I'd just like to document how we did it:
- Sophos UTM SG 230 running latest firmware:
- SSL VPN configured, multiple connections allowed, compression disabled
- Each device got a new local user account on the UTM with their machine name, e.g. "COMPUTER$"
- Each device got a password, uniquely per machine.
- Then, we manually export the certificates required to connect to our file server.
- File Server:
- The file server limits access: One SMB shared sub-folder per machine with ACL set to "COMPUTER$:readOnly" and all other ACL revoked. That ensures Windows domain machines can only read their own certificates and not other ones.
- Client machine:
- OpenVPN (with Service option) installed by MSI+MST (transform), version 2.5.3-I601.
- A batch script running under LocalSystem on boot uses the machine's (domain) account "COMPUTER$" to retrieve the certificate when the client is on-site and connected to the corporate network via cable.
- The retrieved machine cert is combined like this to a new OpenVPN profile, comprised of:
- OpenVPN profile
- CA cert (the same for all machines)
- Machine cert (different for each machine)
We use a full tunnel and also tunnel DNS fully to the corporate's DNS servers on the internal network.
This is the profile that allows for full Software/GPO deployment pre-logon on Windows 10.
remote vpn.company.com 443
verify-x509-name "C=XXX, L=XXX, O=XXX, CN=vpn.company.com, emailAddress=XXX@company.com"
route remote_host 255.255.255.255 net_gateway
pull-filter ignore "ping-restart "
pull-filter ignore "route "
pull-filter ignore "redirect-gateway "
pull-filter ignore "dhcp-option DNS"
dhcp-option DNS [TOFILL_CORPORATE_DNS_SERVER_1]
dhcp-option DNS [TOFILL_CORPORATE_DNS_SERVER_2]
pull-filter ignore "dhcp-option DOMAIN"
dhcp-option DOMAIN [TOFILL_CORPORATE_DOMAIN_TLD]