Sophos VPN Client - disable autoconnect when in local network

Hi all,

I'm struggling with setting up the Sophos VPN Client on users' Windows computers.

The behaviour I expect is to automatically connect when the user connects to any network except the internal LAN/Wi-Fi.

So if a user turns on the laptop at home and connects to his/her home Wi-Fi, Sophos Client should connect the VPN immediately. But when the user comes to the office and connects to the LAN network, Sophos Client should stop connecting. I edited the ovpn config file and added the auto_connect parameter as the LAN VLAN network address (192.168.3.1), but it didn't help - after connecting to the office's Wi-Fi, Sophos Client is still connecting to the VPN.

Next thing I tried was to block SSL VPN in firewall administration and it helped, but now Sophos Client is continuously trying to connect, fails, tries again, fails, and so on.

How do I set it up so it just stops trying to connect when in the LAN, and after a network change (going back home), connects the VPN immediately?

  • With Sophos connect you can provision a provisioning file with an auto_connect_host. See this for more explanation.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • OK, I did it, created a .pro file and imported it into the client's Sophos Connect. Instantly it discovered that it's in the LAN, so no auto-connect is needed, but when I tried to connect to download the policy (no matter whether from the LAN Wi-Fi or another VLAN Wi-Fi with user portal and VPN portal enabled) it gives an error:

    No SSL VPN policy is defined for this user

    And it's not true - in Sophos Firewall in the REMOTE ACCESS VPN section, SSL VPN, under my policy members I have this user. And on the user side there's also an SSL VPN policy chosen.

  • Try to have the user login to the VPN-portal and download the config (it is an .ovpn file). Double click this file to import it to Sophos connect and see if that makes a difference.


  • You mean I should delete the .pro configuration from Sophos Client and import standard config from user VPN Portal? If so - I've done it. As I wrote at the beginning, I started from that. So now when I deleted .pro config file and imported new ovpn config from VPN Portal, user can log in without problems. But of course there is no option to auto-connect.

    One other thing - I have dynamic DNS set up, but when I download the ovpn file, there are three remote addresses in this order - WAN address, my server VLAN network address (which I created and set access for the VPN network), and lastly the domain address from my dynamic DNS server. When I imported the file "as it is", Sophos Connect pointed to my WAN address and I didn't have a chance to change it in any way. So I edited the ovpn file, deleted the first two lines, left only the DDNS domain and imported the file into Sophos Connect. Works like a charm, but as I mentioned - there is no auto-connect then...

  • Are you sure that the FQDNs/IP addresses in the .pro file are correct?

    Do you see anything in the firewall logging about the request failing when using the .pro file?


  • I've done it following the instructions from your link - I created an empty txt file and copied the provisioning file template for a single connection. For gateway I entered the dynamic domain name so it can resolve my WAN IP every time, then entered the correct user portal port, opt left as default (false), for auto_connect_host I entered the interface IP for the users' VLAN, check_remote_availability as false and run_logon_script also false. That's it - hard to make a mistake here. As for the firewall - I log traffic on the rule VPN to WAN, but there is nothing there. Should I check somewhere else?

  • Sounds like everything is correct. With logging you can also check VPN log to see if you can find something there.


  • Hi, if you want OpenVPN to connect only to the DDNS name, you can specify it in the "Override hostname" in the SSL VPN global settings on the firewall:

    With this, the .ovpn file will only have the override hostname in its remote directive and you will be able to use the .pro file also.

  • I have a problem with that. Don't know why, but when I open SSL VPN global settings and even try to save without any changes, an error message tells me YOU MUST ENTER A NETWORK IP ADDRESS.

    Never mind whether I put something in override hostname or not.

    From top to bottom I have this:

    Unfortunately when I click APPLY, the error comes out. The problem is, after clicking OK on the error, SFOS doesn't point to any specific field (nor by standing in that field, nor by making the field red or marked in any other way).

    Next, when I enter my DDNS hostname (domain, not IP address) in OVERRIDE HOSTNAME I get the same error, even though I added the Dynamic DNS service in NETWORK settings and it connected successfully on the domain name.

  • This should not happen. This is seen if we have some problem in the interface configuration. If you can share the access id in DM, we can take a look at this problem. Alternatively, you can open a support ticket and share the access id via the ticket.

  • The problem is the IPv4 address you have specified. Make a network out of it because you have the netmask /24.

    Net: 10.81.234.0

  • OK, so it helped with global settings saving - after changing IP to 10.81.234.0 as well as override hostname with my ddns host, SFOS let me save config.

    Unfortunately, when I imported the .pro config on the user's laptop, after skipping the wrong certificate warning, I tried to connect, entered username and password (which work fine for the ovpn config) and the results are:

    1. when in LAN - error "No SSL VPN policy is defined for this user"

    2. When on external hotspot - FAILED TO LOAD CONNECTION (which, I assume, is obvious because Sophos Connect can't import ovpn setup from VPN/user portal. But it was worth trying to be 100% sure)

    Another weird thing - when I enabled SSL VPN, in global settings there already was this incorrect IP set up. I didn't change anything, so it looks like Sophos has wrong data as the default setup.

  • How are your device access settings configured, did you enable SSL VPN for the correct zones?


  • Although I had SSL VPN checked only for WAN, for the tests I checked this for all my networks. Still the same error about no ssl vpn policy.

  • In the .pro file, are you using the correct gateway and port? A sample of the .pro file can be attached.


    I believe you are on the v20 release on the firewall. If yes, can you do the following:
    1) Connect using the .pro file
    2) SSH to the firewall and collect /log/vpnportal.log

    It may tell what could be wrong with the API being called from Sophos Connect Client.


  • Yes, I double-checked those in the .pro file - the gateway is the DDNS domain address and the port for the user portal is identical to the one in the Sophos settings. One thing came to my mind - I changed the default port from 4443 to another one - maybe this is the problem?

    About the firewall software - yes, I'm on v20, but I don't know what you mean by connect using the .pro file. You mean I should try to connect the user using the .pro file, get an error and then collect vpnportal.log to check if there's anything there?

  • You mean I should try to connect user using .pro file, get an error and then collect vpnportal.log to check if there's anything there?

    Yes, that is what I meant


    I changed default port from 4443 to other one - maybe this is the problem?

    For .pro files, use the vpn portal port in the .pro file (which by default is 443)

  • What? So the manual is specifically saying to use port for user portal, and it's misleading? That's a bummer. Ok, I'll try to change port and see if it helps.

  • The instructions are from an older version where there was only the user portal. As of version 20, they have split it into user and VPN portal. The .pro file is there to pull the .ovpn file from the VPN portal, so the port from the VPN portal and not from the user portal must be specified there.

    What's another weird thing - when I enabled SSL VPN, in global settings there already was this incorrect IP set up. I didn't change anything, so it looks like Sophos has wrong data as default setup.

    Yes, this also results from an older version where an IP range still had to be specified, for example: 10.81.234.5-10.81.234.85
    At some point this was also changed to a whole subnet e.g. /24, but probably forgot to adjust the IP as well.
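As an added illustration (not code from the thread, Sophos, or the firewall), this Python snippet puts together the two checks this thread ends up with: building the single-connection .pro file with the VPN portal port and a DDNS gateway, and testing whether an SSL VPN lease address is the network address for its mask (10.81.234.0/24 rather than 10.81.234.5). The JSON key spellings are assumed from the field names the posts mention, and the sample values are constructed.

```python
import ipaddress
import json

# Key spellings follow the field names the thread walks through (gateway, user
# portal port, otp, auto_connect_host, check_remote_availability,
# run_logon_script); they are assumed here, not taken from Sophos documentation.
def build_pro(gateway: str, vpn_portal_port: int, auto_connect_host: str) -> dict:
    """Build the single-connection provisioning dict.

    Per the thread, on SFOS v20 the port field must carry the VPN portal port
    (default 443), not a custom user portal port, because Sophos Connect pulls
    the .ovpn from the VPN portal.
    """
    if not 1 <= vpn_portal_port <= 65535:
        raise ValueError("port out of range")
    try:
        ipaddress.ip_address(gateway)
    except ValueError:
        pass  # an FQDN such as a DDNS name is what we want as gateway
    else:
        raise ValueError("use the DDNS hostname as gateway, not a raw IP")
    ipaddress.ip_address(auto_connect_host)  # raises on a malformed address
    return {
        "gateway": gateway,
        "user_portal_port": vpn_portal_port,
        "otp": False,
        "auto_connect_host": auto_connect_host,
        "check_remote_availability": False,
        "run_logon_script": False,
    }

def pro_json(cfg: dict) -> str:
    """Serialise the dict as the text that goes into the .pro file."""
    return json.dumps(cfg, indent=2)

def in_lan(auto_connect_host: str, lan_cidr: str) -> bool:
    """auto_connect_host suppresses auto-connect when it is reachable, so it
    must be an address inside the office LAN the laptop joins."""
    return ipaddress.ip_address(auto_connect_host) in ipaddress.ip_network(lan_cidr, strict=False)

def is_network_address(ip: str, prefixlen: int) -> bool:
    """SSL VPN global settings accept only the network address for the mask:
    10.81.234.0/24 passes, the old range-style start 10.81.234.5/24 fails."""
    try:
        ipaddress.ip_network(f"{ip}/{prefixlen}", strict=True)
    except ValueError:
        return False
    return True

def to_network_address(ip: str, prefixlen: int) -> str:
    """Return the value the firewall will accept for the given mask."""
    return str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False).network_address)
```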