Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 6 subscribers
  • Views 1273 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL VPN - Install client on Linux VPS, have static IP

Jeff x

I'm trying to establish a reliable VPN connection from a cloud VPS (CentOS7) to my Sophos UTM.

The purpose is for taking a Veeam Linux Agent backup of the VPS. The backup destination is a Veeam B&R repository on the local network (192.168.1.0/24), behind the Sophos UTM.

I have installed the OpenVPN client on the VPS and I can establish a connection but the VPS gets a dynamic IP (10.242.2.0/24). It needs a static IP. I tried adding a SNAT as described here, but it does not help for some reason. Is there a rule that needs to be added to iptables on the VPS?

I even considered working with the dynamic IP and running the backup job manually but for whatever reason, the VPN connection periodically disconnects/reconnects and the VPS gets a new IP each time so the backup job fails.

Any ideas? I'm open to suggestions. In Veeam I can specify the computer that is being backed up by name or IP.

What do most people use to backup/restore a cloud VPS? I have to store the backup on a Windows NTFS partition so sticking with Veeam would eliminate a lot of the Linux to Windows file system headaches.

UPDATE (2021-06-15):

The post I linked to above only mentions creating a SNAT. I found a more recent post which mentions creating a SNAT and a DNAT. This works in my preliminary testing.

So to make this work, you need three things:

  • Host network definition:
    • This is where you specify the local,static IP that you want to assign to this particular user. You can even assign a DNS hostname.
    • Example: Test-static, 10.242.2.99, test.local, interface: Internal
  • SNAT:
    • test (User Network) -> Any -> Internal (Network) : from Test-static
  • DNAT:
    • Any -> Any -> Test-static : to test (User Network)


This thread was automatically locked due to age.
Parents
  • 0

    10.242.2.0/24 is the default SSL VPN pool in Sophos UTM.  These are the default pools for their respective Remote Access pools:

    So you have to change the IP pool for that group, or modify it to your liking, and you should be able to have your PC keep a static IP through VPN.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • 0 in reply to Amodin

    Thanks for the info. Can you elaborate? It seems to me that you can have multiple users that use the SSL VPN but you can have only one pool for all users. I have verified that when the VPN connection drops, I get a different IP when I reconnect. For example: I get 10.242.2 2. When the connection is reestablished, I get 10.242.2.3.

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

Reply
  • 0 in reply to Amodin

    Thanks for the info. Can you elaborate? It seems to me that you can have multiple users that use the SSL VPN but you can have only one pool for all users. I have verified that when the VPN connection drops, I get a different IP when I reconnect. For example: I get 10.242.2 2. When the connection is reestablished, I get 10.242.2.3.

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

Children
  • 0 in reply to Jeff x

    It's a virtual IP pool so each user that logs in via VPN/SSL gets an IP address from that pool.  I use the default, and add my VPN Pool (SSL) group to my 'Allowed Networks' under DNS so that I can access my NAS and other resources by DNS name.

    I don't worry too much about static IPs for my VPN connections.  But, if you need a static IP, *if I am remembering this right* I don't believe you can have a static IP address for SSL, but you can with the other connection types, such as PPTP, IPSec and L2TP.  You can try creating a User Network Object to get your static IP assignment, I don't know if that works or not.  I'll have to try it out and see what I can do with it myself.

    I believe it's available in XG series (lol) but not SG to have the static IP assignments in SSL.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • 0 in reply to Amodin

    I updated my original post. It seems a DNAT is also needed to make this work. I also neglected to tie the static host entry to the internal interface. It was defaulted to ANY.

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

  • 0 in reply to Jeff x

    The other "trick" that can be used is to NOT select ' Allow multiple concurrent connections per user' on the 'Settings' tab.  That will usually insure that each user gets the same IP every time.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML