[Howto] Sophos SSL VPN: Always on device tunnel, group policy software install applies correctly on boot

Hi,

I'd just like to document how we did it:

  • Sophos UTM SG 230 running latest firmware:
    • SSL VPN configured, multiple connections allowed, compression disabled
    • Each device got a new local user account on the UTM with its machine name, e.g. "COMPUTER$"
    • Each device got a password, uniquely per machine.
    • Then, we manually export the certificates required to connect to our file server.
  • File Server:
    • The file server limits access: one SMB shared sub-folder per machine with the ACL set to "COMPUTER$:readOnly" and all other ACL entries revoked. That ensures Windows domain machines can only read their own certificates and not those of other machines.
  • Client machine:
    • OpenVPN (with Service option) installed by MSI+MST (transform), version 2.5.3-I601.
    • A batch script running under LocalSystem on boot uses the machine's (domain) account "COMPUTER$" to retrieve the certificate when the client is on-site and connected to the corporate network via cable.
    • The retrieved machine cert is combined into a new OpenVPN profile, consisting of:
      • OpenVPN profile
      • CA cert (the same for all machines)
      • Machine cert (different for each machine)

We use a full tunnel and also tunnel DNS fully to the corporate DNS servers on the internal network.

This is the profile that allows for full Software/GPO deployment pre-logon on Windows 10.

  • C:\Program Files\OpenVPN\config-auto\COMPUTER.ovpn

client
dev tun
proto udp
remote vpn.company.com 443
verify-x509-name "C=XXX, L=XXX, O=XXX, CN=vpn.company.com, emailAddress=XXX@company.com"
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
auth SHA1
comp-lzo no
route-delay 4
verb 3
reneg-sec 0
data-ciphers AES-128-CBC
pull-filter ignore "ping-restart "
ping-restart 25
pull-filter ignore "route "
pull-filter ignore "redirect-gateway "
redirect-gateway def1
pull-filter ignore "dhcp-option DNS"
dhcp-option DNS [TOFILL_CORPORATE_DNS_SERVER_1]
dhcp-option DNS [TOFILL_CORPORATE_DNS_SERVER_2]
register-dns
block-outside-dns
pull-filter ignore "dhcp-option DOMAIN"
dhcp-option DOMAIN [TOFILL_CORPORATE_DOMAIN_TLD]
auth-nocache
auth-user-pass [TOFILL_COMPUTERNAME].conf
<ca>
...[TOFILL_CA_CERT]...
</ca>
<cert>
...[TOFILL_MACHINE_CERT]...
</cert>
<key>
...[TOFILL_MACHINE_CERT_PRIVATE_KEY]...
</key>
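As an added example that is not the poster's own batch script, here is the boot-time assembly step written in PowerShell: it fetches the machine cert and key from the per-machine share as COMPUTER$, fills the [TOFILL_COMPUTERNAME] placeholder in a template made from the profile above (without the <ca>/<cert>/<key> blocks), appends those inline blocks, and locks the finished file down before swapping it in. The share path, file names and OpenVPN service name are assumptions.

```powershell
# Added example, not the original poster's batch script. Runs as LocalSystem at boot,
# so the SMB access below is authenticated as the machine account (COMPUTER$).
# Share path, file names and the service name are assumptions.
$ErrorActionPreference = 'Stop'
$Name     = $env:COMPUTERNAME
$Share    = "\\fs01.corp.example\vpncerts\$Name"      # per-machine folder, ACL COMPUTER$:readOnly
$CfgDir   = 'C:\Program Files\OpenVPN\config-auto'
$Template = Join-Path $CfgDir 'template.ovpn'         # the profile above without <ca>/<cert>/<key>
$CaCert   = Join-Path $CfgDir 'ca.crt'                # same CA cert for all machines
$Out      = Join-Path $CfgDir "$Name.ovpn"

# Only refresh on-site: the file server is reachable solely from the internal network.
if (-not (Test-Path -LiteralPath $Share)) {
    Write-Output "$Share not reachable; keeping the existing profile."
    exit 0
}
$MachineCert = Get-Content -Raw -LiteralPath (Join-Path $Share "$Name.crt")
$MachineKey  = Get-Content -Raw -LiteralPath (Join-Path $Share "$Name.key")

# Refuse to build a profile from anything that does not look like PEM material.
if ($MachineCert -notmatch '-----BEGIN CERTIFICATE-----' -or
    $MachineKey  -notmatch '-----BEGIN (RSA |EC )?PRIVATE KEY-----') {
    throw "Unexpected file contents under $Share"
}

# Fill the [TOFILL_COMPUTERNAME] placeholder and append the inline PEM blocks.
$Body = (Get-Content -Raw -LiteralPath $Template).Replace('[TOFILL_COMPUTERNAME]', $Name).TrimEnd()
$Profile = @(
    $Body
    '<ca>';   (Get-Content -Raw -LiteralPath $CaCert).TrimEnd(); '</ca>'
    '<cert>'; $MachineCert.TrimEnd();                            '</cert>'
    '<key>';  $MachineKey.TrimEnd();                             '</key>'
) -join "`r`n"

# Write to a temp file, restrict it to SYSTEM and Administrators (it now holds the
# private key), then swap it into place so OpenVPN never loads a half-written file.
$Tmp = "$Out.tmp"
Set-Content -LiteralPath $Tmp -Value $Profile -Encoding ASCII -NoNewline
& icacls.exe $Tmp /inheritance:r /grant:r 'SYSTEM:(F)' 'BUILTIN\Administrators:(F)' | Out-Null
Move-Item -LiteralPath $Tmp -Destination $Out -Force

# The automatic service (assumed name: OpenVPNService) rescans config-auto on start.
Restart-Service -Name OpenVPNService
```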