
Allow 3rd Party WireGuard VPN to Access LAN resources from offsite Server

Hello everyone :)
I am struggling with the following:

The customer has a MikroTik router that connects via WireGuard VPN to a remote Windows Server in a datacentre.
The MikroTik router is the VPN client, the Windows Server is the VPN server.
The employees are supposed to print from the remote Windows Server to local LAN printers.

Setup:
Local LAN 192.168.5.0 /24
VPN: 10.19.15.0 /24

In SFOS 19 I only needed to set a static route 10.19.15.0/24 with gateway (MikroTik router) on br0 to make it work.
Since upgrading to SFOS 20 the VPN connection suddenly stopped working.

Which Rules do I need to set in place, to tell the XGS that:
- Data from the VPN 10.19.15.0 are okay to access the local LAN (the logs tell me that the XGS can't associate the MikroTik VPN traffic with any connection).

Thanks

EDIT: We managed to establish the VPN connection again by switching the port. The connection itself is still... "kinda buggy". If I ping a printer from the remote server, 5/7 (ish) pings go through, 2 get dropped by the firewall. "invalid traffic" // source: internal printer IP / target: VPN IP of the remote server / "Could not associate packet to any connection."
[edited by: Rene Böhres at 2:30 PM (GMT -7) on 27 May 2024]
  • Hello Rene, 

    Thanks for reaching out. Could you share your network diagram/setup, firewall rule, routes and logs on SF for this? Thank you

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • It's not very complicated in terms of setup, so a diagram would probably be overkill.

    Local LAN 192.168.5.0 /24
    Printer 192.168.5.96 /24


    VPN: 10.19.15.0 /24
    "VPN Box" 192.168.5.31 / 10.19.15.1
    Windows Server 10.19.15.1/24

    ISP Router Lan: 192.168.6.0/24

    Local Lan: 192.168.5.0 -> ISP Router LAN

    In the "Local LAN" is a small router (let's call it VPN Box) that connects as a WireGuard VPN client to a Windows Server that is a WireGuard VPN 
    The VPN Box has a LAN address (let's say 192.168.5.31) as well as a VPN address (say 10.19.15.2), and the Windows Server (10.19.15.1) 
    Printers from the local LAN are installed on the Windows Server so employees can print locally.
    Right now the connection to the Windows Server in the cloud works, but if I ping the printers from the Windows Server I get like 6 successes and 4 fails.



    I had to black out a bunch of stuff, since this firewall is set up for 2 companies (sorry).
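The mechanism that produces "Could not associate packet to any connection" in a topology like the one described above, modelled as an added example (not code from the thread, from Sophos or from MikroTik): the VPN box sits on the same subnet as the printer, so the request coming out of the tunnel reaches the printer without passing the XGS, while the printer's reply to a 10.19.15.x address is sent to its default gateway, where the firewall sees the second half of a flow it never saw begin. The XGS address 192.168.5.1 as the printer's default gateway and the VPN box not masquerading are assumptions; the model also does not explain why some pings succeed.

```python
"""Constructed model of an asymmetric return path through a stateful firewall.
Added example; the printer's default gateway (192.168.5.1 on the XGS) and the
VPN box behaviour are assumptions, not facts from the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.5.0/24")   # local LAN (from the thread)
VPN = ip_network("10.19.15.0/24")    # WireGuard subnet (from the thread)
XGS_LAN_IP = "192.168.5.1"           # ASSUMED: XGS br0 address, printer's default gateway
VPNBOX_LAN = "192.168.5.31"          # VPN box LAN address (from the thread)
SERVER = "10.19.15.1"                # remote Windows server (from the thread)
PRINTER = "192.168.5.96"             # printer (from the thread)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    is_reply: bool  # True for an ICMP echo reply, TCP SYN-ACK, etc.


class StatefulFirewall:
    """Minimal connection tracker: a reply with no tracked flow is 'invalid traffic'."""

    def __init__(self):
        self.flows = set()
        self.log = []
        # Static route from the thread: 10.19.15.0/24 via the VPN box on br0.
        self.routes = {VPN: (VPNBOX_LAN, "br0"), LAN: (None, "br0")}

    def route(self, dst):
        for net, via in self.routes.items():
            if ip_address(dst) in net:
                return via
        return (None, "wan")

    def forward(self, pkt, in_iface):
        key = (pkt.src, pkt.dst)
        if key in self.flows or key[::-1] in self.flows:
            return "ALLOW (existing flow)"
        if not pkt.is_reply:          # a connection initiator may open a flow
            self.flows.add(key)
            return "ALLOW (new flow)"
        gw, out_iface = self.route(pkt.dst)
        self.log.append(
            f"Could not associate packet to any connection: {pkt.src} -> {pkt.dst}, "
            f"in {in_iface}, out {out_iface} via {gw}")
        return "DROP (invalid traffic)"


def printer_next_hop(dst):
    """The printer talks directly to on-subnet hosts, otherwise to its default gateway."""
    return "direct" if ip_address(dst) in LAN else XGS_LAN_IP


def trace_ping(fw, nat_on_vpnbox):
    """Walk one echo request/reply from the server to the printer and back.
    Returns (event list, outcome)."""
    events = []
    # The request leaves the tunnel at the VPN box, which is on the printer's own
    # subnet, so it is delivered on the LAN without touching the XGS.
    req_src = VPNBOX_LAN if nat_on_vpnbox else SERVER
    events.append(f"request {req_src} -> {PRINTER} delivered by the VPN box on the LAN; XGS not in path")
    reply = Packet(PRINTER, req_src, is_reply=True)
    hop = printer_next_hop(reply.dst)
    if hop == "direct":
        events.append(f"reply {reply.src} -> {reply.dst} sent directly to the VPN box")
        return events, "reply delivered"
    events.append(f"reply {reply.src} -> {reply.dst} sent to default gateway {hop}")
    verdict = fw.forward(reply, in_iface="br0")
    events.append(f"XGS: {verdict}")
    return events, "reply delivered" if verdict.startswith("ALLOW") else "reply dropped"


if __name__ == "__main__":
    for nat in (False, True):
        fw = StatefulFirewall()
        events, outcome = trace_ping(fw, nat_on_vpnbox=nat)
        print(f"\n--- masquerade on VPN box: {nat} -> {outcome}")
        print("\n".join(events + fw.log))
```

The second run shows why the NAT question matters: if the VPN box masquerades tunnel traffic behind its LAN address, the printer's reply stays on the subnet and the XGS is never asked to judge a flow it has not seen. A static route for 10.19.15.0/24 on the printer pointing at the VPN box would have the same effect in this model.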

  • Hello Rene,

    Does the MikroTik router perhaps do some kind of NAT?

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner


  • Not sure how it is configured, since a 3rd Party company did the configuration. We let them check the configuration of the mikrotik router and since the VPN is working again, and I can ping the printer from the offsite Windows Server, the problem is the configuration of the Sophos.
    The strange thing to me is that some pings go through and some get dropped (screenshot of the log).
    As you can see in the firewall configuration screenshot, I already deactivated a bunch of stuff like IPS security etc. just to make sure the problem is not caused by anything like IPS etc.

  • Hello Rene,

    The excerpt from the log you show us has tcp/9100, that is the HP printing port, not ICMP. Did you actually test with ping?

    And believe it or not: a network diagram would be very helpful, as I don't really understand your setup either.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner
