
Sophos Firewall: Temporary Fix OpenVPN (3.4.0) Unsupported Options error

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.



Overview

This recommended read describes a workaround for OpenVPN 3.4.0 failing to connect with an Unsupported Options error.

Background

Starting with release 3.4, OpenVPN validates the parameters it is given; if a parameter is redundant or unsupported, the connection fails with Connection Failed (specifically UNSUPPORTED OPTIONS) when a user tries to connect using OpenVPN.

The route-delay command is the specific option that causes the connection to fail; this option is used/needed when addresses are issued dynamically to the tunnel interfaces. This setting is still necessary for the OVPN version in Sophos Connect. 

Temporary Fix

1. Access the Sophos Firewall via SSH

2. Press 5 > 3 in the Main Menu to land in the Advanced Shell

3. Enter the following line: vi /content/sslvpn/client-config-template.ovpn

The above command opens the file client-config-template.ovpn in the vi editor

4. Press the Down Arrow on your keyboard until the cursor is on the line "route-delay 4"

5. Press the letter "i" on your keyboard to enter INSERT mode in vi, and press the semicolon symbol (;) on your keyboard

6. Press the ESC key on your keyboard, followed by :x or :wq (you should see the :x in the bottom-left corner of your screen in the Advanced Shell)

After this change, ask the user to access the User Portal to re-download the configuration, and the user won't be presented with the Unsupported Options error when trying to connect.

Note: This won't survive a firmware update, so you’ll need to re-enter the commands after a firmware upgrade.

Note: Sophos is aware of this error and plans to work on fixing this in the upcoming v19.5MR4 and v20.0MR1.
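
The same edit as steps 3 to 6, scripted so it can be re-applied after a firmware upgrade or run on a downloaded profile. This is an added example, not Sophos code: the function name disable_route_delay and the sample profile are constructed, and it assumes a POSIX shell with grep, sed, cp and mktemp available.

```shell
#!/bin/sh
# Comment out active "route-delay" directives in an OpenVPN profile,
# i.e. the edit done by hand in vi in steps 3-6.
# disable_route_delay is a hypothetical helper name, not a Sophos tool.
# Prints the number of lines changed; returns 2 if the file is missing.

disable_route_delay() {
    profile=$1
    [ -f "$profile" ] || { echo "no such file: $profile" >&2; return 2; }

    # Active directive: optional indentation, then route-delay as a whole word.
    # Lines already starting with ';' or '#' do not match, so re-runs change nothing.
    count=$(grep -Ec '^[[:space:]]*route-delay([[:space:]]|$)' "$profile" || true)

    if [ "$count" -gt 0 ]; then
        cp -p "$profile" "$profile.bak" || return 1   # keep the original for rollback
        # Two expressions: directive with arguments, and bare directive.
        sed -e 's/^\([[:space:]]*\)\(route-delay[[:space:]]\)/\1;\2/' \
            -e 's/^\([[:space:]]*\)\(route-delay\)$/\1;\2/' \
            "$profile.bak" > "$profile" || return 1
    fi
    echo "$count"
}

# Dry run on a constructed sample profile (not a real Sophos export).
sample=$(mktemp)
cat > "$sample" <<'EOF'
client
dev tun
proto tcp
route-delay 4
;route-delay 4
verb 3
EOF
echo "lines changed: $(disable_route_delay "$sample")"
grep -n 'route-delay' "$sample"
rm -f "$sample" "$sample.bak"
```

On the firewall the argument would be the template path from step 3; on a client it would be the downloaded .ovpn file.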

Update

The latest mobile client updates on iOS/Android have added support for ignoring unsupported attributes; the issue isn’t solved for Desktop clients.

https://apps.apple.com/in/app/openvpn-connect-openvpn-app/id590379981
https://play.google.com/store/apps/details?id=net.openvpn.openvpn 

For UTM Firewall, kindly check the following link:




Added TAG
[edited by: Erick Jan at 8:51 AM (GMT -7) on 17 Sep 2024]
Parents Reply
  • This is still not fixed as of the latest firmware v20 as I write this June 8 2024. It is easy to fix by editing the profile. Open it in a text editor and add a semi-colon before the phrase route-delay-4. Of course it took ages of experimentation and trial and error before I found this post. Sophos please fix this. Edit: this fix will work for OpenVPN client on Mac but will not work for Ubuntu, which rejects the profile.
