
Attention: even the new Sophos SSL-VPN is unreliable and potentially insecure.

Almost all of our users reported problems using SSL-VPN. Heartbeat was not working properly, and many other connection issues occurred frequently.

The first issue I figured out relates to the internet provider's MTU. If they are using a lower MTU (e.g. less than 1472), you are facing this behavior. Smaller MTUs are quite common for cable, mobile or even hotel internet connections.

As this is common behavior, OpenVPN (Sophos SSL VPN is based on OpenVPN) provides specific options to handle such issues, e.g. by setting a specific MTU/MSS on a server or per-user basis.

OpenVPN also provides an option to prevent DNS leaks (more details on this).

Sophos' implementation of OpenVPN did not respect many of these very important options. Support cases asking for implementation of already existing underlying functionality were rejected with advice to file a feature request.

As it seems functionality and security are not by design but a "feature" when using Sophos software, you may consider using different solutions, as we are doing now.



  • First of all, Sophos Connect should set the MTU size to 1400, so it should work in most scenarios.

    Isn't this second problem already addressed by Windows itself? I read something about this a while ago. Could be wrong.


  • DNS leak is still happening with Sophos Connect 2.0, because in the config file sent by XG the config option "block-outside-dns" isn't used.

    At least, can we please have an updated version of OpenVPN? Seriously, it's running a really old version right now, and AES-GCM + TLS 1.3 would be wonderful, since now it's using TLS v1.0.


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall
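The two posts above (the MTU/MSS point in the opening post and the missing "block-outside-dns" / old TLS point in the reply) can be checked mechanically against a client profile. The script below is an added example written for this thread; it is not code from the original posts, from Sophos, or from the OpenVPN project. It parses OpenVPN's line-oriented profile format (including inline `<ca>...</ca>` blocks) and reports the settings the thread complains about. Both sample profiles are constructed for illustration and are not files generated by a Sophos firewall; the hostname and CA block are placeholders. The option names (`tun-mtu`, `mssfix`, `block-outside-dns`, `tls-version-min`, `data-ciphers`) are real OpenVPN options, but the specific values chosen for the hardened profile are assumptions for this example, and `data-ciphers` requires OpenVPN 2.5 or newer while `block-outside-dns` only has an effect on Windows clients.

```python
import re
from typing import Dict, List

# Constructed sample profile mirroring what the thread describes: no MTU/MSS
# clamp, no block-outside-dns, no TLS floor, and a CBC data-channel cipher.
LEAKY_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 8443
cipher AES-128-CBC
auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""

# Constructed hardened form of the same profile (values are assumptions).
HARDENED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 8443
# Smaller tunnel MTU plus an MSS clamp so TCP inside the tunnel still fits
# through access networks whose own MTU is below 1500.
tun-mtu 1400
mssfix 1360
# Windows only: stop DNS queries from leaving via non-tunnel interfaces.
block-outside-dns
tls-version-min 1.2
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""

_INLINE_OPEN = re.compile(r"^<([A-Za-z0-9_-]+)>$")


def parse_profile(text: str) -> Dict[str, List[List[str]]]:
    """Parse an OpenVPN profile into option -> list of argument lists.

    Options may repeat (several 'remote' lines, for instance), so every key
    maps to a list. Inline blocks such as <ca>...</ca> are stored under their
    tag name with the block body as the single argument. Lines starting with
    '#' or ';' are comments and are skipped.
    """
    options: Dict[str, List[List[str]]] = {}
    block_tag = None
    block_lines: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if block_tag is not None:
            if line == f"</{block_tag}>":
                options.setdefault(block_tag, []).append(["\n".join(block_lines)])
                block_tag, block_lines = None, []
            else:
                block_lines.append(line)
            continue
        if not line or line[0] in "#;":
            continue
        match = _INLINE_OPEN.match(line)
        if match:
            block_tag = match.group(1)
            continue
        parts = line.split()
        options.setdefault(parts[0], []).append(parts[1:])
    return options


def audit_profile(text: str) -> List[str]:
    """Return findings for the MTU, DNS-leak and TLS issues raised in the thread."""
    opts = parse_profile(text)
    findings: List[str] = []
    # MTU/MSS: without any of these, the tunnel relies on OpenVPN defaults,
    # which is what breaks on low-MTU cable, mobile and hotel links.
    if not any(k in opts for k in ("tun-mtu", "mssfix", "fragment")):
        findings.append("no tun-mtu/mssfix/fragment: relies on defaults, fragile on low-MTU access networks")
    if "block-outside-dns" not in opts:
        findings.append("no block-outside-dns: DNS queries can leak past the tunnel on Windows")
    floor = opts.get("tls-version-min", [[None]])[0][0]
    if floor is None or float(floor) < 1.2:
        findings.append(f"tls-version-min {floor or 'unset'}: TLS 1.0/1.1 control channel permitted")
    # Without data-ciphers (2.5+) or ncp-ciphers (2.4) the data channel is
    # pinned to whatever 'cipher' says, here a non-AEAD CBC mode.
    if "data-ciphers" not in opts and "ncp-ciphers" not in opts:
        cipher = opts.get("cipher", [["(default)"]])[0][0]
        findings.append(f"no data-ciphers: data channel pinned to '{cipher}' instead of an AEAD cipher")
    return findings


if __name__ == "__main__":
    for name, profile in (("leaky", LEAKY_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{name}: {audit_profile(profile) or ['no findings']}")
```

Run it on an exported `.ovpn` by reading the file into `audit_profile`; an empty result means the profile already carries the MTU clamp, the DNS guard and a TLS 1.2 floor, and each finding names the option that is missing so it can be added on the server side or appended to the client profile.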
