Advisory: Sophos Endpoint - "Your connection isn't private" We're aware of a certificate issue and are actively working to resolve. Please see: KB-000045954 for the latest updates.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[How To] Use /etc/crontab-static to assign SSL VPN users a static IP address in the adress pool


I've searched for the solution for a long time and didn't find a way to make changes persistent regarding the IP address of Sophos SSL VPN users. If do NOT allow multiple CN from one user (certificate), you can force the UTM's OpenVPN daemon to hand out static IP addresses per user (cert).

Disclaimer: I'm using this in a home lab environment with UTM home free. Your warranty may be void doing those steps.

To do this, login via SSH, username = loginuser. Then "su -" to the root account. 

Use the command "vim /etc/crontab-static" to insert the following line at the end of the file. This will give SSL VPN user "user1" the static IP of "".

# SSL VPN static IP addresses
* * * * * root grep -q "ifconfig-push" "${OPENVPN_CONFD}/user1" || echo "ifconfig-push" >> "${OPENVPN_CONFD}/user1"

Then, enter "reboot" to restart your Sophos UTM for the changes to be automatically taken over to "/etc/crontab".

If you'd like to check after a minute, if the "ifconfig-push" line had been added to the user's VPN config, you can use:

watch -n 1 cat /var/chroot-openvpn/etc/openvpn/conf.d/user1

I chose the "/etc/crontab-static" with a minutely running cron job as my experience on Sophos UTM always was, this was very robust against updates when applying a newer version of the UTM firewall firmware. The static IP will "go lost", for example, when you toggle a VPN user on or off via the WebAdmin GUI, and then refreshed after a minute because of the cron job.

Kind regards.

This thread was automatically locked due to age.
  • Why do you need a static IP?
    The user-network-object becomes assigned the current IP and you can use this within Rules/NAT/...

    ... and within user-config you can use "Use static remote access IP".


    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hey guys,

     "Use static remote access IP" doesn't work with the SSL VPN.

    Agreed with Dirk that the "(User Network)" and "(User Group Network)" objects obviate the need for fixed VPN IPs.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I need it because our applications also look at IP addresses.

    Even in Active Directory environments it may be a benefit to have static IP instead of waiting for AD DNS registration (through VPN) taking place and update the Windows client's IP address. Since we're static IP, many problems are solved.