Anybody got a site to site OpenVPN connection working with the UTM? I copied the certificates from the APC file using Notepad++ but this didn't seem to work.
Have you followed these articles: Sophos UTM: How to configure a Site to Site SSL VPN tunnel & UTM: SSL Site to Site VPN Troubleshooting? You don't need to import a certificate additionally apart from importing the config file.
I've got it working now. It wasn't as simple as a UTM to UTM. This is a UTM to OpenVPN site to site (not remote access)
I had to basically:
1. Use UTM as server
2. Download apc file and extract the certs (CA, Cert & Key)
3. Extract the username/password from above file (this is the bit I was stuck at)
4. Use remote server as SSL client and enter above details/certs
Thanks for the update. Would you please tell us if you have connected a Linux server or any other system using this method?
I connected a Teltonika RUTX11 using the UTM as the server side (Fixed IP) and the RUTX11 as the client side (dynamic IP)
This is configured as a site to site SSL VPN on the UTM (not Remote Access)
Certs (CA & Cert + Key) were extracted using Notepad++ from the downloaded apc file on the UTM. Username/Password was also extracted from this file.
RUTX11 client side used TLS+Username/Password
Works very well so far.
The system above is a linux based system (as with most) so I imagine anything that has OpenVPN client on it will work. The trick was to extract the correct details from the apc file and also use TLS+password authentication on the client side. I'm not sure why Sophos make the site to site a little bit harder to configure if it's not another UTM?
Louis, this is the first time I remember anyone doing this successfully. Can you be a little more precise about extracting and naming the certs, username and password? Also, what you did in the OpenVPN client to enter the details.
Cheers - Bob
In the apc file, the certs are extracted using Notepad++ (from top downwards in the apc file).
Client Cert is the first one:
copy from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----
and save in a file called some_cert.txt OR you can rename it to some_cert.crt
CA cert is the next one:
and save in a file called some_CA.txt OR you can rename it to some_CA.crt
Private key is the next one:
copy from -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY-----
and save in a file called some_key.txt OR you can rename it to some_key.key
That completes the certs. Now you need the username & password, which they cleverly hide in the file. Search for "username" and you will find the username just before that phrase, eg REF_SomeText, eg REF_AaaUse1. It sits just after the CA cert. Search for "password" and you will find the password just before that phrase, eg REF_SomeText, eg REF_SSLSERXXXXAPN0000ref_sslserxxxxapn. It sits after the private key.
On the client side, ensure settings are matched, eg compression, encapsulation etc, and the client side is set as client. Use TLS + Password, entering the above details for username/password and the above certs in the appropriate places.
Works a treat. I've not tried it with an OpenVPN client yet but it should work. I'm using a router that uses an OpenVPN client so it's the same, but I've just got a GUI. I'll try with an OpenVPN client on one of my servers and let you know the details.
Using with OpenVPN Client
Store the username/password credentials (obtained above from the apc file) in a file called user.creds like so:
Place that file in the same directory as you put the certs into.
openvpn server.conf example (but you can get the idea of it from here no matter what client you are using)
client
dev tun
proto udp
hand-window 30
port 1194
remote myopenvpnserver.com  # <<< your remote IP
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/certs/some_CA.crt  # <<< your CA cert
cert /etc/openvpn/certs/some_cert.crt  # <<< your cert
key /etc/openvpn/certs/some_key.key  # <<< your private key
route 10.1.1.0 255.255.255.0  # <<< your route
route 10.1.2.0 255.255.255.0  # <<< your route, yada yada, as many as you want
cipher AES-256-CBC
auth SHA1
comp-lzo
route-delay 4
verb 3
reneg-sec 0
auth-user-pass /etc/openvpn/certs/user.creds  # <<< your username/password file
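As an added worked example (not from this thread, Sophos or the OpenVPN project), the script below automates the extraction steps given above and produces the files the client config references: it pulls the PEM blocks out of the apc text in the order the post describes (client cert, then CA cert, then private key), picks up the REF_ tokens sitting before the words "username" and "password", sanity-checks each block by decoding it, and writes some_cert.crt, some_CA.crt, some_key.key and the two-line user.creds file with the key and credentials readable only by the owner. The sample apc text, the file names and the assumption that each credential token sits immediately before the word that labels it are constructed for the example, because the thread never shows the real file layout; adjust the regex in extract_credential to match your actual file.

```python
import base64
import re
import tempfile
from pathlib import Path

# Constructed stand-in for the text of a UTM .apc file. The thread does not show the
# real layout; this only mimics what the post describes: client certificate first,
# CA certificate second, private key third, and a REF_ token just before the words
# "username" and "password". The base64 bodies are dummy DER placeholders, not keys.
SAMPLE_APC = """\
header text the UTM puts before the material
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
REF_AaaUse1 username
-----BEGIN PRIVATE KEY-----
MAMCAQM=
-----END PRIVATE KEY-----
REF_SslServerExample password
trailing text
"""

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)


def extract_pem_blocks(text):
    """Return (label, pem_text) pairs in file order, checking each body decodes to DER."""
    blocks = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        raw = base64.b64decode("".join(body.split()), validate=True)
        # Every X.509 certificate and PKCS#8 key starts with a DER SEQUENCE tag (0x30);
        # a copy/paste that dropped or mangled lines fails here instead of at connect time.
        if not raw or raw[0] != 0x30:
            raise ValueError(f"{label} block does not decode to DER")
        blocks.append((label, m.group(0) + "\n"))
    return blocks


def split_materials(text):
    """Map the blocks to the roles the post gives them: cert, then CA, then key."""
    blocks = extract_pem_blocks(text)
    certs = [pem for label, pem in blocks if label == "CERTIFICATE"]
    keys = [pem for label, pem in blocks if label.endswith("PRIVATE KEY")]
    if len(certs) != 2 or len(keys) != 1:
        raise ValueError(f"expected 2 certificates and 1 key, found {len(certs)} and {len(keys)}")
    return {"cert": certs[0], "ca": certs[1], "key": keys[0]}


def extract_credential(text, word):
    """Return the REF_ token that sits just before `word` (assumed layout, see above)."""
    m = re.search(r"(REF_\w+)\s+" + re.escape(word) + r"\b", text)
    if not m:
        raise ValueError(f"no REF_ token found before '{word}'")
    return m.group(1)


def write_client_files(materials, username, password, out_dir):
    """Write the files the client config references; key and creds are owner-only."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    written = {}
    files = [
        ("some_cert.crt", materials["cert"], 0o644),
        ("some_CA.crt", materials["ca"], 0o644),
        ("some_key.key", materials["key"], 0o600),
        # OpenVPN's auth-user-pass file: username on line 1, password on line 2.
        ("user.creds", f"{username}\n{password}\n", 0o600),
    ]
    for name, content, mode in files:
        path = out_dir / name
        path.write_text(content)
        path.chmod(mode)
        written[name] = path
    return written


def run_demo(text=SAMPLE_APC, out_dir=None):
    """Run the whole extraction on `text`; returns (materials, username, password, paths)."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="utm-apc-")
    materials = split_materials(text)
    username = extract_credential(text, "username")
    password = extract_credential(text, "password")
    paths = write_client_files(materials, username, password, out_dir)
    return materials, username, password, paths


if __name__ == "__main__":
    _, user, _, paths = run_demo()
    for name, path in paths.items():
        print(f"{name}: {path} (mode {oct(path.stat().st_mode & 0o777)})")
    print("username:", user)
```

Point the ca, cert, key and auth-user-pass directives of the client config at the directory the script wrote to. The DER check catches the most common copy error from an editor (a missing or wrapped line inside a block) before OpenVPN reports a vague TLS failure, and the 0600 modes keep the private key and the plaintext credentials from being readable by other local accounts on the client box.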
Quick update on this. Seems the UTM pushes the routes, so no need to add routes into the ovpn file if you don't want to. They will appear as long as the subnets are specified on the UTM server side.