81 Thanks a lot, we will try this.

  •   What do you think of this solution?

  • Hi Hayashi81,

    Thanks for the tip on editing the ovpn config file so we don't have to do it after the download. Just wanting to point out that there is also the 'route' option that is not supported. I have also commented this line as well.

    For others viewing this post, this is what my config file looks like.

    [<OPENVPN_WIN_OPTIONS>]
    client
    dev tun
    proto [<OPENVPN_PROTOCOL>]
    verify-x509-name "[<OPENVPN_SERVER_DN>]"
    ;route remote_host 255.255.255.255 net_gateway
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca [<OPENVPN_CA_FILE>]
    cert [<OPENVPN_CLIENT_CERT>]
    key [<OPENVPN_CLIENT_KEY>]
    auth-user-pass
    cipher [<OPENVPN_CIPHER>]
    auth [<OPENVPN_AUTH>]
    comp-lzo [<OPENVPN_COMPRESSION>]
    ;can_save [<OPENVPN_SEVECREDENTIAL>]
    ;otp [<OPENVPN_TWOFATOKEN>]
    ;run_logon_script [<OPENVPN_ADLOGON>]
    ;auto_connect [<OPENVPN_AUTOCONNECT>]
    ;route-delay 4
    verb 3
    reneg-sec 0

    I have an additional question... Can this config file be downloaded once and sent out to multiple users that need an OpenVPN connection? I do understand that the config file as shown above has placeholders for content that will be filled upon download, but it seems there is nothing in there that is user specific.
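
The manual edit described in the posts above, written as a re-runnable script that comments out only the two directives named in this thread and keeps a backup. This is an added example, not code from the thread's participants or from Sophos; the function names and the sample file are hypothetical, and it assumes a POSIX shell with `sed -E`, `grep -E` and `mktemp` available where it runs.

```shell
#!/bin/sh
# Added example (not from the thread's authors). Directives taken from the thread:
# "route-delay ..." and "route remote_host ...". Other "route" lines are left alone.
UNSUPPORTED_RE='^[[:space:]]*(route-delay|route[[:space:]]+remote_host)([[:space:]]|$)'

# has_unsupported FILE: exit 0 if an active (uncommented) rejected directive remains.
has_unsupported() {
    grep -Eq "$UNSUPPORTED_RE" "$1"
}

# patch_ovpn FILE: prefix the rejected directives with ";" and keep FILE.bak.
# Returns 0 = patched, 1 = nothing to do, 2 = error.
patch_ovpn() {
    f=$1
    [ -f "$f" ] || { echo "patch_ovpn: no such file: $f" >&2; return 2; }
    has_unsupported "$f" || return 1
    tmp=$(mktemp) || return 2
    if sed -E \
        -e 's/^([[:space:]]*)(route-delay([[:space:]]|$))/\1;\2/' \
        -e 's/^([[:space:]]*)(route[[:space:]]+remote_host([[:space:]]|$))/\1;\2/' \
        "$f" > "$tmp" && cp -p "$f" "$f.bak" && cat "$tmp" > "$f"; then
        rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 2
}

# write_sample FILE: constructed sample resembling the template shown in the thread.
write_sample() {
    cat > "$1" <<'EOF'
client
dev tun
route remote_host 255.255.255.255 net_gateway
route 10.8.0.0 255.255.255.0
;auto_connect 0
  route-delay 4
verb 3
EOF
}

# Demo on a throwaway copy; point patch_ovpn at a real file once the result looks right.
demo=$(mktemp)
write_sample "$demo"
patch_ovpn "$demo" && echo "patched:" && cat "$demo"
rm -f "$demo" "$demo.bak"
```

The same function works on a downloaded `.ovpn` file or on the template path given above (`/content/sslvpn/client-config-template.ovpn`); `has_unsupported` can be run afterwards to confirm whether the lines are still commented.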
