Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.
Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
This recommended read describes a workaround for OpenVPN 3.4.0 failing to connect due to Unsupported Options.
Starting with release 3.4, OpenVPN validates the parameters in the configuration; if a parameter is redundant or unsupported, the connection fails with Connection Failed (specifically UNSUPPORTED OPTIONS) when a user tries to connect using OpenVPN.
The route-delay command is the specific option that causes the connection to fail; this option is used/needed when addresses are issued dynamically to the tunnel interfaces. This setting is still necessary for the OVPN version in Sophos Connect.
1. Access the Sophos Firewall via SSH
2. Press 5 > 3 in the Main Menu to land in the Advanced Shell
3. Enter the following line: vi /content/sslvpn/client-config-template.ovpn
The above command will open the file client-config-template.ovpn in the vi editor
4. Press the Down Arrow on your keyboard until the cursor is on the line "route-delay 4"
5. Press the letter "i" on your keyboard to enter INSERT mode in vi, and type a semicolon (;) at the start of the line so that it reads ";route-delay 4"; OpenVPN treats a line starting with a semicolon as a comment
6. Press the ESC key on your keyboard followed by :x or :wq (lowercase; you should see the :x in the bottom-left corner of your Advanced Shell screen)
After this change, ask the user to access the User Portal to re-download the configuration, and the user won't be presented with the Unsupported Options error when trying to connect.
Note: This won't survive a Firmware update, so you’ll need to re-enter the commands after doing a Firmware Upgrade
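The edit from steps 3 to 6 as a repeatable script, which is useful when a firmware upgrade restores the template. This is an added example, not Sophos code: the function name `disable_route_delay` is hypothetical, and it assumes `grep -E`, `sed -E` and `cp` are available in the shell where it runs (not verified for the Advanced Shell).

```shell
#!/bin/sh
# Added example: comment out the active route-delay directive in an
# OpenVPN profile or template. OpenVPN ignores lines starting with ';'.
#
# Usage: disable_route_delay /content/sslvpn/client-config-template.ovpn
#        disable_route_delay /path/to/downloaded-profile.ovpn
#
# Returns 0 if the file was changed, 1 if there was nothing to change
# (already commented out or not present), 2 on error.
disable_route_delay() {
    f=$1
    [ -f "$f" ] || { echo "not a file: $f" >&2; return 2; }

    # Match only an active directive: optional indentation, then
    # route-delay as a whole word. Lines already starting with ';' or '#'
    # do not match, so running the function twice is harmless.
    pat='^[[:space:]]*route-delay([[:space:]]|$)'
    grep -Eq "$pat" "$f" || return 1

    # Keep a copy of the untouched file next to it before editing.
    cp -p "$f" "$f.bak" || return 2

    # On matching lines, replace any indentation with a single ';' so the
    # semicolon is the first character of the line.
    tmp="$f.tmp.$$"
    sed -E "/$pat/ s/^[[:space:]]*/;/" "$f" > "$tmp" || { rm -f "$tmp"; return 2; }

    # Write back with cat so the original file keeps its owner and mode.
    cat "$tmp" > "$f" && rm -f "$tmp"
}
```

Users still need to re-download the configuration from the User Portal after the template is changed.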
Note: Sophos is aware of this error and plans to work on fixing this in the upcoming v19.5MR4 and v20.0MR1.
The latest mobile client updates on iOS/Android have added support for ignoring unsupported attributes; the issue isn’t solved for Desktop clients.
https://apps.apple.com/in/app/openvpn-connect-openvpn-app/id590379981
https://play.google.com/store/apps/details?id=net.openvpn.openvpn
For UTM Firewall, kindly check the following link:
Hi,
I met this issue and right searched this article. Just one more question: after I input :X, what should I do in the SSH screen? Click Enter and input a customized encrypt key, or just close the SSH directly?
Hi,
with SFOS 19.5.3 MR3 this temp Fix worked fine.
... But I did the same with SFOS 20.0.0. EAP1 and the fresh downloaded .ovp File still shows route-delay without ";".
Hello Gerd,
Thank you for reaching out!
I was able to replicate the same; since this is being reported in EAP1, I would check internally if this is fixed in GA.
Regards,
The option as it stands is required for the Sophos Desktop VPN Client; I imagine once this is dealt with on the client they'll patch it in an MR.
Hi, we also have this problem but it is only relevant for iPhone users.
If we apply this solution, will all users have to download new profiles to connect, or is it enough for the affected users to update their profile and everyone else can continue to work with the old one?
Regards, Alex
Hi Alex,
Of course not, you only have to do this for the devices (iPhone) that are affected.
BR Gerd
This is still an issue in v20 that's just been released. Is this a fix that needs to be in the connect client then rather than the firewall firmware? If so, is there an expected timescale for this?
Note: Sophos is aware of this error and plans to work on fixing this in the upcoming v19.5MR4 and v20.0MR1.
Wait for MR1 :-)
-----
Best regards
Martin
Sophos XGS 2100 @ Home | Sophos v20 Technician
Yes,
https://apps.apple.com/in/app/openvpn-connect-openvpn-app/id590379981
https://play.google.com/store/apps/details?id=net.openvpn.openvpn
Latest mobile clients have provision to ignore unsupported attribute.
Is this a hot fix or a firmware update? Don't spot anything prompting an update when I go into firewall.
This is still not fixed as of the latest firmware v20 as I write this June 8 2024. It is easy to fix by editing the profile. Open it in a text editor and add a semi-colon before the phrase route-delay-4. Of course it took ages of experimentation and trial and error before I found this post. Sophos please fix this. Edit: this fix will work for OpenVPN client on Mac but will not work for Ubuntu, which rejects the profile.
Did you try the V20.0 MR1?
I don't see that as available. We are on SFOS 20.0.0 GA-Build222 and it is telling me no more updates.
Also I just noticed this statement "The latest mobile client updates on iOS/Android has added support to ignore unsupported attribute; the issue isn’t solved for Desktop clients. "