[How To] Use /etc/crontab-static to assign SSL VPN users a static IP address in the address pool

Hi,

I've searched for the solution for a long time and didn't find a way to make changes persistent regarding the IP address of Sophos SSL VPN users. If you do NOT allow multiple CNs from one user (certificate), you can force the UTM's OpenVPN daemon to hand out static IP addresses per user (cert).

Disclaimer: I'm using this in a home lab environment with UTM home free. Your warranty may be voided by doing these steps.

To do this, log in via SSH, username = loginuser. Then "su -" to the root account.

Use the command "vim /etc/crontab-static" to insert the following lines at the end of the file. This will give SSL VPN user "user1" the static IP of "10.20.26.50/24".

# SSL VPN static IP addresses
OPENVPN_CONFD="/var/chroot-openvpn/etc/openvpn/conf.d"
* * * * * root grep -q "ifconfig-push" "${OPENVPN_CONFD}/user1" || echo "ifconfig-push 10.20.26.50 255.255.255.0" >> "${OPENVPN_CONFD}/user1"

Then, enter "reboot" to restart your Sophos UTM for the changes to be automatically carried over into "/etc/crontab".

If you'd like to check after a minute whether the "ifconfig-push" line has been added to the user's VPN config, you can use:

watch -n 1 cat /var/chroot-openvpn/etc/openvpn/conf.d/user1

I chose "/etc/crontab-static" with a cron job running every minute because in my experience on Sophos UTM this has always been very robust against updates when applying a newer version of the UTM firewall firmware. The static IP will "get lost", for example, when you toggle a VPN user on or off via the WebAdmin GUI, and is then restored after a minute by the cron job.

Kind regards.
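The same idea as a small shell function, added here as an example that is not part of the original post. It does what the grep-or-echo one-liner above does, but also covers two cases the one-liner does not: a stale "ifconfig-push" line with a different address is replaced rather than left in place (the one-liner's grep -q "ifconfig-push" is satisfied by any such line), and a per-user file that WebAdmin has not created (user disabled or deleted) is left alone instead of being created by ">>". The directory, the user names and the addresses are placeholders taken from the post; a "ghost" user and the "pin_from_table" reader are assumptions for illustration only, and the example does not verify where on the UTM such a script would survive a firmware update.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Keeps a static "ifconfig-push" line in a per-user OpenVPN conf.d file
# (the file the post's cron line writes to). Run as root on the UTM.

# Same directory the post uses; override via the environment for testing.
OPENVPN_CONFD="${OPENVPN_CONFD:-/var/chroot-openvpn/etc/openvpn/conf.d}"

# ensure_static_ip USER IP NETMASK
# Prints one word describing what happened and returns 0 on success:
#   unchanged - the exact line is already there
#   added     - no ifconfig-push line existed, one was appended
#   replaced  - an ifconfig-push line with another address was swapped out
#   missing   - no conf.d file for USER; nothing written, returns 1
ensure_static_ip() {
    user="$1"; ip="$2"; mask="$3"
    ccd="${OPENVPN_CONFD}/${user}"
    want="ifconfig-push ${ip} ${mask}"

    # The per-user file exists only while WebAdmin has the user enabled.
    # Do not create it: that would hand a disabled or deleted user a config.
    [ -f "$ccd" ] || { echo "missing"; return 1; }

    # Exact whole-line match: nothing to do.
    if grep -qxF "$want" "$ccd"; then
        echo "unchanged"; return 0
    fi

    # A different ifconfig-push is present: drop it, keep every other
    # directive, append the wanted line. "cat > file" keeps owner and mode.
    if grep -q '^ifconfig-push ' "$ccd"; then
        tmp="${ccd}.tmp.$$"
        sed '/^ifconfig-push /d' "$ccd" > "$tmp"
        echo "$want" >> "$tmp"
        cat "$tmp" > "$ccd"
        rm -f "$tmp"
        echo "replaced"; return 0
    fi

    echo "$want" >> "$ccd"
    echo "added"
}

# pin_from_table < table
# Reads "user ip netmask" lines from stdin (blank lines and # comments are
# skipped), applies ensure_static_ip to each, prints "user: result" per
# line and returns 1 if any user could not be pinned.
pin_from_table() {
    rc=0
    while read -r user ip mask; do
        case "$user" in ''|'#'*) continue ;; esac
        result=$(ensure_static_ip "$user" "$ip" "$mask") || rc=1
        echo "${user}: ${result}"
    done
    return $rc
}
```

Used from the post's cron entry, the line would run the script (for example with the table embedded in a here-document) instead of the grep-or-echo, assuming the script itself is kept somewhere the firmware update does not touch. The address given must lie inside the SSL VPN pool's subnet, as 10.20.26.50/24 does in the post; the script does not check that, nor does it check for two users being given the same address, so keep the table short and review it when the pool changes.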

  • Why do you need a static IP?
    The user network object gets assigned the current IP, and you can use this within Rules/NAT/...

    ... and within user-config you can use "Use static remote access IP".


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hey guys,

     "Use static remote access IP" doesn't work with the SSL VPN.

    Agreed with Dirk that the "(User Network)" and "(User Group Network)" objects obviate the need for fixed VPN IPs.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I need it because our applications also look at IP addresses.

    Even in Active Directory environments it may be a benefit to have a static IP instead of waiting for AD DNS registration (through the VPN) to take place and update the Windows client's IP address. Since we use static IPs, many problems are solved.