
[How To] Use /etc/crontab-static to assign SSL VPN users a static IP address in the address pool

Hi,

I've searched for the solution for a long time and didn't find a way to make changes persistent regarding the IP address of Sophos SSL VPN users. If you do NOT allow multiple CN from one user (certificate), you can force the UTM's OpenVPN daemon to hand out static IP addresses per user (cert).

Disclaimer: I'm using this in a home lab environment with UTM home free. Your warranty may be void doing those steps.

To do this, login via SSH, username = loginuser. Then "su -" to the root account. 

Use the command "vim /etc/crontab-static" to insert the following line at the end of the file. This will give SSL VPN user "user1" the static IP of "10.20.26.50/24".

# SSL VPN static IP addresses
OPENVPN_CONFD="/var/chroot-openvpn/etc/openvpn/conf.d"
* * * * * root grep -q "ifconfig-push" "${OPENVPN_CONFD}/user1" || echo "ifconfig-push 10.20.26.50 255.255.255.0" >> "${OPENVPN_CONFD}/user1"

Then, enter "reboot" to restart your Sophos UTM for the changes to be automatically taken over to "/etc/crontab".

If you'd like to check, after a minute, whether the "ifconfig-push" line has been added to the user's VPN config, you can use:

watch -n 1 cat /var/chroot-openvpn/etc/openvpn/conf.d/user1

I chose "/etc/crontab-static" with a minutely running cron job because, in my experience on Sophos UTM, this has always been very robust against updates when applying a newer version of the UTM firewall firmware. The static IP will "get lost", for example, when you toggle a VPN user on or off via the WebAdmin GUI, and is then restored after a minute because of the cron job.

Kind regards.
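As an added example (not code from the original post or from Sophos), the following POSIX shell script generalises the one-line cron job above: it pins several users at once, replaces a stale "ifconfig-push" line instead of appending a second one, and refuses to apply a mapping that hands the same address to two users. The user names and STATIC_MAP are constructed; the conf.d path is the one from the post, and it is assumed that the UTM itself creates the per-user file.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent helper that pins
# SSL VPN users to static addresses in OpenVPN's client-config directory.
# Path below is the one named in the post; override via the environment.
OPENVPN_CONFD="${OPENVPN_CONFD:-/var/chroot-openvpn/etc/openvpn/conf.d}"

# user:ip:netmask, one entry per line (constructed sample mapping)
STATIC_MAP='user1:10.20.26.50:255.255.255.0
user2:10.20.26.51:255.255.255.0'

# Print every IP that appears more than once in the map; empty if none.
duplicate_ip() {
    printf '%s\n' "$1" | cut -d: -f2 | sort | uniq -d
}

# Ensure the user's client-config file carries exactly one ifconfig-push
# line with the wanted address. Assumption: the UTM creates the file when
# the user is enabled, so a missing file means "unknown user" and is skipped.
pin_user() {
    user=$1; ip=$2; mask=$3; conf="${OPENVPN_CONFD}/${user}"
    [ -f "$conf" ] || return 1
    tmp="${conf}.tmp.$$"
    # keep everything except old ifconfig-push lines (grep exits 1 if none remain)
    { grep -v '^ifconfig-push ' "$conf" || [ $? -eq 1 ]; } > "$tmp"
    printf 'ifconfig-push %s %s\n' "$ip" "$mask" >> "$tmp"
    mv "$tmp" "$conf"
}

# Apply the whole map; returns 2 without touching anything on an address clash.
apply_map() {
    dup=$(duplicate_ip "$1")
    if [ -n "$dup" ]; then
        echo "refusing to apply: address $dup assigned more than once" >&2
        return 2
    fi
    printf '%s\n' "$1" | while IFS=: read -r u ip mask; do
        [ -n "$u" ] || continue
        pin_user "$u" "$ip" "$mask" || echo "skipped $u: no config file" >&2
    done
}

# Usage from the crontab-static job: "* * * * * root /path/to/this.sh apply"
if [ "${1:-}" = "apply" ]; then
    apply_map "$STATIC_MAP"
fi
```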



  • Why do you need a static IP?
    The user network object gets assigned the current IP, and you can use this within Rules/NAT/...

    ... and within user-config you can use "Use static remote access IP".


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • I need it because our applications also look at IP addresses.

    Even in Active Directory environments it may be a benefit to have a static IP instead of waiting for AD DNS registration (through the VPN) to take place and update the Windows client's IP address. Since we're on a static IP, many problems are solved.
