This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

OpenVPN problem: no access to internal network

I have set up UTM 9.702-1 for Home use and want to connect remotely to internal network via OpenVPN. Internet Router is an AVM Fritz!Box and UTM uses AVM Fritz!Box as gateway. The OpenVPN Windows 10 client connects with UTM and has access to UTM but not to the internal network.

 The connection log in the OpenVPN client software shows at the end that a route is set from VPN Pool (SSL) network 192.168.11.128/25 with gateway 192.168.11.129 to internal network 192.168.9.0/24:

Thu Jul 02 11:11:37 2020 C:\WINDOWS\system32\route.exe ADD 192.168.9.0 MASK 255.255.255.0 192.168.11.129
Thu Jul 02 11:11:37 2020 Route addition via service succeeded

Sadly the route is not usable / not working.

I tried different client software, tried to set the route manually as static or dynamic route under “Interfaces & Routing”, different client connection config file and so on.

Any help is greatly appreciated to gain access to internal network from VPN Pool (SSL) network!

 

 

=====================================
     Konfiguration for OpenVPN
=====================================

 

=====================================
     ovpn config file for client connection
=====================================
auth-nocache
client
dev tun
proto udp
remote [public ip address] 1195
verify-x509-name "C=de, L=[city], O=[company name], CN=firewall, emailAddress=admin@company.eu"
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
cipher AES-256-CBC
auth SHA512
comp-lzo
route-delay 4
verb 3
reneg-sec 0
<ca>
[certificate]
</ca>
<cert>
[certificate]
</cert>
<key>
[key]
</key>

 

 

=====================================
     Client Connection log file
=====================================
Thu Jul 02 11:11:28 2020 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Thu Jul 02 11:11:28 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Jul 02 11:11:28 2020 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Thu Jul 02 11:11:28 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25344
Thu Jul 02 11:11:28 2020 Need hold release from management interface, waiting...
Thu Jul 02 11:11:29 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25344
Thu Jul 02 11:11:29 2020 MANAGEMENT: CMD 'state on'
Thu Jul 02 11:11:29 2020 MANAGEMENT: CMD 'log all on'
Thu Jul 02 11:11:29 2020 MANAGEMENT: CMD 'echo all on'
Thu Jul 02 11:11:29 2020 MANAGEMENT: CMD 'hold off'
Thu Jul 02 11:11:29 2020 MANAGEMENT: CMD 'hold release'
Thu Jul 02 11:11:30 2020 MANAGEMENT: CMD 'username "Auth" "[username]"'
Thu Jul 02 11:11:30 2020 MANAGEMENT: CMD 'password [...]'
Thu Jul 02 11:11:31 2020 MANAGEMENT: >STATE:1592212291,RESOLVE,,,,,,
Thu Jul 02 11:11:31 2020 TCP/UDP: Preserving recently used remote address: [AF_INET][public ip address]:1195
Thu Jul 02 11:11:31 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Jul 02 11:11:31 2020 UDP link local: (not bound)
Thu Jul 02 11:11:31 2020 UDP link remote: [AF_INET][public ip address]:1195
Thu Jul 02 11:11:31 2020 MANAGEMENT: >STATE:1592212291,WAIT,,,,,,
Thu Jul 02 11:11:31 2020 MANAGEMENT: >STATE:1592212291,AUTH,,,,,,
Thu Jul 02 11:11:31 2020 TLS: Initial packet from [AF_INET][public ip address]:1195, sid=f2940432 d7e7e286
Thu Jul 02 11:11:31 2020 VERIFY OK: depth=1, C=de, L=[city], O=[company name], CN=[company name] VPN CA, emailAddress=[email]
Thu Jul 02 11:11:31 2020 VERIFY X509NAME OK: C=de, L=[city], O=[company name], CN=firewall, emailAddress=[email]
Thu Jul 02 11:11:31 2020 VERIFY OK: depth=0, C=de, L=[city], O=[company name], CN=firewall, emailAddress=[email]
Thu Jul 02 11:11:32 2020 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Jul 02 11:11:32 2020 [firewall] Peer Connection Initiated with [AF_INET][public ip address]:1195
Thu Jul 02 11:11:33 2020 MANAGEMENT: >STATE:1592212293,GET_CONFIG,,,,,,
Thu Jul 02 11:11:33 2020 SENT CONTROL [firewall]: 'PUSH_REQUEST' (status=1)
Thu Jul 02 11:11:33 2020 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.11.129,route-gateway 192.168.11.129,topology subnet,ping 10,ping-restart 120,route 192.168.9.0 255.255.255.0,ifconfig 192.168.11.132 255.255.255.128'
Thu Jul 02 11:11:33 2020 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jul 02 11:11:33 2020 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jul 02 11:11:33 2020 OPTIONS IMPORT: route options modified
Thu Jul 02 11:11:33 2020 OPTIONS IMPORT: route-related options modified
Thu Jul 02 11:11:33 2020 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Jul 02 11:11:33 2020 Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Jul 02 11:11:33 2020 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Jul 02 11:11:33 2020 Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Jul 02 11:11:33 2020 interactive service msg_channel=460
Thu Jul 02 11:11:33 2020 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 I=18 HWADDR=50:7b:9d:58:72:a3
Thu Jul 02 11:11:33 2020 open_tun
Thu Jul 02 11:11:33 2020 TAP-WIN32 device [OpenVPN] opened: \\.\Global\{7FD1AB5C-B6F6-4BE0-99EC-E7EEBB59BCFC}.tap
Thu Jul 02 11:11:33 2020 TAP-Windows Driver Version 9.21
Thu Jul 02 11:11:33 2020 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.11.128/192.168.11.132/255.255.255.128 [SUCCEEDED]
Thu Jul 02 11:11:33 2020 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.11.132/255.255.255.128 on interface {7FD1AB5C-B6F6-4BE0-99EC-E7EEBB59BCFC} [DHCP-serv: 192.168.11.254, lease-time: 31536000]
Thu Jul 02 11:11:33 2020 Successful ARP Flush on interface [14] {7FD1AB5C-B6F6-4BE0-99EC-E7EEBB59BCFC}
Thu Jul 02 11:11:33 2020 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Jul 02 11:11:33 2020 MANAGEMENT: >STATE:1592212293,ASSIGN_IP,,192.168.11.132,,,,
Thu Jul 02 11:11:37 2020 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Thu Jul 02 11:11:37 2020 MANAGEMENT: >STATE:1592212297,ADD_ROUTES,,,,,,
Thu Jul 02 11:11:37 2020 C:\WINDOWS\system32\route.exe ADD [public ip address] MASK 255.255.255.255 192.168.1.1
Thu Jul 02 11:11:37 2020 Route addition via service succeeded
Thu Jul 02 11:11:37 2020 C:\WINDOWS\system32\route.exe ADD 192.168.9.0 MASK 255.255.255.0 192.168.11.129
Thu Jul 02 11:11:37 2020 Route addition via service succeeded
Thu Jul 02 11:11:37 2020 Initialization Sequence Completed
Thu Jul 02 11:11:37 2020 MANAGEMENT: >STATE:1592212297,CONNECTED,SUCCESS,192.168.11.132,[public ip address],1195,,



This thread was automatically locked due to age.
Parents
  • Hello Udo,

    Thank you for contacting the Sophos Community.

    Can run the following command from the Shell of the UTM by following this KB

    # ifconfig

    tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:10.242.32.1 P-t-P:10.242.32.1 Mask:255.255.255.0
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
    RX packets:18358 errors:0 dropped:0 overruns:0 frame:0
    TX packets:23372 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:1444224 (1.3 Mb) TX bytes:29051632 (27.7 Mb)

    The output should show you a tun interface with the IP of the SSLVPN Pool,  then run this command

    #tcpdump -eni any host X.X.X.X (X.X.X.X is the IP you got from the SSL VPN)

    This step will let us know if the traffic is beinf routed to the UTM. 

