This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Open VPN to UTM - site to site

Hi, 

anybody got a site to site openvpn connection working with the UTM. I copied the certificates from the APC file using notepad++ but this didn't seem to work.

 

Louis



This thread was automatically locked due to age.
Parents
  • Hi  

    Have you followed these articles: Sophos UTM: How to configure a Site to Site SSL VPN tunnel & UTM: SSL Site to Site VPN Troubleshooting? You don't need to import a certificate additionally apart from importing the config file. 

    Regards

    Jaydeep

  • I've got it working now. It wasn't as simple as a UTM to UTM. This is a UTM to OpenVPN site to site (not remote access)

    I had to basically:

    1. Use UTM as server

    2. Download apc file and extract the certs (CA, Cert & Key)

    3. Extract the username/password from above file  (this is the bit I was stuck at)

    4. Use remote server as SSL client and enter above details/certs

  • Hi  

    Thanks for the update. Would you please tell us if you have connected a Linux server or any other system using this method?

    Regards

    Jaydeep

  • I connected a Teltonika RUTX11 using the UTM as the server side (Fixed IP) and the RUTX11 as the client side (dynamic IP)

    This is configured as a site to site SSL VPN on the UTM (not Remote Access)

    Certs (CA & Cert + Key) were extracted using notepad++ from the downloaded apc file on the UTM.
    Username/Password was also extracted from this file.

    RUTX11 client side used TLS+Username/Password

    Works very well so far.

    The system above is a linux based system (as with most) so I imagine anything that has OpenVPN client on it will work. The trick was to extract the correct details from the apc file and also use TLS+password authentication on the client side. I'm not sure why Sophos make the site to site a little bit harder to configure if it's not another UTM?

  • Louis, This is the first time I remember anyone doing this successfully.  Can you a little more precise about extracting and naming the certs, username and password?  Also, what you did in the OpenVPN client to enter the details.

    TIA!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    in the apc file, the certs are extracted using notepad++ (from top downwards in apc file)

    Client Cert is the first one:

    copy from
    -----BEGIN CERTIFICATE-----
    to
    -----END CERTIFICATE-----

    and save in a file called some_cert.txt OR you can rename to some_cert.crt

    CA cert is the next one:

    copy from
    -----BEGIN CERTIFICATE-----
    to
    -----END CERTIFICATE-----

    and save in in a file called some_CA.txt OR you can rename to some_CA.crt

    Private key is the next one:

    copy from
    -----BEGIN PRIVATE KEY-----
    to
    -----END PRIVATE KEY-----

    and save in some file called some_key.txt OR you can rename to some_key.key

    That completes the certs.

    Now you need the username & password which they cleverly hide in the file.
    Search for "username" and you will find the username before that phrase eg REF_SomeText eg REF_AaaUse1. Sits just after the CA cert
    Search for "password" and you will find the password before that prhrase eg REF_Sometext eg REF_SSLSERXXXXAPN0000ref_sslserxxxxapn. Sits after the private key

    On the client side, ensure settings are matched eg compression, encapsulation etc and the client side is set as client.
    Use TLS + Password, entering the above details for username/password and the above certs in the appropriate places.

    Works a treat. I've not tried it with an openvpn client yet but it should work. I'm using a router that uses an openvpn client so it's the same but I've just got a GUI. I'll try with an openvpn client on one of my servers and let you know the details.

    ****************************************************************************************************

    Using with OpenVPN Client

    Store the username/password credentials (obtained above from apc file) in a file called user.creds like so:

    REF_AaaUse1
    REF_SSLSERXXXXAPN0000ref_sslserxxxxapn

    place that file in the same directory as you put the certs into.

    openvpn server.conf example (but you can get the idea of it from here no matter what client you are using)

    client
    dev tun
    proto udp
    hand-window 30
    port 1194
    remote myopenvpnserver.com   <<< your remote IP
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca /etc/openvpn/certs/some_CA.crt   <<< your CA Cert
    cert /etc/openvpn/certs/some_cert.crt  <<< your cert
    key /etc/openvpn/certs/some_key.key  <<< your private key

    route 10.1.1.0 255.255.255.0  <<< your route
    route 10.1.2.0 255.255.255.0  <<< your route yada yada as many as you want

    cipher AES-256-CBC
    auth SHA1

    comp-lzo                                                                                                                         
    route-delay 4
    verb 3

    reneg-sec 0
    auth-user-pass /etc/openvpn/certs/user.creds  <<< your username/password file

Reply
  • Hi Bob,

    in the apc file, the certs are extracted using notepad++ (from top downwards in apc file)

    Client Cert is the first one:

    copy from
    -----BEGIN CERTIFICATE-----
    to
    -----END CERTIFICATE-----

    and save in a file called some_cert.txt OR you can rename to some_cert.crt

    CA cert is the next one:

    copy from
    -----BEGIN CERTIFICATE-----
    to
    -----END CERTIFICATE-----

    and save in in a file called some_CA.txt OR you can rename to some_CA.crt

    Private key is the next one:

    copy from
    -----BEGIN PRIVATE KEY-----
    to
    -----END PRIVATE KEY-----

    and save in some file called some_key.txt OR you can rename to some_key.key

    That completes the certs.

    Now you need the username & password which they cleverly hide in the file.
    Search for "username" and you will find the username before that phrase eg REF_SomeText eg REF_AaaUse1. Sits just after the CA cert
    Search for "password" and you will find the password before that prhrase eg REF_Sometext eg REF_SSLSERXXXXAPN0000ref_sslserxxxxapn. Sits after the private key

    On the client side, ensure settings are matched eg compression, encapsulation etc and the client side is set as client.
    Use TLS + Password, entering the above details for username/password and the above certs in the appropriate places.

    Works a treat. I've not tried it with an openvpn client yet but it should work. I'm using a router that uses an openvpn client so it's the same but I've just got a GUI. I'll try with an openvpn client on one of my servers and let you know the details.

    ****************************************************************************************************

    Using with OpenVPN Client

    Store the username/password credentials (obtained above from apc file) in a file called user.creds like so:

    REF_AaaUse1
    REF_SSLSERXXXXAPN0000ref_sslserxxxxapn

    place that file in the same directory as you put the certs into.

    openvpn server.conf example (but you can get the idea of it from here no matter what client you are using)

    client
    dev tun
    proto udp
    hand-window 30
    port 1194
    remote myopenvpnserver.com   <<< your remote IP
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca /etc/openvpn/certs/some_CA.crt   <<< your CA Cert
    cert /etc/openvpn/certs/some_cert.crt  <<< your cert
    key /etc/openvpn/certs/some_key.key  <<< your private key

    route 10.1.1.0 255.255.255.0  <<< your route
    route 10.1.2.0 255.255.255.0  <<< your route yada yada as many as you want

    cipher AES-256-CBC
    auth SHA1

    comp-lzo                                                                                                                         
    route-delay 4
    verb 3

    reneg-sec 0
    auth-user-pass /etc/openvpn/certs/user.creds  <<< your username/password file

Children