
VPN Question

Hi, I am configuring SSL VPN for my company mobile phones to use OpenVPN to enable them to securely connect to public networks.

When connected will all traffic be sent over the VPN? Or do I have to enable "Use as Default Gateway"?



  • It seems like you are trying to accomplish a full tunnel SSL VPN. If SSL VPN is set up on the UTM, all traffic going into the UTM from remote users will also tunnel back out into the internet so that remote users can browse the internet using the advantages of the web filter?

    Sophos UTM SSL VPN - www.fastvue.co/.../

  • Hi, sorry for the delay in responding. Yes we would like to achieve a full tunnel. When I select "Use as Default Gateway" the client IP changes to the WAN IP address of the XG when I connect the VPN. When I deselect the same option the IP stays the same as the one registered by the local ISP. 

    So I was wondering if it makes a difference to the tunnel if I enable "Use as Default Gateway" 

  • Your question is a little confusing. If your client is directing all traffic through the VPN, that traffic will not consider itself to be from whatever IP the local ISP assigned to the client. Obviously, the OpenVPN client software and the client OS need to be aware of the actual IP in order to communicate on its LAN and to get to the remote Sophos-based VPN server. But the OpenVPN client configures the client OS in such a way that all other processes consider the far end -- the address assigned by your Sophos -- to be the actual IP address.

    So yes, you'll want to set Use as Default Gateway. I'm on SFOS, not UTM so have to assume that the flag works the same way on both. But I had to set it in order for everything to work properly. I seem to remember that I'd have DNS issues if I didn't. I did set up the Sophos VPN server such that VPN clients have no access to resources inside the firewall, though: they only have access to the Internet.

    (This post is in the UTM forum. Is it actually a SFOS/XGS question? Both systems could use the same name for a similar checkbox. But it's also easy to post to the UTM forum when you meant the "Sophos Firewall" (i.e. SFOS) forum instead.)
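As an added example (not code from this thread or from Sophos), a short Python script that reads the PUSH_REPLY line from an OpenVPN client log and reports whether the server pushed a default route and a DNS server. It assumes that "Use as Default Gateway" is implemented by the server pushing `redirect-gateway` to the client; the log lines are constructed, not taken from a real firewall.

```python
"""Inspect what an OpenVPN server pushed to a client, to confirm full-tunnel mode.

Assumption: the UTM/SFOS "Use as Default Gateway" setting makes the server push
`redirect-gateway`, so the PUSH_REPLY line in the client log shows whether the
setting took effect. The log excerpts below are constructed samples.
"""
import re

# Constructed sample log excerpts: one with the option enabled, one without.
LOG_DEFAULT_GW_ON = (
    "2024-01-01 10:00:01 PUSH: Received control message: 'PUSH_REPLY,"
    "redirect-gateway def1,dhcp-option DNS 10.242.2.1,"
    "route 10.242.2.0 255.255.255.0,ping 10,ping-restart 120,"
    "ifconfig 10.242.2.6 255.255.255.0,peer-id 0,cipher AES-256-GCM'"
)
LOG_DEFAULT_GW_OFF = (
    "2024-01-01 10:05:01 PUSH: Received control message: 'PUSH_REPLY,"
    "route 10.242.2.0 255.255.255.0,ping 10,ping-restart 120,"
    "ifconfig 10.242.2.6 255.255.255.0,peer-id 0,cipher AES-256-GCM'"
)

_PUSH_RE = re.compile(r"PUSH_REPLY,(.*?)'")


def parse_push_reply(log: str) -> list[list[str]]:
    """Return the pushed options as token lists, or [] if no PUSH_REPLY is present."""
    m = _PUSH_RE.search(log)
    if not m:
        return []
    return [opt.split() for opt in m.group(1).split(",") if opt.strip()]


def tunnel_summary(log: str) -> dict:
    """Summarise routing, DNS and the assigned tunnel address from a client log."""
    opts = parse_push_reply(log)
    names = {o[0] for o in opts}
    return {
        # redirect-gateway is what makes the tunnel carry all client traffic.
        "full_tunnel": "redirect-gateway" in names,
        # Without a pushed resolver the client keeps its local one, which may be
        # unreachable once all traffic goes through the tunnel (DNS "issues").
        "dns_pushed": any(o[0] == "dhcp-option" and len(o) >= 3 and o[1].upper() == "DNS" for o in opts),
        "tunnel_ip": next((o[1] for o in opts if o[0] == "ifconfig" and len(o) >= 2), None),
        "routes": [tuple(o[1:3]) for o in opts if o[0] == "route" and len(o) >= 3],
    }


if __name__ == "__main__":
    for label, log in (("enabled", LOG_DEFAULT_GW_ON), ("disabled", LOG_DEFAULT_GW_OFF)):
        print(label, tunnel_summary(log))
```

The same check works on a real client log: if `full_tunnel` is False after connecting, the default-route push did not reach the client and the public IP seen by websites will stay the ISP-assigned one.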