    Regards,

     


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
Reply
  • Hello Udo,

    Thank you for contacting the Sophos Community.

    Can run the following command from the Shell of the UTM by following this KB

    # ifconfig

    tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:10.242.32.1 P-t-P:10.242.32.1 Mask:255.255.255.0
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
    RX packets:18358 errors:0 dropped:0 overruns:0 frame:0
    TX packets:23372 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:1444224 (1.3 Mb) TX bytes:29051632 (27.7 Mb)

    The output should show you a tun interface with the IP of the SSLVPN Pool,  then run this command

    #tcpdump -eni any host X.X.X.X (X.X.X.X is the IP you got from the SSL VPN)

    This step will let us know if the traffic is beinf routed to the UTM. 

    Regards,

     


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
Children
  • Hello emmosophos,

    yes there is a tun0 interface:

    firewall:/home/login # ifconfig
    eth0 Link encap:Ethernet HWaddr 00:15:5D:01:0C:2C
    inet addr:192.168.9.8 Bcast:192.168.9.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:18587 errors:0 dropped:3854 overruns:0 frame:0
    TX packets:14783 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:2380253 (2.2 Mb) TX bytes:16471494 (15.7 Mb)

    eth1 Link encap:Ethernet HWaddr 00:15:5D:01:0C:2D
    inet addr:192.168.8.3 Bcast:192.168.8.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:114043 errors:0 dropped:3854 overruns:0 frame:0
    TX packets:142167 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:61327490 (58.4 Mb) TX bytes:66008422 (62.9 Mb)

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:65536 Metric:1
    RX packets:97954 errors:0 dropped:0 overruns:0 frame:0
    TX packets:97954 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:39892007 (38.0 Mb) TX bytes:39892007 (38.0 Mb)

    tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:192.168.11.129 P-t-P:192.168.11.129 Mask:255.255.255.128
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
    RX packets:72025 errors:0 dropped:0 overruns:0 frame:0
    TX packets:132771 errors:0 dropped:125 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:3182010 (3.0 Mb) TX bytes:47870199 (45.6 Mb)

    And yes I get a ton of output mostly to port 22 (SSH) but also also some to an ip address within internal network which I tried to ping or access a file share: 

    # tcpdump -eni any host 192.168.11.130

    11:03:55.245350 In ethertype IPv4 (0x0800), length 76: 192.168.11.130 > 192.168.9.2: ICMP echo request, id 1, seq 8, length 40
    11:03:55.245475 In ethertype IPv4 (0x0800), length 56: 192.168.11.130.58660 > 192.168.9.8.22: Flags [.], ack 12349152, win 511, length 0
    11:03:55.245620 Out 00:15:5d:01:0c:2c ethertype IPv4 (0x0800), length 76: 192.168.11.130 > 192.168.9.2: ICMP echo request, id 1, seq 8, length 40
    11:03:55.245628 Out ethertype IPv4 (0x0800), length 280: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 12389808:12390032, ack 14161, win 556, length 224
    11:03:55.245679 In ethertype IPv4 (0x0800), length 56: 192.168.11.130.58660 > 192.168.9.8.22: Flags [.], ack 12349872, win 516, length 0
    11:03:55.245806 In ethertype IPv4 (0x0800), length 56: 192.168.11.130.58660 > 192.168.9.8.22: Flags [.], ack 12350320, win 514, length 0
    11:03:55.246134 Out ethertype IPv4 (0x0800), length 968: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 12390032:12390944, ack 14161, win 556, length 912
    11:03:55.246189 In ethertype IPv4 (0x0800), length 56: 192.168.11.130.58660 > 192.168.9.8.22: Flags [.], ack 12351184, win 516, length 0
    11:03:55.246320 In ethertype IPv4 (0x0800), length 56: 192.168.11.130.58660 > 192.168.9.8.22: Flags [.], ack 12351632, win 514, length 0

    [...]

