
SSL VPN no Internet access

I have set up an SSL VPN connection in Sophos Firewall v20 Build 222.
I can access local services and machines, no problems there, but I can't get internet access.

When I ping external sources no packets come through; however, domain names are resolved:

ping www.kde.org:
PING tyran.kde.org (85.10.198.55) 56(84) bytes of data.
^C
--- tyran.kde.org ping statistics ---
42 packets transmitted, 0 received, 100% packet loss, time 41959ms

These are my settings:

The SSL VPN Global settings

Mostly kept as is, but added Override hostname (same as DDNS) which resolves to my IP.
The IPv4 DNS servers are both in my network; one of them is the DNS on the Firewall.

My user login settings:

Using tunnel as default gateway on or off makes no difference.
The LAN Network contains the local IP range 192.168.10.0/24.
I tried adding #Port2 just to have tried every possibility I could think of. It is now removed since it had no effect.

Automatically generated Firewall rule:

Only change here is I tried adding ##ALL_SSLVPN_RW to the source network.
No VPN firewall security features are enabled.

SSL VPN Authentication method:

Default kept here.

Clients:

I'm using OpenVPN Client 3.4.2 on my mobile devices and NetworkManager (KDE5) on my laptop.

Some changes had to be made to the downloaded .ovpn file to get it to import in NetworkManager.
The following line needed to be commented out:

route remote_host 255.255.255.255 net_gateway

The default LAN to WAN Firewall rule is left at default, except
Block QUIC protocol has been activated and all Malware and Content scanning is activated.
So Source, Destination and Services are set to Any.

I have tried different settings all over without any change. I'm out of ideas on how to get this to work.
The traffic has to be blocked somewhere, I just can't see where.

  • Hello,

    Thank you for reaching out to Sophos Community!

    1. Review the output of the route print command on the Windows client PC and check for the default route via the SSL VPN IP.
    2. If there is no default route via the SSL VPN IP, run the client with admin rights.
    3. If the default route is added on the end PC via the SSL VPN IP, start a ping to 8.8.4.4 and at the same time review tcpdump on the firewall for 8.8.4.4 to validate whether the traffic reaches the firewall and what action has been taken by Sophos Firewall.

    If this still does not work, DM me with the access ID and the client PC from which you have started the ping to 8.8.4.4.

    Thank you for choosing Sophos!

    Mayur Makvana
    Technical Account Manager | Global Customer Experience


  • This is the output from route (Linux not Windows):

    Before connecting to SSL VPN:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         Firewall        0.0.0.0         UG    600    0        0 wlp1s0
    link-local      0.0.0.0         255.255.0.0     U     1000   0        0 wlp1s0
    192.168.0.0     0.0.0.0         255.255.0.0     U     600    0        0 wlp1s0

    After connecting to SSL VPN:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         _gateway        0.0.0.0         UG    50     0        0 tun0
    default         Firewall        0.0.0.0         UG    600    0        0 wlp1s0
    10.81.0.0       0.0.0.0         255.255.0.0     U     50     0        0 tun0
    ***.**-***-***. Firewall        255.255.255.255 UGH   50     0        0 wlp1s0 #IP censored
    link-local      0.0.0.0         255.255.0.0     U     1000   0        0 wlp1s0
    192.168.0.0     0.0.0.0         255.255.0.0     U     600    0        0 wlp1s0
    Firewall        0.0.0.0         255.255.255.255 UH    50     0        0 wlp1s0

    And this is the tcpdump:

    14:07:17.031785 tun0, IN: IP 10.81.0.2 > 8.8.4.4: ICMP echo request, id 34008, seq 6, length 64
    14:07:17.031807 Port2, OUT: IP 10.81.0.2 > 8.8.4.4: ICMP echo request, id 34008, seq 6, length 64
    14:07:18.060638 tun0, IN: IP 10.81.0.2 > 8.8.4.4: ICMP echo request, id 34008, seq 7, length 64
    14:07:18.060660 Port2, OUT: IP 10.81.0.2 > 8.8.4.4: ICMP echo request, id 34008, seq 7, length 64
    14:07:19.084163 tun0, IN: IP 10.81.0.2 > 8.8.4.4: ICMP echo request, id 34008, seq 8, length 64
    14:07:19.084187 Port2, OUT: IP 10.81.0.2 > 8.8.4.4: ICMP echo request, id 34008, seq 8, length 64

    It looks like the packets reach the firewall and are sent to Port2, which is the WAN port.
    But nothing is coming back.

  • Hi, here it seems your VPN to WAN rule does not have any linked NAT rule, or for this VPN to WAN traffic firewall rule no other matching NAT rule exists in the existing NAT rules to apply the NAT action. Due to this, while traffic is going out via WAN Port2, the source IP remains the original one (the SSL VPN machine's leased IP), and ideally that should not be the case when traffic is going out to the WAN interface over the WAN zone.

    14:07:17.031785 tun0, IN: IP 10.81.0.2 > 8.8.4.4: ICMP echo request, id 34008, seq 6, length 64
    14:07:17.031807 Port2, OUT: IP 10.81.0.2 > 8.8.4.4: ICMP echo request, id 34008, seq 6, length 64

    To fix the issue, I would suggest creating a linked NAT rule (with NAT action MASQ) in the existing VPN to WAN rule through which this traffic is being allowed, and then confirming the status.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

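The diagnosis above rests on one observation: the copy of the packet leaving Port2 still carries the tunnel-leased source 10.81.0.2, so no MASQ/SNAT rule touched it. The script below is an added example, not a Sophos tool or anything posted in the thread, that automates that check over tcpdump output in the format the firewall prints. It assumes the interface names (tun0, Port2) and the SSL VPN pool 10.81.0.0/16 from the route table posted earlier; the capture text is constructed from the lines quoted in the thread, and 203.0.113.10 is an RFC 5737 documentation address standing in for the firewall's public IP in the "fixed" sample.

```python
"""Flag SSL VPN traffic that leaves the WAN interface with its tunnel-leased
source address, i.e. packets that no MASQ/SNAT rule has rewritten."""
import ipaddress
import re

# One tcpdump line as printed on Sophos Firewall:
#   <time> <iface>, <IN|OUT>: IP <src>[.<port>] > <dst>[.<port>]: <summary>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>[^,]+),\s+(?P<dir>IN|OUT):\s+IP\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?:\s+(?P<summary>.*)$"
)
ICMP_RE = re.compile(r"\bid (?P<id>\d+), seq (?P<seq>\d+)")

# Private ranges that should never be the source of a packet leaving WAN.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample modelled on the capture quoted in the thread (no NAT).
SAMPLE_NO_NAT = """\
14:07:17.031785 tun0, IN: IP 10.81.0.2 > 8.8.4.4: ICMP echo request, id 34008, seq 6, length 64
14:07:17.031807 Port2, OUT: IP 10.81.0.2 > 8.8.4.4: ICMP echo request, id 34008, seq 6, length 64
14:07:18.060638 tun0, IN: IP 10.81.0.2 > 8.8.4.4: ICMP echo request, id 34008, seq 7, length 64
14:07:18.060660 Port2, OUT: IP 10.81.0.2 > 8.8.4.4: ICMP echo request, id 34008, seq 7, length 64
"""

# Constructed sample of the same flow once a MASQ rule is linked: the WAN-side
# copy carries the firewall's address (203.0.113.10 is a placeholder) and the
# reply is translated back to the tunnel client.
SAMPLE_WITH_NAT = """\
14:07:17.031785 tun0, IN: IP 10.81.0.2 > 8.8.4.4: ICMP echo request, id 34008, seq 6, length 64
14:07:17.031807 Port2, OUT: IP 203.0.113.10 > 8.8.4.4: ICMP echo request, id 34008, seq 6, length 64
14:07:17.045120 Port2, IN: IP 8.8.4.4 > 203.0.113.10: ICMP echo reply, id 34008, seq 6, length 64
14:07:17.045133 tun0, OUT: IP 8.8.4.4 > 10.81.0.2: ICMP echo reply, id 34008, seq 6, length 64
"""


def parse_tcpdump(text):
    """Parse IPv4 summary lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pkt = m.groupdict()
        icmp = ICMP_RE.search(pkt["summary"])
        # Flow key used to pair the tun0 IN copy with the WAN OUT copy of the
        # same packet: ICMP id/seq when present, otherwise the destination
        # socket (the source port may legitimately change under NAT).
        pkt["key"] = (("icmp", pkt["dst"], icmp["id"], icmp["seq"]) if icmp
                      else ("l4", pkt["dst"], pkt["dport"]))
        packets.append(pkt)
    return packets


def find_unnatted_egress(packets, wan_ifaces, vpn_pool="10.81.0.0/16"):
    """Return WAN-side OUT packets whose source is still a tunnel-pool or
    RFC1918 address, or is unchanged from the paired inbound copy."""
    pool = ipaddress.ip_network(vpn_pool)
    inbound = {p["key"]: p for p in packets if p["dir"] == "IN"}
    findings = []
    for p in packets:
        if p["dir"] != "OUT" or p["iface"] not in wan_ifaces:
            continue
        src = ipaddress.ip_address(p["src"])
        twin = inbound.get(p["key"])
        unchanged = twin is not None and twin["src"] == p["src"]
        leaked = src in pool or any(src in n for n in RFC1918)
        if leaked or unchanged:
            findings.append({"ts": p["ts"], "iface": p["iface"], "src": p["src"],
                             "dst": p["dst"],
                             "from_iface": twin["iface"] if twin else None})
    return findings


if __name__ == "__main__":
    for label, capture in (("no NAT", SAMPLE_NO_NAT), ("MASQ linked", SAMPLE_WITH_NAT)):
        hits = find_unnatted_egress(parse_tcpdump(capture), wan_ifaces={"Port2"})
        print(f"{label}: {len(hits)} un-NATed egress packet(s)")
        for h in hits:
            print(f"  {h['ts']} {h['from_iface']} -> {h['iface']} "
                  f"src {h['src']} dst {h['dst']}")
```

Run against a capture taken with the firewall's tcpdump while pinging from the VPN client; any hit means the VPN-to-WAN firewall rule is forwarding without a matching NAT rule, which is exactly what the two quoted lines show. The second sample is included so the reader can see what a healthy exchange looks like: zero hits, a translated source on Port2, and the echo reply coming back on tun0 addressed to the tunnel client.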
