This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL VPN - Install client on Linux VPS, have static IP

I'm trying to establish a reliable VPN connection from a cloud VPS (CentOS7) to my Sophos UTM.

The purpose is for taking a Veeam Linux Agent backup of the VPS. The backup destination is a Veeam B&R repository on the local network (192.168.1.0/24), behind the Sophos UTM.

I have installed the OpenVPN client on the VPS and I can establish a connection but the VPS gets a dynamic IP (10.242.2.0/24). It needs a static IP. I tried adding a SNAT as described here, but it does not help for some reason. Is there a rule that needs to be added to iptables on the VPS?

I even considered working with the dynamic IP and running the backup job manually but for whatever reason, the VPN connection periodically disconnects/reconnects and the VPS gets a new IP each time so the backup job fails.

Any ideas? I'm open to suggestions. In Veeam I can specify the computer that is being backed up by name or IP.

What do most people use to backup/restore a cloud VPS? I have to store the backup on a Windows NTFS partition so sticking with Veeam would eliminate a lot of the Linux to Windows file system headaches.

UPDATE (2021-06-15):

The post I linked to above only mentions creating a SNAT. I found a more recent post which mentions creating a SNAT and a DNAT. This works in my preliminary testing.

So to make this work, you need three things:

  • Host network definition:
    • This is where you specify the local,static IP that you want to assign to this particular user. You can even assign a DNS hostname.
    • Example: Test-static, 10.242.2.99, test.local, interface: Internal
  • SNAT:
    • test (User Network) -> Any -> Internal (Network) : from Test-static
  • DNAT:
    • Any -> Any -> Test-static : to test (User Network)


This thread was automatically locked due to age.
  • 10.242.2.0/24 is the default SSL VPN pool in Sophos UTM.  These are the default pools for their respective Remote Access pools:

    So you have to change the IP pool for that group, or modify it to your liking, and you should be able to have your PC keep a static IP through VPN.

    UTM - 9.707 | Intel i3-4150 4th Gen Processor
    16GB Memory | 500GB SATA HDD | GB Ethernet x5

  • Thanks for the info. Can you elaborate? It seems to me that you can have multiple users that use the SSL VPN but you can have only one pool for all users. I have verified that when the VPN connection drops, I get a different IP when I reconnect. For example: I get 10.242.2 2. When the connection is reestablished, I get 10.242.2.3.

    --------------------------------------------------------------

    9.707-5 Sophos UTM Software Home Edition
    Installed on a Dell OptiPlex XE SFF:

    • Intel® Core™2 Duo Processor E8600
      • 6M Cache, 3.33 GHz, 1333 MHz FSB
    • 8GB RAM
  • It's a virtual IP pool so each user that logs in via VPN/SSL gets an IP address from that pool.  I use the default, and add my VPN Pool (SSL) group to my 'Allowed Networks' under DNS so that I can access my NAS and other resources by DNS name.

    I don't worry too much about static IPs for my VPN connections.  But, if you need a static IP, *if I am remembering this right* I don't believe you can have a static IP address for SSL, but you can with the other connection types, such as PPTP, IPSec and L2TP.  You can try creating a User Network Object to get your static IP assignment, I don't know if that works or not.  I'll have to try it out and see what I can do with it myself.

    I believe it's available in XG series (lol) but not SG to have the static IP assignments in SSL.

    UTM - 9.707 | Intel i3-4150 4th Gen Processor
    16GB Memory | 500GB SATA HDD | GB Ethernet x5

  • I updated my original post. It seems a DNAT is also needed to make this work. I also neglected to tie the static host entry to the internal interface. It was defaulted to ANY.

    --------------------------------------------------------------

    9.707-5 Sophos UTM Software Home Edition
    Installed on a Dell OptiPlex XE SFF:

    • Intel® Core™2 Duo Processor E8600
      • 6M Cache, 3.33 GHz, 1333 MHz FSB
    • 8GB RAM
  • The other "trick" that can be used is to NOT select ' Allow multiple concurrent connections per user' on the 'Settings' tab.  That will usually insure that each user gets the same IP every time.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA