Hi,
I've searched for the solution for a long time and didn't find a way to make changes persistent regarding the IP address of Sophos SSL VPN users. If do NOT allow multiple CN from one user (certificate), you can force the UTM's OpenVPN daemon to hand out static IP addresses per user (cert).
Disclaimer: I'm using this in a home lab environment with UTM home free. Your warranty may be void doing those steps.
To do this, login via SSH, username = loginuser. Then "su -" to the root account.
Use the command "vim /etc/crontab-static" to insert the following line at the end of the file. This will give SSL VPN user "user1" the static IP of "10.20.26.50/24".
# SSL VPN static IP addresses
OPENVPN_CONFD="/var/chroot-openvpn/etc/openvpn/conf.d"
* * * * * root grep -q "ifconfig-push" "${OPENVPN_CONFD}/user1" || echo "ifconfig-push 10.20.26.50 255.255.255.0" >> "${OPENVPN_CONFD}/user1"
Then, enter "reboot" to restart your Sophos UTM for the changes to be automatically taken over to "/etc/crontab".
If you'd like to check after a minute, if the "ifconfig-push" line had been added to the user's VPN config, you can use:
watch -n 1 cat /var/chroot-openvpn/etc/openvpn/conf.d/user1
I chose the "/etc/crontab-static" with a minutely running cron job as my experience on Sophos UTM always was, this was very robust against updates when applying a newer version of the UTM firewall firmware. The static IP will "go lost", for example, when you toggle a VPN user on or off via the WebAdmin GUI, and then refreshed after a minute because of the cron job.
Kind regards.
This thread was automatically locked due to age.
