SSL VPN no Internet access

Question

I have set up a SSL VPN connection in SOHPOS Firewall v20 Build 222. I can access local services and machines no problems there, but I cant get internet access. 
 When I ping external sources no packages comes through, however domain names are resolved: 
 ping www.kde.org:
PING tyran.kde.org (85.10.198.55) 56(84) bytes of data.
^C
--- tyran.kde.org ping statistics ---
42 packets transmitted, 0 received, 100% packet loss, time 41959ms 
 This is my settings: 
 The SSL VPN Global settings 
 
 Mostly kept as is but added Override hostname (Same as DDNS) witch resolves to my IP The IPv4 DNS Servers are both in my network one of them is the DNS on the Firewall 
 My user login settings: 
 
 Using tunnel as default gateway on or off makes no difference. The LAN Network contains local ip range 192.168.10.0/24 I tried adding #Port2 just to have tried every possibilities I could think off. It is now removed since it had no effect. 
 Automatic generated Firewall rule: 
 
 Only change her is I tried adding ##ALL_SSLVPN_RW to source network. No VPN firewall Security features is enabled. 
 SSL VPN Authentication method: 
 
 Default kept here. 
 Clients: 
 I&rsquo;m using OpenVPN Client 3.4.2 on my mobile devices and NetworkManager (KDE5) on my Laptop 
 Some changes had to be maid to the .ovpn file downloaded to get it to import in NetworkManager The following line needed to be commented out: 
 route remote_host 255.255.255.255 net_gateway 
 The default LAN to WAN Firewall rule is left at default except Block QUIC protocol ha been activated and all Malware and Conetnt scanning is activated. So Source, Destination and Services is set to Any 
 I have tried different setting all over without any changes. I&rsquo;m out of ideas on how to get this to work. The traffic has to be blocked somewhere, I just cant see what.

Vishal_R · Accepted Answer

Hi NismoC32 Here it seems your VPN to WAN rule does not have any linked NAT rule OR for this VPN to WAN traffic Firewall rule, no other matching NAT rule exists in the existing NAT rule to apply the NAT action and due to this reason while traffic is going out via WAN Port 2, source IP is remaining the original one (the SSL VPN machine leased IP) and that should not be the case ideally when traffic is going out to WAN Interface over WAN Zone. 14:07:17.031785 tun0, IN: IP 10.81.0.2 > 8.8.4.4: ICMP echo request, id 34008, seq 6, length 64 14:07:17.031807 Port2, OUT: IP 10.81.0.2 > 8.8.4.4: ICMP echo request, id 34008, seq 6, length 64 I would suggest to fix the issue please create a link NAT rule ( with NAT action MASQ) in the existing VPN to WAN rule through which this traffic is getting allowed and confirm the status.

Mayur Makvana · Answer

Hello, 
 Thank you for reaching to Sophos Community! 
 1. Review the output of route print command on Windows client PC and check for the default route via SSL VPN IP. 2. If there is no default route via SSL VPN IP, run the client with the admin rights . 3. If the default route added on end PC via SSL VPN IP. Start the ping to 8.8.4.4 and at the same time, review tcpdump on the firewall for the 8.8.4.4 to validate whether the traffic reaches to the firewall and what action has been taken by Sophos Firewall. 
 If this still does not works, DM me with the access ID and client PC from where you have started ping to 8.8.4.4 
 Thank you for choosing Sophos!

SSL VPN no Internet access

Top Replies