[Howto] Sophos SSL VPN: Always on device tunnel, group policy software install applies correctly on boot


I'd just like to document how we did it:

  • Sophos UTM SG 230 running latest firmware:
    • SSL VPN configured, multiple connections allowed, compression disabled
    • Each device got a new local user account on the UTM with their machine name, e.g. "COMPUTER$"
    • Each device got a password, uniquely per machine.
    • Then, we manually export the certificates required to connect to our file server.
  • File Server: 
    • The file server limits access: One SMB shared sub-folder per machine with ACL set to "COMPUTER$:readOnly" and all other ACL revoked. That ensures Windows domain machines can only read their own certificates and not other ones.
  • Client machine:
    • OpenVPN (with Service option) installed by MSI+MST (transform), version 2.5.3-I601.
    • A batch script running under LocalSystem on boot uses the machine's (domain) account "COMPUTER$" to retrieve the certificate when the client is on-site and connected to the corporate network via cable.
    • The retrieved machine cert is combined like this to a new OpenVPN profile, comprised of:
      • OpenVPN profile
      • CA cert (the same for all machines)
      • Machine cert (different for each machine)

We use a full tunnel and also tunnel DNS fully to the corporate's DNS servers on the internal network.

This is the profile that allows for full Software/GPO deployment pre-logon on Windows 10.

  • C:\Program Files\OpenVPN\config-auto\COMPUTER.ovpn

dev tun
proto udp
remote vpn.company.com 443
verify-x509-name "C=XXX, L=XXX, O=XXX, CN=vpn.company.com, emailAddress=XXX@company.com"
route remote_host net_gateway
resolv-retry infinite
auth SHA1
comp-lzo no
route-delay 4
verb 3
reneg-sec 0
data-ciphers AES-128-CBC
pull-filter ignore "ping-restart "
ping-restart 25
pull-filter ignore "route "
pull-filter ignore "redirect-gateway "
redirect-gateway def1
pull-filter ignore "dhcp-option DNS"
pull-filter ignore "dhcp-option DOMAIN"
auth-user-pass [TOFILL_COMPUTERNAME].conf

Parents Reply Children
No Data