    11:03:55.392227 B 00:15:5d:01:0c:11 ethertype ARP (0x0806), length 44: Request who-has 192.168.11.130 tell 192.168.9.2, length 28
    11:03:55.392350 B 00:15:5d:01:0c:11 ethertype ARP (0x0806), length 62: Request who-has 192.168.11.130 tell 192.168.9.2, length 46
    11:03:55.393268 In ethertype IPv4 (0x0800), length 56: 192.168.11.130.58660 > 192.168.9.8.22: Flags [.], ack 12504672, win 516, length 0
    11:03:55.393397 Out ethertype IPv4 (0x0800), length 664: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 12546752:12547360, ack 14321, win 556, length 608
    11:03:55.393558 Out ethertype IPv4 (0x0800), length 408: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 12547360:12547712, ack 14321, win 556, length 352
    11:03:55.399061 In ethertype IPv4 (0x0800), length 56: 192.168.11.130.58660 > 192.168.9.8.22: Flags [.], ack 12505392, win 513, length 0
    11:03:55.399242 Out ethertype IPv4 (0x0800), length 280: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 12547712:12547936, ack 14321, win 556, length 224
    11:03:55.399140 In ethertype IPv4 (0x0800), length 56: 192.168.11.130.58660 > 192.168.9.8.22: Flags [.], ack 12505840, win 511, length 0

    [...]

    11:03:56.581766 In ethertype IPv4 (0x0800), length 68: 192.168.11.130.58802 > 192.168.9.2.445: Flags [S], seq 989789965, win 64240, options [mss 1308,nop,wscale 8,nop,nop,sackOK], length 0
    11:03:56.581900 In ethertype IPv4 (0x0800), length 56: 192.168.11.130.58660 > 192.168.9.8.22: Flags [.], ack 13452480, win 516, length 0
    11:03:56.582080 Out ethertype IPv4 (0x0800), length 280: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 13486800:13487024, ack 15281, win 556, length 224
    11:03:56.582178 Out ethertype IPv4 (0x0800), length 888: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 13487024:13487856, ack 15281, win 556, length 832
    11:03:56.582365 Out ethertype IPv4 (0x0800), length 280: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 13487856:13488080, ack 15281, win 556, length 224
    11:03:56.582457 Out ethertype IPv4 (0x0800), length 280: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 13488080:13488304, ack 15281, win 556, length 224
    11:03:56.582541 Out ethertype IPv4 (0x0800), length 280: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 13488304:13488528, ack 15281, win 556, length 224
    11:03:56.582624 Out ethertype IPv4 (0x0800), length 280: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 13488528:13488752, ack 15281, win 556, length 224
    11:03:56.582707 Out ethertype IPv4 (0x0800), length 280: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 13488752:13488976, ack 15281, win 556, length 224
    11:03:56.582815 Out ethertype IPv4 (0x0800), length 280: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 13488976:13489200, ack 15281, win 556, length 224
    11:03:56.582962 Out ethertype IPv4 (0x0800), length 280: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 13489200:13489424, ack 15281, win 556, length 224
    11:03:56.583071 Out ethertype IPv4 (0x0800), length 280: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 13489424:13489648, ack 15281, win 556, length 224
    11:03:56.583155 Out ethertype IPv4 (0x0800), length 280: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 13489648:13489872, ack 15281, win 556, length 224
    11:03:56.583173 Out 00:15:5d:01:0c:2c ethertype IPv4 (0x0800), length 68: 192.168.11.130.58802 > 192.168.9.2.445: Flags [S], seq 989789965, win 64240, options [mss 1308,nop,wscale 8,nop,nop,sackOK], length 0
    11:03:56.583287 In ethertype IPv4 (0x0800), length 56: 192.168.11.130.58660 > 192.168.9.8.22: Flags [.], ack 13452928, win 514, length 0
    11:03:56.583457 Out ethertype IPv4 (0x0800), length 712: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 13489872:13490528, ack 15281, win 556, length 656
    11:03:56.583405 In ethertype IPv4 (0x0800), length 56: 192.168.11.130.58660 > 192.168.9.8.22: Flags [.], ack 13453376, win 512, length 0
    11:03:56.583475 In ethertype IPv4 (0x0800), length 56: 192.168.11.130.58660 > 192.168.9.8.22: Flags [.], ack 13453824, win 516, length 0
    11:03:56.583900 Out ethertype IPv4 (0x0800), length 696: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 13490528:13491168, ack 15281, win 556, length 640
    11:03:56.583883 In ethertype IPv4 (0x0800), length 56: 192.168.11.130.58660 > 192.168.9.8.22: Flags [.], ack 13454272, win 514, length 0
    11:03:56.584143 Out ethertype IPv4 (0x0800), length 408: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 13491168:13491520, ack 15281, win 556, length 352
    11:03:56.584247 Out ethertype IPv4 (0x0800), length 280: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 13491520:13491744, ack 15281, win 556, length 224
    11:03:56.584344 Out ethertype IPv4 (0x0800), length 280: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 13491744:13491968, ack 15281, win 556, length 224
    11:03:56.584440 Out ethertype IPv4 (0x0800), length 280: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 13491968:13492192, ack 15281, win 556, length 224
    11:03:56.584434 In ethertype IPv4 (0x0800), length 56: 192.168.11.130.58660 > 192.168.9.8.22: Flags [.], ack 13454720, win 512, length 0
    11:03:56.584747 Out ethertype IPv4 (0x0800), length 280: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 13492192:13492416, ack 15281, win 556, length 224
    11:03:56.584890 Out ethertype IPv4 (0x0800), length 248: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 13492416:13492608, ack 15281, win 556, length 192
    11:03:56.584983 Out ethertype IPv4 (0x0800), length 280: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 13492608:13492832, ack 15281, win 556, length 224
    11:03:56.585067 Out ethertype IPv4 (0x0800), length 280: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 13492832:13493056, ack 15281, win 556, length 224
    11:03:56.585141 In ethertype IPv4 (0x0800), length 56: 192.168.11.130.58660 > 192.168.9.8.22: Flags [.], ack 13455168, win 516, length 0
    11:03:56.585273 Out ethertype IPv4 (0x0800), length 280: 192.168.9.8.22 > 192.168.11.130.58660: Flags [P.], seq 13493056:13493280, ack 15281, win 556, length 224
    11:03:56.585155 B 00:15:5d:01:0c:11 ethertype ARP (0x0806), length 44: Request who-has 192.168.11.130 tell 192.168.9.2, length 28
    11:03:56.585258 In ethertype IPv4 (0x0800), length 56: 192.168.11.130.58660 > 192.168.9.8.22: Flags [.], ack 13455888, win 513, length 0
    11:03:56.585330 B 00:15:5d:01:0c:11 ethertype ARP (0x0806), length 62: Request who-has 192.168.11.130 tell 192.168.9.2, length 46
    ^C
    72661 packets captured
    72699 packets received by filter
    38 packets dropped by kernel

  • Hello Udo Eber,

    Thank you for the update.

    So it means that the traffic is reaching the UTM but I don't see a reply from 192.168.9.2 it could be that the Local Firewall of the machine, is not replying to packets that are not from its subnet, would it be possible for you to try to disable the Local Firewall.

    Additionally to this if that work, you could try creating a SNAT for the SSLVPN traffic so when it comes from the tunnel and out the LAN destination the UTM can Masquerade the traffic for the SSLVPN tunnel. You can follow the screenshot below, just match it to the destination (Going to) and the UTM interface where the computer connects to. (Change the source to). 

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hello emmosophos,

    yes thanks to the SNAT rule I can use now all network services of the internal network via OpenVPN:

    Thank you so much! Problem solved.

  • Hallo Udo and welcome to the UTM Community!

    My usual recommendation is to try the SNAT as a way to define the problem.  In most cases, the UTM's firewall makes the one in the local device redundant.  I prefer to disable the local firewall so that incoming traffic from the VPN can be identified by originating IP by the internal devices.  If that's not reasonable for some reason, then I would limit the SNAT to traffic only to that local device.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA